Ask Your Question

Application plus malware were downloaded upon getting LibreOffice from your website!

asked 2020-03-08 12:55:14 +0100

Vesta C.R. gravatar image

I have downloaded LibreOffice from your website, I made sure to not download any of the advertized apps/features/extensions that annoyingly pop up at the beginning of App, an antivirus called SAntivirus Realtime was downloaded anyway, and it has gravely affected the performance of my computer. It was like a virus, not allowing me to remove the file in standard boot, telling me "files were locked" and of course I had to reboot in safemode to finally eliminate this application, which I wouldn't be bold to say was more like a virus on my computer as upon it showing up there was also a keylogger bug discovered on the same day!! So, Libreoffice...if you are going to offer clean, and free downloadable files...why possibly harm your customers?

edit retag flag offensive close merge delete



Someone interested in spreading malware/adware/nagware/... may well offer a download site mimicking the official one. Did you thoroughly read the URL? What was it?

Lupp gravatar imageLupp ( 2020-03-08 13:20:58 +0100 )edit

To add to what @Lupp said (and please answer his questions) SAntivirus Realtime is known malware. See link text for example.

LibreOffice does not offer to install any additional software ("apps/features/extensions") and never has.

BigRAl gravatar imageBigRAl ( 2020-03-08 18:21:21 +0100 )edit

It was downloaded from

Vesta C.R. gravatar imageVesta C.R. ( 2020-03-09 10:05:38 +0100 )edit

Your link is which is an unsecure HTTP-link. My browsers do all switch automatically to which is a secure encrypted HTTPS-link, where people can see which certificate is affiliated with the connection. Which browser are you using?

sveinki gravatar imagesveinki ( 2020-03-09 12:48:09 +0100 )edit

@sveinki: OP has just typed without any protocol (and it was automatically linkified by the AskBot). In fact, that was not a proper answer from OP at all, given the detailed instructions from @keme.

E.g., OP could mis-type a character back then when downloading LibreOffice, and be using some malicious site with a similar name; now typing it here, the same typo could not happen. Or some specific mirror hosting packages could get compromised. That's why copy-pasting of the download URL is needed, not some addresses typed anew from memory.

Mike Kaganski gravatar imageMike Kaganski ( 2020-03-09 13:08:14 +0100 )edit

same me got the unwanted program, just follow free instruction how to get rid of SAntivirus also called segurazo

Mattcc gravatar imageMattcc ( 2021-02-15 13:33:58 +0100 )edit

4 Answers

Sort by » oldest newest most voted

answered 2020-03-09 01:07:29 +0100

keme gravatar image

updated 2020-03-09 08:25:57 +0100

Please help the LibreOffice to keep the set of downloads clean!

Share your download link with us if possible. If that shows an address linked from the LibreOffice pages, and the content is not clean, the web admins must be alerted. Also, if you remember how you reached the link (by search, linked from other page, help from a friend), that may be useful information.

To find the download link, open your browser and then view downloads. In some browsers (Firefox and Internet Explorer I know of) ctrl+J is a shortcut keypress to open download history. You may need to click "show all" or similar to have previous downloads listed. Hopefully, your offending download has not been purged from the list yet.

Right click the entry in the downloads history, and select "Copy download link". Paste the copied link in a comment to your question, or a comment to this answer. Click the link "Add a comment" to open a new blank comment entry. Add any other info you have which may be useful in investigating the case.

edit flag offensive delete link more


It was downloaded from

Vesta C.R. gravatar imageVesta C.R. ( 2020-03-09 10:05:15 +0100 )edit

@Vesta C.R.: please read @keme's description of what is needed to identify the problem. LibreOffice site allows you to choose what to download; but the download itself happens from one of multiple mirrors throughout the world (provided by third parties who donate their servers and bandwidths to host the packages: otherwise, The Document Foundation would possibly be unable to serve millions of downloads). All mirrors must give you the same packages. If some mirror became corrupted/compromised, we need the specific URL of the download, not of the page that you used to choose.

