Cisco's Ironport Web Security Appliance is blocking Firefox downloads

Status: RESOLVED FIXED
People

(Reporter: pauls, Assigned: jstevensen)


(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901

Steps to reproduce:

Our Ironport appliances are blocking downloads of Firefox with the following text being displayed.

This Page Cannot Be Displayed

Based on your corporate access policies, this web site ( http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the corporate network. This web site has been associated with malware/spyware.

Threat Type: othermalware Threat Reason: Domain reported and verified as serving malware.

If you have questions, please contact the UT Dallas Computer Help Desk at 972-883-2911 or ( assist@utdallas.edu ) and provide the codes shown below. If you believe this page has been misclassified, use the button below to report this misclassification. Notification codes: (1, MALWARE, othermalware, Domain reported and verified as serving malware., BLOCK-MALWARE, 0x029b41b8, 1342562888.252, AAAD6wAAAAAAAAAAGf8ACP8AAAD/AAAAAAAAAAAAAAE=, http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe) 


Actual results:

All downloads are blocked


Expected results:

Downloads should not be blocked.
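The block page quoted above carries a structured "Notification codes" tuple that is the useful part when triaging a reputation-filter hit, because it tells you whether the appliance condemned the file or the whole domain. The following parser is an added example written for this page; it is not code from the bug, from Cisco or from Mozilla. It uses the block text quoted in the report as its sample input. The field names assigned to the nine tuple positions are an assumption inferred from the visible values (Cisco does not document them on this page), and the "verdict scope" heuristic simply keys off the wording of the threat reason.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# Sample input: the block page text as quoted in the bug report.
BLOCK_PAGE = """This Page Cannot Be Displayed

Based on your corporate access policies, this web site ( http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the corporate network. This web site has been associated with malware/spyware.

Threat Type: othermalware Threat Reason: Domain reported and verified as serving malware.

If you believe this page has been misclassified, use the button below to report this misclassification. Notification codes: (1, MALWARE, othermalware, Domain reported and verified as serving malware., BLOCK-MALWARE, 0x029b41b8, 1342562888.252, AAAD6wAAAAAAAAAAGf8ACP8AAAD/AAAAAAAAAAAAAAE=, http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe)"""

# ASSUMPTION: names for the nine tuple positions, inferred from the visible
# values on the block page; the appliance does not label them.
CODE_FIELDS = ("count", "category", "threat_type", "threat_reason",
               "action", "hex_code", "timestamp", "opaque_token", "url")


def parse_notification_codes(text):
    """Return the parenthesised notification tuple as a list of strings."""
    m = re.search(r"Notification codes:\s*\((.*)\)", text, re.S)
    if not m:
        raise ValueError("no 'Notification codes' tuple found")
    # Split on at most 8 commas so a URL containing commas stays intact.
    parts = [p.strip() for p in m.group(1).split(",", len(CODE_FIELDS) - 1)]
    if len(parts) != len(CODE_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CODE_FIELDS), len(parts)))
    return parts


def parse_threat_line(text):
    """Return (threat_type, threat_reason) from the human-readable line."""
    m = re.search(r"Threat Type:\s*(\S+)\s+Threat Reason:\s*(.+)", text)
    if not m:
        raise ValueError("no 'Threat Type' line found")
    return m.group(1), m.group(2).strip()


def parse_block_page(text):
    """Parse a block page into a dict suitable for a triage ticket."""
    rec = dict(zip(CODE_FIELDS, parse_notification_codes(text)))

    # Cross-check the tuple against the human-readable line; a mismatch would
    # mean the page was tampered with or truncated in transit.
    ttype, treason = parse_threat_line(text)
    if (ttype, treason) != (rec["threat_type"], rec["threat_reason"]):
        raise ValueError("threat line and notification tuple disagree")

    # The timestamp field is a Unix epoch with milliseconds.
    rec["timestamp_utc"] = datetime.fromtimestamp(
        float(rec["timestamp"]), tz=timezone.utc).isoformat()

    # Break out the host and the (percent-decoded) file name for the ticket.
    u = urlparse(rec["url"])
    rec["host"] = u.hostname
    rec["filename"] = unquote(u.path.rsplit("/", 1)[-1])

    # ASSUMPTION: a reason that starts with "Domain" means the reputation
    # filter condemned the host, not this particular file. That distinction
    # decides whether scanning the file alone would settle the question.
    rec["verdict_scope"] = (
        "domain" if rec["threat_reason"].lower().startswith("domain") else "url")
    return rec


def triage_summary(rec):
    """One-line summary for a helpdesk or security ticket."""
    return ("%s %s on %s (%s verdict) for %s at %s" % (
        rec["action"], rec["category"], rec["host"], rec["verdict_scope"],
        rec["filename"], rec["timestamp_utc"]))


if __name__ == "__main__":
    record = parse_block_page(BLOCK_PAGE)
    for key in CODE_FIELDS + ("timestamp_utc", "host", "filename", "verdict_scope"):
        print("%-15s %s" % (key, record[key]))
    print(triage_summary(record))
```

Feeding the appliance's message through this before opening a vendor ticket gives you the host, the exact artefact, the UTC time of the block and, most importantly, the scope of the verdict; in this case the reason text says the domain was flagged, which is the point the reporter makes later in the thread.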

Comment 1

6 years ago
It looks like a false positive. Did you report the misclassification?

Updated

6 years ago
Assignee: nobody → server-ops
Component: Untriaged → Server Operations
Product: Firefox → mozilla.org
QA Contact: phong
Version: 13 Branch → other
As :Loic said, the quickest way to resolve issues like this is to follow their instruction and report the false positive URL (i.e. "If you believe this page has been misclassified, use the button below to report this misclassification").

If you have trouble submitting, we can try and find an alternate contact and report the misclassification.
(Reporter)

Comment 3

6 years ago
Sure, I know that.  But, since Cisco was reporting malware on your sites, we thought you should know about it.  I don't have a dog in this fight, but if you are serving up malware and don't know it, that would be bad, right?

If you can affirm that you've checked your servers and confirmed that they are not serving malware, then we will report a misclassification. But if you're just certain that they are and haven't actually verified that, we're not going to report it.

You should know Cisco has thousands of these appliances all over the world, so we're not the only network blocking Firefox downloads.  I would think this would be an issue you would want to positively resolve.

Comment 4

6 years ago
Do you really think Mozilla is distributing malware through its update servers?

It's clearly a false positive, see the analysis report on VirusTotal: 0/29
https://www.virustotal.com/url/09fd0f8b57cd0af24a216645e7093a77ce45c0b5219a05af4ad1d1e3b703f849/analysis/

Cisco should fix its heuristics/malware definitions on their side, that's all.

It's a frequent issue with vendors of security suites.
(Reporter)

Comment 5

6 years ago
You misunderstand.  They're not reporting that the executable is malicious.  They're reporting that the web site is serving malware.  Notice the message says "Domain reported and verified as serving malware."  Domain.  Not executable.

If you can affirm that you have done an analysis of your servers and verified that they are malware-free, then we will report this as a misclassification.  Otherwise we will not.

I'm not trying to be a jerk.  This is a serious issue.  If someone reported to us that a website was serving malware, we would do a forensic analysis of the site before we pronounced it clean.  That's all I'm asking you to do.  Verify that there is no malware on the site.  No infected JavaScript redirecting traffic, etc., etc.

If you can't do that (or won't) we won't report it as misclassified, because we have no way of knowing if it is.  Only you can verify that.
(Reporter)

Comment 6

6 years ago
I left one thing out.  Do I really think Mozilla is distributing malware?  I have no way of knowing.  That's why I rely on a third party vendor to block known, verified malicious traffic, and that's why I've asked you to verify it.

Now I have a question for you.  Do you really think Mozilla's servers could never be hacked?  And do you really think that if that happened you would know instantly?  Or is it just possible that the folks at Mozilla are just as human as the rest of us and could actually be hacked and not discover it right away?
(Assignee)

Comment 7

6 years ago
Paul, 

Thank you for reporting this to us. Mozilla's Operations Security takes reports like this seriously and will investigate, per standard procedure. 

--
Joe Stevensen
Operations Security Manager
(Reporter)

Comment 8

6 years ago
Thanks Joe.  I hope this turns out to be a false positive, and I will await the results of your investigation.  If it is a false positive, we will follow up with Cisco and whitelist the site until they resolve the issue.

Updated

6 years ago
Assignee: server-ops → nobody
Component: Server Operations → Security Assurance: Operations
QA Contact: phong
(Reporter)

Comment 9

6 years ago
The block has cleared in Ironport.  I assume this means that Cisco either contacted Mozilla and resolved the issue or enough people complained that they investigated and determined that it was a false positive.

You may want to continue your investigation to ensure that there is not a problem, but as far as I'm concerned, this bug may be closed.
Assignee: nobody → jstevensen
(Assignee)

Updated

6 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security