Posted on 2013-12-17.

Update January 2015: It seems that direct access to the compiled application is no longer available. The list of files is still there, but every link now redirects to the Sourceforge malware-ridden downloader.

Another update and a solution: I have just had this tip passed on to me (thanks Mike :), and it is brilliant.
FTP – FTP stands for “File Transfer Protocol”. It is an Internet service specially designed to establish a connection to a particular Internet server (or computer), so that users are able to transfer

The Secure File Transfer Protocol ensures that data is securely transferred using a private and safe data stream.

FileZilla – Features

As soon as you open FileZilla, the first step is to open the Site Manager from the File menu and set up your FTP client with the standard hostname, username and password.
When you get to the Filezilla download page, it will be a URL like this: That URL will give you the Sourceforge downloader application for the project, sized about 700kB. You don’t want that. Quickly go to the URL and add “?nowrap” onto the end. It will look like this: Now what you get is the compiled installer for the project, in this case an executable 6MB in size.
So, just add “?nowrap” to get the file you really wanted. This link gives you the index page for all the downloads, but it automatically adds the nowrap parameter: How long that link will remain is unclear. The thing to remember is to look at the size of the download before you run it.

Went to Sourceforge to download a copy of FileZilla, the Open Source FTP client.
What a disappointing experience. What Sourceforge wants to do is push a piece of spyware at you. What the spyware does is anyone’s guess, but it asks for permission to change Windows settings, which makes me suspicious. Then I tried the “Browse all files” link (which used to be called “other download options”) and went to the direct download page, where I can choose a specific version of FileZilla and download that. Except no – it does not work like that.
The URL shows me the link to the file I want, but clicking on it redirects my browser to the spyware download again. This shit is misleading and should be considered dangerous. They try their best to trick you into installing something that has full access privileges to your entire machine, and then sell that on to their “partners”, who could be just about anyone.
Given how they are misleading users, I don’t trust them, and neither should you. If you want FileZilla, here are the downloads direct from the project: The one you want is probably down near the bottom of that long list, as the latest is at the bottom and not at the top as you would hope.
Good luck, and stay away from Sourceforge – they are looking more dangerous by the day.

Update: today I also needed to download an update to SoapUI, the excellent SOAP testing and development tool. That is also hosted on Sourceforge, but the download links do exactly what they say they do – no spyware, just the 140Mbyte (!) application.
I’m guessing SoapUI has a different arrangement with Sourceforge than does FileZilla, though I suspect whatever gains FileZilla thinks they may be getting are going to be destroyed by the distrust they are building up amongst its end users.

FileZilla has an arrangement with Sourceforge to bundle malware with their installers. Sourceforge knows about this, and Filezilla developers know about it. They are hoping that a portion of their users do not know about it, and will accidentally install malware so that Filezilla and Sourceforge can get a few extra bucks. There have been reports that the malware will install even if you say “no.” Make sure that you always avoid the Sourceforge installer. The Sourceforge installer has the SF logo, while a clean Filezilla installation executable will have the FZ logo.
You can get a clean Filezilla installer if, from the download page, you click “Other Downloads” and look for the link with “nowrap” in it. They seem to change the method every few months, so it might be safest to find a third party site that builds from source.

Hi Jason, boy I totally agree. I just spent a whole day getting rid of such malware and I don’t even know which source it came from. Maybe sourceforge maybe cnet, maybe tucows or other (previously thought to be trusted site). Who knows, maybe now even other free trial anti-malware and such other security software downloads / even directly from companies that develop them could be infected.
In any case, the link you provided took me through two pages (the first looks like the real FileZilla page, the second page did say sourceforge at the top). However, the auto-download at that time did seem to download the real FileZilla, not the sourceforge exec. One more thing, when I first downloaded (but did not run the sourceforge exec) I cannot find it in my download folder (in fact, searched my whole computer and cannot find it). I wonder where they sneaked that in and what it may do to me later??? Really appreciate your help on this.

Hi Jason, First off, thank you for the article and for allowing others to post news of this very sad turn of affairs. Today I fired up Filezilla and it provided notice of an update, like it has done for what seems like since day one; however, today there was the malware Vosteran, a browser hijacker present during installation of Filezilla.
Even though I stopped the installation of Filezilla before it had barely begun, the malware had already hijacked Chrome and established itself as the default search engine. Removing Vosteran which had showed up in the listing of Programs, power cycled off/on a couple of times and then removing any instance in Chrome’s Settings, Manage search engines, and then double checking for any suspicious items, closing Chrome and reopened, and then another power cycle off/on hopefully has nipped things in the bud. If you have anything further to add to removal strategies, I’m sure that your readers would be quite happy to learn and without question, so would I.
A couple of questions: 1) are you still using Filezilla, and if not, 2) what are you using for ftp transfers?

The link that SF provides to supposedly download the product (the compiled application) instead downloads an application to deliver ads and other malware to your machine, before it then downloads the product. Once people run this malware – thinking it is Filezilla – many people report that ad-ware has been installed on their machine even if they cancel the installation, and even if they tick any boxes to indicate that they do not want this software installed. This is underhand, and breaks all trust between the users and the projects. This kind of action drags the name that SF built up a decade ago, through the sordid depths of all things nasty on the Internet.

I am sorry Jason, I probably have not provided enough details in my first question.
I am aware of the DevShare program on SourceForge because I am an active member there. More details on the DevShare program are here: In a few words: the installer is intended to let the project administrators earn some money and keep developing their projects, but without harming the users’ systems; sadly sometimes the installer gives problems to some users and I can understand that a lot of people consider additional software undesirable. Indeed my question was about this statement: “I am also having issues downloading older versions of some applications (to do legacy upgrades) as they tend to be more likely to suffer from bit-rot pre 2013 and are simply not accessible anymore without losing the link halfway through.” If I read well, you found broken links, which ones? The web pages of the projects (project.sourceforge.net) are maintained by the projects’ administrators and links to files (sourceforge.net/projects/project/files) are removed either by projects’ administrators or due to the violation of the SourceForge’s terms of use (spam, illegal stuff, non open source projects for example); indeed it would be a problem if a legit link to files (sourceforge.net/projects/project/files) will break and this is the reason I will ask you, what can’t you download from there?

The “installer” is a shit way to get malware onto users’ machines while putting the apparent blame on the developers. Sorry, but however you try to spin it, it is an appalling thing to do.
Like I say, what it does is underhand, just like the big “Start Download” advert buttons you allow on the download page to MISLEAD people into clicking them. The broken CiviCRM links I was having trouble downloading (they were half-downloading then timing out in the middle) all seem to be a bit more stable now. They were not working properly earlier in January.

Is it possible (and legal according to the license) to do a build from the available source files and distribute it through other channels? I have several people in my network I can activate, but they have little interest in license terms and Windows – they’re Linux buffs. They would help me if I asked them though, and I would be happy to share the output. In essence: Can “we” just build a clean version of FileZilla and share it through other channels?
I might even have a digital cert which can be used to code-sign it (establishing credibility that the output is not filled with yet another batch of malware)?

Similar experience with FileZilla – install was downloaded through their website. Saw a brief popup for a different product. Tried backing up, but was not able to get to that view of the popup to disable install. Immediately exited/cancelled the install w/o installing, but noticed activity on the machine. Brought up Task Manager – found ‘WebCompanion’ running – immediately terminated it and started a filesystem search on the same name (I have a good idea what is supposed to be running on my machine). Found installer and a bunch of partial matches (use a search on WebCompa), not the full name.
Moved installer to another location (copy if you can’t move). Checked services – nothing added. Did internet search on WebCompanion – found LavaSoft and they state to remove it, look for the program labelled “Ad-Aware Antivirus” – no such creature present. Another page indicates the name “Trovi” – no such creature present. Checked browsers for unknown addons – didn’t find them, might have gotten it early enough to prevent it. Manually opened/unpacked contents of installer (without installing) and used files present to search the filesystem for them (using common base names) – deleted identified files – watch for files that have same name, check for date updates to current. Searched registry for same.
Be careful of mods – surgically removed refs. Now for a beer – ‘caus I’m really T’d off. I think I got it all. It might help to list the names of the crapware that FileZilla is trying to squeeze in. NOTE: The zips don’t have the crapware installer in them.
This is a great article and thread of replies. I won’t bore anyone with my story, but I will add some things I’ve noted.
Upon download of the file from Filezilla’s website, what you receive is a Zip Archive called “FileZilla3.26.2macosx-x86setupbundled.zip” (798 KB). You do not want this. Adding “?nowrap” to the end of the link, as suggested, a bzip2 compressed archive is downloaded. It’s called “FileZilla3.26.2macosx-x86.app.tar.bz2” (8.9 MB). This IS the file you want. Some additional information I found (as I had no idea what a bzip2 compressed archive was), according to WinZip, “The BZ2 format is used to compress single files only and is not able to archive a group of files. That means you need to assemble the group of files you want to compress into an archive first, then apply bzip2 compression to that archive file.” This definition eases my concern of installing unwanted, malicious software.
I would like to thank Author Jason Judge for this article and can confirm adding “?nowrap”, will indeed lead you to the file you’ll want to download. Current, safe, MacOS build link below.
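
The two checks described in the article and the comment above (append “?nowrap”, then look at the name and size of what arrived before running it), sketched in Python as an added example that is not part of the original post or its comments. The URL is a constructed placeholder and the 50% size ratio is an assumption; the file names and sizes are the ones quoted in the comment above.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Assumption: flag a download smaller than half the size listed on the
# project's file index. The ratio is chosen for this example, not by the page.
MIN_SIZE_RATIO = 0.5


def add_nowrap(url: str) -> str:
    """Append the bare 'nowrap' parameter without clobbering an existing query."""
    parts = urlsplit(url)
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    if "nowrap" in keys:
        return url  # already present, leave the URL untouched
    query = f"{parts.query}&nowrap" if parts.query else "nowrap"
    return urlunsplit(parts._replace(query=query))


def wrapper_warnings(filename: str, size_bytes: int, listed_bytes: int) -> list:
    """Return reasons to distrust a download before running it (empty = none found)."""
    warnings = []
    if "bundled" in filename.lower():
        warnings.append("filename contains 'bundled'")
    if size_bytes < listed_bytes * MIN_SIZE_RATIO:
        warnings.append(
            f"size {size_bytes} B is far below the listed {listed_bytes} B"
        )
    return warnings


if __name__ == "__main__":
    # Constructed URL; an existing query string and fragment are preserved.
    print(add_nowrap("https://downloads.example.invalid/FileZilla_setup.exe?ts=1#top"))
    listed = 8_900_000  # 8.9 MB, the size of the real archive quoted above
    for name, size in [
        ("FileZilla3.26.2macosx-x86setupbundled.zip", 798_000),
        ("FileZilla3.26.2macosx-x86.app.tar.bz2", 8_900_000),
    ]:
        print(name, wrapper_warnings(name, size, listed) or "no warnings")
```

An empty result only means neither heuristic fired; it does not establish that the file is the project's own build.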