investigate why some AV's flag us, and prevent it

RESOLVED FIXED in Firefox 2

Status: RESOLVED FIXED (opened 13 years ago, last modified 5 years ago)

People

Reporter: fritz; Assignee: tony

Tracking

Keywords: fixed1.8.1
Version: unspecified
Target Milestone: Firefox 2
Bug Flags: blocking-firefox2+

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

13 years ago
"I just got this very odd alert from my antivirus at home: goog-black-url.sst was identified as having a signature PHISH.Ebayfraud.AX. The antivirus is AntiVir Free Personal Edition (http://www.free-av.com/ )."

Updated

13 years ago
QA Contact: nobody → safe.browsing

Comment 1

13 years ago
The same AV engine just hit me with 
PHISH/Bankfrau.BH.2
in urlclassifier.sqlite-journal.
I guess it's adding the URLs to its phishing specs, just like we do.

Comment 2

13 years ago
Thinking about it, can we fix this for beta? It'd be really embarrassing to see
"safebrowsing" triggering virus alerts.
Note: that particular AV is really popular in Germany and beta is likely to be the
first release we do with l10n, so dupes of this bug may be #1.
Flags: blocking-firefox2?

Comment 3

13 years ago
Tony, any ideas here?
(Assignee)

Comment 4

13 years ago
(In reply to comment #3)
> Tony, any ideas here?

Hmm, we're not currently encrypting the blacklisted URLs, but we can (e.g., we encrypt the licensed URLs). I'll talk with Niels and the rest of the team and see if they have any other suggestions. The downsides of encrypting are that it's a little slower and it's not as transparent.
(Assignee)

Updated

13 years ago
Status: NEW → ASSIGNED
Whiteboard: SWAG:3days
Assignee: nobody → tony
Status: ASSIGNED → NEW
Flags: blocking-firefox2? → blocking-firefox2+
Target Milestone: --- → Firefox 2 beta1
(Assignee)

Comment 5

13 years ago
(In reply to comment #1)
> The same AV engine just hit me with 
> PHISH/Bankfrau.BH.2
> in urlclassifier.sqlite-journal.
> I guess it's adding the urls to it's phishing specs, just like we do.

Hmm, so I'm having a hard time reproducing this.  I'm running AntiVir / Linux Version 2.1.7-18 with VDF version: 6.35.0.22 created 12 Jun 2006.

I tried scanning the old style plain text files (*.sst) and the new sqlite files (urlclassifier.sqlite-journal on a full update and urlclassifier.sqlite) using the following command:
  antivir ~/work/avtests/*

Any suggestions (maybe a different OS)?
pushing out non-critical-path bugs to b2
Target Milestone: Firefox 2 beta1 → Firefox 2 beta2

Seems to be WFM? Moving off blocking, renominate if there's a real problem here.
Flags: blocking-firefox2+

I've been seeing warnings about viruses much more frequently lately. I'm using:

AntiVir (Windows)
Virus definition file: 6.35.00.235
Search engine: 7.01.00.21

Unfortunately I'm not able to reproduce consistently. If I see it again, I'll try to save the urlclassifier.sqlite file that triggered it.

Any time this file is accessed I get the "A virus or unwanted program was found" dialog, using the same versions as in comment 9. I got this file by using a branch build and waiting until I got the alert, then copying the file while the alert was still displayed. Strangely enough, scanning the file directly using the AntiVir UI shows the file as "clean".
The name that AntiVir gives to that file's "virus" is "PHISH/EbayFraud.CS".

Comment 12

13 years ago
I can confirm this bug in Windows XP with Avira AntiVir.
I'm getting ebay-fraud warnings on urlclassifier.sql regularly,
and a google search on the file name[1] returns lots of forum entries of people using the beta who are afraid of their data due to this "virus".


[1] http://www.google.de/search?q=urlclassifier.sqlite&ie=utf-8&oe=utf-8&rls=org.mozilla:en-US:unofficial&client=firefox-a 
(Assignee)

Comment 13

13 years ago
I send an email to Avira and they said we should encrypt the urls and "ROT13 would be absolutely sufficient".

Comment 14

13 years ago
I got hit by this on a test system I rounded up that had Avira running on it.  

Pretty confusing, and it took a while for me to track down.  On Wed afternoon I installed the korean and a few other Intl builds, and on Thursday morning at 4:00a Avira pops a dialog that says 

  "C:\path to my profile\urlclassifier.sqlite-journal

  Contains signature of the phish file/email PHISH/PaypalFruad.U"

Then check boxes to:

repair
move to quarantine
rename
access deny
ignore 

It also had a link to search the Avira site for more info on 
PHISH/PaypalFruad.U , but that search returned 
"No Threats were found matching your criteria"

This is going to leave users pretty lost....

Flags: blocking-firefox2?

Comment 15

13 years ago
move to quarantine is the selected default for users that might hit return....

would that just cause urlclassifier.sqlite-journal to be re-generated? then set up the condition for same warning the next morning when the scan runs again?
or might it do something much worse like hose my profile for anti-phishing stuff? 

Comment 16

13 years ago
No, the file would be re-generated and phishing protection would still function properly, I think. See bug 346184 and bug 334174.
Whiteboard: SWAG:3days

Comment 17

13 years ago
Note that the default action for me is "deny access", if I just saw that dialog correctly.

Which notes that this is a major problem: I just clicked away a warning message of my virus scanner assuming that it's just the stupid antiphishing file, without thoroughly looking at it or making a conscious decision. That's evil.
Flags: blocking-firefox2? → blocking-firefox2+
Target Milestone: Firefox 2 beta2 → Firefox 2
(Assignee)

Comment 18

13 years ago
I'll try to make a patch for this today . . .
(Assignee)

Comment 19

13 years ago
I'm switching to a new filename, which will force the tables to be downloaded again.

Should I go ahead and delete the old file?  Seems like a small number of users would still have it.
Attachment #236443 - Flags: review?(darin)

Comment 20

13 years ago
If you're changing the filename anyway, would it make sense to call it phishing-protection.sqlite or some other name that a user might understand if their AV still flags it?
(Assignee)

Comment 21

13 years ago
Oops.  V1 changed the select and insert statements, but missed the delete statement.  This picks up that as well.
Attachment #236443 - Attachment is obsolete: true
Attachment #236449 - Flags: review?(darin)
Attachment #236443 - Flags: review?(darin)
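An added illustration of the approach the patch takes (this is example code written for this page, not Firefox's urlclassifier code, and the table name, schema and hostnames are constructed for the example): every key is ROT13-encoded before it reaches SQLite, so the bytes on disk never contain the plaintext URL that a literal-string AV signature matches on, and SELECT, INSERT and DELETE must all use the encoded key. The v1 slip from comment 21 is reproduced as `delete_v1_bug`: a DELETE with the plaintext key matches no stored row and silently removes nothing. Caveat: ROT13 is a fixed letter substitution with no key, not encryption; it defeats only literal substring matching, and a scanner that normalizes ROT13 would flag the file again.

```python
import codecs
import os
import sqlite3
import tempfile

# Constructed sample entries for this example; not real safe-browsing data.
SAMPLE_URLS = [
    "www.example-bank-login.test/secure/",
    "paypa1-verify.example/update",
    "ebay-signin.example/ws/",
]


def encode_key(url: str) -> str:
    """ROT13 the key before it touches the database. Only letters are rotated;
    digits and punctuation pass through, which is enough to break a literal
    substring signature but is trivially reversible."""
    return codecs.encode(url, "rot_13")


def decode_key(key: str) -> str:
    return codecs.decode(key, "rot_13")


class UrlTable:
    """Minimal stand-in for a blacklist table (hypothetical schema)."""

    def __init__(self, path: str):
        # Autocommit so every statement reaches the file before we inspect it.
        self.conn = sqlite3.connect(path, isolation_level=None)
        self.conn.execute("CREATE TABLE IF NOT EXISTS blacklist (url TEXT PRIMARY KEY)")

    def insert(self, url: str) -> None:
        self.conn.execute("INSERT OR IGNORE INTO blacklist (url) VALUES (?)",
                          (encode_key(url),))

    def contains(self, url: str) -> bool:
        row = self.conn.execute("SELECT 1 FROM blacklist WHERE url = ?",
                                (encode_key(url),)).fetchone()
        return row is not None

    def delete(self, url: str) -> int:
        # v2 behaviour: DELETE uses the encoded key, like SELECT and INSERT do.
        return self.conn.execute("DELETE FROM blacklist WHERE url = ?",
                                 (encode_key(url),)).rowcount

    def delete_v1_bug(self, url: str) -> int:
        # v1 behaviour from comment 21: the encoding was missed here, so the
        # plaintext key never matches a stored (encoded) row; nothing is deleted.
        return self.conn.execute("DELETE FROM blacklist WHERE url = ?",
                                 (url,)).rowcount

    def close(self) -> None:
        self.conn.close()


def demo() -> dict:
    """Populate a temp database, exercise both DELETE variants, then scan the
    raw file bytes the way a signature engine would."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        table = UrlTable(path)
        for url in SAMPLE_URLS:
            table.insert(url)
        v1_rows = table.delete_v1_bug(SAMPLE_URLS[0])   # 0: plaintext key matches nothing
        survived = table.contains(SAMPLE_URLS[0])
        v2_rows = table.delete(SAMPLE_URLS[0])          # 1: encoded key matches the row
        gone = not table.contains(SAMPLE_URLS[0])
        table.close()
        with open(path, "rb") as f:
            raw = f.read()
    finally:
        os.unlink(path)
    return {
        "v1_delete_rowcount": v1_rows,
        "row_survived_v1_delete": survived,
        "v2_delete_rowcount": v2_rows,
        "row_gone_after_v2_delete": gone,
        # What a literal-string signature would see when scanning the file.
        "plaintext_url_on_disk": any(u.encode() in raw for u in SAMPLE_URLS),
        "encoded_url_on_disk": encode_key(SAMPLE_URLS[1]).encode() in raw,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `rowcount` from the DELETE is the cheapest regression check for the v1 slip: a delete that reports 0 rows for a key you know is present means one of the statements is still using the unencoded key.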

Updated

13 years ago
Attachment #236449 - Flags: review?(darin) → review+
(Assignee)

Comment 22

13 years ago
on trunk
(Assignee)

Updated

13 years ago
Attachment #236449 - Flags: approval1.8.1?
Comment 23

13 years ago
Comment on attachment 236449
v2: rot13 key in delete as well

a=beltzner on behalf of 181drivers
Attachment #236449 - Flags: approval1.8.1? → approval1.8.1+
(Assignee)

Comment 24

13 years ago
on branch
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit