Open Bug 425946 Opened 12 years ago Updated 5 years ago
Downloaded files deleted after download completes (anti-virus)
| Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b5pre) | Gecko/2008032605 Minefield/3.0b5pre | on Windows 2003 Server Issue: Unable to download files from sourceforge !!! It looks like, "AFTER" Firefox download a file from sourceforge the file disappears / get blocked. And dont see any more hind on what to do. On IE7 in this case we will get a prompt to add the sourceforge MIRROR site to trusted list, then user will be able to download file. Once we add the MIRROR site to trusted list off IE7, even on Firefox you can download file from same MIRROR site. But on next visit sourceforge will keep switching MIRROR site and user will end up with same situation. I assume this is happening because firefox is using Microsoft malware detection facility for virus scan. If so we may want to get an override option when virus scanner is not reliable/ saying result is unsure. PS: in the attachment block.png you will see I was able to download WinSCP after adding mirror to TRUSTED list. But the next download of 7-Zip from another mirror site it is blocked again.
why do you don't disable the Microsoft mailware scanner ?
(In reply to comment #1) > why do you don't disable the Microsoft mailware scanner ? 1. I dont see any option on GUI to disable/enable it. 2. I believe it will have some use. Wish there is a solution for this in Firefox because IE7 provide one.
Hmm, Bug 416683 should have made it so we do not download the whole file before marking it as blocked... Jim - thought's on what's up?
This isn't related to bug 416683, that was specific to data: schemes. "On IE7 in this case we will get a prompt to add the sourceforge MIRROR site to trusted list, then user will be able to download file. Once we add the MIRROR site to trusted list off IE7, even on Firefox you can download file from same MIRROR site." This makes sense. With bug 408153 we now tie into the security zone stuff in Windows, but we don't have a UI for moving sites from one security zone to another. Users can use the "Internet Options" panel in Control Panel to do that. This circles back around to the original discussions we had about using IAttachementExecute. The download manager is at the mercy of what was up until now IE specific security related settings. I imagine we'll hear more complaints about stuff like this, and about the meta data stuff that gets added to downloads now. Some user's probably won't appreciate us being so "windows conformist" (if that makes sense). We may have to solve the problem of making it simple for users to manage security zone setting without bringing up windows UIs that display the security stuff along with a bunch of IE specific settings. Whatever that solution is though it won't be landing in Fx3. The good news is, this has been in Fx since bug 408153 landed and we've received minimal complaints.
(In reply to comment #4) > The good news is, this has been in Fx since bug 408153 landed and we've > received minimal complaints. Because * not an issue on default WinXP settings * not many users use Windows 2003 server * not an issue for ftp.mozilla.org * issue only on default Win2003 server settings for sourceforge site. * everyday Win2003 users dont download exe files * many times Win2003 users have another PC / boot partition. Then first few times when it happens you BLAME THE WEBSITE !!! That what I did when it happened few weeks ago and I used USB Disk to transfer file as work arround.
(In reply to comment #4) > Whatever that solution is > though it won't be landing in Fx3. So for Fx3, can we get a about:config setting to disable Firefox using IAttachementExecute or equivalent?
yes I'm going to add a pref. I'll post it here when it's finished.
