

Lenovo's SuperFish Removal Tool on GitHub - akoeplinger
https://github.com/lenovo-inc/superfishremoval

======
rsync
I hate to collapse the high level of discussion on HN all the way down to the
least common denominator "my computer doesn't work" discussion, but ...

There is no such thing as cleaning your PC or removing the malware or removing
the virus(es).

You reload the OS, from scratch, with non-OEM (that is, generic) OS media.
Otherwise you will lose.

This has been true for 20 years and it only gets more true as OS software
becomes more abstracted and tightly coupled to hardware.

Do not remove superfish. Do not "clean" your PC. In fact, don't even upgrade
your OS from one major revision to the next. Wipe your system, install from
generic media.

Tell everyone you know.

~~~
elithrar
I can see this NOT being an option for a lot of users—"Mom and Dad" types,
people who travel, etc. Many would prefer nothing is done if it's an option
between "full reinstall" and "live with the cert".

In this case Windows Defender and Lenovo's own tool remove the app +
certificate. I think that's certainly "enough" as we're not dealing with
malware which has trashed the system in other ways. Heck, they have to pay for
a fresh copy of Windows first too.

TL;DR: "Clean install from a standard image" sounds like great advice on paper
but it's not practicable for normal users.

~~~
toothbrush
> In this case Windows Defender and Lenovo's own tool remove the app +
> certificate. I think that's certainly "enough" as we're not dealing with
> malware which has trashed the system in other ways.

You don't know that for sure. Hence, reinstall. Also, why not use a Libre
operating system? I've never had my GNU activation fail.

~~~
smkelly
I guess you never mistyped a Red Hat Enterprise Linux installation number
before then.

~~~
derekp7
You mean that monstrosity from RHEL 5? I'm so glad they got rid of that in
RHEL 6.

------
pilif
_> return ( (Issuer.ToLower().Contains("superfish, inc")) ||
(IssuerName.ToLower().Contains("superfish, inc")) );_

While in this case, it might be ok, please never do this in your own programs.
Before deciding to act on something, make sure that you are as precise as
possible before taking action.

In this case, as all machines had the same certificate, use the key
fingerprint or the whole certificate for comparison. And failing that, do an
equality match on the name. A case insensitive substring match is way too wide
and you might be accidentally removing things you didn't want to remove
("pilif's Superfish, Including production" is an issuer name of a certificate
that would be removed by Lenovo's code).

It's easy to be accurate when checking. It's hard to undo accidental damage.
And no matter how much time it takes you right now to go the extra length, it
will pale in comparison to the hell you will have to go through once the
accident happens.

~~~
len_shame
Let's also not forget the multiple 100+ line methods and try-catches which
don't even bother to log or handle the error they catch.

There also doesn't appear to be tests, at least at first glance.

Edit... Taking a closer look there is clear copy-pasta and several potential
bugs

------
fpgeek
Wow. Releasing the source to the removal tool might be the first right (rather
than actively wrong and then merely a little less wrong) thing Lenovo has done
in this entire disaster.

It feels like I can almost hear the screams of the engineers explaining why a
black-box removal tool is nowhere near enough.

~~~
nkozyra
Their hand was forced. I'm sure this is going to cost some money, possibly by
both sides.

The notion they were unaware of what Superfish was and did is simply
implausible. This is damage control, full force.

~~~
Ded7xSEoPKYNsDd
> The notion they were unaware of what Superfish was and did is simply
> implausible.

They certainly knew they were installing creepy adware for money, there is no
doubt about that.

I don't think we know whether they looked close enough to see that they were
MITM-ing SSL connections. I don't think they'd have objected either way, but
I'm not certain.

I'm sure they didn't know about the security issues. (Mostly because they
wouldn't have thought to look for them, but still.) Even after that disastrous
CEO statement that called the security issues 'theoretical' I don't think
they'd knowingly ship software as broken as that. (It might be different for
government backdoors, but those are more likely in the hardware, firmware or
hardware drivers just because the interesting enterprise and government
customers would never use a Lenovo-provided image with Superfish anyway. And
most likely Lenovo the company doesn't know about the backdoor either, only
the single engineer that built it.)

~~~
CountSessine
_Even after that disastrous CEO statement that called the security issues
'theoretical'_

I think this is the real outrage here - that the company is run by an asshat
who thinks that little of his customers. I refuse to recommend Lenovo or any
of their products until this guy either demonstrates unreserved contrition
(and by contrition, I mean a clear apology that acknowledges that the very
concept of installing such an intrusive and obnoxious program on their
customers' computers is wrong), or is sacked. Buying or recommending anything
from Lenovo under the current circumstances is unacceptable.

------
reirob
I just followed Lenovo’s instructions [0] to uninstall SuperFish on a friend’s
computer (Lenovo Yoga 2, Win 8.1). These instructions are NOT sufficient.
After uninstalling SuperFish through the normal windows uninstallation
program, and the Root CA certs for IE and Firefox, suddenly none of the HTTPS
sites worked! The browser complained (rightly) that the certificate is
wrong because it is signed by SuperFish.

I had to do some research to find out that there is still a service called
VisualDiscovery, which is activated on startup. Looking in the properties I
can see that it starts “C:\Program Files
(x86)\Lenovo\VisualDiscovery\VisualDiscovery.exe”. I stopped it and now it
works as supposed. But I still have to find a way to uninstall this stuff.

I’m a Linux guy, but I find it crazy that after uninstalling
VisualDiscovery/SuperFish there are still executables and a service remaining
on the disk. This is crazy.

[0]
[http://support.lenovo.com/us/en/product_security/superfish_u...](http://support.lenovo.com/us/en/product_security/superfish_uninstall)

~~~
DAllison
(Apologies if the formatting is problematic, my first post).

1. Stop the service:

    sc stop VisualDiscovery

2. Open up your favourite process manager and remove any superfish processes
(containing the word superfish).

3. Perform the uninstall via Add/Remove Programs (under superfish)

4. Confirm %ProgramFiles%/Lenovo/VisualDiscovery is deleted.

5. Open System32 and confirm there are no files beginning with
VisualDiscovery

6. Open AppData and confirm that no files start with VisualDiscovery

7. Remove certificates (Firefox and Global).

8. Remove from Registry: HKLM\SOFTWARE\Wow6432Node\VisualDiscovery.

After that, VisualDiscovery should be fully removed.
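Pulling DAllison's eight steps above into one script, and applying pilif's earlier point that the certificate should be matched by its exact thumbprint rather than by a case-insensitive issuer substring, here is an added PowerShell example. It is not Lenovo's removal tool and not code posted in this thread. The service name, program folder, registry key and process names are taken from the posts above; the SysWOW64 directory, the two Uninstall registry hives and running the registered UninstallString are my assumptions and are marked as such in the comments. Run it from an elevated prompt, first with -WhatIf.

```powershell
<#
  Added example, not Lenovo's tool and not code from the thread: one script for
  DAllison's manual steps. Run elevated; add -WhatIf first to see what it
  would touch. SysWOW64 and the Uninstall hives are assumptions, not from the page.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # SHA-1 thumbprint of the Superfish root, as listed by this script when run
    # without the parameter. Removal keys off this exact value, never a name.
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Thumbprint
)
$ErrorActionPreference = 'Stop'
$service = 'VisualDiscovery'

# Step 0: with no thumbprint given, only list candidates. An issuer substring
# is acceptable for a human review list; it is not the deletion criterion.
if (-not $Thumbprint) {
    Write-Host 'Rerun with -Thumbprint <value> for one of these certificates:'
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -like '*Superfish, Inc*' } |
        Format-Table Thumbprint, Subject, PSParentPath -AutoSize
    return
}

# Step 1: stop and delete the service that was still proxying HTTPS after the
# normal uninstall. 'sc' alone is PowerShell's Set-Content alias, so call sc.exe.
$svc = Get-Service -Name $service -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $service -Force }
    if ($PSCmdlet.ShouldProcess($service, 'sc.exe delete')) { & sc.exe delete $service | Out-Null }
}

# Step 2: kill leftover processes by image name (names from the thread).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -like 'VisualDiscovery*' -or $_.ProcessName -like 'Superfish*' } |
    Stop-Process -Force

# Step 3: run the registered uninstaller instead of clicking through
# Add/Remove Programs (assumption: both Uninstall hives on 64-bit Windows).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Superfish*' -or $_.DisplayName -like '*VisualDiscovery*' } |
    ForEach-Object {
        # UninstallString is either '"C:\path\to\exe" args' or 'exe args'; split it
        # ourselves so the quoting survives (cmd /c mangles nested quotes).
        if ($_.UninstallString -match '^"([^"]+)"\s*(.*)$' -or $_.UninstallString -match '^(\S+)\s*(.*)$') {
            $start = @{ FilePath = $Matches[1]; Wait = $true }
            if ($Matches[2]) { $start.ArgumentList = $Matches[2] }
            Start-Process @start
        }
    }

# Steps 4-6: remove the program folder and stray VisualDiscovery* files.
# SysWOW64 is an assumption: where a 32-bit service's copies land on 64-bit Windows.
$dirs = @("${env:ProgramFiles(x86)}\Lenovo\VisualDiscovery", "$env:ProgramFiles\Lenovo\VisualDiscovery")
foreach ($d in $dirs) { if (Test-Path -LiteralPath $d) { Remove-Item -LiteralPath $d -Recurse -Force } }
$stray = @(
    Get-ChildItem -Path "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64" -Filter 'VisualDiscovery*' -ErrorAction SilentlyContinue
    Get-ChildItem -Path $env:LOCALAPPDATA, $env:APPDATA -Recurse -Filter 'VisualDiscovery*' -ErrorAction SilentlyContinue
)
$stray | Remove-Item -Recurse -Force

# Step 7: remove the certificate by exact thumbprint from every Windows store
# (CurrentUser and LocalMachine). Firefox's NSS store is separate; see the note below.
Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Remove-Item

# Step 8: the leftover registry key named in the thread.
$key = 'HKLM:\SOFTWARE\Wow6432Node\VisualDiscovery'
if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse -Force }

# Verify: every field should be False once the run (without -WhatIf) is done.
[pscustomobject]@{
    ServicePresent = [bool](Get-Service -Name $service -ErrorAction SilentlyContinue)
    FolderPresent  = [bool]($dirs | Where-Object { Test-Path -LiteralPath $_ })
    CertPresent    = [bool](Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Thumbprint -eq $Thumbprint })
    RegKeyPresent  = (Test-Path -LiteralPath $key)
}
```

Run it once with no parameter to get the candidate list, then with `-Thumbprint <value> -WhatIf` to see what it would stop and delete, then for real. Two gaps remain, matching DAllison's step 7: Firefox keeps its own NSS certificate database, so the Superfish root must still be removed from Firefox's Certificate Manager by hand, and AppData is only searched for the user running the script, not for every profile on the machine.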

~~~
reirob
Thank you, I'll try this.

But why is it not in Lenovo's instructions? After following only their
instructions, you are in a worse state than before, i.e. SuperFish still
working, but without root CAs, browsers shouting (good so), and users
panicking.

~~~
sharth
There's also these instructions from Ars Technica:
[http://arstechnica.com/security/2015/02/how-to-remove-the-su...](http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malware-what-lenovo-doesnt-tell-you/)

~~~
reirob
Thanks. But it omits the step of how to uninstall the service, which is
still running when following all the steps. Maybe it is something just limited
to the Yoga 2?

------
vvpan
They should have also registered rmvr.io and added "Fork me on github" and all
that. Then they'd be hip.

------
kentonv
Well, that's nice, but apparently Microsoft already pushed a Windows Update
that deletes Superfish and its stupid cert, so...

Go Microsoft!

... That was weird.

------
chmod775
As I see many people complaining about the code quality and the lack of tests
et cetera:

You have to cut the developers some slack considering the time they had to
develop this.

They clearly intended to finish it while the issue was still hot and in 2-3
days you can't easily build good software with a plethora of tests.

~~~
chris_wot
My sympathy is limited given this malware was bundled by Lenovo.

When are laptop vendors going to stop shovelling crapware on laptops?

------
w-ll
Is this project really from Lenovo? The github profile has just this 1
project?

~~~
taspeotis
Yes, Lenovo link to it themselves [1].

[1]
[http://support.lenovo.com/us/en/product_security/superfish_u...](http://support.lenovo.com/us/en/product_security/superfish_uninstall)
"Automatic Removal Tool Source code"

~~~
cma
Also possible that a Lenovo employee was at a coffee shop using wifi connected
to the corporate CMS using http"s" and someone unrelated to Lenovo linked
their fake repo on his/her behalf.

------
gulbrandr
From [1]:

    Joined on 20 Feb 2015

Welcome to Github Lenovo!

[1] [https://github.com/lenovo-inc](https://github.com/lenovo-inc)

------
jmount
Why would you trust Lenovo on this?

------
dengnan
So this is Lenovo's first github repo. Please don't tell me that it is their
first free/open source project developed on their own.

------
sslnx
Better install Linux.

------
codezero
The last thing I would advise any non-technical (and even technical!) person
to do is to go to github and download a bunch of executables and see what
happens.

Zero kudos Lenovo.

