OpenMPT flagged as malware by Firefox 115.13.0esr

Started by Alice (Midori), July 21, 2024, 17:03:34


Alice (Midori)

As can be seen on the screenshot, for the first time ever Firefox has raised weird and unexpected suspicion about the latest OpenMPT (Win 7/8/8.1 AMD-64 version).

Is there any reason to believe it, or is it just a false positive?
Tracker and synth music enjoyer
An internet potato

Saga Musix

I have no idea what Firefox uses in the background to make this determination (the system's installed AV solution?), but it seems like only ClamAV detects something. I have submitted a false positive request to them. It seems to be offended only by the plugin bridge executables, which is strange because they haven't changed in a long while, so anyone can guess what has changed that they are suddenly considered malicious.
» No support, bug reports, feature requests via private messages - they will not be answered. Use the forums and the issue tracker so that everyone can benefit from your post.

manx

It looks like Firefox outright flags EVERY download from our server. Old OpenMPT versions are also affected, as are libopenmpt downloads.

Saga Musix

It could be that Google's "Safe Browsing" API is at play then. The web console claims that there are "malicious downloads" but it fails to provide any example URLs, which is of course very helpful in determining if there's any substance to their claims (which would be surprising). I tried clicking the "The problem has been resolved" button to see if they change the evaluation result, but I don't have a lot of hope, given that this is most likely an entirely automated process based on some heuristics and AV signatures.
» No support, bug reports, feature requests via private messages - they will not be answered. Use the forums and the issue tracker so that everyone can benefit from your post.

Alice (Midori)

Quote from: manx on July 21, 2024, 17:17:49
It looks like Firefox outright flags EVERY download from our server. Old OpenMPT versions are also affected, as are libopenmpt downloads.

Welp, that's unfortunate, must've happened overnight, since I don't recall it being a thing before.
It seems that this protection is based on a list of malicious website URLs, so for whatever reason openmpt.org must've been added to it.

An excerpt from Mozilla's website: https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work#w_malware

Quote
How does Phishing and Malware Protection work in Firefox?

Phishing and Malware Protection works by checking the sites that you visit against lists of reported phishing, unwanted software and malware sites. These lists are automatically downloaded and updated every 30 minutes or so when the Phishing and Malware Protection features are enabled.

When you download an application file, Firefox checks the site hosting it against a list of sites known to contain "malware". If the site is found on that list, Firefox blocks the file immediately, otherwise it asks Google's Safe Browsing service if the software is safe by sending it some of the download's metadata.*

I'd try contacting Mozilla, because this is just silly, not to say outright cringe.
Tracker and synth music enjoyer
An internet potato

Alice (Midori)

Although... This is strange - I just tried downloading the previous version and the latest one, and only the latest gets flagged, so it's not based on the site's domain name apparently.

Tracker and synth music enjoyer
An internet potato

Saga Musix

I'm not getting any blocked downloads in Firefox (though I might have disabled that feature), nor in a freshly-installed Chrome. It could be that they have a cache for URLs and thus not all downloads trigger the problem, even though the whole domain is flagged by Google Safe Browsing (so complaining at Mozilla is not going to help).
To be honest, I'd first wait for ClamAV to fix their detection of plugin bridge executables (which now also triggers when re-scanning old plugin bridge executables it considered to be fine before) before trying to fix this at any other place, because quite probably results of virus scanners are at least one metric that leads to this whole mess.
» No support, bug reports, feature requests via private messages - they will not be answered. Use the forums and the issue tracker so that everyone can benefit from your post.

Saga Musix

By now the ClamAV detections are gone, let's see if that helps with the Safe Browsing rating. I noticed that RETRO builds are currently still picked up with nonsensical heuristic threat detections by various AV engines, though, and this is not good. We might have to change the build process for those so that they can be code-signed, as that seems to avoid quite a few false positives. It's not quite clear yet how realistic this change would be for our build process.
In the meantime, if you would like to help contribute to getting us off those lists, you can pick some random files from https://download.openmpt.org/archive/openmpt/ and upload them to VirusTotal and check if they are picked up by any AV engines. If that is the case, submit a false positive to the AV vendor if possible (you can get contact details e.g. from this list). You can mention that the file is part of OpenMPT and link to the website. I submitted a few false positives already but it's just impossible for me to go after all of them (and I'm sure you would rather appreciate me spending my limited spare time on actually making OpenMPT better than running after shady AV companies).
» No support, bug reports, feature requests via private messages - they will not be answered. Use the forums and the issue tracker so that everyone can benefit from your post.
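The false-positive hunt described in the post above can be made less tedious with a small triage script. The following is an added example, not code from the OpenMPT project or from anyone in this thread: it hashes the release files in a directory, looks each SHA-256 up in VirusTotal's v3 file-report endpoint (a real API that needs an API key in the `x-apikey` header; looking up by hash avoids uploading the file, and an unseen hash comes back as HTTP 404), and reduces each report to the engines that returned a "malicious" or "suspicious" verdict, which is exactly the list of vendors to send false-positive submissions to. The fetcher is injectable so the triage logic runs offline against `SAMPLE_REPORT`, a constructed response in the shape of a VT v3 report; the engine names and verdict strings in it are placeholders, not real scan results.

```python
"""Triage VirusTotal file reports for a directory of release binaries (added example)."""
import hashlib
import json
import os
import sys
from pathlib import Path
from typing import Callable, Dict
from urllib.request import Request, urlopen

# VirusTotal v3 file-report endpoint: GET /api/v3/files/{sha256} with an x-apikey header.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_vt_report(sha256: str, api_key: str) -> dict:
    """Live lookup by hash. Raises urllib.error.HTTPError (404) if VT has never seen the file."""
    req = Request(VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(report: dict) -> dict:
    """Summarise one v3 file report: detection counts plus the engines that flagged it.

    Only 'malicious' and 'suspicious' verdicts are listed; 'undetected', 'harmless'
    and 'type-unsupported' are noise when the goal is false-positive submissions.
    """
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        (engine, r.get("result") or r["category"])  # fall back to the category when no signature name
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    return {
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "flagged_by": flagged,
        "needs_fp_submission": bool(flagged),
    }


def triage_directory(directory: Path, fetch: Callable[[str], dict]) -> Dict[str, dict]:
    """Hash every regular file under `directory` and triage its report via `fetch(sha256)`."""
    out: Dict[str, dict] = {}
    for p in sorted(directory.rglob("*")):
        if p.is_file():
            out[p.name] = triage(fetch(sha256_of(p)))
    return out


# Constructed sample in the shape of a VT v3 file report; vendor names and
# signature strings are placeholders, not real detections of any OpenMPT file.
SAMPLE_REPORT = {
    "data": {
        "id": "0" * 64,
        "type": "file",
        "attributes": {
            "last_analysis_stats": {"malicious": 1, "suspicious": 1, "undetected": 70, "harmless": 0},
            "last_analysis_results": {
                "ClamAV": {"category": "malicious", "result": "Heuristics.Placeholder"},
                "VendorB": {"category": "suspicious", "result": None},
                "VendorC": {"category": "undetected", "result": None},
            },
        },
    }
}


if __name__ == "__main__":
    # Offline demonstration on the constructed report.
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
    # Live run: VT_API_KEY=... python triage_vt.py /path/to/release/files
    api_key = os.environ.get("VT_API_KEY")
    if api_key and len(sys.argv) > 1:
        summary = triage_directory(Path(sys.argv[1]), lambda h: fetch_vt_report(h, api_key))
        for name, verdict in summary.items():
            if verdict["needs_fp_submission"]:
                print(f"{name}: flagged by {', '.join(e for e, _ in verdict['flagged_by'])}")
```

Because the lookup is by hash, the script only reports on files VirusTotal has already scanned; a file that has never been submitted has to be uploaded first (by hand, as the post suggests, or through the separate upload endpoint), after which the hash lookup works for everyone. The `flagged_by` list is the actionable output: each entry is one vendor whose false-positive form should receive the file, with a note that it belongs to OpenMPT and a link to the project site.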