(In reply to comment #4) > The good news is, this has been in Fx since bug 408153 landed and we've > received minimal complaints. So I will do a little complaining ;-) In general I think it's not a solution, that FF users have to go to internet options panel, to to security sites and type in the site again. The bad thing, that happen often, when you are downloading from a popup window, where address bar is hidden, you have to guess the location you want to allow. Or just think about these download farms of software sites like 'pcwelt.de' or whatnot. When I got my 'first blocked file', I was some kind of shocked, cause I don't see any relations between IE and FF. And additionally I don't want to have any relations between these two. When reading all the related bugs here, it seams to me, that there will be no way back. But just making a switch, somewhere in about:config is not an option IMHO. I propose, there should be a "real" switch in the preferences dialog for dis/enable 'advanced security checks for downloading files (using windows zones configuration)'. Second, in the download dialog, should be an option in context menu of blocked files, like 'I'm sure about the risk, download this blocked content.'. Cause, I don't want to add every site into my exclude or trusted site list only because I've just want to download one file once in my life from this specific server. So summarized I want to say, please make the usage of this zones stuff much more user friendly or deactivate by default. Regards Martin
> * not many users use Windows 2003 server OK, thats true. But I'm one of them. > * not an issue for ftp.mozilla.org Why? This is not a default site in trusted sites list. > * issue only on default Win2003 server settings for sourceforge site. As an admin I'm using Win2003. > * everyday Win2003 users dont download exe files This is somehow not true. As a developer my download folder contains ~150 files, mostly related from my daily usage tools or other developer related stuff. There are ~46% executables (exe, msi), ~45% packed (zip, gz, bz2, rar) and some others (htm, iso ...). > * many times Win2003 users have another PC / boot partition. What's that? I don't want to switch into another OS just for downloading files. Nor boot another OS. > Then first few times when it happens you BLAME THE WEBSITE !!! Not true. I'm using Firefox/Mozilla for years and have my IE blocked everything. When switching to FF3 beta5, it was 100% clear, the not www.totalcommander.com is blocking my download, but FF. > That what I did when it happened few weeks ago and I used USB Disk to transfer > file as work arround. Sorry man, this is not an option. I don't want to sacrifice myself. I want 'Firefox - rediscover the web' ;-) To me, this new behavior is a big cut into my freedom to stay away from IE. I like my IE have blocked everything, cause to many applications are using an 'IE Control' to manage there update stuff or whatnot. If you would have to manage a big SAP customer site, you would know what I mean ;-) Regards Martin
Erm, did someone clobber a post with a mid-air collision? (In reply to comment #4) > The good news is, this has been in Fx since bug 408153 landed and we've > received minimal complaints. > Um, have you seen MozillaZine  lately? ;) It's really the landing of bug 430566 that really triggered problems, and as you know, that was very recent. The big problem here isn't with virus scanning, but with the Windows execution policy. If a zone's attachment execution policy is set to disable execution, not only does it prohibit execution, it also prohibits the *download* of executables. This makes sense, of course, since if an IT administrator is really worried about people running files from the Internet, then it's necessary to also close the "save to Desktop and then run" loophole. Since we weren't checking policy correctly until bug 430566 landed, we haven't been able to collect feedback from users about this new adherence to security zone policies until only about a week before the RC1 freeze. Here are the problems that I see: 1) Win2K3's default IE lockdown mode prohibits the download/execution of executables. I didn't even realize this until a friend IMed me the other day to express his anger over the new Firefox behavior causing him to jump through hoops on a server that he operates. 2) The security settings talk about disabling execution, but it doesn't say that it also disables downloads. That one necessitates the other is not obvious to most people. This is a fault with Microsoft's wording, of course, but the reactions that I've seen so far indicate the blame gets channeled towards Firefox. 3) There are websites that have issued poor advice based on the (false) assumptions that disabling execution will somehow make IE safer (it doesn't) and that 3rd-party browsers will continue to ignore system security settings (which Firefox no longer does), and these websites having telling people to disable attachment execution, and now people are failing to download executables and don't know why (and this ties in with #2). I think that new the behavior is correct, but there is a lot of frustration over this, and I think that it would be good if it's easier for users to change the setting and/or if users could be educated about what is going on here.  http://forums.mozillazine.org/viewtopic.php?t=645496
(In reply to comment #10) > ... > I think that new the behavior is correct, but there is a lot of frustration > over this, and I think that it would be good if it's easier for users to change > the setting and/or if users could be educated about what is going on here. I fully agree, that respecting such security stuff is a good thing. But also it should be easy the configure that. And not jumping down up to ten extras -> preferences -> internet options -> connection -> network -> advanced -> expert mode -> security -> more -> ... Personally I think, educating users is a fight you will never win. <joke> Each time you think you find the greatest idiot, god (and or evolution) proves that you are wrong. See http://www.southparkstudios.com/episodes/166179 if you don't believe ;-) </joke> Even in software development there is a rule: Don't repeat yourself. And I also map this to my browsing experience. I mean, going somewhere to download a trail version of an app I'm interested in, clicking through a 10 pages wizard, to end up, that the file gets blocked is somehow not nice. But if I have to create somewhere else (deep hidden in settings) an exception rules to make this wizard again is frustrating. What I want to say: There should be disable button for this feature ;-) Regards Martin
> What I want to say: There should be disable button for this feature ;-) We have not had many complaints yet about virus scans doing strange things, but a hidden pref would make debugging simpler. I think that's going to be the simplest solution.
