Why does the Firefox Win 64-bit installer get flagged by Immunet consistently for Sality?

  • 9 replies
  • 1 has this problem
  • 37 views
  • Last reply by James

more options

This installer for 64-bit Firefox is recently and consistently getting flagged by Immunet's Clam engine as malware.

Infected or noninfected crc32 checksum: setup-stub/exe's pre-infection crc32 = 87196b42

So I remove it from Immunet quarantine - crc32 matches... I downloaded it on another machine with Symantec - crc32 matches, no infection found in Symantec.

Details from VirusTotal upload of the infected file: https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/detection

This is the download site: https://www.mozilla.org/en-US/firefox/new/

Download link in the site: https://www.mozilla.org/en-US/firefox/download/thanks/


All Replies (9)

more options

That screenshot looks like many malware I have seen impersonating a legit A/V program. Otherwise the program you're using is junk.

more options

hi, that's a question that you'd need to pose to the vendor that's (falsely) flagging the file...

more options

While I somewhat agree that ClamAV's engine is not the best, it has been around for a long time, as has Sality and its variant (since the early 2000s, I believe).

The problem with ruling it out comes from the listing on VirusTotal, which proves that the version of Immunet I have shares detection with whatever VirusTotal is using and is probably not a bad copy of Immunet.

I use Immunet because they are backed by Cisco and Talos threat intelligence.

more options

While I would generally agree on the placement of the question in whose forum, I could honestly care less about notifying Cisco/Immunet. I support Firefox from version 1 to Quantum. Die hard. If this is getting flagged by Immunet and not the 32-bit installer, then we have a problem at Firefox and the fact that it shares signatures found in an intense rootkit piece of malware (Sality) that infects EXE files in order to spread (consider the odds of hash collisions during a scan).

OR The darker conspiracy theory would be that Cisco-Talos is out to slow the spread of Firefox which competes in quality and quantity against all their proprietary hooha... https://newsroom.cisco.com/press-release-content?articleId=1608152

more options

WestEnd said

That screenshot looks like many malware I have seen impersonating a legit A/V program. Otherwise the program you're using is junk.

My friend this is not a simple problem, I am looking out for the future of Mozilla here. This is a massive problem.

more options

If you're not willing to tell the Security software is causing the issue, there's not much more that can be done here. If what you're saying was true there would be plenty more threads asking for help on this, but there aren't.

more options

WestEnd said

If you're not willing to tell the Security software is causing the issue, there's not much more that can be done here. If what you're saying was true there would be plenty more threads asking for help on this, but there aren't.

I was really looking for a direct way to contact Mozilla and report this because if A/V is blocking an installer, they can simply repackage the installer without malware signatures or suffer the loss of users. I am not out here during work hours trolling a Mozilla forum for nothing. Please stop posting for status only. I am in the business of what I am talking about, just trying to find the quickest avenue to get the problem realized.

more options

False Positives from some antivirus scanners have occurred in the first couple of weeks (usually in the first few days) after a new major Firefox Release.

More so with the small stub installer for Windows from www.mozilla.org but not with the full setup for Windows from www.mozilla.org/firefox/all/

Mozilla has not repackaged the installers simply because of false positives as the antivirus clients usually quickly get a definitions update correcting the mistake.

Modified by James

more options

Chosen Solution

Btw the https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/detection does not prove that the Firefox stub checked was indeed infected.

Only Clam is flagging it out of 68.

Clam has been among a short list of antivirus clients (which includes Norton, Antiy-AVL and Cylance) doing many False Positives with Firefox stubs (for Windows) over the years.

Also this online stub is not Win64 Firefox but rather defaults to installing Win64 if the OS and hardware system support it, and it can install the 32-bit version instead.

To get the full offline 64-bit or 32-bit Firefox for Windows setup you can get it at www.mozilla.org/firefox/all/


Actually it may be Clam still falsely claiming the stubs are infected due to 7zS.sfx. 7zS.sfx is the 7-ZIP self extractor stub from 7-ZIP that is used by Mozilla to pack the actual Firefox program with the 7-ZIP archive utility. Mozilla has been providing stubs since Fx 18 and some antivirus clients still occasionally false flag the stubs.

ex: https://github.com/4ian/GDevelop/issues/88#issuecomment-81366849

And look at Relations section: https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/relations

Modified by James
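
A check that settles the question in this thread on the downloaded file itself, as an added example that is not part of the original posts or any Mozilla tooling: a file infector has to rewrite the executable, which breaks its Authenticode signature, so a valid signature from Mozilla means the file is exactly what Mozilla signed. The default path and file name are assumptions; the SHA-256 is the one in the VirusTotal URL above and only tells you whether your copy is the same file as the one in that report.

```powershell
# Added example: triage an antivirus alert on a downloaded Firefox installer.
# $Path is an assumed download location; $ReportSha256 is taken from the
# VirusTotal URL quoted in the thread; $ExpectedSigner is Mozilla's signing name.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\Firefox Installer.exe",
    [string]$ReportSha256 = 'dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141',
    [string]$ExpectedSigner = 'Mozilla Corporation'
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# SHA-256 identifies the exact file. CRC32 only catches accidental corruption,
# so a matching CRC32 is weak evidence either way.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()

# Authenticode hashes the PE contents. Code patched into or appended to a signed
# executable shows up as HashMismatch; a stripped signature shows as NotSigned.
$sig    = Get-AuthenticodeSignature -LiteralPath $Path
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

# Match the CN component exactly, not just any substring of the subject.
$cnPattern = 'CN=' + [regex]::Escape($ExpectedSigner) + '(,|$)'

$result = [pscustomobject]@{
    Path             = $Path
    Sha256           = $sha256
    SameFileAsReport = ($sha256 -eq $ReportSha256.ToLowerInvariant())
    SignatureStatus  = $sig.Status
    Signer           = $signer
    SignedByExpected = ($sig.Status -eq 'Valid' -and $signer -match $cnPattern)
}
$result | Format-List

if ($result.SignedByExpected) {
    Write-Output 'Signature is valid and from the expected signer: the file is unmodified since signing. Treat the alert as a likely false positive and report it to the AV vendor.'
} elseif ($sig.Status -eq 'HashMismatch') {
    Write-Output 'File contents do not match the signature: the file was changed after signing. Keep it quarantined and download again from the official site.'
} else {
    Write-Output "Signature status is $($sig.Status): authenticity cannot be confirmed from the signature. Do not run the file."
}
```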