New Firefox installer?
Hi
I recently downloaded Firefox from the main download page https://www.mozilla.org/en-US/firefox/. The actual download link was: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-stub/en-US/win/aeb02dfeae750c7fa2abe9c7bc07b48193110ac61e2169456253638270735d21/Firefox%20Installer.exe
I normally check my downloads using https://virusscan.jotti.org or https://virustotal.com before I run them with admin privileges. Anyway, when I uploaded to http://www.virustotal.com the first thing I noticed was that it had never seen the hash before! (SHA1 hash is 3a974b7394597de41230f7517c293e4b6386eeab.) Once it was uploaded, it was promptly detected by the Cylance antivirus engine.
Can somebody please get in touch with Cylance? I suppose I could contact them myself; however, I prefer not to report it as a "false positive" on the off-chance that particular download actually is corrupted or I got a man-in-the-middle. After all, it's surprising that VirusTotal has never seen this hash before.
All Replies (4)
Some protection programs don't like the update/install stubs. Go here for the full installer.
http://www.mozilla.org/en-US/firefox/all/ Download Firefox For All Languages And Systems
Thanks for the reply. Turns out a new Firefox version was released yesterday, which explains why VirusTotal hadn't seen the hash of the stub-installer before.
The full, offline installer tests clean, as expected, but interestingly, it reports the following "tags" (see the area of the attached screenshot that I've highlighted in blue):
"cve-1999-0016 cve-2004-0790 cve-2005-0068 exploit overlay peexe signed upx"
This is intriguing: my résumé also gets flagged as "exploit"; the Firefox full installer and my résumé are in fact the only 2 files I have ever seen tagged as "cve-1999-0016" or "exploit."
On that, you should contact the scanner's support.
Mozilla uses CDNs to serve Firefox downloads; a more direct one is, for example, https://archive.mozilla.org/pub/firefox/releases/90.0/win64/
Cylance, Clam, Antiy-AVL, and Jiangmin (and also Norton at times) have produced "False Positives" frequently over the years and are often the only ones getting a hit when the others show no detection on VirusTotal or in the antivirus clients.
The common reason for these false positives is 7zS.sfx (look in the details on the page), which is the 7-Zip self-extractor used since early on; the antivirus engines mentioned get the occasional false-positive hit on it.
Firefox setups for Windows have been self-extracting 7z since the Firefox 0.8 Release (Feb 2004).
For reading, as Bugzilla is not a discussion forum like this one. e.g. Bug#1468067 - Firefox installer doesn't pass VirusTotal test
"Cylance appears to be detecting anything that's been through UPX as unsafe."
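Since the thread's real question is whether the downloaded file is corrupted or tampered with rather than whether an AV engine likes it, a check that does not depend on scanner reputation is to compare the file's SHA-256 against the SHA256SUMS manifest Mozilla publishes in each release directory (e.g. https://archive.mozilla.org/pub/firefox/releases/90.0/SHA256SUMS). The following is an added example, not code from the original post or from Mozilla; the manifest lines, file names and file contents below are constructed for the example.

```python
import hashlib
import io
import re
from pathlib import Path

# Constructed stand-ins for files in a release directory. The manifest is
# built from them so the example runs offline; Mozilla's real SHA256SUMS uses
# the same "<hex sha256>  <path relative to the release directory>" layout.
SAMPLE_FILES = {
    "win64/en-US/Firefox Setup 90.0.exe": b"MZ constructed installer bytes",
    "linux-x86_64/en-US/firefox-90.0.tar.bz2": b"BZh constructed tarball bytes",
}
SAMPLE_MANIFEST = "".join(
    f"{hashlib.sha256(data).hexdigest()}  {path}\n" for path, data in SAMPLE_FILES.items()
)


def parse_sha256sums(text):
    """Map relative path -> expected lowercase hex digest, one per manifest line."""
    expected = {}
    for line in text.splitlines():
        # Accept the GNU sha256sum layout, with or without the binary-mode '*'.
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(.+)", line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_of_stream(stream, chunk=1 << 20):
    """Hash a file-like object in chunks so large installers are not read at once."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(manifest_text, rel_path, stream):
    """Return 'match', 'mismatch' (corrupted or altered), or 'unlisted'."""
    expected = parse_sha256sums(manifest_text)
    if rel_path not in expected:
        return "unlisted"
    return "match" if sha256_of_stream(stream) == expected[rel_path] else "mismatch"


def verify_bytes(manifest_text, rel_path, data):
    """Convenience wrapper for in-memory data (used by the checks below)."""
    return verify_download(manifest_text, rel_path, io.BytesIO(data))


def verify_file(manifest_path, release_dir, rel_path):
    """Check a downloaded file on disk against a saved SHA256SUMS manifest."""
    with open(manifest_path, encoding="utf-8") as m, open(Path(release_dir) / rel_path, "rb") as f:
        return verify_download(m.read(), rel_path, f)
```

A hash match only proves the file equals what the manifest lists; because SHA256SUMS is fetched over the same channel, the accompanying SHA256SUMS.asc signature is what ties the manifest to Mozilla rather than to whoever served it.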