|Why is Chrome reporting a download from my website as 'appears malicious' when a check on the safe browsing list shows i||PaulH 5842||2/14/12 11:51 AM|
Why is Chrome reporting a download from my website as 'appears malicious' when a check on the safe browsing list shows it as clean?
|Re: Why is Chrome reporting a download from my website as 'appears malicious' when a check on the safe browsing list shows i||TheStamp||2/14/12 7:38 PM|
This is happening to me as well.
|Re: Why is Chrome reporting a download from my website as 'appears malicious' when a check on the safe browsing list shows i||akaTwosheds||2/16/12 3:52 AM|
Same here. Our very thoroughly scanned (Nod, Avast, Kaspersky and Sophos all report it clean) setup files are all being tagged as potentially malicious which of course has our customers a little worried.
As a test I copied NOTEPAD.EXE from one of my Win2k3 servers and renamed it as SETUP.EXE. I then used WinRAR (which we use to create out install and update packages) to create a self extracting EXE archive which I named INSTALL.EXE.
I then copied both files to the same web server that I got the "appears malicious" message on and tried downloading them both using Chrome.
SETUP.EXE - the un-archived copy of NOTEPAD.EXE - downloaded just fine with no warnings.
INSTALL.EXE - which is the same file simply archived into a self-extracting EXE archive with WinRAR - was tagged with the "appears malicious" message.
Taking it a little further I used WinRAR to create a ZIP file containing SETUP.EXE and it downloaded just fine as well.
Then in a fit of serious obsessiveness I created a text file and filled it with a few thousand random characters, then created a new self extracting file with WinRAR and tried downloading it, with the "appears malicious" message popping up for it too.
What this all means I can't say for certain but it looks like Chrome really doesn't like self extracting EXEs. At least it doesn't seem to like mine.
Are there any suggestions (don't say stop using WinRAR and/or self extracting EXE - neither is an option) for remedying this?
Thanks for your assistance...
|Re: Why is Chrome reporting a download from my website as 'appears malicious' when a check on the safe browsing list shows i||Joeran||2/16/12 4:28 AM|
I have the same problem for http://docear.org/temp/docear.exe and http://downloads.docear.org/docear.exe respectively. These files are 100% free of malware and viruses but Google Chrome says "docear.exe appears malicious".
Interestingly, exactly the same file can be downloaded from http://amok.am/tmp/docear.exe without any problems. Please, can you telll me what to do so files are not considered malicious from docear.org?
|TheStamp||2/16/12 7:36 AM|
I'm not too sure what to make of this.. I really do think theres a whitelist of valid files and their hashes.
I created a test setup that simply creates a directory (minimum requirement). You can locate it here: http://lanhub.ca/files/setuprr.exe. Chrome reports this as malicious.
I have another installer on the site that has been up around a year: http://lanhub.ca/files/tournamentHUBLiteSetup.exe This is NOT malicious.
If I rename the setuprr.exe to tournamentHUBLiteSetup.exe, chrome still thinks that (the newly renamed) setuprr.exe is malicious. But I can put tournamentHUBLiteSetup.exe anywhere (even on different server) and it will not be malicious.
Now here's the weird part: If I upload setuprr.exe to mediafire.com and download from there, IT IS NOT MALICIOUS!
So I'd like to know, what kind of configuration does mediafire have that makes google auto-approve files, and how do we set it up for our websites?
|alexstor||2/18/12 1:21 PM|
The same problem :-(
My exe file (installer) is 100% clean (just re-checked this with all A/V software I can get) and contains small Windows GUI program. Absolutely nothing that can be marked as malicious..
The website is good for google(checked this with their special page) - no any malware etc
Probably there is 2 possible reasons:
1. Not signed installer(exe file)
2. and/or the packer itself. I'm using Inno Setup to build my installer..
and it seems that the real reason is packer(Inno Setup, WinRar etc)..
Could it be, that Chrome "remembered" some signature for some bad software which was packed as installer with RAR/InnoSetup and NOW chrome detects that signature in our installers as soon as they were also created with RAR/InooSetup/Other packer ?
And the important question.. What to do right now? I assume the first move is to provide ZIP file to download for users in addition to EXE..
