Let's assume that someone broke into Intuit's web server and injected malware/viruses into the download. Then let's assume you disabled malware/antivirus checking. Then let's assume you run the download to install TurboTax.
With these assumptions, when the downloaded installer runs, you are running malware. Since you will be entering super sensitive info like socsecurity # and your income ... malware now has that info.
This is why you don't disable antivirius/malware checking.
This is also why Intuit is supposed to provide antimalware vendors with their trusted signatures.
This is also why Intuit digitally signs the installation app. But their signatures use SHA1 digest ... which has not been trusted for a decade.
This is also why Intuit should provide the filehash of their installer.
Intuit, guys, you are expecting us to trust you. Do better!
