Why does the Firefox Win 64 bit installer get flagged by immunet consistently for Sality?

  • 9 replies
  • 1 has this problem
  • 37 views
  • Last reply by James

This installer for 64-bit Firefox is recently and consistently getting flagged by Immunet's Clam engine as malware.

Infected or noninfected crc32 checksum: setup-stub/exe's pre-infection crc32 = 87196b42

So I remove it from Immunet quarantine - crc32 matches... I downloaded it on another machine with Symantec - crc32 matches, no infection found in Symantec.

Details from Virus Total upload of the infected file https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/detection

This is the download site: https://www.mozilla.org/en-US/firefox/new/

Download link in the site: https://www.mozilla.org/en-US/firefox/download/thanks/
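
Added example (not part of the original post): the question compares CRC32 values to decide whether the installer changed. This sketch runs a birthday search over constructed byte strings to show that two different inputs can share a CRC32, and compares content by SHA-256 instead; all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import zlib


def fingerprints(data: bytes) -> dict:
    """Return both checksums of a byte string as lowercase hex."""
    return {
        "crc32": "%08x" % zlib.crc32(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def find_crc32_collision(limit: int = 2_000_000):
    """Birthday search over constructed inputs for two different byte
    strings with the same CRC32 (expected after roughly 80,000 tries)."""
    seen = {}
    for i in range(limit):
        # Constructed sample data: hashing the counter makes inputs differ
        # in many bits, so CRC32 behaves like a random 32-bit value.
        data = hashlib.sha256(b"constructed-sample-%d" % i).digest()
        crc = zlib.crc32(data)
        earlier = seen.get(crc)
        if earlier is not None and earlier != data:
            return earlier, data
        seen[crc] = data
    raise RuntimeError("no CRC32 collision found within limit")


def same_content(a: bytes, b: bytes) -> bool:
    """Decide equality on SHA-256, which is collision resistant."""
    return hmac.compare_digest(hashlib.sha256(a).digest(),
                               hashlib.sha256(b).digest())


if __name__ == "__main__":
    a, b = find_crc32_collision()
    print("crc32 :", fingerprints(a)["crc32"], fingerprints(b)["crc32"])
    print("sha256:", fingerprints(a)["sha256"][:16], fingerprints(b)["sha256"][:16])
    print("same content by SHA-256:", same_content(a, b))
```

For a real download, feed the file's bytes to `fingerprints` and compare the SHA-256 against a value obtained from a trusted source.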


Chosen solution

Btw the https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/detection does not prove that the Firefox stub checked was indeed infected.

Only Clam is flagging it out of 68.

Clam has been among a short list of antivirus clients (which includes Norton, Antiy-AVL and Cylance) doing many False Positives with Firefox stubs (for Windows) over the years.

Also this online stub is not Win64 Firefox but rather defaults to installing Win64 if the OS and hardware system supports it and it can install 32-bit version instead.

To get the full offline 64-bit or 32-bit Firefox for Windows setup you can get it at www.mozilla.org/firefox/all/


Actually it may be Clam still falsely claiming the stubs are infected due to 7zS.sfx. 7zS.sfx is the 7-ZIP self extractor stub from 7-ZIP that is used by Mozilla to pack the actual Firefox program with the 7-ZIP archive utility. Mozilla has been providing stubs since Fx 18 and some antivirus clients still occasionally false flag the stubs.

ex: https://github.com/4ian/GDevelop/issues/88#issuecomment-81366849

And look at Relations section: https://www.virustotal.com/#/file/dc1e41fa8ac852fa8b8c5d6ba099fe84d394b6719c4519f6354fe2beba9ee141/relations

All Replies (9)

That screenshot looks like many malware I've seen impersonating a legit A/V program. Otherwise the program you're using is junk.

Hi, that's a question that you'd need to pose to the vendor that's (falsely) flagging the file...

While I somewhat agree that ClamAV's engine is not the best, it has been around for a long time, as has Sality and its variants (since the early 2000s, I believe).

The problem with ruling it out comes from the listing on VirusTotal, which proves that the version of Immunet I have shares detection with whatever VirusTotal is using and is probably not a bad copy of Immunet.

I use Immunet because they are backed by Cisco and Talos threat intelligence.

While I would generally agree on the placement of the question in whose forum, I could honestly care less about notifying Cisco/Immunet. I support Firefox from version 1 to Quantum. Die hard. If this is getting flagged by Immunet and not the 32-bit installer, then we have a problem at Firefox and the fact that it shares signatures found in an intense rootkit piece of malware (Sality) that infects EXE files in order to spread (consider the odds of hash collisions during a scan)

OR the darker conspiracy theory would be that Cisco-Talos is out to slow the spread of Firefox, which competes in quality and quantity against all their proprietary hooha... https://newsroom.cisco.com/press-release-content?articleId=1608152

WestEnd said

That screenshot looks like many malware I've seen impersonating a legit A/V program. Otherwise the program you're using is junk.

My friend, this is not a simple problem. I am looking out for the future of Mozilla here. This is a massive problem.

If you're not willing to tell the Security software is causing the issue there's not much more that can be done here. If what you're saying was true there'd be plenty more threads asking for help on this but there isn't.

WestEnd said

If you're not willing to tell the Security software is causing the issue there's not much more that can be done here. If what you're saying was true there'd be plenty more threads asking for help on this but there isn't.

I was really looking for a direct way to contact Mozilla and report this because if A/V is blocking an installer, they can simply repackage the installer without malware signatures or suffer the loss of users. I am not out here during work hours trolling a Mozilla forum for nothing. Please stop posting for status only. I am in the business of what I am talking about, just trying to find the quickest avenue to get the problem realized.

False Positives from some Antivirus scanners have occurred in the first couple weeks (usually in first few days) after a new major Firefox Release.

More so with the small stub installer for Windows from www.mozilla.org but not with the full setup for Windows from www.mozilla.org/firefox/all/

Mozilla has not repackaged the installers simply because of false positives as the antivirus clients usually quickly get a definitions update correcting the mistake.

Modified by James
