
Is Firefox lying to users about viruses in downloads? - newman8r
https://www.theindy.us/is-firefox-lying-to-users-about-viruses-in-downloads/
======
yodon
If only the voting public understood about statistics, false positives, and
false negatives.

Even if Firefox did a full virus scan, there would still be false positives
and false negatives in the results.

The system designer always has to put their reporting threshold somewhere, and
that always means making a decision to bias towards false positives or false
negatives. Eliminating false positives means exploding the number of false
negatives.

Unfortunately, people like the OP don’t understand this, and yell angry things
like “Firefox is lying to me!” Others here suggest FF should inject a bunch of
weasel words like maybe and could and might. That’s a seemingly rational thing
to do if you believe you’re informing a customer population that understands
things like false positives and false negatives, but we have pretty clear
evidence that they don’t. So FF makes a conscious informed decision to prefer
reporting false positives over false negatives and then allows the user to
override if they believe they know enough to do so. Sure, there are some costs
to false positives, but they are dwarfed by the cost of false negatives.

~~~
sandov
And why the hell should the browser act as an antivirus? It's a browser, not
an antivirus, it should assume the user knows what he's doing, not treat him
like a toddler.

It's just a huge annoyance with no considerable benefit.

~~~
konceptz
In the web security space it's typically called the browser security model and
there are differences between browsers. The browser is not just a portal
forwarding/displaying the intentions of the developers. If you want to see one
of the more obvious examples look at the same origin policy and how it’s
implemented across browsers.

Having said that, I do agree that browsers shouldn’t implement lots of crazy
features but I personally don’t mind if they have some kind of malicious file
scanning feature.

------
sus_007
_Firefox isn’t necessarily scanning the files for viruses, they’re often just
using databases that list domains suspected of hosting malware._

IIRC, Chrome does the same thing too. I think it's not much of an issue for
Firefox to flag stuff downloaded from suspected URLs as malware since it's
not uncommon to have one's system infected from those sites' content. Firefox
is just trying its best to prohibit any sort of system infection through
itself.

~~~
mc32
I wonder why they can’t integrate some service like VirusTotal into their
downloader. Sure, for heretofore new objects it’ll take longer, but they have
a long list of many many file hashes and their reputation DB.

~~~
chmod775
Because I don't want Firefox to send what I download to some (third party)
company. Or anywhere for that matter.

Their (and chrome's) current solution to block malware domains uses a
client-side bloom filter afaik.

If you'd try to build the same client-side into firefox, you'd have just built
another (bad) antivirus software.

Might as well integrate clamav into firefox then.
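
An added illustration of the client-side Bloom filter lookup mentioned in the comment above (not part of the thread, and not Firefox's or Chrome's code): the membership test runs locally, never misses a listed domain, and occasionally flags an unlisted one. The class, the sizing parameters and the `.example` domains are constructed for this sketch.

```python
import hashlib
import math


class BloomFilter:
    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hash functions
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing: derive k bit positions from one SHA-256 digest
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def build_blocklist(domains, fp_rate=0.01):
    """Build the filter a client would ship with; nothing is sent anywhere."""
    bf = BloomFilter(len(domains), fp_rate)
    for d in domains:
        bf.add(d.lower())
    return bf


def false_positive_rate(bf, unlisted_domains) -> float:
    """Fraction of domains that were never added but still test as present."""
    return sum(d in bf for d in unlisted_domains) / len(unlisted_domains)


# Constructed sample data: 1000 listed domains, 5000 unlisted probes.
LISTED = [f"bad-{i}.example" for i in range(1000)]
UNLISTED = [f"clean-{i}.example" for i in range(5000)]

if __name__ == "__main__":
    bf = build_blocklist(LISTED)
    print("bits:", bf.m, "hashes:", bf.k)
    print("missed listed domains:", sum(d not in bf for d in LISTED))
    print("false positive rate:", false_positive_rate(bf, UNLISTED))
```
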

~~~
mc32
Can’t they just compare hashes and for those where they have to do a scan,
serve as an anonymous intermediary/proxy?

~~~
GlitchMr
Perhaps similarly to Pwned Passwords API, except for files:
[https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/)
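
An added sketch of the idea in the comment above, a Pwned Passwords-style range query applied to file hashes (not part of the thread and not any browser's or service's real API): the client reveals only a 5-hex-digit prefix and compares the returned suffixes locally. `ReputationService`, the use of SHA-256 and the sample file contents are assumptions made for this example.

```python
import hashlib

PREFIX_LEN = 5  # hex digits revealed to the service, as in the Pwned Passwords range API

# Constructed sample data standing in for the service's known-bad files.
KNOWN_BAD_FILES = [b"constructed-bad-sample-1", b"constructed-bad-sample-2"]


def file_hash(data: bytes) -> str:
    # SHA-256 is an assumption here; Pwned Passwords itself hashes passwords with SHA-1.
    return hashlib.sha256(data).hexdigest().upper()


class ReputationService:
    """Hypothetical server side: answers range queries and logs what it learns."""

    def __init__(self, bad_files):
        self.suffixes_by_prefix = {}
        self.query_log = []  # everything the service ever sees from clients
        for blob in bad_files:
            h = file_hash(blob)
            self.suffixes_by_prefix.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])

    def range_query(self, prefix: str):
        if len(prefix) != PREFIX_LEN or not set(prefix) <= set("0123456789ABCDEF"):
            raise ValueError("prefix must be exactly %d hex digits" % PREFIX_LEN)
        self.query_log.append(prefix)
        return sorted(self.suffixes_by_prefix.get(prefix, ()))


def is_known_bad(data: bytes, service: ReputationService) -> bool:
    """Client side: send only the prefix, compare the suffix locally."""
    h = file_hash(data)
    return h[PREFIX_LEN:] in service.range_query(h[:PREFIX_LEN])


if __name__ == "__main__":
    svc = ReputationService(KNOWN_BAD_FILES)
    for name, blob in [("bad", KNOWN_BAD_FILES[0]), ("clean", b"constructed-clean-file")]:
        print(name, is_known_bad(blob, svc))
    print("service saw:", svc.query_log)
```

The service still learns a 20-bit hash prefix and the client's network address, so this narrows what is disclosed rather than eliminating it.
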

------
davidsong
There are several ebooks that have been uploaded to libgen that contain PDF
exploits, and from what I understand there's no way to remove them.

The way that their library database works is by linking a book number to a
file's md5 sum. On the filesystem they are stored something like
`$drive:\$batch\$sum` where `$drive` is a Windows drive letter, `$batch` is
the primary key of the document rounded to the nearest 1k, 10k or 100k
depending on collection and `$sum` is the `md5sum` of the file data. The
archive's file data is shared via torrents, usenet and other means in those
batches, and to keep that in sync they have a policy of the primary key and
sum of each file being immutable.

So if you do happen to download the literary works of mankind via their
torrents, you have to do so with your antivirus turned off and hope nobody has
uploaded anything too illegal over the last decade.

~~~
mediocrejoker
I could be wrong but I think technically a PDF exploit only affects a single
viewer program, like Acrobat on windows, right?

~~~
heathl
It would depend on the exploit. For a simple example, an exploit that was a
result of a flaw in the file specification could result in it being cross
platform.

It's going to be rarer to find something of that scope, maybe even to the
point of you being effectively right.

~~~
davidsong
Also dodgy files can contain multiple exploits, potentially for different
platforms. Problem here from the malicious actor's point of view is that each
vector for attack is also a vector for detection, so rather than a cesspool of
exploits it makes more sense to use a single new and mostly unknown exploit that
targets software used by the greatest number of victims.

------
beezischillin
I'm not as bothered by the main point of the article, but it does raise an
interesting point near the end that was missed by the comments so far: If
you're flagging files as potentially harmful, giving a user a choice to either
execute it or delete it is kind of bad design!

~~~
huhtenberg
No, it's not "bad design".

If there's an uncertainty in detection, there are false positives and letting
the user decide is the only correct option.

Edit: Never mind. Re-reading the article - they should indeed allow saving the
file in addition to deleting or opening it.

~~~
jkirsteins
The implied better alternative is to allow saving, instead of opening, so
users can scan the files themselves.

------
shittyadmin
If anyone else doesn't like this behavior of sending hashes for everything you
download to Google, set:

browser.safebrowsing.malware.enabled=false

And if you don't want phishing warnings either:

browser.safebrowsing.phishing.enabled=false

------
MaxBarraclough
I recently stumbled across just such a false positive, in the NextCloud
showcase, no less. Not much they can do about it, as far as anyone can tell.

[https://github.com/nextcloud/server/issues/9916](https://github.com/nextcloud/server/issues/9916)

------
Piskvorrr
Spoiler: no, sometimes flags safe content from shady sources.

~~~
yjftsjthsd-h
... so, materially yes? As a user, I don't care that they have an excuse, I
care that they said "this file is a virus" when the file was not a virus.

~~~
Piskvorrr
Not really. "Lying" includes an intent to deceive. I would have been okay with
"raises false alarms", "generates false positive" or even "confuses and/or
misleads users".

As a user, I want to be better safe than sorry - but would perhaps be happier
with a finer classification than "no problem/OMG VIRUS!"

~~~
xg15
Until the moment where you really need that file.

~~~
howard941
This. Firefox has become far more aggressive in policing use. For ex., if
HTTPS is misconfigured 60.0.2 no longer offers an option for one time
exceptions, now there's only 'get me out of here' and 'report to mozilla'
buttons. Perhaps someone more familiar with ff's config knobs will post the
knob name.

~~~
Liquid_Fire
I'm running 60.0.2 and I still have the option to add an exception, under
"Advanced". What you describe only happens when the site is so badly
misconfigured that no connection is possible (e.g. protocol errors).

------
pjc50
I'm now wondering what happens if I start posting the string
"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" to
various places. Would it result in the site getting flagged?

------
hashhar
This is how every other browser does it too. I'd be more alarmed if my browser
had an inbuilt antivirus.

~~~
Trellmor
Like Chrome?

[https://motherboard.vice.com/en_us/article/wj7x9w/google-chr...](https://motherboard.vice.com/en_us/article/wj7x9w/google-chrome-scans-files-on-your-windows-computer-chrome-cleanup-tool)

------
franga2000
I agree that straight up calling it a virus is wrong. "This file comes from a
suspicious source and might be dangerous" would be much better wording. Enough
to make the user cautious, but not scare the shit out of them (yes, I've
literally seen people jump out of their seats and scream when they saw a virus
warning).

------
owly
Who cares? Flagging sites probably provides an overall benefit for people to
be careful on sites where viruses have been detected. People pirating books
will still download them ‘cause if they are on a known pirate books site
they’ve already accepted some risk. People who don’t know what they're doing
will still get infected.

~~~
klez
In part I agree, but then again, it can become a problem à-la windows security
prompt, where people have learned to basically ignore it and give permission
to mostly anything.

In other words, in my opinion, don't cry wolf unless there's an actual wolf,
or at least something that could reasonably look like one.

------
morganvachon
Site is down, archive.org cache here:

[https://web.archive.org/web/20180704124718/https://www.thein...](https://web.archive.org/web/20180704124718/https://www.theindy.us/is-firefox-lying-to-users-about-viruses-in-downloads/)

------
woofcat
It's dead Jim...

[https://webcache.googleusercontent.com/search?q=cache:https:...](https://webcache.googleusercontent.com/search?q=cache:https://www.theindy.us/is-firefox-lying-to-users-about-viruses-in-downloads/)

------
lucb1e
So it's whatever list they use of malware hashes that's the issue, not
Firefox, right? It's probably publishers that are adding their pirated works
to it, not Mozilla. Or does Mozilla maintain it themselves for Firefox in
particular?

------
daviddahl
The history of Google's "SafeBrowsing" with respect to Firefox is a real mixed
bag. The privacy protections Mozilla asked for from Google were begrudgingly
implemented. As a Linux user, I used to just turn it off.

------
rileymat2
It would be an interesting experiment to see if being direct and clear but at
times inaccurate protects more novice users than being a little more wishy
washy but accurate.

