Closed Bug 520925 Opened 16 years ago Closed 16 years ago

AVG reporting virus when user tries to download Firefox

Categories

(mozilla.org :: FTP: Mirrors, task)

Product:
mozilla.org
Component:
FTP: Mirrors
Platform:
x86
macOS
Type:
task
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 520895

People

(Reporter: rbango, Assigned: justdave)

References

Details

Attachments

(2 files)

Firefox AVG threat message screenshot
166.79 KB, image/jpeg
Details
Fiddler dump screenshot
167.49 KB, image/jpeg
Details
Got an email from a person trying to download Firefox. It seems that AVG is detecting some form of threat when he tries to download the file. See attached screenshot. Here's the email from the user: "I just went there again, this time being sure to navigate from mozilla.org to the firefox link there (which redirects to what I just typed in before: www.firefox.com => www.mozilla.com/en-US/etc...). Same thing. I've attached a screen cap for you. Notice the filename in the AVG alert. This URL is different than the last time I tried, so there is some definite hijacking going on, and it looks like they are cycling the destination URLs." User also sent over a screenshot of a Fiddler dump. I've attached that as well.
Attached image Fiddler dump screenshot
Tomcat is looking into this I believe.
Is the file 4 MB by any chance? I think we wound up with a truncated copy being distributed somehow... the anti-virus mistakenly identifies it because half the file is missing.
md5sum of the truncated file that we know about: 863f2d76b34b6578e9a630e3a2ff89b9 Firefox Setup 3.5.3.exe md5sum of the real file: 1aec20f9d8e2fc11a93cd483b02b98bb Firefox Setup 3.5.3.exe
My suspicion of what happened is one of the rsync hubs had something go wrong that caused this file to get truncated, and because it was a hub, it propagated to several mirrors before it eventually re-synced the correct file from the source server. I just checked all of the rsync hubs, and they all *currently* have the correct file. This condition shouldn't have lasted more than an hour on one of the hubs, but some of the remote mirrors don't sync all that often.
its a confirmed false positive by AVG and they will update the signatures (see https://bugzilla.mozilla.org/show_bug.cgi?id=520895#c5) also its dupe :)
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: