Closed Bug 427258 Opened 16 years ago Closed 11 years ago

Any downloaded file is immediately deleted if AV integration settings are incomplete

Categories

(Toolkit :: Downloads API, defect)

Product:
Toolkit
Component:
Downloads API
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: pekka, Unassigned)

Details

(Keywords: qawanted) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

Whenever I download a file, the download seems to go OK: *.part is created, the 0byte-placeholder file is created, and the download progresses normally.
However, right after the download is done, both the .part and the file itself are deleted. Download manager seems happy with the successful download.
If I right-click the file entry in the download manager, "Open" is grayed out and "Open Containing Folder" always opens my home directory, no matter where I'd saved the file. This happens with any file type and download origin/save path, I've tried several combinations.

I have enough diskspace (a good 12GB free), and I am absolutely sure no other program is intercepting the file saving (I don't use antiviruses or personal firewalls or any other type of program that would hook file calls), and disabling or even uninstalling all firefox add-ons does not help.

Reproducible: Always

Steps to Reproduce:
1. For me, I just download a file.
Actual Results:  
The file got deleted, as descripted.

Expected Results:  
It should not have deleted the file after the download.

My OS is a normal and up-to-date Windows Vista x86 Home Premium. I'm running with admin privileges, and UAC is disabled.
What does the Download Manager say?  Does it say the download completed successfully, or is there an error?

To verify that a virus scanner isn't doing it, go to about:config and try turning off this preference: browser.download.manager.scanWhenDone

Also, see if it happens regardless of the file type (zip, exe, pdf, etc) and regardless of where you save the file on the hard disk.

This sounds like bug 416683, which was fixed in beta 5.
Version: unspecified → Trunk
I thought this was bug 427008, but you say it gets deleted on completion.  That sounds a lot like bug 416683, but that was fixed with beta 5.  So...is this for all files?
(In reply to comment #1)
> What does the Download Manager say?  Does it say the download completed
> successfully, or is there an error?
It completes successfully, as said in the original report.

> To verify that a virus scanner isn't doing it, go to about:config and try
> turning off this preference: browser.download.manager.scanWhenDone
As said, I do not have any kind of antivirus software installed.
By setting browser.download.manager.scanWhenDone, which apparently defaulted to true, to false, the problem went away.

> Also, see if it happens regardless of the file type (zip, exe, pdf, etc) and
> regardless of where you save the file on the hard disk.
As said in the original report, it happens to all file types and regardless of where I download from, and where I select to save the file to.


(In reply to comment #2)
> So...is this for all files?
Yes.
Version: Trunk → unspecified
If browser.download.manager.scanWhenDone fixed it, than a virus scanner is the problem.  Do you have any virus scanning or security software installed, but disabled?  Or did you have any installed that you have since uninstalled?

If you don't have any security software, it could be malicious software (such as spyware) intercepting downloaded files.  In any case, it seems that this is a problem with your system after Firefox notifies Windows that a file has just been downloaded.
(In reply to comment #4)
> Do you have any virus scanning or security software installed, but
> disabled?  Or did you have any installed that you have since uninstalled?
I haven't had any virus scanning or security software installed at any point.

> If you don't have any security software, it could be malicious software (such
> as spyware) intercepting downloaded files.
I am absolutely positive no malicious software, or anything that would intercept file operations, is installed on my machine. I use kernel-level tools to hand-check my system, and have a hardware firewall.

> In any case, it seems that this is a problem with your system after Firefox
> notifies Windows that a file has just been downloaded.
I don't have any security components installed - I've deactivated and removed the whole security center "feature" too.
I don't know how the security API used by this feature works, but if something else than firefox is deleting the files, then it's windows, and that would be kind of weird (?)
In any case, if the outcome of the "scan-when-done" feature is this random, then I think it should be a lot more carefully configurable (and definitely not a default!)
You are on Vista, so it's likely that windows defender is doing this.  Still odd though, because if it does something to the file, we should know and mark the download as blocked in the download manager UI.
(In reply to comment #6)
> You are on Vista, so it's likely that windows defender is doing this.
I don't have windows defender, I've deleted it, as well as any other such components. Also, all files are being deleted - png, pdf, jpg, exe. I think the problem is exactly that there is no security component.
Can you run the performance reporting program (https://bugzilla.mozilla.org/show_bug.cgi?id=415005) and see if it deletes files too? It closely mimics what the download manager does and it will also tell you if you have installed AV scanners.
(In reply to comment #8)
> Can you run the performance reporting program
> (https://bugzilla.mozilla.org/show_bug.cgi?id=415005) and see if it deletes
> files too? It closely mimics what the download manager does and it will also
> tell you if you have installed AV scanners.
> 

