Goodbye FileZilla
I have been using FileZilla since it came out (I think?) back in 2001. It was heralded as an excellent FTP client and server, and I would have to agree. I used it on and off for many years. It was always my go-to piece of software for FTP, as both the client and the server. One thing that really upsets me is when software providers all of a sudden decide to start providing their software as bundled installers. It’s misleading and wrong. It’s especially bad when the software it’s being bundled with is what people would generally consider almost a virus. I can’t say that FileZilla bundles their installers with harmful viruses per se, but they do bundle it with adware and Potentially Unwanted Programs (PUPs). People generally dislike this, and it’s a weak argument to say, “We have both a bundled and unbundled installer” when the bundled installer is the giant green download button.
This unfortunately is a reminder of when I got hit with malware installing CDisplayEx back in 2014. The jerks who run that project are making the same defenses that FileZilla is now making, which is just sad. There is nothing wrong with asking for donations or selling merch to fund your project, but there is everything wrong with taking advantage of the trust of people who have for years blindly installed your application because they love(d) it. It’s a violation of trust and it will damage your reputation. Clearly the people who work on FileZilla don’t care, because they parrot the same nonsense reasoning I got from the criminals running CDisplayEx now, after the original founder died. “If you are too stupid to not click on the giant green button, that’s your fault.” is the line I am paraphrasing which I got from the CDisplayEx acolytes. FileZilla’s responses are no better:
I do not recommend using FileZilla for work
I unfortunately had a very poor experience several years back, in 2019. I felt very guilty when I recommended that a co-worker install FileZilla when they asked which FTP client to install. For me it was a robotic response: “Oh, you need an FTP client? Just use FileZilla!” I had not known that FileZilla’s integrity had suffered and that they had started bundling their installer with hot garbage no one wants. I usually do not deal with this problem because I use Ninite.com for my basic installers, which automatically downloads and installs software for me and skips any potential bloatware. My poor co-worker downloaded FileZilla from their website, installed it, and corporate immediately flagged her computer as compromised. Her computer had to be sent TO CORPORATE physically and she was out of commission for about a week. Corporate bugged out, which is enough reason for me to say, “DO NOT USE FILEZILLA ANYMORE FOR WORK!”
At the time I did a bunch of research, and if you want to entertain yourself, the FileZilla forum is full of people complaining about virus scanners detecting malware in the FileZilla installer. There is one post in particular that I can no longer find which was awe-inspiringly stupid. A user pointed out that if they did not get reassurance that FileZilla was not infected with malware, then they would ban it from company use. The well-known site administrator “botg”, who is none other than the author of FileZilla, Tim Kosse, replied to the user with a bunch of nonsense answers to misdirect the user. It really was repugnant to witness a software developer not clearly answer a question about how their own software works, writing tons of lorem-ipsum-equivalent replies instead.
It annoys me that I cannot find this post anymore, because to me it was the clearest example of being caught red-handed. There was a process found to be inside of FileZilla called “tofufetti.exe” which was allegedly reporting information out during the usage of FileZilla. That’s what sparked the security user’s inquiry. Botg refused to answer the direct questions about why this other process is required. Ultimately, just like so many of the posts concerning security conclude, the user said, “No thank you – you are banned from this organization.”
What if I still want to use FileZilla for personal use?
Tread carefully. I would also recommend not using it anymore personally, but if you must:
- The big green button that says “Download FileZilla Client” is a sponsored link, which is the bundled installer that everyone is upset about. Do not use this link.
- At the bottom of the page you can see a link that says “Show additional download options”. Supposedly these are the safe links. I downloaded the zip file and scanned it with a virus scanner, and it came back clean.
Alternatives to FileZilla
- WinSCP seems to be the only other worthwhile free alternative. It pales in comparison to FileZilla, sadly.
- The other option is to purchase a client from a serious vendor who isn’t going to play games with you. I considered purchasing CuteFTP, but since this was for work I opted to go the free route unless work would foot the bill, which they usually don’t want to do.
- Other FTP options pending review: https://en.wikipedia.org/wiki/Comparison_of_FTP_client_software
- Ultimately, I stuck with WinSCP after speaking to several people who are security conscious.
FileZilla forum posts about viruses
There are too many examples to share or to link to directly. Also, since I cannot find that original damning post from 2019, that tells me they are either pruning posts that are older than X years or they flat out deleted that thread because it made them look so bad. I wish I had kept a copy of it. Therefore, instead of me keeping links which will eventually die, just go read anything that matches this keyword search:
- https://forum.filezilla-project.org/search.php?keywords=virus
- https://www.google.com/search?q=filezilla+virus
- Organizational ban example: https://security.it.miami.edu/stay-safe/sec-articles/filezilla-issues/index.html (this is from the University of Miami (UM))
- I am sure there are more bans like this, but they aren’t publicly visible, probably sitting on an intranet.
When the support people speak like this to their users, that’s a clear sign to stop using their software. Here is a more recent example of such “support”: https://forum.filezilla-project.org/viewtopic.php?t=50565 (if this link goes dead, I have a full copy of the post below).