1Password update failed, site download broken [Caused by McAfee/Cisco AMP]

trastan

So, today 1Password told me that I needed to update to 6.6.439 from my current 6.5.401d. Sounds good to me! Unfortunately, running the update from the Options section results in "1Password for Windows desktop has stopped working", followed by a full app crash.

Okay, so what if I try to re-download the program from the site at https://1password.com/downloads/? No luck! The download instantly fails, and Chrome tells me that there was a download error.

Could you please look into this? My guess is that both the app update and the site are trying to download the same, apparently missing, file.

---

1Password Version: 6.5.401d
Extension Version: Not Provided
OS Version: Windows 7 Service Pack 1
Sync Type: 1Password account

AGAlumB

@trastan: Hmm. That's really odd. I haven't seen other reports of this, and I'm not having any trouble either installing the update or downloading the new version directly. This may just be a caching issue where it hasn't propagated to your area yet on the CDN since it was released only a few hours ago, but do you perhaps have "security" software that may be interfering with the connection? Have you tried another browser? Any luck downloading directly form our update site? Since we're using HockeyApp for provisioning, it may also be that this is blocked on your network. Let me know what you find!

trastan

Hmm. Same deal with directly downloading from your update site. Really odd stuff. I'm on my work network, so maybe it's blocking HockeyApp like you're suggesting. I'll try again later on another network to see if that helps. I'll let you know either way.

Thanks!

AGAlumB

@trastan: Ah, if it's a company network, that wouldn't surprise me at all, as we've had reports that others were seeing HockeyApp blocked at work. You can try this direct link, but I am curious if you're able to download normally using another network.

trastan

So, I've tried a few things, and my guess is that the file does download, but is immediately deleted from my PC. This seems to only happen with 1Password installers - other downloaded exes save and run just fine.

I don't know. This is a work PC, so it's likely that some security program is labeling this as a danger somehow. Even when I'm able to save the program to the desktop (transferring it in via a thumb drive, for example), trying to open the installer causes it to immediately disappear completely.

It's very odd, since I was able to install 6.5.401d without issue.

trastan

@brenty Sure enough, it's the 6.6.439 installer. I just tried direct downloading the 6.5.401 installer from https://cache.agilebits.com/dist/1P/win6/1PasswordSetup-6.5.401.exe, and it downloaded, saved, and ran just fine.

There seems to be some issue with the 6.6.439, or, at least, the security software on my PC sure thinks so.

This is actually starting to make me a little concerned, as I've already installed 6.6.439 on my home PC...

MikeT

Hi @trastan,

If it ran and disappeared right away, that's a crash. Check your Event Viewer to see if there was a crash or send us the log to analyze it:

1. Click on Start Menu, search for Event Viewer and open it
2. On the left sidebar, expand Custom Views on the top and then click on Administrative Events
3. Reproduce the issue with 1Password
4. Go back to the Event Viewer, right-click on the list to refresh. Right-click on any new errors to select Copy > Copy Details as text.
5. Paste it into a new text file with NotePad, save it and attach it to an email, send that email to us at support+windows@agilebits.com along with your forum username and the link to this thread, so we can connect the dots.

Please let us know here when you sent it, so we can confirm we got the email.

trastan

@MikeT A crash? I'm a little skeptical - why would a crash cause the original exe to be deleted without a trace? How could the file have been deleted immediately upon downloading, before I tried to run it?

Further, after successfully downloading the file from any source, I am unable to download the file again. The browser just gives me a "Download error" message. Having the Event Viewer open during this time causes it to pop up with a "Security - Access is denied" message.

So, the order of events:

• I download the 6.6.439 exe successfully.
• I attempt to run the exe.
• The exe deletes itself.
• I am blocked from downloading the exe again.

My security software is seeing the 6.6.439 as a threat.

MikeT

Hi @trastan,

That was prior to your second reply, which I didn't see. I was referring to this quote:

Even when I'm able to save the program to the desktop (transferring it in via a thumb drive, for example), trying to open the installer causes it to immediately disappear completely.

Because if it was removed, you wouldn't see anything start, it just won't run. However, we're going to improve on the download experience to indicate an error that the file has been removed, rather than crashing.

This is actually starting to make me a little concerned, as I've already installed 6.6.439 on my home PC...

We had this same build out for a while in the beta channel and it is uploaded on Virustotal with a clean health of bill from all anti-malware solutions on VirusTotal.

My security software is seeing the 6.6.439 as a threat.

What security software are you using? This most likely is a false positive because the security software may be viewing it as a new file as we've released it this morning to everyone on the stable channel. Due to the encryption library stored in 1Password, some anti-malware solution tends to be overaggressive and block them by default. Note that each update has a different hash, so security tools will vary in its behavior toward 1Password unless they trust our code signature, which not all tools have.

trastan

@MikeT I believe that it's McAfee, but I'm not sure what all is on this PC. I'm not IT, so I'm not going to go mucking around changing settings or adding exclusions to make this work.

I suppose I'll just wait, and try again in a week or so. I wish I knew why this particular installer is being flagged and deleted.