It crashes right away.
Well, not right away, I should've been more precise. It crashes after printing a GUID, and never creates any files. Exception code is c0000005 (or 0000179e, not exactly sure since the crash dialog's translations don't really make sense):
  Vikamoduulin nimi:	ScannerTimer.exe
  Vikamoduulin versio:	0.0.0.0
  Vikamoduulin aikaleima:	47a6a28d
  Poikkeuskoodi:	c0000005
  Poikkeuksen poikkeama:	0000179e
What GUID does it print? If it's printing a GUID, then you have an antivirus scanner that is registered. If it's crashing then that scanner is probably not registered right or is buggy. In that case, firefox is catching the crash and reporting it as a failed scan (after trying to clean up), so the download should be set to the finished state. The fact that you are on Vista and yet don't have the IAttachmentExecute interface available is entirely unexpected. It's possible that the AV scanner (which we may be able to identify once we have the GUID) is not handling that well.
(In reply to comment #11)
> It's possible that the AV scanner (which we may be able to identify once we
> have the GUID) is not handling that well.
The AV scanner that doesn't exist, you mean. It's probably windows defender, which I don't have any more, I've deleted it, as well as disabled any security services. I think I've repeated that in every message so far.

{ 0x2781761e, 0x28e0, 0x4109, {0x99, 0xfe, 0xb9, 0xd1, 0x27, 0xc5, 0x7a, 0xfe} }

I know this is caused by what I've done, but still, if at all possible with the security interface, I think an unexpected condition like this should be handled better. I'll say one more time that there is no AV, and no malware, and the file deletion is not caused by a third party. I can get proof of this with filemon and process explorer if that's what it takes.
Right, I wasn't doubting that you'd removed it, just that it was removed properly. There's registry key you can delete to probably avoid this behavior entirely if you'd like.

Without having a machine to debug this on, it's hard to know where the point of failure is. It could be in the call to create the scanner, the scan itself, the cleanup of the scanner or the cleanup of COM. What steps did you take to remove the security center?
(In reply to comment #13)
> Without having a machine to debug this on, it's hard to know where the point of
> failure is. It could be in the call to create the scanner, the scan itself, the
> cleanup of the scanner or the cleanup of COM.
I can compile and debug the performance tester if you'd like, if it doesn't need any special SDKs or headers. I'm on VC++ 2005 with vista platform headers.

> What steps did you take to remove the security center?
I've deleted the relevant files in safe mode, and disabled the firewall svc.

(In reply to comment #14)
> (In reply to comment #13)
> > Without having a machine to debug this on, it's hard to know where the point of
> > failure is. It could be in the call to create the scanner, the scan itself, the
> > cleanup of the scanner or the cleanup of COM.
> I can compile and debug the performance tester if you'd like, if it doesn't
> need any special SDKs or headers. I'm on VC++ 2005 with vista platform headers.

It really has to be firefox actually. There's a lot of extra code to handle the crashes that the performance tester program gets and there's some side effect of the crash that is deleting your download.

> 
> > What steps did you take to remove the security center?
> I've deleted the relevant files in safe mode, and disabled the firewall svc.
> 

What are the relevant files? Unless I'm mistaken, the security center is a part of the OS that is not meant to be removed. Also, how did you remove Windows Defender? There is clearly some stuff left over which seems to be causing your problem.


(In reply to comment #15)
> What are the relevant files? Unless I'm mistaken, the security center is a part
> of the OS that is not meant to be removed. Also, how did you remove Windows
> Defender? There is clearly some stuff left over which seems to be causing your
> problem.
I honestly cannot remember, I did this when I had just installed the OS. But yeah, it was not a standard way of removing those parts, because there is no standard way to do so, as they're not meant to be removed. Windows defender is a clearly external component though, I think it resided in program files.
There's still a "Launch windows defender" link in my control panel's "security" section, but clicking it gives me the GUID and says "component not found". I couldn't find the GUID in the registry though, can you point me to the correct place?

