How to prevent Firefox from sending downloaded file information to Google

Martin Brinkmann
Jul 23, 2014
Updated • Jul 24, 2014

Starting with Firefox 32, Mozilla will check file downloads against Google's application reputation database which is powering Chrome's Safe Browsing feature since 2012.

If you have read the release notes of Firefox 31, you may have noticed the entry "block malware from downloaded files" under What's New.

The integration of the feature in Firefox 31 is the first step in the implementation which will be completed when Firefox 32 is released to the public in six weeks.

In Firefox 31, a local list is used to determine whether a downloaded file is malicious or not. This downloaded list is updated regularly, ans whenever a download is being made, that download is checked against the list to make sure it is not malicious in nature.

Note: Firefox will only check executable files and not other file types.

From Firefox 32 on, downloads are checked against the local list and a remote list if the local list does not return a hit. This remote list is maintained by Google, and to access it, information about the download are submitted in the process.

While the file itself does not get transferred, its SHA-256 hash value as well as other information such as the suggested file name for the download, the length of the file in bytes and the url the file was downloaded from are.

Example screenshot of a download that Chrome blocked as malicious

chrome is malicious

How to block the sending of information to Google

While the implementation of download checks in Firefox may help some users avoid malware downloads, others may dislike the integration of the feature.

A core reason is privacy since information about file downloads are submitted to Google. Not only are information submitted, but the request itself will reveal additional information such as the IP address of the computer the request came from.

If you have deployed antivirus software on your system, it may also be unnecessary to use the Firefox implementation as the software may protect the system from malicious downloads automatically.

Last but not least, false positives are also a possibility.

To disable the application reputation check in Firefox, do the following:

  1. Type about:config in the browser's address bar and hit the enter key.
  2. Confirm that you will be careful if a warning message is displayed.
  3. Search for browser.safebrowsing.appRepURL.
  4. Double-click the preference and replace its value with a blank.

disable file download checks

Removing the address from the preference blocks the sending of information to Google.

It is alternatively possible to disable Safe Browsing completely.

  1. Load about:preferences in Firefox's address bar.
  2. Switch to Security in the sidebar on the left.
  3. Disable the entries "Block reported attack sites" and "block reported web forgeries".

Additional features about the application reputation feature are available on Mozilla's Wiki.

Now Read: An in-depth Firefox security guide

How to prevent Firefox from sending downloaded file information to Google
Article Name
How to prevent Firefox from sending downloaded file information to Google
Find out how to block Firefox from sending information about downloaded files to Google.

Tutorials & Tips

Previous Post: «
Next Post: «


  1. gogoleis said on March 1, 2017 at 5:10 am


    Evil mask Destroy all

    with calming blankkkkkkkkkkkkkkkkkkkkkkkkkkkkkk

  2. R2D2 said on December 18, 2016 at 8:29 pm

    In FireFox ver 50 there are 2 reporting addresses. Look for these two:

  3. Martin said on August 17, 2015 at 12:42 pm

    Danke !!

  4. Declan said on October 23, 2014 at 12:47 pm

    It’s still not there in the latest 33.0 revision. ?

  5. Tammo said on September 27, 2014 at 10:23 am

    Not just Bindee

    I installed the latest 32.0.3 that came out a couple of days ago and it no longer shows.

    Have they hidden it or renamed it , maybe Martin Brinkmann could look into it ?

    1. Martin Brinkmann said on September 27, 2014 at 10:43 am

      I just checked in Firefox Stable and it is not there anymore. It still exists in Firefox Nightly though. Maybe Mozilla removed it from stable versions of the browser?

      1. Bindee said on September 27, 2014 at 10:50 am

        Thanks both for confirming it.

        Lets hope it has been removed and not set to be permanently enabled.

  6. Bindee said on September 25, 2014 at 12:40 am

    Firefox 32.0.2 – standard web update.

    Just checked my two desktops and a laptop all running standard installs of the latest firefox 32.0.2 web version and none show *..appRepURL in about:config ?

    The laptop is windows XP 32bit and the desktops are Win 8 64bit.


    1. Bindee said on September 25, 2014 at 7:14 am

      I should point out i meant ” browser.safebrowsing.appRepURL ” and not the short version of *..appRepURL in my post incase that gave the impression that is what i was looking for.

      It existed before i upgraded to 32.0.2

      I done a fresh install , i wonder if it would have still shown in the config if i had just installed over the previous version?

  7. Bindee said on September 24, 2014 at 10:58 am


    This no longer shows in the latest version of firefox , Has it now been disabled by default or has the name changed ?


    1. Martin Brinkmann said on September 24, 2014 at 11:21 am

      Still listed in my version of Firefox (latest Nightly).

  8. p3t3r said on July 27, 2014 at 7:34 am

    Hi @all!

    Currently i’m testing Firefox 31 esr. I had disabled the above mentioned safety-options in firefox. Under FF31 i disabled the adblock-addons and i use only Ghostery and NoScript. Together with the new engine FF starts faster and reacts smoother while surfing or streaming video.

    My two cents for safe browsing:

    Ghostery needs a little modification of settings, because not all known cookies and trackers are blocked by default. Also the Ghostrank-checkbox should be deactivated for privacy reasons and performance (traffic).

    NoScript is able to block most of advertising, so adblock seems obsolete. ABP is known as a RAM-Hog. I didn’t have the time to check all my facourites regarding ad-free behaviour under NoScript.

    In common it makes more sense to check a file with an AVP after downloading.

    Otherwise it would make sense to work with different profiles: a slim one when browsing on well-known sites you can trust and a “Fort-Knox-Hi-Security-Profile” when surfing thru the net on the search for “warez’n’stuff”.

    Kind regards


  9. Smith said on July 24, 2014 at 8:08 pm

    Is there any way to

    1. have safebrowsing for websites enabled, and,
    2. have this local-anti-malware function enabled also, but without sending new files to google?


  10. MozillaTards said on July 23, 2014 at 9:55 pm

    Mozilla has become dodgy as fucking scum like Google.

  11. David said on July 23, 2014 at 9:05 pm

    My version of Pale Moon (24.6.2 (x64)) has those entries with addresses. I just followed Martin’s advice and also set the following entries to false.


  12. racorbin said on July 23, 2014 at 2:34 pm

    Should the entries

    browser.safebrowsing.malware.reportURL be blanked out also???

    For those interested Pale Moon (and Pale Moon for Linux) currently do not have these entries.

    1. Martin Brinkmann said on July 23, 2014 at 2:47 pm

      If you don’t require safebrowsing then you can simply disable the feature completely by setting browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled to false.

      1. Chris said on July 25, 2014 at 8:12 am

        Does firefox’s “block reported attack sites and web forgeries” check a local block list or send URLs to the cloud?

        Mozilla is getting less trustworthy with every new release. How do we know Firefox Sync is really off? Is Mozilla collecting history and bookmarks to sell to Google?

      2. racorbin said on July 23, 2014 at 2:59 pm

        Yes, that makes sense. But I like the safe browsing idea of checking against a list on my PC (or against Web of Trust). What I dont like is sending anything to Google. A previous comment by “mike” indicated that if safebrowsing is enabled, google will be contacted regardless of these config changes.

        Another question: if Web of Trust is enabled, is that “sufficient” for protection?

      3. Martin Brinkmann said on July 23, 2014 at 3:08 pm

        Web of Trust is only offering reputation ratings for websites, not downloads as far as I know.

  13. ken said on July 23, 2014 at 2:13 pm

    can I allow download anyway or it’s blocked for good I mean what options are hidden under dismiss scrolldown menu?

    1. Martin Brinkmann said on July 23, 2014 at 2:15 pm

      In Chrome, none at all. In Firefox, no idea as the feature is not available yet.

      1. ken said on July 23, 2014 at 2:48 pm

        even in nightly? so how you disable it in chrome then if at all possible?

      2. Martin Brinkmann said on July 23, 2014 at 2:49 pm

        You need to disable “enable phishing and malware protection” on the chrome://settings/ page.

  14. mike said on July 23, 2014 at 1:50 pm

    if the one has safebrowsing enabled then data will reach google anyway and same if he or she uses virustotal you know.

  15. xtremezz said on July 23, 2014 at 10:37 am

    As if getting rid of that obstinate Google PREF cookie wasn’t hard enough already. Ironic given that the first page you see on upgrading to FF 31 mentions Firefox being #1 in privacy, if I recall correctly.

    Disabled it yesterday, but let’s be honest, how many people actually read release notes?

    At any rate, “block malware from downloaded files” sounds better than “have Google check every file you download”.

  16. kktkkr said on July 23, 2014 at 9:53 am

    I’m still not a fan of blocking the download options entirely, especially with the possibility for massive inconvenience in the case of a false positive, and the notion of it sounds a little like censorship (even though Firefox already does the blocking similarly for websites).

    The part that interests me is that the Mozilla Wiki article (and the original tracking bug it links to) makes no mention of the impact of add-ons. Can an add-on bypass the usual route for file downloads and thus avoid this malware check? An add-on which does this probably will not get approved by the AMO repository, but if it is possible it might weaken the protection offered by this feature.

  17. John P said on July 23, 2014 at 9:52 am

    Can you write up one for IE’s SmartScreen Filter? It’s basically the same thing, but sending info to MS’s database.

    1. Martin Brinkmann said on July 23, 2014 at 10:47 am
      1. Niks said on July 23, 2014 at 3:14 pm

        This post is about the local list method or remote list method ? :/

      2. Martin Brinkmann said on July 23, 2014 at 3:21 pm

        According to Mozilla’s wiki, setting the string to blank disables the application reputation checks.

      3. Niks said on July 23, 2014 at 2:41 pm

        Any way to disable remote list checking ?

      4. Martin Brinkmann said on July 23, 2014 at 2:47 pm

        In Firefox? By setting the url to blank.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.