We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was closed and archived. Please ask a new question if you need help.

How to make Firefox Quantum compatible to low integrity level? [very effectice way to prevent malware]

more options

Hi,

in pre Quantum versions, you could make your Firefox safe against malware with a simple trick. It was little known but very effective because it uses Windows tools to limit Firefox abilities to write or modify files. We use the Windows program icacls to limit write access to a selected set of subfolders. Here is how it worked:

icacls "C:\Program Files\Mozilla Firefox\firefox.exe" /setintegritylevel low
icacls "C:\Program Files\Mozilla Firefox" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Local\Temp" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Local\Mozilla\updates" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Roaming\Mozilla\Firefox" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Local\Mozilla\Firefox" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\LocalLow\Mozilla" /setintegritylevel (oi)(ci)low
icacls "[...]\Downloads" /setintegritylevel (oi)(ci)low
icacls "[...]\Firefox Profile" /setintegritylevel (oi)(ci)low

Then I updated to Quantum and now this seems to not work anymore. After I secured Firefox in this way and started Firefox, Firefox then doesn't show any websites (just grey area), no popups etc. The whole Firefox UI seems to be broken.

Does anyone know how to fix this? For example, are there additional folders I need to give access to? Or is this not possible in post Quantum Firefox because of this new process architecture etc.?

Hi, in pre Quantum versions, you could make your Firefox safe against malware with a simple trick. It was little known but very effective because it uses Windows tools to limit Firefox abilities to write or modify files. We use the Windows program icacls to limit write access to a selected set of subfolders. Here is how it worked: icacls "C:\Program Files\Mozilla Firefox\firefox.exe" /setintegritylevel low <br/> icacls "C:\Program Files\Mozilla Firefox" /setintegritylevel (oi)(ci)low <br/> icacls "C:\Users\[...]\AppData\Local\Temp" /setintegritylevel (oi)(ci)low <br/> icacls "C:\Users\[...]\AppData\Local\Mozilla\updates" /setintegritylevel (oi)(ci)low <br/> icacls "C:\Users\[...]\AppData\Roaming\Mozilla\Firefox" /setintegritylevel (oi)(ci)low <br/> icacls "C:\Users\[...]\AppData\Local\Mozilla\Firefox" /setintegritylevel (oi)(ci)low <br/> icacls "C:\Users\[...]\AppData\LocalLow\Mozilla" /setintegritylevel (oi)(ci)low <br/> icacls "[...]\Downloads" /setintegritylevel (oi)(ci)low <br/> icacls "[...]\Firefox Profile" /setintegritylevel (oi)(ci)low <br/> Then I updated to Quantum and now this seems to not work anymore. After I secured Firefox in this way and started Firefox, Firefox then doesn't show any websites (just grey area), no popups etc. The whole Firefox UI seems to be broken. Does anyone know how to fix this? For example, are there additional folders I need to give access to? Or is this not possible in post Quantum Firefox because of this new process architecture etc.?

Modified by mario67

Chosen solution

I found this here: https://bugzilla.mozilla.org/show_bug.cgi?id=1433065 which is highly related.

So there are indeed some architectural changes that prevent low integtrity level mode from working properly. I think this is too technical now for this forum. Here seems to be the place for people who don't know the basics and ask questions like "How do I download a file" or similar. But for real technical discussions I have to go somewhere else it seems. I will mark this as closed / solved and move the discussion to bugzilla.

@FredMcD: I think people can google that themselve.

Read this answer in context 👍 0

All Replies (7)

more options

https://www.computerhope.com/icacls.htm Windows command line icacls command help

more options

FredMcD said

https://www.computerhope.com/icacls.htm Windows command line icacls command help

So this is how you became a "top 10 contributor"? You just google some random keywords from the question and then post a random link you found. I didn't ask how to use icacls, if you really understood my question you would realize that I aready know how to use this, I even successfully applied it to a previous version of Firefox. But newer versions of Firefox seem to not be compatible to this low integrity level, or at least in the way I use it.

more options

@mario67, and your first line of reply is why you won't get any help. If your getting malware then you should stop going to black sites that are malware infected and not using proper A/V is another reason why you get malware. Also downloading malware infected software is another way to get malware. So malware only gets on the computer because you the user choose to go to those sites and got infected the Browser itself doesn't do the infections.

more options

WestEnd said

@mario67, and your first line of reply is why you won't get any help. If your getting malware then you should stop going to black sites that are malware infected and not using proper A/V is another reason why you get malware. Also downloading malware infected software is another way to get malware. So malware only gets on the computer because you the user choose to go to those sites and got infected the Browser itself doesn't do the infections.

This is not about how I got malware, but about how I never got any malware because I knew how to prevent that. And now I am asking a simple technical question about Firefox Quantum and Windows low integrity level. Can you answer that question? If yes, you are welcome. Otherwise, please shut up and stop spreading bad words and false informations. Your post is so wrong. Ever heard of drive-by-infection? Security holes? And AV-Software is typically too slow to react to new threads.

Modified by mario67

more options

mario67 said

So this is how you became a "top 10 contributor"? You just google some random keywords from the question and then post a random link you found

No. I got that by helping users find solutions. Since most don't know about the icacls command, I posted a link so they can learn about it.

I also call the Big Guys (those with more solutions then I).

more options

Chosen Solution

I found this here: https://bugzilla.mozilla.org/show_bug.cgi?id=1433065 which is highly related.

So there are indeed some architectural changes that prevent low integtrity level mode from working properly. I think this is too technical now for this forum. Here seems to be the place for people who don't know the basics and ask questions like "How do I download a file" or similar. But for real technical discussions I have to go somewhere else it seems. I will mark this as closed / solved and move the discussion to bugzilla.

@FredMcD: I think people can google that themselve.

more options

I'm glad you found your answer, Mario. :)

Because this thread is solved, and the replies seem to be just arguments, rather than attempts to help, I'm going to lock it.

If your goal is to lock down Firefox, there may be changes that help achieve that in the form of sandboxing - see https://wiki.mozilla.org/Security/Sandbox

If you have any further issues, and you find you're not getting help, just PM the URL.