Why does the Firefox Win 64-bit installer get flagged by Immunet consistently for Sality?
This installer for 64-bit Firefox has recently and consistently been getting flagged by Immunet's Clam engine as malware.
Infected or non-infected CRC32 checksum: setup-stub/exe's pre-infection CRC32 = 87196b42
So I remove it from Immunet quarantine: CRC32 matches... I downloaded it on another machine with Symantec: CRC32 matches, no infection found in Symantec.
Details from Virus Total upload of the infected file https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/detection
This is the download site: https://www.mozilla.org/en-US/firefox/new/
Download link in the site: https://www.mozilla.org/en-US/firefox/download/thanks/
Chosen solution
By the way, the https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/detection report does not prove that the Firefox stub checked was indeed infected.
Only Clam is flagging it out of 68.
Clam has been among a short list of antivirus clients (which includes Norton, Antiy-AVL and Cylance) producing many false positives with Firefox stubs (for Windows) over the years.
Also, this online stub is not Win64 Firefox; rather, it defaults to installing Win64 if the OS and hardware support it, and it can install the 32-bit version instead.
To get the full offline 64-bit or 32-bit Firefox for Windows setup, you can get it at www.mozilla.org/firefox/all/
Actually, it may be Clam still falsely claiming the stubs are infected due to 7zS.sfx. 7zS.sfx is the 7-ZIP self-extractor stub from 7-ZIP that is used by Mozilla to pack the actual Firefox program with the 7-ZIP archive utility. Mozilla has been providing stubs since Fx 18, and some antivirus clients still occasionally false-flag the stubs.
ex: https://github.com/4ian/GDevelop/issues/88#issuecomment-81366849
And look at Relations section: https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/relations
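The question above decides "not infected" from a matching CRC32, and the answer explains that the stub is a 7zS.sfx self-extractor with a 7-Zip archive behind it. The block below is an added example, not code from this thread or from Mozilla: it computes the CRC32 and SHA-256 of a file, locates the embedded .7z archive by its 6-byte signature so the payload can be examined separately from the self-extractor code, and demonstrates why a matching CRC32 is not tamper evidence by choosing four trailing bytes that force any wanted CRC32. The "installer" bytes, the tampered copy and the helper names are constructed for the demo; the only value taken from the thread is the CRC32 87196b42 quoted by the poster.

```python
"""Added example (not from the Mozilla support thread or Mozilla's tooling):
hash an installer, find the 7-Zip archive inside an SFX stub, and show that a
CRC32 can be forced to any value with four appended bytes."""
import hashlib
import zlib
from typing import Optional

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 6-byte signature every .7z archive starts with
CRC32_POLY = 0xEDB88320                   # reflected CRC-32 polynomial used by zlib


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_table()
# Every table entry has a distinct top byte; that is what lets one CRC step be undone.
TOP_BYTE_TO_INDEX = {CRC_TABLE[i] >> 24: i for i in range(256)}
assert len(TOP_BYTE_TO_INDEX) == 256


def crc32_hex(data: bytes) -> str:
    """CRC32 formatted like the 8-hex-digit value quoted in the question."""
    return f"{zlib.crc32(data):08x}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_7z_payload(data: bytes) -> int:
    """Offset of the embedded .7z archive in an SFX stub, or -1 if there is none."""
    return data.find(SEVEN_ZIP_MAGIC)


def verify(data: bytes, expected_crc32: str, expected_sha256: Optional[str] = None) -> dict:
    """Compare a file against an expected CRC32 (the poster's check) and, when
    known, a SHA-256 (the value that actually identifies the file; it is also
    the id in the VirusTotal URL)."""
    crc = crc32_hex(data)
    sha = sha256_hex(data)
    return {
        "crc32": crc,
        "sha256": sha,
        "crc32_ok": crc == expected_crc32.lower(),
        "sha256_ok": expected_sha256 is None or sha == expected_sha256.lower(),
        "payload_offset": find_7z_payload(data),
    }


def forge_crc32_suffix(data: bytes, target_crc32: int) -> bytes:
    """Return 4 bytes that, appended to data, make zlib.crc32 equal target_crc32.
    Walk the CRC register backwards from the wanted final state through four
    byte steps, then XOR with the register state reached after data."""
    reg_after_data = zlib.crc32(data) ^ 0xFFFFFFFF      # raw register after data
    t = target_crc32 ^ 0xFFFFFFFF                       # raw register we must end on
    for _ in range(4):
        i = TOP_BYTE_TO_INDEX[t >> 24]                  # table index used in this step
        t = ((t ^ CRC_TABLE[i]) << 8) | i               # previous register, index kept in low byte
    return (t ^ reg_after_data).to_bytes(4, "little")


# Constructed demo data (hypothetical, not a real installer): a fake PE stub
# followed by a fake 7-Zip archive, the way a 7zS.sfx-based installer is laid out.
STUB_CODE = b"MZ" + bytes(62) + b"self-extractor code " * 4
ARCHIVE = SEVEN_ZIP_MAGIC + b"\x00\x04" + b"firefox payload"
GOOD_INSTALLER = STUB_CODE + ARCHIVE
EXPECTED_CRC32 = "87196b42"              # value quoted by the poster


def demo():
    good = verify(GOOD_INSTALLER, crc32_hex(GOOD_INSTALLER))
    tampered = GOOD_INSTALLER + b"\xcc"  # one appended byte; both digests change
    flagged = verify(tampered, good["crc32"], good["sha256"])
    # Trailing bytes chosen so the CRC32 comes out to the poster's quoted value
    # although the file differs from the original; the SHA-256 still catches it.
    collided = tampered + forge_crc32_suffix(tampered, int(EXPECTED_CRC32, 16))
    forged = verify(collided, EXPECTED_CRC32, good["sha256"])
    return good, flagged, forged


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "forged"), demo()):
        print(label, result)
```

Neither digest says who built the file; for that, check the installer's Authenticode signature on Windows. The forging step only needs the CRC register to be invertible one byte at a time, which holds for CRC32 because each table entry has a unique top byte; it works for any input and any target, not just the quoted value.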
That screenshot looks like many malware I have seen impersonating legit A/V programs. Otherwise the program you're using is junk.
Hi, that's a question that you'd need to pose to the vendor that's (falsely) flagging the file...
While I somewhat agree that ClamAV's engine is not the best, it has been around for a long time, as have Sality and its variants (since the early 2000s, I believe).
The problem with ruling it out comes from the listing on virustotal, which proves that the version of immunet I have shares detection with whatever Virustotal is using and is probably not a bad copy of immunet.
I use immunet because they are backed by Cisco and Talos threat intelligence.
While I would generally agree on the placement of the question in whose forum, I could honestly care less about notifying Cisco/Immunet. I support Firefox from version 1 to Quantum. Die hard. If this is getting flagged by Immunet and not the 32-bit installer, then we have a problem at Firefox, and the fact that it shares signatures found in an intense rootkit piece of malware (Sality) that infects EXE files in order to spread (consider the odds of hash collisions during a scan).
Or the darker conspiracy theory would be that Cisco-Talos is out to slow the spread of Firefox, which competes in quality and quantity against all their proprietary hooha... https://newsroom.cisco.com/press-release-content?articleId=1608152
WestEnd said
That screenshot looks like many malware I have seen impersonating legit A/V programs. Otherwise the program you're using is junk.
My friend, this is not a simple problem. I am looking out for the future of Mozilla here. This is a massive problem.
If you're not willing to tell the security software is causing the issue, there's not much more that can be done here. If what you're saying were true, there would be plenty more threads asking for help on this, but there aren't.
WestEnd said
If you're not willing to tell the security software is causing the issue, there's not much more that can be done here. If what you're saying were true, there would be plenty more threads asking for help on this, but there aren't.
I was really looking for a direct way to contact Mozilla and report this, because if A/V is blocking an installer, they can simply repackage the installer without malware signatures or suffer the loss of users. I am not out here during work hours trolling a Mozilla forum for nothing. Please stop posting for status only. I am in the business of what I am talking about, just trying to find the quickest avenue to get the problem recognized.
False positives from some antivirus scanners have occurred in the first couple of weeks (usually in the first few days) after a new major Firefox release.
More so with the small stub installer for Windows from www.mozilla.org but not with the full setup for Windows from www.mozilla.org/firefox/all/
Mozilla has not repackaged the installers simply because of false positives as the antivirus clients usually quickly get a definitions update correcting the mistake.