Biju, I just discovered we do have a virus disable pref in the code - browser.download.manager.scanWhenDone Setting this to false may fix your problem. If not, then it's something unrelated to virus scanning, or it's related to a check policy call which ignores this pref. I'll be posting a patch for that here in a bit.
This ties the initial call to CheckPolicy with the scanWhenDone pref.
Comment on attachment 327821 [details] [diff] [review] checkpolicy pref shunt patch v.1 I don't like the idea of giving the users the ability to disable policy checking. We finally became more IT friendly by honoring these settings, and now we are going to give users a way to workaround what IT departments have setup? Please let me know if I misunderstand the implications of this patch.
Attachment #327821 - Flags: review?(sdwilsh) → review-
> I don't like the idea of giving the users the ability to disable policy > checking. We finally became more IT friendly by honoring these settings, and > now we are going to give users a way to workaround what IT departments have > setup? Please let me know if I misunderstand the implications of this patch. Well, scanWhenDone disables the final policy check. This little chunk of code was a stop gap to catch downloads before they start. I agree with what your saying, and so far, we haven't had numerous complaints, but we have had a few. There is the option of pref locking for corporate environs if needed which could prevent those users from disabling this. This was more for average users who run into trouble on os's that set that exe download restriction flag by default.
Hmm, we have pref locking? I was unaware of this. Are there docs on it?
Yeah Mike mentioned this to me recently since we'll be doing more work for corp environs in the future. http://kb.mozillazine.org/Locking_preferences
Hrm, that looks like it's still easy to get around - all someone has to do is modify all.js.
Ok, lets let it set here for a while and see what kind of feedback we get. We have it if we need it.
(In reply to comment #20) > Ok, lets let it set here for a while and see what kind of feedback we get. We > have it if we need it. > I think you do want to address this. Mozillazine has more than a few posts about this. There are over 57000 entries in google for the error message lookup and mozilla is the top page of results. I disagree about the whole internet zone thing and mozilla. There is a difference between internet zones and whole operating system security zone settings but in Windows and IE we don't have that option. For FF3 to buy into this option means FF3 has bought into the whole security shambles that M$ have with IE being part of the integrated OS. You either have an unworkable experience (vis-a-vis adding a zillion sites to trusted sites areas re the discussion over source forge above) or you have to lower security for your entire OS. My complaint can be seen here http://forums.mozillazine.org/viewtopic.php?f=38&t=673575&p=3791075#p3791075 I wouldn't sit on your hands re this. As a security specialist / virusbuster type supplier I will not be recommending FF3 until I can leave the security settings for IE high without crippling FF. I am currently repartitioning my brand new acer laptop to allow me to run linux as my refereed os just because I will not downgrade my security and with FF crippled I am ready to throw the entire system through a window as three hours of effort later I am finaly out of options on how to get a decent web experience for downloading the tools, patches and dev software I need off the net without crazy work arounds. Regards, Shane
(In reply to comment #19) > Hrm, that looks like it's still easy to get around - all someone has to do is > modify all.js. > But all.js exists under Program Files. If someone has write access to that part of the system in the first place, then any form of administrative lockdown would be moot.
>You either have an unworkable >experience (vis-a-vis adding a zillion sites to trusted sites areas re the >discussion over source forge above) or you have to lower security for your >entire OS. Shane, what os and environment are you using? Obviously this is not an issue for a very large majority of users who have already downloaded Fx3 so far. I'm guessing this may be related to some sort of zone setting that if turned off, would eliminate the problems you're seeing for all sites.