Don't use RAR/InnoSetup?(not really possible)
Try to re-pack and to re-name installer?
|alexstor||2/18/12 1:38 PM|
The more interesting thing.. just downloaded the really spying tool as exe installer but _signed_... ya, no any warnings ;-) so it seems the signature is very important for chrome
|jschuh||2/19/12 8:13 AM|
Chrome 17 added reputation checking for executable downloads. You can find more information here: http://blog.chromium.org/2012/01/all-about-safe-browsing.html
|alexstor||2/19/12 8:56 AM|
Well, thank you but this does not answer the question, why Chrome detects my 100% clean exe as malicious(not as 'probably malicious', that I will be able to undestand, i.e. any EXE is _probably_ malicious), why truly spying program is marked as clean and what we can do now to "say" Chrome that our exe is ok.
In this article:
If a file isn’t from a known source, Chrome sends the URL and IP of the host and other meta data, such as the file’s hash and binary size, to Google. The file is automatically classified using machine learning analysis and the reputation and trustworthiness of files previously seen from the same publisher and website.
And? What is wrong with my file's hash and binary size? No any malware file was previously published on my website
The only explanation can be "the same publisher".. If it gets "publisher" from digital signature, then all unsigned exe will be "Unknown Publisher" and of course there are many viruses in Internet without digital signature and so produced by "Unknown publisher"..
But in this case this this "Safe Browsing" is just a kid's toy as soon it detects unsigned clean exe as definitely malicious (note, not as "probably" but just malicious) but at the same time says signed spyware program(keylogger) is clean and safe.
The Chrome is WRONG, this file is not 'malicious' as it says, so it must have an ability to report a false positive detection, as any antivirus has (as soon as Chrome begins to act as some kind of antivrius). All we want is to have an ability to say Google "hey, this particular file is 100% clean. You can re-check it with virustotal, remember hash and don't say for users it is malicious".. I don't see this ablility right now.. Am I wrong?
|banbouk2||2/20/12 3:31 AM|
Here's what I experienced:
I developed an application on .net and uploaded it to mywebsite. Now when I tried to download it from mywebsite it gave the malicious warning. I then tried to download the same file through my host alias name which was something like mywebsite.myhost.com there was no warning message (it was the same file)
Then what I did is I uploaded the "notepad.exe" to mywebsite and tried to download it through mywebsite, guess what it didn't give any warning!
So I thought that maybe if I sign my .net application that would work. After signing it, it still gave the message whenever I try to download it through mywebsite.
It seems to me that Chrome checks the website name through some white-list of domains that they have, if the website was in the white-list then you won't get the warning. If it wasn't then it checks something in the application itself (I haven't figured out what yet, it might be because my signature was a test one and not through verisign or the big guys where you need to pay money)
I hope my experience helped a little
|alexstor||2/20/12 2:28 PM|
> After signing it, it still gave the message whenever I try to download it through mywebsite.I believe that such "home made" signature is the same for Chrome as no signature.. Because any one can sign a virus with such signature but to purchase a verisign(for example) signature you have to fully identify yourself or your company
|Janester||2/21/12 3:13 PM|
I just encountered this problem as well. I had a free trial download link on my main page, and full version links that require an authorized account to access. When I issued a software update today and changed the files to the new versions, I found that Chrome reported "appears malicious" on my free trial link, but had no problem with my full version link (even though both files had changed). The full version URL used SSL and the trial did not, so I decided to try changing my trial URL to use SSL. That did the trick - I can now download the new files from both HTTPS URLs without nasty Chrome warnings. Hope this helps someone.
|TheStamp||2/21/12 3:26 PM|
Can someone verify Janester's solution with having the download over SSL? I don't have any certs currently.
|Janester||2/21/12 3:49 PM|
I had tried another workaround solution before trying SSL, and that was to put the free trial executable file on Google Docs and share it publicly. When you do this, it will give you a link to a Google Docs landing page like this:
The landing page to Google Docs was unacceptable for me, so I had to change the link to this:
and that gave me a direct link to my file. This is obviously not an ideal solution by far, but it might do for someone in a pinch and doesn't require SSL. Having the URL link out to Google Docs probably looks a bit goofy to customers, but it was better than a big red nasty DO-NOT-DOWNLOAD warning. Also I have no idea what the bandwidth limitations would be, but if you are a small shop it might be enough to get you by temporarily until you can implement a real solution.
|nelroy||2/24/12 2:29 PM|
I have the same problem (which I posted seperately before I found this thread). Was initially worried that I had a malware attack, but the problem is only Chrome. IE, Safari and Firefox don't report a problem and neither do a number of scanning tools. I tried the following: create a text file with a couple of lines of random text, rename it to an .exe and upload it. This is indeed reported by Chrome as malware. Tried again with a digitally signed executable (in this case the Microsoft c library redistributable) and it didn't trigger a warning. So it looks indeed like a signing problem, which is an irritator because I now have to pay for a certificate to offer free software.
|Janester||2/24/12 3:25 PM|
Hmm, I was able to get around it without a code signing certificate, just by using SSL (which uses a less expensive certificate, and I already had one to secure access to my website), but as your experience shows it seems SSL isn't the only way...
