Firefox's Malicious Download Checker gets Bypass option
Mozilla implemented Google's Safe Browsing technology for downloads in Firefox some time ago. The feature checks downloads that you make in the browser using Google to determine if a file is malicious.
The browser maintains a local copy of the blocklist and checks the file against that list to verify it. If it is flagged by Google, a blocked message is displayed in the download manager and the download is not saved to the local system.
Improving user protection in Firefox is certainly positive but the system is not free of issues. While Safe Browsing catches malicious files, it is plagued by false positives as well.
If you try to download a password program from Nirsoft for instance, a respected and acclaimed developer of Windows software, you will notice that some are blocked by Safe Browsing even though they are not malicious.
This raises validity concerns especially if Google's own Virustotal service reports a program as clean. Even if some services report them as malicious, it does not necessarily mean that they are.
False positives are quite common and while Google is blocking downloads in Chrome as well, it offers an option to unlock the download to bypass the flag and get access to the file anyway on the computer.
Firefox up until now does not offer a bypass option. That's a problem, especially if you know that a file is clean, trust the developer or want to continue because you know what you are doing.
Say, you download the file because you want to run it in a sandbox or a virtual machine. That's perfectly fine but not possible currently if you are using Firefox because it does not offer a bypass option.
This changes in Firefox 39 which ships with an option to unblock files that were blocked by the browser.
The new feature becomes available when you right-click on a file in the browser's download manager.
A click on unblock displays a confirmation prompt that claims that the file in question contains a virus or other malware which I dislike a lot because it is a claim that is not always true.
It reads:
Are you sure you want to unblock this file?
This file contains a virus or other malware that will harm your computer.
You can search for an alternate download source or try to download the file again later.
The message is not overly helpful. First and already mentioned, it claims something that may not be true all the time.
Second, if you have downloaded the file from a trusted source, downloading it from an alternate source or again won't fix a thing.
Considering that this just landed in Nightly versions of Firefox, it may be reworded before it is released in stable versions of the browser.
All in all though, it is a good thing that the unblock option comes to Firefox even though I wished it would have landed with the feature and not months later. (via Sören)
Does this bypass option create a url whitelist, or does it, as I suspect, only create a path to recover the download from the temp folder?
Even with a whitelist, with urls like uploaded.net there is still the pesky 3 hour wait.
Firefox 39?! Try to push it firefox 37 will you!
I don’t think this new bypass option is going to be very useful in the case of downloading from file hosts like “uploaded.to” if you are using their free option. The file once blocked cannot be restarted for 3 hours, and then to be blocked again.
Even with this new option the blocked files once stopped cannot be restarted, or downloaded at all…
It remains that the only option is to again resort to disable/unticking the “blocked reported ……” in security options. So in these cases this new option is a “non-starter” (pun intended)
Or am I missing something here?
I have had downloading from the filehost “uploaded.to” blocked before, this isn’t just theoretical.
My question here is aimed at the author of this article, Martin Brinkmann.
Finally, Firefox returns more control to the user. I never use Safe Browsing since it is provided by Google, but it would be really frustrating to try to download a known clean file only to have it blocked by the browser, with no way around except disabling protection. Now if Mozilla would just let us install unverified addons. Also, the message seriously needs to be reworded.
The “alternate download source” appears to apply to scam sites that repackage software with viruses, so that explains that text – a different download from a trusted site just *may* be safer.
However, I’m not so happy with the “will harm” your computer text, as there are many tools (like Nirsoft’s apps or ZIP password finders, to name a few) that are considered “potentially unwanted programs” because they bypass security, “sniff” TCP/IP packets, or can otherwise be used maliciously as well as for legitimate reasons.
The alternate download text should not be displayed when you download from the author’s website, e.g. Nirsoft.
That’s it!
I’m moving to Google Chrome.
You forgot the “/sarc.”
You are moving to Chrome because Firefox is using Google’s function first installed in Chrome ?
You’re moving to Chrome because Firefox gets a bypass function which gives the user more contral than before? Wow, that makes sense. Not.
What also does not make sense is that you do not understand humor.
“will harm” your computer?
That’s an unfounded accusation. Libelous.
If they went to “may harm” they could get of. But by using “will harm” they are accusing. If the accusation is unfounded, then is libelous, all someone needs is a way to prove loss revenue and those behind Firefox are open to a lawsuit. I like the Mozilla Foundation, but if they do not change that wording, I see a series of lawsuits in their future.
I always disable this kind of setting in Firefox. IMO it is not the browser’s job to tell you if a file is malicious or not; I expect this kind of warning from a dedicated security solution (i.e. antivirus), not from my browser.
Caspy7 March 7, 2015 at 9:18 pm #
If you’re dissatisfied with the text, try filing a bug suggesting that it read “may contain” while pointing out that the (already approved?) text in the download manager says “may contain”.
er? I cannot follow what your saying ” may contain” & ” may contain”
I disabled Google Safe Browsing a while ago and instead use mandatory Anti-virus scan of all downloaded exe/rar/zip/iso and other executable files. I trust my AntiVirus way more than Google.
If you’re dissatisfied with the text, try filing a bug suggesting that it read “may contain” while pointing out that the (already approved?) text in the download manager says “may contain”.
The confirmation prompt does not say may.
This is not a minor thing: saying that an unknown file “WILL” hurt your computer is completely irresponsible, unacceptable, misleading, and harms the reputation of the website it is shown for.
And this isn’t a simple matter of blocking a single download — if you show a message to a user who visits a website saying that the website is trying to get them to install software that “WILL HURT YOUR COMPUTER” you are irrevokably tarnishing that website as dangerous to the user, and many users will run from the website and never return and tell their friends to avoid it because it’s a malicious website.
Even as someone who views lawsuits as the devil’s work — I really hope someone with some money will sue any browser that is being so irresponsible as to show someone a message like this.
I have always maintained, if a browser wants to show someone a message that tells the truth: “This file has not been tested by us and we don’t know anything about it” and gives user a choice of what to do, I have no objection to that. But saying that an unknown file “WILL” harm your computer is a blatant lie designed to scare — and has no place in this world.