How trustworthy are Mozilla’s “malware checks” on Firefox add-ons? Sothink Web Video Downloader now declared “false positive”.

On Saturday I posted about how recently Mozilla declared two experimental Firefox add-ons as malware. Now Mozilla is claiming that the malware reading on v4.0 of Sothink Web Video Downloader was actually a false positive. (Master Filer extension is still declared as malware.)

For a moment, let’s ignore the fact that Mozilla was only using “one malware detection tool” to screen add-ons before last week. Instead, let’s focus on how Mozilla – more or less – publicly condemned an otherwise respected software development firm without conducting a proper investigation. After reading their most recent post on the matter, which explains how McAfee “helped Mozilla understand the threat better” (hence the now changed verdict), it looks like prior to McAfee’s intervention Mozilla simply scanned the add-ons and declared them bad. If this were me trying to keep my personal computer safe, a simple scan would suffice. However, this is a company with a reach of millions of users. I, for one, expect Mozilla to conduct a proper investigation before condemning someone else in public (especially when it means that someone will lose many customers once Mozilla’s verdict has been revealed). Whoever was irresponsible enough to approve the first blog post without a proper investigation should be held accountable.

In another scenario, let’s give Mozilla the benefit of the doubt and say they did conduct an investigation (one that involved more than simply scanning the add-ons in question with an anti-malware tool) before making the first blog post. If that was the case, whoever conducted this investigation should be fired, because I certainly don’t want someone with this type of threat-detection skill – or lack thereof – protecting my browser in any shape, form, or fashion.

Dare I ask: if SourceTec Software were based in the Americas or Western Europe (i.e. somewhere they could easily sue Mozilla for libel), would Mozilla have acted a bit more cautiously? I hope the origins of SourceTec did not matter, but one must wonder. What Mozilla should have done is wait for a proper investigation to be conducted – such as the one they did in conjunction with McAfee – before making any public noise on the issue.

Now let’s go back to the fact that Mozilla was, prior to last week, only using “one malware detection tool” in its pat-down of add-ons. I understand that experimental add-ons may not be screened by Mozilla, so this point of mine is not necessarily directly related to the malware add-ons issue at hand. Rather, I just want to express my sheer horror at how Mozilla put all their confidence in one tool as opposed to diversifying their protection methods. Even on my personal computer I use more than one method of anti-malware protection (and encourage everyone else to do the same); and if anything goes wrong on my computer, it will only affect me… not (potentially) thousands of other people. On the other hand, an AMO failure could result in (potentially) thousands of users being infected. What in the world was Mozilla thinking? I realize that more screening means higher costs; but come on – some things are worth spending that extra cash on (just look around for examples of what resulted from the cost-skimping strategies implemented by automakers). Thankfully, though, Mozilla now uses “two additional malware detection tools”; I don’t know if three tools are enough, but three sure are better than one.
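To make the “more than one tool” argument concrete, here is an added example (not code from the original post, and not Mozilla’s or AMO’s review tooling) of a verdict-aggregation policy: results from several independent engines are combined, and a single hit (or a hit that carries only a generic heuristic label) becomes a lead for a human analyst rather than a public verdict. The engine names, detection labels and scan results are all constructed for the example; the quorum rule and the generic-label heuristic are assumptions about a reasonable policy, not a description of any vendor’s product.

```python
"""Multi-engine verdict aggregation (constructed example).

Policy illustrated: a single scanner's detection is a reason to investigate,
not a reason to publish a "malware" verdict. Blocking requires independent
agreement from a quorum of engines, including at least one named (non-generic)
detection. Engine names, labels and sample scans below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class EngineResult:
    engine: str        # hypothetical scanner name
    detected: bool
    signature: str = ""  # detection label if any (constructed values below)


# Constructed sample: three add-on packages, each scanned by three engines.
# addon-alpha is the "one heuristic hit" case the post is about.
SAMPLE_SCANS: Dict[str, List[EngineResult]] = {
    "addon-alpha.xpi": [
        EngineResult("engine-a", True, "Heur.Generic.Suspicious"),
        EngineResult("engine-b", False),
        EngineResult("engine-c", False),
    ],
    "addon-beta.xpi": [
        EngineResult("engine-a", True, "Trojan.Win32.Example"),
        EngineResult("engine-b", True, "Trojan.Example.Gen"),
        EngineResult("engine-c", True, "Trojan/Example"),
    ],
    "addon-gamma.xpi": [
        EngineResult("engine-a", False),
        EngineResult("engine-b", False),
        EngineResult("engine-c", False),
    ],
}


def is_generic(signature: str) -> bool:
    """Heuristic or generic labels carry less weight than a named family."""
    sig = signature.lower()
    return any(token in sig for token in ("heur", "generic", "suspicious", ".gen"))


def triage(results: List[EngineResult], quorum: int = 2) -> Tuple[str, List[EngineResult]]:
    """Return ('clean' | 'investigate' | 'block', supporting detections).

    A missing scan is treated as an error, never as a clean result.
    """
    if not results:
        raise ValueError("no scan results: an unscanned file is not a clean file")
    hits = [r for r in results if r.detected]
    if not hits:
        return "clean", hits
    named_hits = [r for r in hits if not is_generic(r.signature)]
    # Publishing a block verdict needs `quorum` independent engines agreeing
    # and at least one of them naming a concrete family.
    if len(hits) >= quorum and named_hits:
        return "block", hits
    # Anything less is a lead for an analyst, not a public condemnation.
    return "investigate", hits


def triage_all(scans: Dict[str, List[EngineResult]], quorum: int = 2) -> Dict[str, str]:
    """Map each package name to its triage state."""
    return {name: triage(results, quorum)[0] for name, results in scans.items()}


if __name__ == "__main__":
    for name, state in triage_all(SAMPLE_SCANS).items():
        detections = [r.engine for r in SAMPLE_SCANS[name] if r.detected]
        print(f"{name}: {state} (detected by {detections or 'none'})")
```

Run as-is it prints the three states; the point of the `investigate` state is that it is the only output a single-engine hit can ever produce, so the first blog post in the story would have read “under investigation” rather than “malware”.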

All in all, I feel very strongly that this whole episode has been a prime example of managerial, procedural, and technical failures at multiple levels of Mozilla HQ. Let me make clear I am not really blasting Mozilla for the false positive reading; false positives are just a necessary evil to anti-malware tools. Rather, I am disappointed how this was handled – from start to finish.

/Rant


Comments


15 comments

  1. Anonymous

    I’m very careful about where the add-ons I install come from. There are just some countries that I will not install any software from… china being one of them… they don’t have anything outstanding anyway.
    I do understand that this will not eliminate all the problems but it takes care of a big chunk of them.
    Please forgive my English. English is not my native language.

  2. Corno

    It is very difficult to say whether the malware potential of an add-on is intentional or just an avoidable side-effect and spin-off of what it is said to be designed for. I don’t think Mozilla alarmed the users just because Sothink is not based in the USA or Europe, that is a hilarious idea. Yet, Sothink is -unjustly perhaps- a bit of a shady firm and IObit has managed to give Chinese software a name. At least Mozilla admitted that they were wrong.

  3. acr

    Threatfire is not cloud based, but it is a good extra layer of protection for some users. It bricked my keyboard on my Vista system, but some like it pretty well. I liked it way back when it was cyberhawk – pre PCTools days.

    I am not jumping on the bandwagon and saying the NScatcher.dll is a false positive. I believe McAfee still flags the latest version as malicious, along with a number of other scanners.

    http://www.virustotal.com/analisis/3f32a9c80dc0c015a097df2c295eb4ced791f1de001bf1dd13e9f4ee88dd7af2-1265538229

    http://virscan.org/report/61470d3c090a41ee76b19dd94e16c134.html

    http://www.threatexpert.com/report.aspx?md5=d4f57ce7d0429d46d761c1eea4181ad0

  4. giovanni

    Hi Ashraf!!

    Yes, I totally agree with you but even the award-winning AVIRA 9 (FREE and PREMIUM version) has recently been downgraded by AV COMPARATIVES under AVAST! FREE ANTIVIRUS 5 because of its high false positive malware detection rate: were you aware of it??

    According to AV COMPARATIVES, the FREE EDITION of AVAST is now even better than AVIRA PREMIUM 9 although its malware detection rate is still a little bit inferior than the AVIRA’s one.

    But this is the price to pay whenever you use a security software, such as AVIRA or A-SQUARED 4.5, with a high false positive detection rate and you can do nothing about it.

    And the same thing can be applied with reference to the Firefox security add-ons problem you mentioned here in this article!!!

    Do you agree with me, buddy??

    Hey, by the way, look over here:

    http://www.networkworld.com/news/2010/012210-firefox-36-is-good-but.html

    LOL! Maybe we have overrated FF at the expense of IE 8: what do you make of it??

    Finally, what’s your opinion about the cloud-based new generation antivirus software such as THREATFIRE or PANDA CLOUD ANTIVIRUS?

    http://www.brighthub.com/computing/smb-security/articles/59809.aspx

    Well, believe it or not, but PANDA CLOUD ANTIVIRUS uses less than 300KB of memory when it is idle and, according to PC WORLD and PC MAGAZINE, it’s currently the best free AV out there as far as the malware detection rate is concerned (an impressive 99.4%)

    http://www.pcworld.com/reviews/product/290839/review/cloud_antivirus.html

    Keep an eye on it!!

    Waiting for your feedback!!

  5. kingpin

    A clear case of shooting the guns before looking.

    Clearly SourceTec has suffered; hope Mozilla apologizes and rectifies its mistake!

    Good to know McAfee resolved this issue, because I am using McAfee VirusScan with confidence. Now what do you say, McAfee criticizers?

  6. Samuel

    Telling people about the problem so fast wasn’t the real mistake, the mistake on Mozilla’s part was making it sound like they were 110% sure about it. A better idea would have been to say something about how they are investigating. Then when they come and say all’s good they don’t look as stupid.

  7. Anonymous

    Give Mozilla a break, Ashraf, they’re just making sure everyone is fully up to date, even if it means false positives. And they weren’t dooming SourceTec, they just told us about a “virus” detected by what I think is McAfee.
    It happens to other big and trustworthy companies as well, probably even Google, they just don’t tell anybody. “What you don’t know won’t hurt you”.

  8. Ramesh Kumar

    Ashraf – great review as usual. Apart from this, I’ve noticed that the number of unreviewed plugins has also increased in Firefox of late. Yet another managerial failure – they used to be quicker before.

    Ramesh

  9. J. Scott L.

    @Adrian -

    Though it was not the correct word to use in that sentence, how is something which checks SPELLING going to find this error???

    The word “except” was spelled correctly.

    Either way, I understood what was being written.

    …and we move on…

    Good job Ashraf.

  10. Adrian

    Yea right! One up for Sothink. I always thought that they were a trustworthy developer.

    Typo:
    ” I, for one, except Mozilla to conduct a proper investigation before condemning someone else in public”
    should be
    ” I, for one, expect Mozilla to conduct a proper investigation before condemning someone else in public ”

    Ashraf, are you getting enough sleep? Lots of typos lately. Isn’t there a spell checker in the WordPress.org software?

    P.S.”/Rant” — cool! LOL

  11. Ron

    I agree, Mozilla screwed up in a rush to warn users about an apparent problem. Blame it on the 24 hour news cycle, maybe…

    The addons were unknown to me; I still have no idea what they were supposed to do for the browser. The hard truth is still the same: In God we trust, all the others must provide a valid digital certificate. (bg)

  12. Farrukh

    AOA Ashraf,

    That means Mozilla add-ons contain executable code which somehow executes in Mozilla’s own shell. Actually that’s one logic in order to run add-ons and let them do their task.

    (In general, the .exe files also run in either Windows Shell or Windows command Shell).

    So executable code is prone to infection by malware or trojans.

    However, the developer of malware/trojan can design it in such a way that the AntiVirus/AntiMalware/AntiTrojan tools will detect it as a normal OS software.

    So there is a chance that they may have missed some information or detected the activity of the add-ons as the activity of malware/trojans.

    BTW, one user commented on Mozilla’s Blog like this:

    Chris says:
    February 8, 2010 at 8:29 pm
    I tried downloading Firefox today, my AVG caught the trojans. I stopped the install and rebooted, looks like I still have at least one trojan. I am still waiting on scan results

    Now it seems from this comment that the Firefox installer itself has some trojan :).

  13. icantdrive55mph

    This is kinda spooky. I just downloaded Sothink’s software this afternoon and my antivirus software did its job correctly and told me it was a virus. I guess I can try and reinstall it now that I know it’s OK, but I think I’m going to install one of your recommendations Ashraf, FormatFactory.
    Please keep up the great reviews, we truly appreciate them…