Why is nexus mod manager protected by password as an archive? There were a lot of reports that nexus contains malware, and that supports it.

[ghost]

try unpacking the latest installer with any archiver. This app is OPEN SOURCE, there is no reason whatsoever to do this other than preventing AV from scanning it. The "custom install" version from nexus is also very suspicious

[DuskDweller]

Why do you want to unpack the .exe installer with an archiver is beyond me. Anyway if you're downloading it from this Github page: https://github.com/Nexus-Mods/Nexus-Mod-Manager/releases then it's safe. Since 2018 NMM is no longer mantained by the Nexus Mods website so we lost their digital signing of the installer and the program's .exe, but I'm still the one compiling it and this means it's the same as before, just no signing.

If you're downloading it somewhere else, then: no, don't do it.

[inikishev]

Why do you want to unpack the .exe installer with an archiver is beyond me. Anyway if you're downloading it from this Github page: https://github.com/Nexus-Mods/Nexus-Mod-Manager/releases then it's safe. Since 2018 NMM is no longer mantained by the Nexus Mods website so we lost their digital signing of the installer and the program's .exe, but I'm still the one compiling it and this means it's the same as before, just no signing.

If you're downloading it somewhere else, then: no, don't do it.

I tried to unpack latest github .exe and got the same results. It is always reasonable to want to unpack .exe if you want to scan it for malware. If .exe is protected by password, it is indeed a plausible scenario that it is protection from scanning by anti-virus applications like virustotal. Github does not magically make everthing safe, many examples prove that. What is beyond me is if there is no malware, why protect open sourced software by password? I can't imagine a single scenario where this would be useful, which leads be to believe that nexus mod manager is distributing malware. If it does, I wouldn't trust the new Vortex as well

[inikishev]

You are ignoring the hard evidence and using your powers to hide the evidence from other people

[DuskDweller]

Please, humor me, you're saying that:

• Github is hosting a malware without noticing
• VirusTotal is reporting it as clear (https://www.virustotal.com/gui/file/4539b8701ca91f2f5f8cf92fa994365f8aa70f7ac3b86bda326b478f22a1a61a/detection) because it's part of the conspiracy
• Thousands of users are affected by a malware without noticing it

I'm sorry, I'm not that good.

The installer is made using Inno Setup Compiler, if you know of a setting to make it pack the archive without encrypting it with a password please let me know, I'll be happy to compile it this way just for you (or whoever wants it, it'll come bundled with a tinfoil hat).

[inikishev]

Github is hosting a malware without noticing

Github is not some kind of god that can magically detect all malware uploaded to it. How many times do you think anyone has ever looked in the NMM .exe installer for malware? Not a single time, the .exe is encrypted, the automated scanning can't scan it, doesn't detect malware, and no one cares beyond that.

VirusTotal is reporting it as clear (https://www.virustotal.com/gui/file/4539b8701ca91f2f5f8cf92fa994365f8aa70f7ac3b86bda326b478f22a1a61a/detection) because it's part of the conspiracy

Virustotal can't magically decrypt the exe either.

Thousands of users are affected by a malware without noticing it

You are not supposed to notice malware, since then you would try to find it, delete it, add it into AV databases. You are supposed to notice only specific types of malware that show you something.

The installer is made using Inno Setup Compiler, if you know of a setting to make it pack the archive without encrypting it with a password please let me know

Don't use it then, just pack files into an archive. I don't see why a mod manager wouldn't work without a setup program, unless the installation does something malicious under encryption.

[DuskDweller]

I will add an archived version of the program with the next release so you will feel safe.

[squid-box]

It's likely the property SignedUninstaller that is rendering the installer "encrypted". Changing it to false I'm able to open the produced installer with 7-zip at least.

I don't see why a mod manager wouldn't work without a setup program

It will work without installing, but for most users it's easier to have it installed so you don't have to replace files / recompile it yourself with every update.

The only way to feel completely safe is to clone the repo, inspect every part of the code / referenced libraries, and compile and run it yourself.