Open Bug 1806183 Opened 2 years ago Updated 2 years ago

Antivirus Programs deem Firefox Installer to be Unsafe

Categories

(External Software Affecting Firefox :: Other, enhancement, P2)

Tracking

(Not tracked)

REOPENED

People

(Reporter: ahkhackglobal, Unassigned)

Steps to reproduce:

https://www.mozilla.org/en-US/firefox/download/thanks/

Actual results:

There is a malicious script inside your product.

Expected results:

There should have been no trojan related threats.

Are you saying that some antivirus software is reporting that there's something wrong with Firefox? What antivirus software is that? What OS are you using?

Group: firefox-core-security
Flags: needinfo?(ahkhackglobal)

Yes, that is the initial way I found it. You can then analyse the script.

I have a Windows OS along with most other OS.

I wanted to share because you can check it out and see if there is any reputation based impacts here.

Flags: needinfo?(ahkhackglobal)

I have run the Firefox Installer through https://virustotal.com and it says that MaxSecure calls the installer a trojan and Cylance calls it unsafe, so this problem is very valid.

Summary: malicious script → Antivirus Programs deem Firefox Installer to be Unsafe
Status: UNCONFIRMED → NEW
Ever confirmed: true

Do you require any more information to resolve this?

What antivirus software was causing you problems? It is most likely an issue with a false report from the antivirus, so we need to know what vendor it is to contact them.

Flags: needinfo?(ahkhackglobal)

virustotal

Flags: needinfo?(ahkhackglobal)

Thanks. I'll try to figure out how we deal with these kinds of issues.

Component: Untriaged → Other
Product: Firefox → External Software Affecting Firefox

Thank you. I am here if needed

Component: Other → Untriaged
Product: External Software Affecting Firefox → Firefox
Component: Untriaged → Other
Product: Firefox → External Software Affecting Firefox

Haik, do you know what we do for these kinds of issues? Thanks.

Flags: needinfo?(haftandilian)

(In reply to Andrew McCreight [:mccr8] from comment #9)

> Haik, do you know what we do for these kinds of issues? Thanks.

Both 1) check if the AV company has a means to report false positives and use that and then 2) try to contact them directly and let them know.

In this case, I found a way to report a false positive to Cylance using the instructions here. We've had trouble getting in contact with them for bug 1799562.

For MaxSecure, I don't see anything similar. So we'll try and contact them. It would help to know specifically which installer triggers the problem.

@ahkhackglobal, could you provide an md5sum of the file you downloaded? We have 32-bit and 64-bit and MSI installers for Windows.

Severity: -- → S3
Flags: needinfo?(haftandilian) → needinfo?(ahkhackglobal)
Priority: -- → P2

I've run the latest en-US versions (32-bit, 64-bit, aarch, with/without EME) of our Windows installer through virustotal.com and all are coming back clear.

@ahkhackglobal, please let us know if you continue to see this problem and include the AV vendor and a checksum and version of the installer file you downloaded.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
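
Added example, not part of the original bug thread and not Mozilla's tooling: a small Python script that produces what the comment above asks for, the checksum of the downloaded file plus whether it is an MSI or a 32-bit, 64-bit or ARM64 PE executable. The function names and the constructed `fake_pe` sample are assumptions made for illustration; pass the path of the downloaded installer on the command line.

```python
import hashlib
import struct

# "Machine" field values from the PE/COFF specification.
PE_MACHINES = {0x014C: "PE x86 (32-bit)", 0x8664: "PE x64 (64-bit)", 0xAA64: "PE ARM64"}
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file container used by .msi


def identify(data: bytes) -> str:
    """Classify an installer from its leading bytes: MSI container or PE machine type."""
    if data.startswith(OLE_MAGIC):
        return "MSI (OLE compound file)"
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "unknown"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of the PE header
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "unknown"
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return PE_MACHINES.get(machine, f"PE machine 0x{machine:04x}")


def describe(path: str) -> dict:
    """Stream the file once, returning its size, MD5, SHA-256 and installer type."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    head, size = b"", 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            if len(head) < 4096:  # keep only the first 4 KiB for header parsing
                head += chunk[:4096 - len(head)]
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"file": path, "size": size, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(), "type": identify(head)}


def fake_pe(machine: int) -> bytes:
    """Constructed sample: a minimal MZ/PE header, not a real installer."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        for key, value in describe(p).items():
            print(f"{key}: {value}")
```

The type is read from the file's own header, so it describes the installer executable itself, which is not necessarily the architecture of the build it installs.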

Sorry, I don't know how to get that. If a false positive, good to hear.

Flags: needinfo?(ahkhackglobal)

Was this resolved?

I ran the Windows 64-bit installer through VirusTotal and it says that MaxSecure says it has "Trojan.Malware.121218.susgen". Reopening. Here are the details of the file from VirusTotal:

File type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: UPX compressed Win32 Executable (39.9%); Microsoft Visual C++ compiled executable (generic) (24.3%); Win32 Dynamic Link Library (generic) (9.7%); Win16 NE executable (generic) (7.4%); Win32 Executable (generic) (6.6%)
DetectItEasy: PE32; Installer: 7-Zip (1.0); Packer: UPX (3.95) [NRV,brute]; Compiler: Microsoft Visual C/C++ (6.0); Archive: 7-Zip (0.4); Linker: Microsoft Linker (6.0*) [GUI32,signed]; Overlay: 7-zip Installer data
File size: 341.80 KB (350008 bytes)
PEiD packer: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

Do you require anything else from my side? Also, can I just confirm that the file is actually safe to download?

Thank you kindly.

(In reply to ahkhackglobal from comment #16)

> Do you require anything else from my side? Also, can I just confirm that the file is actually safe to download?

We have no reason to believe there are any malware issues with any Firefox installers. Be sure to download the installer from mozilla.org and not an untrusted third-party site.

This appears to be a repeating problem with MaxSecure. I've checked the three most recent installer versions (110, 110.0.1, and 111) and VirusTotal does not report any problems with MaxSecure. We have no reason to believe any of the Firefox installers have any malware.

Additionally we are trying to communicate with MaxSecure because this is a reoccurring issue with the MaxSecure product where it falsely labels the Firefox installer as containing malware.

Searching online, there are many examples of MaxSecure reporting Trojan.Malware.*.susgen false positives with other products.