Mike Kaganski gravatar imageMike Kaganski ( 2020-03-09 10:48:14 +0100 )edit

I would suggest to post any probably unclean link here always as preformatted text to avoids its calling a site on inadvertent clicks. E.g.

Lupp gravatar imageLupp ( 2020-03-09 13:25:28 +0100 )edit

answered 2020-11-21 18:08:06 +0100

khan flo mah gravatar image

updated 2020-11-21 18:13:48 +0100

I find a very troubling behavior on community boards (besides the fact that rich companies are getting away with free customer service for their products) When someone says they have an issue, then they have an issue. What they say they did, then thats what the did. Some will say "you must have meant this.. or that... then the answer given is based on that assumption.

the reality is, I myself have downloaded libre and when sending the saved document to my wife at work, it attached malware. She opened it up, and could read the letter. then she went to print. and it said "disable protection?" She clicked "yes" and it printed, but then she ended up with ads due to malware.

I am not computer illiterate. Lets say I myself have adware lurking and it attached to the outgoing email. if that's the case, it would also be present in something other than the one program...Libre

But if there is a breech making libre vulnerable, or the site itself is doing it and making profit by doing it to people that actually dont have libre in the first place, who try to use files made in libre, the OP issue happens. And NO, it wasnt downloaded from some misleading website. I am fully aware of how to download things.

so here is your out, if you already don't see it. You can say, "well you likely have malware" and ignore that its libre which facilitated it. Or you can start to wonder is libre doing it as of recent, to non libre users, or for a time they may have had an issue that was corrected.

We would never know, because like most giant companies, the actual employees never or rarely ever speak on anything to provide actual customer care.

Lets be clear. there is no such thing as a free program anymore at levels like libre. they want to make money. how are they doing that?

the question was, "how do I get rid of it"

An easy answer would be getting CCleaner from this link. After running the program, you can have it show what programs are on your computer, based of date of install. Find the date you got Libre or came in contact with libre, and see if there is another program installed on that same date and time.

Delete that program.

this fix assumes that the program attached wasnt trying to be evil, and deliberately made to hide on the computer. to fix one that ISNT being shown that easily, you need a program called Malwarebytes (NEVER NORTON! they are worse than the pop ups are as far as I am concerned, demanding I renew, or upgrade, bla bla bla)

Learn about Malwarebytes somewhere else though thats more involved. My answer is based on the facts presented to me. that the person downloaded properly. Likely when asked, the person just typed as an answer, and the ... (plus)

edit flag offensive delete link more



Nevertheless TDF infrastructure guys must investigate the case. As explained by @keme, telling the malware was downloaded from libreoffice is insufficient evidence. The URL could have been, or even, all similar enough to the real URL that memory will swear it was the real URL.

I tried and you reach a site proposing download. The page has the official LO logo but is not TDF controlled. And the supposed version is not up-to-date (claiming 6.4.2).

And I don't speak of a possible replacement of letter o by digit 0 which a favourite if ill-intended people to catch involuntary typos through their site.

Everybody is taking the issue seriously but there is an utter need for technically accurate information. So, if you also experienced malware downloading, report the URL according to @keme's procedure.

ajlittoz gravatar imageajlittoz ( 2020-11-21 18:26:44 +0100 )edit

Hey, everyone, the question is 8 months old and the OP never did properly answer the question about where exactly (full URL) the download came from. Let us not agonize over someone's evident computer illiteracy.

ve3oat gravatar imageve3oat ( 2020-11-21 21:23:48 +0100 )edit

the question is 8 months old [,,,] Let us not agonize over someone's evident computer illiteracy.

Whereas this particular question is getting old, the issue is recurring. The download indirection is a lasting solution. When the answer is not straightforward, conveyng the complexity itself is useful. The download redirection is automated most of the time, and currently there is no clue, not even a new mirror site page turning up.

We, the users, have varying levels of computer literacy. Working in 1st/2nd tier support in a secondary school, serving students, teachers and guests, I see all levels and I recognize that not everyone possess the resources (be it time, motivation, info source, or intellect) to bring them up to the desired literacy level.

Not agonizing, but let's work together, helping each other out. We are good at different things.

