Closed Bug 576461 Opened 14 years ago Closed 8 years ago

zonealarm triggers confusing network access prompt for plugin-container.exe resulting in user breaking oopp for firefox

Categories

(Plugins Graveyard :: Checkpoint Zonealarm, defect)

Product:
Plugins Graveyard
Component:
Checkpoint Zonealarm
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
trivial

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: timothyklaver, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

With Firefox 3.6.4 and 3.6.6, there is a new feature added that either needs to be removed or else repaired so that safety is regained and it continues to work as effortlessly as previous versions. When I access most pages with either of these two versions, the Plugin Container wants to access something-or-other (notified by ZoneAlarm), and Avira Antivir sends me a message "PLUGIN-CONTAINER.EXE contains malicious code and was prevented from running." Once it does this, Firefox stalls and will not do anything else. You have to terminate it and restart it, in which you go through the same process over again.

3.6, 3.6.2, and 3.6.3 do not have this Plugin Container. I have wiped Firefox and installed each of these versions in turn, isolating this problem to the latest two versions. The three former versions do not include this file in the Firefox directory as the latter two do. Hopefully this issue is resolved with 3.6.7.

Reproducible: Always

Steps to Reproduce:
1. Install Firefox 3.6.4 or 3.6.6.
2. Have a decent firewall and virus program installed and running.
3. Try accessing most pages (i.e. YouTube).
4. Firewall asks for permission. Given or denied...
5. Anti-virus informs of malicious code and Firefox stalls, not letting you do anything. Only response is to terminate it and restart, in which you just repeat what you already went through.
Actual Results:  
"PLUGIN-CONTAINER.EXE contains malicious code and was prevented from running."

Firefox stalls (gives the Not Working message at top) and will not allow you to do anything else with it. All pages opened take on this state.
It seems this is a case of false positive detection by your antivirus and firewall. Plugin-container.exe is part of the new Firefox. It's essential for running Out Of Process Plugins (OOPP) starting with Fx 3.6.4. You can try: a) On Firefox 3.6.4+, disable OOPP as explained here https://support.mozilla.com/en-US/forum/1/703573?&comments_offset=20#threadId708295 or here http://forums.mozillazine.org/viewtopic.php?p=9530495#p9530495

b) In your firewall, give permission to plugin-container.exe to access the net; check "remember this decision"; In your anti-virus, make sure you have the latest virus definitions; if it still detects plugin-container.exe as a threat, add a permanent exception to it.

I'm using Avira Antivir and never had any problem with it detecting plugin-container.exe as a threat. O_o
As carlos already wrote, PLUGIN-CONTAINER.EXE is a new feature and it's normal that it wants to access the net if a plugin like flash wants to access the net.

Please report your issue to your AV vendor and let them check the file.
Something else must have modified the file if it really contains Malicious Code but I suspect that this is a false positive (as usual).

marking invalid
Severity: critical → normal
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Got to read the release notes for Firefox 3.6.4 and 3.6.6 and read this:
https://support.mozilla.com/en-US/kb/What%20is%20plugin-container

In addition to invalid, maybe AV programs are causing a hang that maybe SUMO needs an article update for plugin container.
Correction on the notification: It is ZoneAlarm that notifies me of the malicious code and it denies it automatically, which freezes Firefox.

Also, my downloads came directly from the Firefox website, and my Firefox upgrades directly from the Firefox site. The code is as was delivered. I just provide the results I'm receiving, which I have never received in the past. And since my ZoneAlarm doesn't have built in anti-virus or spyware, if it's detecting something, it's obviously very serious. Even if the code is badly written that it resembles something malicious while perhaps not being intended as such.

But features such as that should have an option in the Tools to be shut off completely, rather than having to go through coding. If your grandmother was having this issue, do you think she'd want to screw around with trying to find that line and change it to "false"? I don't think so. When it asks ZoneAlarm for permission and I deny it, it shouldn't disable Firefox from running, which is also what it does. Seems rather counter-productive. I don't let anything on my system update automatically except Firefox, Thunderbird, and my Anti-virus definitions. There is no need for it. If I think an update is worthwhile, I'LL update it myself -- manually.

