Lenovo's SuperFish Removal Tool on GitHub

I hate to collapse the high level of discussion on HN all the way down to the least common denominator &quot;my computer doesn&#x27;t work&quot; discussion, but ...<p>There is no such thing as cleaning your PC or removing the malware or removing the virus(es).<p>You reload the OS, from scratch, with non-OEM (that is, generic) OS media. Otherwise you will lose.<p>This has been true for 20 years and it only gets more true as OS software becomes more abstracted and tightly coupled to hardware.<p>Do not remove superfish. Do not &quot;clean&quot; your PC. In fact, don&#x27;t even upgrade your OS from one major revision to the next. Wipe your system, install from generic media.<p>Tell everyone you know.

<i>&gt; return ( (Issuer.ToLower().Contains(&quot;superfish, inc&quot;)) || (IssuerName.ToLower().Contains(&quot;superfish, inc&quot;)) );</i><p>While in this case, it might be ok, please never do this in your own programs. Before deciding to act on something, make sure that you are as precise as possible before taking action.<p>In this case, as all machines had the same certificate, use the key fingerprint or the whole certificate for comparison. And failing that, do an equality match on the name. A case insensitive substring match is way too wide and you might be accidentally removing things you didn&#x27;t want to remove (&quot;pilif&#x27;s Superfish, Including production&quot; is an issuer name of a certificate that would be removed by Lenovo&#x27;s code).<p>It&#x27;s easy to be accurate when checking. It&#x27;s hard to undo accidental damage. And no matter how much time it takes you right now to go the extra length, it will pale in comparison to the hell you will have to go through once the accident happens.

Wow. Releasing the source to the removal tool might be the first right (rather than actively wrong and then merely a little less wrong) thing Lenovo has done in this entire disaster.<p>It feels like I can almost hear the screams of the engineers explaining why a black-box removal tool is nowhere near enough.

I just followed Lenovo’s instructions [0] to uninstall SuperFish on a friend’s computer (Lenovo Yoga 2, Win 8.1). These instructions are NOT sufficient. After uninstalling SuperFish through the normal windows uninstallation program, and the Root CA certs for IE and Firefox, suddenly none of the HTTPS sites worked! The browser complained (rightly), that the the certificate is wrong because it is signed by SuperFish.<p>I had to do some research to detect, that there is still a service called VisualDiscovery, which is activated on startup. Looking in the properties I can see that it starts “C:\Program Files (x86)\Lenovo\VisualDiscovery\VisualDiscovery.exe”. I stopped it and now it works as supposed. But I still have to find a way how to uninstall this stuff.<p>I’m a Linux guy, but I find it crazy, that after uninstalling VisualDiscovery&#x2F;SuperFish there are still executables and a service remaining on the disk. This is crazy.<p>[0] <a href="http://support.lenovo.com/us/en/product_security/superfish_uninstall" rel="nofollow">http:&#x2F;&#x2F;support.lenovo.com&#x2F;us&#x2F;en&#x2F;product_security&#x2F;superfish_u...</a>

They should have also registered rmvr.io and added &quot;Fork me on github&quot; and all that. Then they&#x27;d be hip.

Well, that&#x27;s nice, but apparently Microsoft already pushed a Windows Update that deletes Superfish and its stupid cert, so...<p>Go Microsoft!<p>... That was weird.

As I see many people complaining about the code quality and the lack of tests et cetera:<p>You have to cut the developers some slack considering the time they had to develop this.<p>They clearly intended to finish it while the issue was still hot and in 2-3 days you can&#x27;t easily build good software with a plethora of tests.

Is this project really from Lenovo? The github profile has just this 1 project?

From [1]:<p><pre><code> Joined on 20 Feb 2015 </code></pre> Welcome to Github Lenovo!<p>[1] <a href="https://github.com/lenovo-inc" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;lenovo-inc</a>

Why would you trust Lenovo on this?

So this is Lenovo&#x27;s first github repo. Please don&#x27;t tell me that it is their first free&#x2F;open source project developed by their own.

Better install Linux.

The last thing I would advise any non-technical (and even technical!) person to do is to go to github and download a bunch of executables and see what happens.<p>Zero kudos Lenovo.