I think he's trying to lock down IE but let Firefox "roam free".
>http://forums.mozillazine.org/viewtopic.php?f=38&t=673575&st=0&sk=t&sd=a I'm still going through these but so far most have the same issue with IE. I'm guessing either they are in a corporate environment where these settings have been set by admin policy, or they are users who locked down IE at some point due to security concerns with that browser. But now that we respect those settings, they run into problems downloading files. I understand the frustration, especially in the second case. I'm torn though on how to deal with it. I agree with Shawn that we should respect these settings, especially in corporate environments. But I also think it sucks that we have tied Fx3 closer to settings that are perceived to be IE specific.
So if there's pref locking, can we add a pref to disable relying on the system settings and ship with the system integration disabled as the default?
>So if there's pref locking, can we add a pref to disable relying on the system >settings and ship with the system integration disabled as the default? Well virus scanning and security policy settings are connected through the same call (the attachement execute interface). The patch above is a quick fix that uses scanWhenDone as the pref. If we decide to add this, we might consider seperating these out. We'd have to do some work in the virus scanning code to fall back on the old virus scan interface and not use IAE when this new security policy opt out pref was set. Although, that sort of kills any additional security we get from IAE related to virus scanning.
Under some circumstances even administrators are not able to access the appropriate controls from the Control Panel. Some users are also having to **install or reinstall IE7** to get this to work. See http://kb.mozillazine.org/Unable_to_save_or_download_files#Reset_system_Internet_security_settings_-_Windows . If this bug just provides a workaround and does not cleanly fix the problem, then maybe there needs to be a separate bug report.
Some aidditional information from some admin folks at MS on where this setting is in the registry and how to manage it and edit it manually - http://blogs.technet.com/askperf/archive/2007/11/27/managing-the-launching-applications-and-unsafe-files-setting.aspx
Spun off bug 445158 for discussions related to adding a pref to firefox that controls this setting.
(In reply to comment #29) Thanks. This information has been added to the Knowledge Base article. See http://forums.mozillazine.org/viewtopic.php?p=3846715#p3846715 . It's looking like this is a Windows bug.
For what it's worth, I am told that uninstalling IE7 can cause the needed Windows UI to disappear. See http://forums.mozillazine.org/viewtopic.php?p=3847825#p3847825 . Unfair but apparently true. Sorry if this has been covered before.
Yes I'[m seeing a lot of that too. Apparently a bug in their uninstall, or maybe they just didn't care.
Summary: [RFE] Ask user what to do when virus scan result is not reliable. → Downloaded files blocked due to lack of security zone rights
Just trying to keep things organized - this bug is specific to the lack of UI related to manipulating sites in security zones. There are other bugs (linked to the parent) that relate to other issues revolving around virus scanning and security zone policy.
Hi, Two things to cover here. We are running XP and Vista (SP 2 and 1 and 3). We have hardened our PCs by putting the windows IE settings to high to stop active x running. This cripples FF3. Again IE is not the operating system. We users of FF should no more obey IEs zone settings (after the initial import maybe) than we should continually update cookies, history, forms history, password listings and caches from IE after the initial FF setup. IE does not equal the operating system despite microsofts inisitence on tieing the two together. Second. We have serviced over 300 machines in the last 6 months with spyware / malware or viruses on them. The majority were virused via internet explorer (6 and 7) via active X/ We hardened the machines by pushing the Internet Zone to high to stop active X running (except for a few selected sites put in the trusted zone). We have had no hardened machines returned for rework re viruses or spyware in that time. We did change their browsers to FF2 as part of the safety upgrade. However we can no longer do that with FF3. Either the users have to add tons of sites to their trusted zone or we have to de-harden IE making it (and the operating system) vulnerable. We are currently sticking with FF2 for customers and testing opera if we can get no resolution. Please please please remove that setting. IE IS NOT THE OPERATING SYSTEM!! DONT treat it as such - please!!!!!!!!!!!!