It irks me to no end the companies who THINK they know what people need or want, and they just hand out trash to the end user. When you buy a computer, the idiot building it has the same concept in his tiny little head. I've started telling them to leave it naked, I'll install what I want because they just install useless **** that nobody needs. That's my slightly off topic rant for the day. :oP
Please report to Zonealarm then, there is nothing much we can do if they are giving a false positive. What it probably is is that zonealarm is simply blocking the process from accessing the internet, you need to allow it.
Why would I need or want to allow it access to the Internet? None of my plug-ins are allowed to access the Net (then again, they also don't ask because they have no need to access it). The only time they get updated is if I update them. I don't allow them to do it themselves. So it is illogical and unintelligent for Firefox to quit working and not be allowed to work simply because Plugin-Container was denied access. That's just stupid programming there.
Actually, every single one of your plugins accesses the internet. It is illogical to think that you can go to youtube and watch a flash video without letting flash access the internet. It has to in order to work. Not auto updating is simply opening yourself up to untold security holes, but that's off-topic. Now, if firefox is hanging with ZA blocking the process, then maybe we have a bug, but I'm more thinking that it is something that ZA is doing, not FF.
I don't think this has anything to do with accessing the internet: if it did, Firefox wouldn't be blocked. This has something to do with allowing the process to launch at all. And you definitely need to allow that, since it's part of Firefox.

We have a fix in the works so that Firefox can see if the launch failed and respond appropriately, but it's not ready yet (bug 535077).
Tyler, you are actually very wrong about internet access: most plugins don't access the internet directly, they use the NPAPI and ask the browser to retrieve data for them. I think Flash might try direct access for special kinds of streaming data, and Java uses their own stack, but in general plugins don't talk directly to the internet.
Won't the plugin-container be accessing the internet, hence triggering a ZA internet access warning?
Why would I need or want to allow it access to the Internet? None of my plug-ins are allowed to access the Net (then again, they also don't ask because they have no need to access it). The only time they get updated is if I update them. I don't allow them to do it themselves. So it is illogical and unintelligent for Firefox to quit working and not be allowed to work simply because Plugin-Container was denied access. That's just stupid programming there.
Very wrong indeed. If they accessed the Internet in the manner you are prescribing, then every single one of them would be triggering ZoneAlarm for me to respond whether I want them to access it or not. That is the entire point of a decent firewall. To prevent programs that should not have access to the Internet from ever accessing the Internet. I mean, what the hell does Notepad need to access the Internet for??? Really.

And, actually, allowing auto-update is what opens you up for security vulnerabilities. I allowed the Windows Update once years ago and their updates just screwed the hell out of my computer. After a re-install, I have never touched one of their updates and my system has NEVER had an issue. Most programs you allow to auto-update, they have made some useless change or tweak that was unnecessary and you become stuck with the stupid thing. I'll pick and choose what I update and leave the rest of the trash where it belongs. I've been working with computers for a LOOOOONG time. Computer can't make logical and critical decisions about things, whereas I can. My computer has had FAR less issues than the majority of people I know who foolishly let everything auto-update for them. As the proverbial saying goes, "The proof is in the pudding."
Anyway, you can set this thread to Resolved/Closed as I have used the about:config concept and changed it to "false." Best solution to resolve the issue, although it is a pain in the butt to go through. Hence the grandmother reference.

Thanks for the aid.
>If they accessed the Internet in the manner you are
>prescribing, then every single one of them would be triggering ZoneAlarm for me
>to respond whether I want them to access it or not

No, ZA doesn't warn you because plugins are running inside the Firefox process.
Plugins can make a direct connection or through NPAPI over Firefox.exe
(and now it's plugin-container.exe instead of FF)
And did ZA ask you for allowing npswf32.dll (that is flash) or plugin-container.exe ?

>I have used the about:config concept and changed it to "false." Best solution 
>to resolve the issue, although it is a pain in the butt to go through.

That is not the best solution. The best solution would be to get your Av software fixed and allowing access to the internet for plugin-container.exe.
Uninstall the plugins like flash if you don't like that they access the net.

BTW: I marked it invalid because of "PLUGIN-CONTAINER.EXE Contains Malicious Code" not because it froze FF. The freezing is an edge case and handled in a different bug.
>No, ZA doesn't warn you because plugins are running inside the Firefox process.
>Plugins can make a direct connection or through NPAPI over Firefox.exe
>(and now it's plugin-container.exe instead of FF)
>And did ZA ask you for allowing npswf32.dll (that is flash) or
>plugin-container.exe ?
That is what I meant, the plugins are going through firefox, and not plugin-container, which should generate a warning through ZA that plugin-container is trying to access the internet, correct?
ZA asks if I want to allow Plugin-Container.exe to access the Internet. Plugin-Container.exe is a program/application. Hence, ZA prevents or allows programs/applications from accessing the Net. A DLL is not an EXE. If the DLL ran as an app, then ZA would ask to prevent/allow it.  But since this is never the case...

When you deny Plugin-Container.exe from accessing the Net, Firefox displays "Not Responding" at the top of the page and all the pages go white and it will not allow you to do anything but terminate the program in its entirety. Every window you have opened in Firefox quits working.

