> The second category, uncommon downloads, covers downloads which may not be malicious or unwanted but that are simply not commonly downloaded.
> it is possible that you have been tricked into downloading a malicious file from a phishing site which has not yet been identified as such by the Google Safe Browsing service.
Does this mean that sites that have some kind of personalized downloads or downloads that are created on the fly (like generated PDFs for example, or watermarked content) will always create a warning for the user on download?
Still something I'd consider an anti-feature, as it both punishes small software authors/projects and creates confusion on new releases even for bigger projects.
Browser security and anti-malware in general is increasingly a nightmare for small ISVs that release software that does anything remotely suspicious (e.g. DLL injection).
As a personal anecdote, my website has been blacklisted multiple times by safebrowsing, downloads have been blocked as "XXX is malicious", multiple AV products have found "malware" in a program that's never even been released before, etc. I have to email 10-20 different anti-virus companies with samples every release and then deal with the ones who want it in a different format or submitted through a web portal instead.
Then we have the problem that contacting any human about safebrowsing false positives is nigh impossible. Take a look at the report right now - https://www.google.com/transparencyreport/safebrowsing/diagn... - "Some pages on this website send visitors to dangerous websites. Some pages on this website install malware on visitors' computers." yet it says "Current status: Not dangerous". And Webmaster tools can't seem to find anything specific: http://i.imgur.com/HzT8xfC.png
Just today I was having trouble making a Windows installer flash drive because Trend Micro didn't like Rufus trying to make an autorun.inf file. Had to add it manually.
I'm not sure if the "Windows 10 Media Creation Tool" also has this problem since it doesn't recognize Sandisk flash drives as being flash drives (presumably Sandisk's fault). If anyone's run it on a computer with Trend Micro I'd be curious to hear.
We ship an nw.js-wrapped version of one of our apps for offline use in the field, and it certainly does provoke the "uncommon download" warning in Chrome. We've had people raise concerns about it. Market positioning insulates us from serious ill effect, but I can absolutely see how it could impair companies that aren't.
We don't know how Google's grading works, but you may be on to something. I publish several free tools and games for Windows, and they're all raw executables without any kind of code signing.
Internet Explorer continuously blocks them and scares the users away from them.
Neither Firefox nor Chrome trigger a warning on them and seem to recognize them as harmless.
I can see this being useful to the average user who is encouraged to download "video.mp4" from Popular-File-Upload-Site, but thanks to a dark pattern on the website, is presented with a "video.exe" download instead.
There is nothing "anti-Windows" about my post. It isn't a biased take, it's not propaganda, it's just fact.
There is somewhat of a logical inconsistency in trying to avoid spyware on Windows 10 that is hopefully explained by lack of knowledge. The purpose of my post is to inform. Not everyone is aware.
Please don't use these without fully understanding the impact of them. You may also be disabling parts of Windows Update at the same time.
From the open source one:
"Note: Windows Defender may report the EXE as a trojan (Win32/Pocyx.C!cl), and may therefore prevent you from extracting the EXE to anywhere on your computer. Set up an exclusion in Settings > Update & Security > Windows Defender > Exclusions by adding the folder you intend to extract the EXE to."
The one thing I've always wanted is for the browser to automatically verify the file hash if it is provided on the download page. Any plans in this direction, Mozilla?
Is it possible to whitelist certain domains from the safe browsing feature in Firefox?
One of the sites I frequent has all their torrents marked by safe browsing as malware (mistakenly AFAIK), so ideally I'd like to whitelist that one site without opting out of the feature entirely.
Not possible. Normal torrent sites work fine and aren't marked, so that's weird. You do get the occasional blacklisting for ads that inject malware. Maybe you're not seeing them due to an Adblocker?
I always disable the "Block reported attack sites" and "Block reported web forgeries" protections in the settings... I don't need my browsing history to be sent to yet someone else...
But these features don't send your browsing history anywhere. The Firefox safe browsing service downloads a list of bad URLs in form of hashed prefixes from the Google service. Then every page you visit is compared against the downloaded list (offline). If there's a match, Firefox sends the hashed prefix up to Google and downloads a list of all full URLs that match that hashed prefix. There's another offline comparison and if the web page you are visiting still matches, then the page is blocked and the phishing/malware warning is shown. At no point is an actual URL sent to Google or anyone else.
Microsoft introduced a similar feature in 2010. In that scheme, a "file identifier" and the signature, if the application is signed, are sent to a cloud service [1][2][3]. Therefore they can track attempts for downloads, without having to know the URL itself.
So if they want to know if you visit a specific site, all they need to do is add it to the list (a hash prefix is probably often enough to be very specific)... Wikileaks was added and removed from the list lately... I will just leave this feature off. Also, I don't follow Firefox's code closely enough and the behavior might change at any time.
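The prefix lookup described in the comments above, and the tracking concern raised in reply to it, as an added Python sketch that is not part of the thread or of Firefox's code. The class names, the 4-byte prefix length, the single-string hashing and the sample URLs are assumptions made for illustration; the server here returns full-length hashes, as the Safe Browsing API does.

```python
import hashlib

PREFIX_LEN = 4  # bytes; assumed prefix length for this sketch

def full_hash(expr: str) -> bytes:
    # Simplification: hash one "host/path" string; real clients canonicalize
    # the URL and hash several host/path combinations.
    return hashlib.sha256(expr.encode()).digest()

class ListServer:
    """Constructed stand-in for the list provider (hypothetical class)."""
    def __init__(self, bad_exprs):
        self.full = {full_hash(e) for e in bad_exprs}
        self.extra_prefixes = set()
        self.seen = []  # everything clients ever send to the server

    def watch(self, expr):
        # The concern raised in the thread: a prefix is published with no
        # matching full hash, so visits trigger a lookup but never a block.
        self.extra_prefixes.add(full_hash(expr)[:PREFIX_LEN])

    def prefix_list(self):
        return {h[:PREFIX_LEN] for h in self.full} | self.extra_prefixes

    def find_full_hashes(self, prefix):
        self.seen.append(prefix)
        return {h for h in self.full if h[:PREFIX_LEN] == prefix}

class Client:
    def __init__(self, server):
        self.server = server
        self.prefixes = server.prefix_list()  # periodic list download

    def check(self, expr):
        h = full_hash(expr)
        if h[:PREFIX_LEN] not in self.prefixes:
            return "clean-local"          # offline check, nothing sent
        matches = self.server.find_full_hashes(h[:PREFIX_LEN])
        return "blocked" if h in matches else "clean-after-lookup"

if __name__ == "__main__":
    server = ListServer(["bad.example/dropper.exe"])   # constructed entries
    server.watch("tracked.example/")
    client = Client(server)
    for url in ["good.example/", "bad.example/dropper.exe", "tracked.example/"]:
        print(url, "->", client.check(url))
    print("server saw:", [p.hex() for p in server.seen])
```

The `seen` list is the server's entire view of the client: nothing for the clean URL, and one 4-byte prefix each for the blocked and the watched URL.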
I wonder how they're gathering that information and using it to alert the user. Is it a checksum of the file that Firefox is comparing to a central database? Or is the check entirely client-side?
Yay, another shitty feature to disable in about:config.
Signature-based systems are still useless. And you send more data to Google!
(Yes, yes they probably download lists and don't directly send the hash. The lists are most likely still sharded enough to get an idea, as it is with the regular safe browsing crap)
Useless? Except that they aren't. Because the vast majority of users are only ever downloading very popular things which have already been scanned and confirmed safe. We're edge cases.
> Yay, another shitty feature to disable in about:config.
As a minor plus, if you've already disabled the existing blocking options in previous versions of Firefox, then these new ones are automatically disabled.
Do you have a better solution, then? Signature-based is very effective for known malware out there. There is not much a browser can do without becoming a full-blown AV scanner.