(In reply to comment #23) > >You either have an unworkable > >experience (vis-a-vis adding a zillion sites to trusted sites areas re the > >discussion over source forge above) or you have to lower security for your > >entire OS. > > Shane, what os and environment are you using? Obviously this is not an issue > for a very large majority of users who have already downloaded Fx3 so far. I'm > guessing this may be related to some sort of zone setting that if turned off, > would eliminate the problems you're seeing for all sites. > IE zone is set to high - this is to stop Active X running. 99% or higher of the 300 virused machines we worked on in the last 6 months were hit via activeX , mostly from websites. at the moment the Zlob / Smitfraud type viri / spyware are the most prevalent and troublesome. New version came out last week and it is a complete sod to remove. These get in via infected or malicious web sites. The sites people are being infected by are not mostly porn or gaming or haxor sites as was the case in the past, we get a lot of 'porn free' pcs belonging to older people (not just teens and horny males) who have not been near porn and haxor sites. Stdies suggest over 3% of all google search returns link to bad sites. Most of that is activeX based that runs in IE and not FF. To lower IE's internet zone from high is to invite infection. To not do it cripples FF3. HTH Shane
(In reply to comment #33) > Yes I'[m seeing a lot of that too. Apparently a bug in their uninstall, or > maybe they just didn't care. > probably a tie in to their com / ole / activeX shared stuff on a PC. Uninstalling the IE removes some quite critical dlls and ocx etc files which are used through out the OS. While reverting the fiels should be a part of the uninstall MS sees IE as part of the operating system. IE, Windows Explorer and the Desktop are the same base executable structure. You cannot affect one without affecting the others. That's what the anti trust stuff of netscape verses Microsoft was all about. We are now facin a second round (or third, fourth, millionth) of the same tie in issue.
You can fine tune the internet settings to disallow ActiveX but enable file downloads. Does that help to solve your problem? If you want to disallow users to run IE altogether, I think that you can simple remove the appropriate permissions from the executable.
>We are running XP and Vista (SP 2 and 1 and 3). We have hardened our PCs by >putting the windows IE settings to high to stop active x running. This cripples >FF3. Again IE is not the operating system. What are the specifics of this crippling? Setting the security zone level to high should not be preventing Fx from accessing a web site. We do not honor trusted, untrusted, intranet related settings as it relates to what sites Fx will display. The setting we honor relates only to file downloads. Can you give some more details on the problems you are seeing in Fx?
When you p(In reply to comment #39) > >We are running XP and Vista (SP 2 and 1 and 3). We have hardened our PCs by > >putting the windows IE settings to high to stop active x running. This cripples > >FF3. Again IE is not the operating system. > > What are the specifics of this crippling? Setting the security zone level to > high should not be preventing Fx from accessing a web site. We do not honor > trusted, untrusted, intranet related settings as it relates to what sites Fx > will display. The setting we honor relates only to file downloads. Can you give > some more details on the problems you are seeing in Fx? > Basically we set the internet zone to high, or some where between medium high and high. We then set the trusted zone to allow eset.com, microsoft.com, windowsupdate.com and airnewzealand as trusted sites (medium level). In FF3 the downloads start and then fail very early on or it completes and then the file does not exist after download is completed. We also get the "This download has been blocked by your security zone policy" message. HTH, Shane
In my opinion, it's wrong to follow Internet Explorer's download policies in Firefox 3 - it's not Windows' setting, but Internet Explorer's one, otherwise it would be enforced automatically by the system. The Security Zone policies are and should be IE-specific - we can implement something similar in Firefox, but it shouldn't depend on IE's setting. (The title of the window, "Internet Options" is misleading, as it implies that Internet = Internet Explorer. Don't be fooled by it!) Another "IE integration" bug I have noticed: When I download an executable file with Firefox, and press the Open button, I get a warning from Firefox that it might be a virus. I can dismiss, or even disable this warning, but then IE's (not Windows', as it's clearly due to the IE/Windows Explorer integration) warning message also pops up - and that one can't be disabled. One message is a warning - two messages are a nag.