Based on my experience and what I've read of others here, my theory of how Chrome validates downloads is that it goes through a checklist like this:
1. Is the host site known and trusted? (i.e. large established sites are OK)
2. Can the identity of the host site be verified? (i.e. via SSL certificate)
3. Can the the identity of the file's publisher be verified? (i.e. via code signing certificate)
4. Is the file known and trusted? (I had a file up for a while that was unsigned and accessed without SSL - Chrome was fine with it until I changed the binary after the security update... I'm assuming it takes some time to reach this status.)
If one of these criteria passes, the download is not flagged as malware, and if they all fail, it is.
Though I currently have a solution that works for me, I'm interested in fully understanding this issue so I don't get bitten again. I'm hoping more people post their experiences so we can all benefit from them.
|alexstor||2/25/12 12:59 PM|
Janester, could describe in two words what is required to get SSL certificate for my website? Is it possible to get SSL certificate for web-site on shared hosting or VPS is required? How much does it cost? Thanks
|Janester||2/25/12 8:00 PM|
I'm using shared hosting, and I had my hosting provider do the actual installation of my certificate, so what you would have to do depends on your host. You should check with your hosting provider for assistance and requirements. Generally, it requires that you generate a Certificate Signing Request (CSR) on your hosting account and then submit that to the Certificate Authority you are purchasing the certificate from (i.e. GoDaddy or VeriSign, etc.). It looks like GoDaddy's standard SSL certificate currently goes for $69.99/yr and the others are usually more expensive.
|stevek_mcc||2/27/12 6:37 AM|
Chrome's 'this file appears malicious' warnings are false and unfounded in too many cases. They include two factors that have nothing to do with whether the code is malicious: packed executable, and low number of previous downloads.
Packing an executable is good practice: they take up less space and bandwidth, and are faster to start up from hard disk. Like including some form of software protection or obfuscation, packing may make it harder for Google to recognize or analyse the program, but that does NOT mean it appears malicious.
Software downloads follow the law of the long tail: things like Flash and Adobe Reader installers are frequently encountered, but there is a massive amount of software not commonly used, but which may be very useful to some. You can recognize common downloads as non-malicious, but not recognizing something does NOT mean it appears malicious.
Both packing and infrequent downloads simply mean that you can't say much about that software. In that case, the principle must be 'innocent until proven guilty'.
If you see someone on the street with a black mask and knife in his hand, he appears malicious; if you see a friend you recognize, he doesn't appear malicious; but if you see someone you don't recognise, and who is mostly obscured by a crowd, you can't go around shouting to everybody around you that he's malicious.
|adrianprice||2/28/12 6:35 AM|
I am having the same problem -- an (unsigned) exe installer created using InnoSetup is called malicious and recommends I discard it. The file is completely clean, and this is not only ruining my download rate, but ruining the reputation of my company -- as anyone in PR knows, it doesn't matter if you've made a transgression, being publicly accused of a transgression is enough in the eyes of the public. This HAS to be fixed. Is there anything we can do about it?
I've searched Google's site and I've found aboslutely no tips for software publishers, and of course, no response from them in this thread. This is unbelievable, especially with Chrome rapidly gaining market share -- this is going to destroy small software vendors.
As to why I don't sign my installer: it's freeware, and while I don't mind putting my time and effort into developing the software, I'm not about to pay several hundred dollars per year for a code signing certificate to distribute something with zero return.
This seems to have just started with the most recent Chrome update; I didn't have this issue downloading the same installer from the same site using Chrome last week.
|adrianprice||2/28/12 6:48 AM|
Addendum to my previous comment: Google Webmaster Tools' Malware section shows no malware found, and StopBadWare shows nothing in their database for my site. These are the only suggested given anywhere that I can find on Google's sites and blogs on the subject.
|banbouk2||2/28/12 7:02 AM|
For some reason, after some time my exe file is not reported as malicious anymore. Is it possible that google scanned the file and found that it is malware free? Has anyone faced the same scenario?
|stevek_mcc||2/29/12 3:18 AM|
@banbouk2: Yes, our exe file seems to be no longer reported as malicious. I actually never saw the warning myself, it was reported by a user. By the time the report got to me and I'd installed Chrome, I didn't see any warning. I'll check back with the user whether he does.
|stevek_mcc||2/29/12 3:45 AM|
@banbouk2: Our user no longer sees the problem. He saw it 25th Feb with the same version as he's using now:
so I guess the change was in the Google servers that Chrome checks from.
|banbouk2||2/29/12 3:50 AM|
@stevek_mcc interesting, so it seems that any unknown exe file is considered as malicious until it gets scanned and verified by Google.
