Closed Bug 393792 Opened 14 years ago Closed 14 years ago

Add UI for antivirus scanner

Categories

(Toolkit :: Downloads API, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: jonathan_haas, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007082505 Minefield/3.0a8pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007082505 Minefield/3.0a8pre

Firefox tries to scan downloaded files automatically since Bug 103487.

In my opinion we need UI to disable antivirus scanning and also allow the user to select a scanner. If the System provides multiple scanners (which should be possible if I understand bug 393305 correctly) the user should be able to select one (or even more) of them. The user should also be able to select a custom application for scanners which don't use the API.

Reproducible: Always

Steps to Reproduce:
1. Notice that there is no such preference in options.
Actual Results:  
Users may want to change or disable the scanner for downloads, because 

a) it is very slow
b) they want to select their prefereed scanner if multiple ones are installed
c) the scanner reports a false positive
d) the scanner doesn't work/hangs/crashes Firefox/etc.
Depends on: 103487
(In reply to comment #0)
> The user should also be able to select a
> custom application for scanners which don't use the API.
Absolutely not.  If virus scanners want to participate, they need to provide the windows api.  We will not accept code that allows X to also participate in scanning when they can just as easily patch their own code.
In my opinion it's not the anti virus scanner who wants to participiate, but Firefox who wants to use the scanner. 

But even if you decide, that the user should not be able to select a custom scanner (which could be implemented as an extension, too), the user should at least be able to disable scanning.
(In reply to comment #0)

> In my opinion we need UI to disable antivirus scanning and also allow the user
> to select a scanner. If the System provides multiple scanners (which should be
> possible if I understand bug 393305 correctly) the user should be able to
> select one (or even more) of them.
> The user should also be able to select a custom application for scanners
> which don't use the API.

I agree with Shawn that custom applications should implement the Windows API. It's not terribly difficult to do so and there is some sample code (though it's written in Pascal/Delphi) floating around somewhere. I don't want to have to maintain a Firefox anti-virus API; we have enough APIs to maintain as is.

> a) it is very slow

We run the scan in a separate thread to help alleviate this problem. 

> b) they want to select their prefereed scanner if multiple ones are installed

Having multiple anti virus providers is a dangerous thing, just like multiple firewalls (even firewalls and anti virus providers don't always play nicely). This is probably a rare condition (save for Windows Defender on Vista which doesn't seem to detect viruses, only spyware). If the user really does have a preferred scanner, then why do they have others? (ok, they could be paranoid)

> c) the scanner reports a false positive

The user has a poor scanner then. If they know this, then they should upgrade. If they don't know this, then I'm not sure they'd know to disable scanning anyways (even if we allowed it). It's also likely that the anti-virus scanner would be scanning all new files anyways (I know mine does), so even if Firefox didn't tell the scanner about the file, it would find it anyways.

> d) the scanner doesn't work/hangs/crashes Firefox/etc.

The scanner cannot hang Firefox except possibly during shutdown. If the scanner doesn't work, then that's really not something we can deal with. The user ought to know that and get a better scanner. There may be some COM tricks we can do to prevent crashes, I'm not sure.

(In reply to comment #2)
> In my opinion it's not the anti virus scanner who wants to participiate, but
> Firefox who wants to use the scanner. 

Firefox is not the only application who wants to use the scanner; nearly every MS Office product uses the same interface.

> 
> But even if you decide, that the user should not be able to select a custom
> scanner (which could be implemented as an extension, too), the user should at
> least be able to disable scanning.
> 

What kind of virus scanner would be implemented as an extension? Also, allowing users to disable scanning is very dangerous to their security.
(In reply to comment #3)

> What kind of virus scanner would be implemented as an extension? Also, allowing
> users to disable scanning is very dangerous to their security.

I meant the ability to select a custom scanner could be implemented as extension.

And allowing users to disable scanning is not very dangerous. Many advanced users don't even use a antivirus scanner.
Blocks: 103487
No longer depends on: 103487
>In my opinion we need UI to disable antivirus scanning..

I'd just note IE7 does not offer this option. If users have spyware/virus scanners installed, they can disable scanning by uninstalling those programs. Otherwise we should do the right thing and scan. 

>... and also allow the user to select a scanner.

If I remember correctly from testing in bug 103487, there was no way to get a proper vendor string for display from the scanner clsid list. So that might create a problem in offering the user the option of choosing.

From bug 103487's testing, Defender only took a split second or two on large files, and Norton was only taking 5-7 seconds on 80MB+ files. That was in a VMWare image too so I don't see why the delay would be much of a problem to users.
 
WONTFIXing this per comment 5, and comment 3.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Duplicate of this bug: 412094
Duplicate of this bug: 418988
Product: Firefox → Toolkit
Duplicate of this bug: 459594
You need to log in before you can comment on or make changes to this bug.