> I can dismiss, or even disable this warning, but then IE's > (not Windows', as it's clearly due to the IE/Windows Explorer integration) > warning message also pops up - and that one can't be disabled. One message is > warning - two messages are a nag. Good note. We are aware of this and have a patch. It didn't get blocking 3.1 status but it will land at some point. (bug 426544)
(In reply to comment #41) > IE's > (not Windows', as it's clearly due to the IE/Windows Explorer integration) > warning message also pops up - and that one can't be disabled. > This warning comes from saving in the NTFS ADS for the file information about the origin of the file. This can be disabled with twiddling in the group policy. And this warning is probably the most non-IE-specific of them all. If, for example, you copied a file in Windows Explorer over the network from a destination that was classified as "Internet" instead of "Local Intranet", you'd get the same sort of warning. FWIW, other apps, such as Google Talk will also save the origin info in the ADS and file transfers done over GT will give you the same warning when you try to execute them.
>Basically we set the internet zone to high, or some where between medium high >and high. We then set the trusted zone to allow eset.com, microsoft.com, >windowsupdate.com and airnewzealand as trusted sites (medium level). Ok, and the types of files you have trouble with, are these all exe's and msi's and the like, or are you seeing problems with other types of files? (zips, txt, png, etc..)
Shane - >We also get the "This download has been blocked by your security zone policy" >message. Is this the only message you are seeing? The original author of this bug was running into trouble after the download completed. The message they received was "Blocked: Download may contain virus or spyware - xyz.com". We may need to split this off again into another bug as I think we are potentially dealing with two different issues.
Kai Liu - >FWIW, other apps, such as Google Talk will >also save the origin info in the ADS and file transfers done over GT will give >you the same warning when you try to execute them. Do you know if GT also supports the download executable content restriction on attachements?
(In reply to comment #45) > Shane - > > >We also get the "This download has been blocked by your security zone policy" > >message. > > Is this the only message you are seeing? The original author of this bug was > running into trouble after the download completed. The message they received > was "Blocked: Download may contain virus or spyware - xyz.com". > > We may need to split this off again into another bug as I think we are > potentially dealing with two different issues. > The error message changed from Fx3Beta5 to Fx3RC1. See my post here: http://forums.mozillazine.org/viewtopic.php?p=3372750#p3372750 Posted 16 May 2008 07:42 am Quote: I just updated to Firefox 3 RC1 on Windows XP sp2: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0 I still get an error downloading executable files if Launching applications and unsafe files (under Internet Options, Internet Zone, Miscellaneous) is set to "Disabled". With Fx3 RC1 the error message is: "This download has been blocked by your Security Zone Policy" The Fx3 Beta 5 error message was: "Blocked: Download may contain a virus or spyware" Documented here: http://kb.mozillazine.org/Unable_to_save_or_download_files#Reset_system_Internet_security_settings_-_Windows --- From http://kb.mozillazine.org/index.php?title=Unable_to_save_or_download_files&oldid=36496 Revision as of 06:21, 16 May 2008 Quote: Reset system Internet security settings - Windows Starting in Firefox 3: When you attempt to download an executable file (e.g., an .exe or .msi file) you may see a Firefox Downloads window showing an error under the filename with the message, "Blocked: Download may contain a virus or spyware" (Firefox 3 Beta 5) or "This download has been blocked by your Security Zone Policy" (Firefox 3 RC1) . This issue does not occur in Firefox 2 or earlier. Image: http://kb.mozillazine.org/image:Fx3exeDLblocked.png (Fx3Beta5) Image: http://kb.mozillazine.org/Image:Fx3exeBlocked.png (Fx3RC1)
Summary: Downloaded files blocked due to lack of security zone rights → Downloaded files deleted after download completes (anti-virus)
Doesn't really meet the "wanted" criteria (security, stability, regression from maintenance release) for 1.9.0.x. However, we'll look at a reviewed and baked patch.
Flags: wanted1.9.0.x? → wanted1.9.0.x-
This isn't coming up enough to warrant blocking status.
Flags: blocking1.9.1? → blocking1.9.1-
so people have this problem since 2008 uh up !
You need to log in before you can comment on or make changes to this bug.