I tried installing this game from the offline installer, but when I try to virus scan it, it says it is a "password protected file", Any way that can be removed from the offline download file?

Since when has GOG ever made policy to put passwords on anything? What garbage heap of a trash fire antivirus would even detect such a thing on a compressed file that installs a game from 1980/2004?

First install possible virus/malware, then scan it. Got it, good idea!

Well you could always install it via Galaxy (if you already have that piece of malware on) and then scan the appropriate folder.

Generally malware is going to be fairly small, not huge, so a brand new AAA game that's only 30Mb? Unless it's using very good compression (.kkrieger) it's less likely; While a questionable installer with 8Gb of data is unlikely to be the type of thing to rewrite your harddrive and encrypt it and demand you pay in bitcoin. Some 'Malware' is more 'Scareware', but that's another topic.

But let's be serious. I agree with you, installing something is iffy at best when you want to know if it's safe. So have a serious computer you only put on safe programs you trust for work and personal information, and on a gaming or other machine you don't mind if you toss the entire contents of the hard drive out and reinstall fresh or from a save-state with the preinstalled drivers to make the machine good to go.

On the other hand, a storefront selling software rests it's reputation on NOT selling malware and viruses, and if you prove you got one that was intentionally offensive it may tank a company's reputation, thus it's less likely they will.

If you don't trust GOGs installers, this site is not for you. That also means that you can not use Galaxy, since you can't scan the files prior to the download to your hard disc.

And all sarcasm aside: You can have thousands of infected files on your systems without being in any danger. As long as they are not executed or opened, nothing happens. So scanning after installation is perfectly fine.
Usually scan on access is enough, that also covers automated access by Windows thumbnail generators.

I'm not talking about myself and/or what I trust. Your advise is still bad.
- Downloading only = nothing bad can happen
- Installing = executing = opening (!) -> This is how viruses, malware, etc. can do 'their job'.

edit: the above is 'in general', not about GOG offline installers or Galaxy game installation specifically.

Well, the question was about GOG and it's installers and that's what I answered to. I even mentioned the word "installers" ... twice. That's what I was saying. As long as you don't start the game, potentially contained malware won't harm you.

What is your opinion about the GOG installers? Can they be trusted or not?

You said: "So scanning after installation is perfectly fine"
I said: Installation is potentially harmful. Anti-virus/malware software (like Windows Defender) usually scans the GOG offline installers automatically before ever running them.
They're probably all fine but you can never be a 100% sure/safe.

As a Software-Developer myself, one of the core principles (for me at least) is: Never trust incoming data, especially usermade (interactive stuff).
It's a good practice to check/scan data, even from trustworthy sources.
It doesn't need to have to be always malicious intent for corrupted/infected stuff, it could be that the sender is unaware of it, too :-)

But usually, in case of such sites as GOG which handles and provides a large amount of data to download, there are measurements in place to ensure the integrity etc. and that's where i would trust them a little bit more than others. Also, if something goes wrong in this matter, it wouldn't take long everyone to notice! (I mean in case of virus/rootkits etc.)

And yeah, password protected installer-files/data are such an idiotic decision and makes no sense at all...

Installation often involves executing programs contained within as part if the overall process. And this can happen without further prompt from the user.

1. do you know any GOG installers that may do something like that? I know some run scripts for registry entries (Tales of Monkey Island being an example). Most of the time we complain about the GOG installers not installing the necessary runtimes.
2. The 'on access' scan would trigger then when programs are being executed, so protection is active.
3. do you know any scanner that would be able to find a problem like that before the chunks were unpacked? Because then I agree, then it would make sense.

While not a virus, Shadow Warrior free on gog can almost crash Windows 10, when opening certain folders in the games folder. Not some crap pc either. I had the pc isolated from internet altogether. Anecdotal I know. But some games are wonky. No malware warnings. It just hung the folder and required a task manager to force it closed every time I open the games folders. So I deleted it and never got it again.


FYI, it happened on 2 different computers using win10.

Well, it's the runtimes which I was referring. If you've got dotNet redists included in the installer and they get launched without prompting the user, then if they contained anything malicious (not saying it's likely, but let's just use this as an example) then the execution has already occurred. Yes, good AV packages scan in progress and nab stuff as they happen. As for detecting the segments of code prior to unpacking ... no, probably not... depending on how it's packaged/compressed. I don't know nearly enough about how they work to say so definitively.

It's just, well, your advice sounded ambiguous/absolute, and when dealing with users of much lower knowledge base here they might take it as verbatim that it's OK to, say, turn off their AV to install and just turn it back on later to scan the install directory. Which, don't laugh, some may actually do because they have had issues in the past with false positives or think it'll significantly speed up the install process.

All I am saying is that it's pointless to scan the GOG installers, no more, no less. And I very much mean that as an absolute.

I certainly don't laugh. In fact for a part of the software we sell, that's sometimes necessary too, even if we have all the certificates from Microsoft, some AV softwares don't accept them and sometimes it's even caused by some Windows admin settings, especially for network installations. We also use a launcher to download licencing service and the software products.