Also, I guess I could set up the whole firefox build environment, if there's no other way..
In HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} there is a key/folder named Implemented Categories. Inside that folder is a GUID that starts with {56FFCC30...}. Deleting that folder should keep defender from being enumerated as an AV scanner.
fwiw, i believe we should fix this. whether we choose to give a detailed message to users that their scanner is misconfigured may be optional, but we really shouldn't assume that paths like these are in fully working order.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Thanks for the reg key. Although now that the problem doesn't occur, I can't debug it either.
I agree with timeless - If possible at all, something like this should be handled better. I for one wouldnt've had any idea what's going on if you hadn't pointed me to the auto-av feature (which I didn't even know about - is it a good idea to default to "true"..?)
(In reply to comment #19)
> I agree with timeless - If possible at all, something like this should be
> handled better. I for one wouldnt've had any idea what's going on if you hadn't
> pointed me to the auto-av feature (which I didn't even know about - is it a
> good idea to default to "true"..?)
Yes, it's a good idea.  Most users won't run into the issues that you hit.  I'm concerned that we didn't handle the error well, but at the same time, looking at the code I don't know how that result came about.
it should be possible to use regmon http://www.microsoft.com/technet/sysinternals/processesandthreads/regmon.mspx to get a log of all the keys/values used from a working system.

in order to make this *interesting*, you should try to create a nearly identical set of keys with your own ids, but do them one at a time, building .reg or .inf files which can be imported/removed in order to establish each state. find out what works or breaks at each point. document it.

ideally automated testing can then install/remove each .inf file and verify that things are well handled.
Keywords: qawanted
Summary: Any downloaded file is immediately deleted → Any downloaded file is immediately deleted if AV integration settings are incomplete
Product: Firefox → Toolkit
Same problem upon "Save Attachment" with Tb 3.0.4 on Windows Vista was reported to a forum in Japan. Phenomenon was "file size=ZERO even though successful save". And, browser.download.manager.scanWhenDone=false was effective workaround of the Tb3's problem. In his case, he doesn't use Firefox(he uses Netscape and some others as Web browser because business use), so he experienced this bug with Tb 3.0.4 after upgrade from Tb 2.0.x because Tb 3.0 started to use same Download Manager as Fx3.

browser.download.manager.scanWhenDone(default is true) was introduced by bug 412204.
browser.download.manager.scanWhenDone=tre should be ignored if Virus Scanner is not enabled on System.
Can anyone still reproduce this issue?

Removing qawanted since the tool specified in comment 21 is not longer available. If there is still a need for qa here, please re-add the keyword and specify what is needed.
Keywords: qawanted
This appears to still be a major issue.  I downloaded first FF standalone portable ESR 24.1.1 from portable apps; then Comodo portable, then even installed FF ESR 24.1.1.  The same thing happened each time.  It kept deleting everything I downloaded.  I have no AV installed; preferring to use sandboxes, behavior watchers, and HOSTS files with known malware instead.  The following is another recent user who had the same problem:

https://support.mozilla.org/en-US/questions/946286

I am using Win7 32-bit.  I suggest making sure it works with no antivirus installed.
BTW: browser.download.manager.scanWhenDone=false also fixed my problem.
I've got further insight on this.  I don't usually use IE, but I tried downloading something it by accident.  IT popped a message saying that the antivirus scanning detected the file as infected; and it has been deleted.  It turned out I had a ZeroAccess variant that I was only halfway through cleaning up; and the Windows Defender service, as well as Win Updates, Firewall, and some other stuff had been turned off.  After the cleanup, I ran tweaking.com's Windows Repair, and I can now download stuff without it getting deleted.  This is a widespread malware; not long ago infecting some 15% of US IP's.

I believe the real fix then, is to make FF pop up a message when the AV scanner reports it as infected, before it is deleted.  It may be more helpful yet, to mention that some malware can turn off the AV scanner, and make it reported as infected, even when it is not.
Marking as Wontfix per bug 415005 comment 43:
the download scanner will be removed entirely: https://mail.mozilla.org/pipermail/firefox-dev/2013-August/000848.html
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.