Help may be in the form of "what happened ...(more)

keme gravatar imagekeme ( 2020-11-22 15:16:17 +0100 )edit

Good points, @keme. And I agree with you.

ve3oat gravatar imageve3oat ( 2020-11-22 21:29:28 +0100 )edit

answered 2020-11-28 20:31:19 +0100

panjandrum gravatar image

I also have a bunch of malware immediately since updating Writer directly through the client-side update process. Now I have a masquerading version of TMeter hogging up resources I have to deal with. Aside from the suspicious NXr gang you have managing your english dictionary gits, now this. LibreOffice is dead to me.

edit flag offensive delete link more


This is not a solution to the initial problem. Copy your "non answer" as a comment under the question.

While you're at it, provide useful information. As is, it is only a "me too" and is worth nothing to identify the cause. Copy the URL you downloaded from so that we can make sure it comes from the official site. Hackers are very good at masquerading real URLs in very subtle ways.

What is your OS? Sometimes, vulnerable OSes (like Windows) can be altered so that the legitimate URLs are redirected to infected sites.

Tell us which procedure you followed. Describe it thoroughly, step by step.

ajlittoz gravatar imageajlittoz ( 2020-11-28 20:51:12 +0100 )edit

Ah yes, the classical defensive pedantry from the LibreOffice gang.

Okay, here are the steps:

  1. Use your janky writer app that's been knownto be vulnerable to malware exploits.

  2. Get an annoying popup in the top right-hand corner for a month urging me to update. Click it with the hopes that feedback issued last month about racist spellcheck suggestions lead to some fixes.

  3. Download the installer, install and grow suspicious of the lengthy installation and deployment and registry-related processes.

  4. Immediately notice performance drops associated with weird pseudo-windows processes in task manager, NOD32 dings.

  5. Uninstall this mess

panjandrum gravatar imagepanjandrum ( 2020-11-28 22:12:51 +0100 )edit

Ah yes, the classical rant of frustrated egotist ones who don't realize we aren't official TDF representatives but simple users trying to help other users and sharing whatever knowledge we gained about the suite.

You don't even provide basic information allowing to understand the issue: what is your OS? Some OSes are well known for their vulnerability.

Your first link is even broken "Error 404"!

You didn't tell where you got the app from start. Is it from a trusted site? The only way to tell is to quote exactly the URL. There are too many download sites luring you into thinking they are endorsed.

You didn't mention the suite version.

You didn't even read the How to use the Ask site page nor the Guidelines.

Apart from sympathizing for the mishap, what do you expect from us without minimal information?

ajlittoz gravatar imageajlittoz ( 2020-11-29 08:06:47 +0100 )edit

Heh, the first "link" was in fact two separate links - one and two - the second one was also posted separately...

and the user was so clueless that didn't realize how those two links were contradicting the premise: the first one told about TDF trying hard to follow all Apple's published procedures, and still Apple issuing wrong warnings, undermining the value of its own "protection" (if its protection does not pass applications notarized as it requires, making it necessary for users to override the protection, then the protection would do no good in a real treat case); the other was about a vulnerability that was instantly fixed in LibreOffice - that is known for its reactivity to such problems - but not in AOO, which is mentioned in the article...

Mike Kaganski gravatar imageMike Kaganski ( 2020-12-16 07:29:59 +0100 )edit

answered 2020-12-13 18:27:23 +0100

vanguard gravatar image

Till now no solution. Why are the affected links not removed till now. How many systems are successfully infected.

edit flag offensive delete link more


This is not a solution to the problem.

You submitted the same complaint as 282335/libreoffice-packaged-with-malwareand-virus-wrong-checksum-value-and-virus-total-warning-in-libreoffice-downloaded-from-official-download-link-and and you didn't mention it.

Repost as a comment.

ajlittoz gravatar imageajlittoz ( 2020-12-13 18:58:28 +0100 )edit
Login/Signup to Answer

Question Tools

1 follower


Asked: 2020-03-08 12:55:14 +0100

Seen: 628 times

Last updated: Dec 13 '20