Firefox throws the book at malware (too hard)

Mozilla’s Firefox browser fails to give the user one very important option when it flags suspect files—and this throws some shade on the browser’s identification of malicious downloads.

Surfing is just the start

As a browser, Firefox does more than let you surf the internet and download your heart’s desire. It also checks your downloads against a blacklist of malicious sites and then double-checks this with Google’s Safe Browsing option. This is not an add-on. It is part of Firefox’s default settings and stays on until you go into the settings and specifically turn it off.

Firefox works like indigestion and restaurant choice

The problem is that Firefox isn’t precisely scanning each and every file for malware. Instead, it is largely basing its calls on past experiences with the site. This is like avoiding a restaurant because you and a friend had bad cases of indigestion after eating there. There is no direct detection of salmonella in your meal; you just have an (often justified) idea that eating there comes with a significant statistical chance of an unpleasant result.

Malware detection should be more than a binary decision

When Firefox identifies a download as something malicious, it opens a pop-up that gives an absolute statement—“This file contains a virus or malware”—and gives you a binary choice: delete or open the file. In fact, there is no option to save the file. This tactic is great when it works, but what about a false positive or a misidentified malware distribution site? After all, this is primarily a reputation-based call—something bad has come from this site before.

A true case of a false positive?

On the user side, this is a current issue for visitors of Genesis Library and multiple mirror sites. This site lists over 2 million documents and books for people to download for free. While some of these files are likely copyright-protected materials, a lot of them seem to be professional papers, and—as frequently happens at P2P download sites—some of these files likely contain malware.

But not all of them do. Users of this service have recently been reporting that Firefox is sometimes—and inconsistently—stopping them from downloading the desired texts. They also find the pop-up’s binary option of delete or open confusing—especially considering that Firefox hasn’t really looked deep into the individual downloaded file.

“So, instead of giving the user the option to save the file and scan it with their own virus software, Firefox says you either have to delete it or execute it immediately. That’s probably not a very good idea for files suspected of containing malware,” reported a user on the Indy blog.

When in doubt, scan

“Totally agree with this point,” points out Alexander Vukcevic, head of the Avira Virus Lab. “The warning should be changed the other way around so a person can save only, without direct execution. This change would enable them to scan the file with their antivirus—without having to open or execute the file.”

The general security rule is to scan ANY suspect file before opening it. This gives the antivirus a clearer shot at stopping malware in its inactivated state, before an executed file can wreak havoc on a computer.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.