The best solution is not to allow it access to the Internet, because I don't know it's purpose or function and what exactly it is doing. I don't allow programs access that I don't know precisely what they are doing and why they are doing it. As I said before, companies like to do a lot of weird **** that is untrustworthy and I'm not letting them control MY system and what happens with it. I've seen too many "updates" render someone's system "obsolete" and forced them to go out and spend more money on a hardware upgrade that was NOT necessary, yet the "upgrade" would not allow the program to work until they did so. I don't buy that **** and I have no respect for persons who do this. I also have no respect for those pathetic companies who force the user to have to install via the Internet rather than from their own system. they give you a bogus EXE that reaches across the Internet to install rather than from your own harddrive, and I will not use their products. Give me the entire damn file when I download it, of lose a potential customer. It's that simple. They're attempting to gain control over your system with this ****, figuring they know what's best for you. Sorry, but I disagree with their philosophy. I know what's best for me and I'll look out for my interests.
That makes a lot more sense. Thanks for sharing!

Hmm... Never realized Firefox crashed while watching videos. Never been an issue with me. In fact, I've never had an issue with Firefox at all until most recently. It's been a VERY enjoyable browser and I recommend it to everyone I know. Especially those who want to filter out all the immoral trash that gets flashed before your eyes. Ad Block Plus is an amazing add-on! :oD Don't know where I'd be without Firefox and Ad Block Plus.

Thanks again!
>A DLL is not an EXE. If the DLL
Both is binary code that accesses the internet.
What is the difference for the security ?
Right, there is no difference and it doesn't matter if it's an .exe or .dll

>When you deny Plugin-Container.exe from accessing the Net, Firefox displays
>"Not Responding" at the top of the page and all the pages go white and it will
>not allow you to do anything but terminate the program in its entirety.

I don't think that is true.
>"PLUGIN-CONTAINER.EXE contains malicious code and was prevented from running."
That does it (your broken AV software). I hope you complain at your av vendor.

>The best solution is not to allow it access to the Internet, because I don't
>know it's purpose or function and what exactly it is doing.

Google for it ?

The other things about companys and all the other stuff doesn't matter here.This is a bug database and not a discussion forum.
>>When you deny Plugin-Container.exe from accessing the Net, Firefox displays
>>"Not Responding" at the top of the page and all the pages go white and it will
>>not allow you to do anything but terminate the program in its entirety.

>I don't think that is true.

Doesn't matter what you think, it is true nonetheless. It's happened to me repeatedly.

>>"PLUGIN-CONTAINER.EXE contains malicious code and was prevented from running."
>That does it (your broken AV software). I hope you complain at your av vendor.

No, that isn't what does it and my AV software isn't broken. As I said above, in case you missed it, my AV isn't giving the warning. ZoneAlarm is, which doesn't have AV included. The first time you deny the plugin from accessing the Internet, it does precisely what is mentioned at the top. Every consecutive time you try to use Firefox AFTER it has already been denied, ZoneAlarm gives that warning about malicious code and then, guess what, executes EXACTLY as described above.
This bug thread can be closed. I have my resolution for the issue.
Severity: normal → trivial
Component: Security → General
Summary: PLUGIN-CONTAINER.EXE Contains Malicious Code → PLUGIN-CONTAINER.EXE Issues
Component: General → Flash (Adobe)
Product: Firefox → Plugins
QA Contact: firefox → adobe-flash
Summary: PLUGIN-CONTAINER.EXE Issues → zonealarm triggers confusing network access prompt for plugin-container.exe with flash resulting in user breaking oopp for firefox
Version: unspecified → 11.x
Cheng: is this worth a SUMO article? Or maybe it's already covered in the general OOPP stuff.

This isn't a flash problem so the bug is now in the wrong Product/Component, but I guess it's not worth fixing unless we want to reopen it as an outreach (to ZA) bug.
Summary: zonealarm triggers confusing network access prompt for plugin-container.exe with flash resulting in user breaking oopp for firefox → zonealarm triggers confusing network access prompt for plugin-container.exe resulting in user breaking oopp for firefox
We're now tracking such bugs. This doesn't mean it's something we can fix, merely something we hope to be able to point vendors to so they can investigate. This is an automated message.
Status: RESOLVED → UNCONFIRMED
Component: Flash (Adobe) → Checkpoint Zonealarm
QA Contact: adobe-flash → checkpoint-zonealarm
Resolution: INVALID → ---
Version: 11.x → unspecified
Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago8 years ago
Resolution: --- → INCOMPLETE
Product: Plugins → Plugins Graveyard
You need to log in before you can comment on or make changes to this bug.