In this case it is better to publish the exe file and wait for some time before giving the download link to your customers!
|HeyPops||2/29/12 7:00 AM|
I just resolved this issue for my downloads by using full HTTPS URLs for the downloads. Thankfully, Google doesn't require I pay thru the nose for a code signing certificate (which I cannot afford!), an SSL certificate for my domain is sufficient.
So rather than using a relative URL which could be invoked as either HTTP or HTTPS (as I had been doing), I now use a fully-qualified HTTPS URL for the download and Chrome no longer says "appears malicious". The downloads also still works with other browsers like Safari , Firefox and IE using the HTTPS URLs.
|CahabaCreek||4/16/12 12:05 PM|
We are in the same boat. It hit us with our latest release. I would think someone with the resources could find a class action law suit here as this clearly attacks the reputation of any company that offers free versions of software and therefore needs to contain cost (so does not wish to pay yearly fees for signing certs that may/may not resolve the issue). We have no problem with a warning that the files are from an unknown source, but to use the term "appear to be malicious" when Googles own webmaster tools find our files clean, 3 different antivirus software report them clean, TrustWave scans our PCI complaint site regularly and we are NOT on the StopBadWare site list is irresponsible at best. My assumption is that Google is trying to get companies to push distribution of software into "their" cloud to avoid(Google docs) as that is the only free way around this. So, what we are doing it putting a warning on OUR download page that Google Chrome appears to have a bug that causes them to report our files as malicious and that we recommend another browser be used. If there is a way for a small business site to be "whitelisted" then someone should share it. I haven't found it.
|casid||7/12/12 1:34 AM|
Same here. It's a shame that the issue is still there. I hate to say it, but this really sucks.
|gsiry||8/9/12 10:43 AM|
I am running into this issue as well. Over the past couple of days some of our downloadable installers generate the 'not commonly downloaded' warning from chrome.
|jgreiner1024||8/22/12 3:51 PM|
We went through the hassle of getting a code signing certificate and chrome still blocks it claiming it is malicious even though it is not.
If we can't find a system to white list our software, I don't see how we have any other choice than to lawyer up because this isn't right to block legitimate software and offer no way for the software to be unblocked.
|ferries||8/30/12 8:27 PM|
I distribute some specialized analytical software. Same Chrome problem with 'appears malicious'.
The only way I could persuade a suspicious client was to tell him to download with IE8.
Ironically, IE8 reassuringly tells the suspicious client that "SmartScreen Filter checked this download and did not report any threats."
That facility in IE8 challenges Google. Chrome needs its equivalent of SmartScreen Filter.
Chrome's word 'appears' is a weasel-worded cop out that causes unnecessary worry.
|LumaRay||9/18/12 12:40 AM||<This message has been deleted.>|
|informa_dev||11/10/12 12:16 PM|
you found the solution? I have the same problem
|AndrewInEssex||11/28/12 6:23 AM|
And me; it's a pain - is the only solution to buy SSL for the domain? I do have plenty of other things to do!
|Markus M..||12/28/12 6:33 AM|
Same problem here. In my experience SSL only prevents the message box. Chrome still offers to delete the file.
|gotya toolz||12/28/12 11:48 AM|
As site owners or webmasters it would be too expensive to constantly buy ssl certificates for each site we build. I have used googles webmaster tools and imported the html file or the meta tag to activate and certify the websites but still on all my downloads they say it appears malicious and this has been for weeks. Im positive i have lost customers and new potential customers as well. I have even made a text file into a .exe by renaming it and google still finds it malicious. the only way to bypass it make everything in .rar format. Google needs to get there heads on straight before a class action suit goes there way due to loss of sales and customers for small businesses like mine. I am a programmer and even scanned all of my software through googles malware checker and still states everything is clean so how would you feel if it was the first time on a site and seen a malicious warning even if its false? Customers depend on our software but now google is making it very difficult to stay in business with huge mistakes like this.