OpenMPT flagged as malware by Firefox 115.13.0esr

Alice (Midori) · July 21, 2024, 17:03:34

As can be seen on the screenshot, for the first time ever Firefox has raised weird and unexpected suspicion about the latest OpenMPT (Win 7/8/8.1 AMD-64 version).

Is there any reason to believe it, or is it just a false positive?

Saga Musix · July 21, 2024, 17:16:08

I have no idea what Firefox uses in the background to make this determination (the system's installed AV solution?), but it seems like only ClamAV detects something. I have submitted a false positive request to them. It seems to be offended only by the plugin bridge executables, which is strange because they haven't changed in a long while, so anyone can guess what has changed that they are suddenly considered malicious.

manx · July 21, 2024, 17:17:49

It looks like Firefox outright flags EVERY download from our server. Old OpenMPT versions are also affected, as are libopenmpt downloads.

Saga Musix · July 21, 2024, 17:34:39

It could be that Google's "Safe Browsing" API is at play then. The web console claims that there are "malicious downloads" but it fails to provide any example URLs, which is of course very helpful in determining if there's any substance to their claims (which would be surprising). I tried clicking the "The problem has been resolved" button to see if they change the evaluation result, but I don't have a lot of hope, given that this is most likely an entirely automated process based on some heuristics and AV signatures.

Alice (Midori) · July 22, 2024, 19:57:54

Quote from: manx on July 21, 2024, 17:17:49It looks like Firefox outright flags EVERY download from our server. Old OpenMPT versions are also affected, as are libopenmpt downloads.

Welp, that's unfortunate, must've happened overnight, since i don't recall it being a thing before.
It seems that this protection is based on a list of malicious website URLs, so for whatever reason openmpt.org must've been added to it.

An excerpt from Mozilla's website: https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work#w_malware

QuoteHow does Phishing and Malware Protection work in Firefox?

Phishing and Malware Protection works by checking the sites that you visit against lists of reported phishing, unwanted software and malware sites. These lists are automatically downloaded and updated every 30 minutes or so when the Phishing and Malware Protection features are enabled.

When you download an application file, Firefox checks the site hosting it against a list of sites known to contain "malware". If the site is found on that list, Firefox blocks the file immediately, otherwise it asks Google's Safe Browsing service if the software is safe by sending it some of the download's metadata.*

I'd try contacting Mozilla, because this is just silly, not to say outright cringe.

Alice (Midori) · July 22, 2024, 20:14:42

Although... This is strange - i just tried downloading the previous version and the latest one, and only the latest gets flagged, so it's not based on the site's domain name apparently.

Saga Musix · July 22, 2024, 20:24:04

I'm not getting any blocked downloads in Firefox (though I might have disabled that feature), nor in a freshly-installed Chrome. It could be that they have a cache for URLs and thus not all downloads trigger the problem, even though the whole domain is flagged by Google Safe Browsing (so complaining at Mozilla is not going to help).
To be honest, I'd first wait for ClamAV fixing their detection of plugin bridge executables (which now also triggers when re-scanning old plugin bridge executables it considered to be fine before) before trying to fix this at any other place, because quite probably results of virus scanners are at least one metric that leads to this whole mess.