AGAlumB

@trastan: In a lot of cases when we hear from folks with McAfee at work, it's managed — i.e. you won't be able to change any of the settings, since they're configured centrally by your IT department. That's interesting that you're not having trouble with the old .exe, perhaps because it's already been flagged safe since it's been around a while, or some change we've made in the new version is triggering something in their pattern matching. Definitely let us know if you're able to get any information from your IT department, and if there's any information they need from us...or if it just starts working. We'll see if there's a way we can get the .exe unflagged with McAfee if that's the root cause (I've just contacted them via email).

ref: PKP-71441-448

trastan

@brenty Thanks for your reply. This morning I was confronted with many of my PC applications (particularly MS ones, such as the Office suite and IE) giving me a "resource unavailable" error when I tried to load them. Of course, the programs were still in their directories when I browsed to them. I took my PC to the IT help desk, and they discovered that Windows had somehow decided to blacklist a large number of programs on my PC (I wasn't able to see the screen at the time, so I'm not sure if it was actually Windows or McAfee). Once they cleared that list, things seemed to be working better.

Even so, I later went to try the download of 6.6.439, and was again presented with the failed download error. At this point, I don't know what the issue is. I'll just keep using this PC and see how it goes. If there are any further developments, I'll be sure to post and let you know. I really can't imagine that there's anything wrong on your end, but I'm sure that you'd like to know what the final culprit ends up being, regardless (if we ever find out).

Crazy stuff.

MikeT

Hi @trastan,

Download error where, in the app or on our web site? Did you try downloading with the direct link instead?

That can happen if your work is intentionally blocking HockeyApp.com we use to find the latest download.

trastan

@MikeT Actually, all three methods - on 1password.com/downloads, via the direct link, and through the auto-updater in the software. The first two give me the download error (literally "Failed - Download error" in Chrome), and the app itself just crashes when I try to make it auto-update.

Windows does NOT want that installer on my PC at any time, for some reason.

MikeT

Gee, I wonder why it is overaggressive like that.

baristadice

At my work place Cisco's FireAMP also tagged this as trastan described. I was sent this info:
Cisco AMP for Endpoints found a total of 2 events matching your subscription named Indicator of Compromise since 2017-06-20 12:23:07 UTC.

1. o Event Type: Executed malware
   o Computer: HARMELIP-2ABD97.office.ads.gvsu.edu
   o Hostname: HARMELIP-2ABD97.office.ads.gvsu.edu
   o IP: 148.61.110.64
   o Detection: Auto.51FD5D2B9D.Locky.tht.Talos
   o Detection SHA-256: 51fd5d2b9d780fc92dfdb488a85e3034af286a7b2ba6fbd3348c16a60fd9bb72
   o Application SHA-256: 50acd084d6e2b3eaa6841021c8aa113d7f61d3f5822d865d12a10b264ed746f8
   o Timestamp: 2017-06-20 12:34:42 +0000 UTC

o Event Type: Potential Dropper Infection
o Computer: HARMELIP-2ABD97.office.ads.gvsu.edu
o Hostname: HARMELIP-2ABD97.office.ads.gvsu.edu
o IP: 148.61.110.64
o Detection: Auto.51FD5D2B9D.Locky.tht.Talos
o Detection SHA-256: 51fd5d2b9d780fc92dfdb488a85e3034af286a7b2ba6fbd3348c16a60fd9bb72
o Application SHA-256: 50acd084d6e2b3eaa6841021c8aa113d7f61d3f5822d865d12a10b264ed746f8
o Timestamp: 2017-06-20 12:34:42 +0000 UTC
Log into your Cisco AMP for Endpoints Console for more information.

PDH

MikeT

Hi @baristadice,

Thanks so much for sharing that.

The SHA256 hash is correct for 1Password 6.6 installer (51fd5d2b9d780fc92dfdb488a85e3034af286a7b2ba6fbd3348c16a60fd9bb72) but I'm not sure why it says the detection SHA-256 and not the application SHA-256. Are you guys pulling directly the file from our web site?

This is likely a false positive because we have an encryption library that encrypting randomware may be using, so our file is getting flagged as false positive.

Can you report it to Cisco as a false positive to start the investigation and we'll look into doing this as well.

Manaburner

@MikeT
do you sign your installers with a signature that is trusted by Windows? Maybe there's a group policy in place that disallows installers that are not signed "properly".
Just a wild guess ;)

MikeT

Hi @Manaburner,

Yes, we do and it is also listed as valid in the Virustotal report here.

It doesn't explain why the previous build with the same code signature works or why Cisco would flag it as infected with Locky.

Just in case, I've downloaded the file via IE and there is no smart screen issue.

We'll get in touch with Cisco and McAfee to see what they say.

mcj

Just FYI, I'm getting the same error with SourceFire (which I think is also Cisco).

MikeT

Hi @mcj,

Thanks for reporting this, please do report it as a false positive. The more customers report it as false positive, the quicker they can look into it.

MikeT

Hi guys,

Just an FYI, Immunet has fixed the false positive for us:

https://twitter.com/immunet/status/877958886585647104

This applies to Cisco AMP, SourceFire and Immunet, they're all related.