Improving Malware Detection in Firefox

Sid Stamm

We are always looking for ways to help protect people better from the constant threat of malicious software. For years Firefox has utilized Google’s Safe Browsing phishing and malware protection to help keep you from accidentally visiting dangerous sites. This protection feature works by checking the sites that you visit against lists that Firefox downloads of reported phishing and malware sites. (For more details, check out this page.)

Firefox is about to get safer.

Until recently, we only had access to lists of reported malicious web sites; now the Safe Browsing service monitors malicious downloaded files too. The latest version of Firefox (as of July 22) will protect you from more malware by comparing files you download against these lists of malicious files, and blocking them from infecting your system.

The next version of Firefox (released in September) will prevent even more malicious downloads on Windows. When you download an application file, Firefox will verify the signature. If it is signed, Firefox then compares the signature with a list of known safe publishers. For files that are not identified by the lists as “safe” (allowed) or as “malware” (blocked), Firefox asks Google’s Safe Browsing service if the software is safe by sending it some of the download’s metadata. Note this online check will only be performed in Firefox on Windows for those downloaded files that don’t have a known good publisher. Most of the common and safe software for Windows is signed and so this final check won’t always need to happen.
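
The decision flow described above, as an added Python model that is not Firefox's own code. The list contents, the hash-based matching, the metadata fields and the `remote_lookup` callable are assumptions made for illustration; the point is which downloads cause metadata to leave the machine.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"

@dataclass(frozen=True)
class Download:
    sha256: str            # constructed digest, not a real sample
    filename: str
    platform: str          # "windows", "linux", "mac"
    signer: Optional[str]  # publisher from a verified signature, None if unsigned

# Constructed stand-ins for the locally stored lists (assumption: matched by hash / name).
MALWARE_HASHES = {"aa" * 32}
SAFE_PUBLISHERS = {"Example Trusted Corp"}

def fake_service(metadata: dict) -> bool:
    """Hypothetical remote reputation service: True means 'malicious'."""
    return metadata["sha256"] == "cc" * 32

def check_download(dl: Download, protection_enabled: bool,
                   remote_lookup: Callable[[dict], bool]) -> Tuple[Verdict, Optional[dict]]:
    """Return (verdict, metadata_sent); metadata_sent is None when nothing left the machine."""
    if not protection_enabled:             # user turned malware protection off
        return Verdict.ALLOW, None
    if dl.sha256 in MALWARE_HASHES:        # local list of malicious files: block
        return Verdict.BLOCK, None
    if dl.platform != "windows":           # signature and online checks are Windows-only
        return Verdict.ALLOW, None
    if dl.signer in SAFE_PUBLISHERS:       # signed by a known safe publisher: allow
        return Verdict.ALLOW, None
    # Neither list matched: only now is metadata sent for a remote verdict.
    metadata = {"sha256": dl.sha256, "filename": dl.filename}  # illustrative fields
    verdict = Verdict.BLOCK if remote_lookup(metadata) else Verdict.ALLOW
    return verdict, metadata

if __name__ == "__main__":
    samples = [
        Download("aa" * 32, "bad.exe", "windows", None),
        Download("bb" * 32, "setup.exe", "windows", "Example Trusted Corp"),
        Download("cc" * 32, "tool.exe", "windows", None),
        Download("cc" * 32, "tool.bin", "linux", None),
    ]
    for dl in samples:
        verdict, sent = check_download(dl, True, fake_service)
        print(dl.filename, verdict.value, "remote lookup" if sent else "local only")
```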

In our preliminary testing, we estimate this new malware protection cuts the amount of malware that slips through Firefox’s protections in half. That’s a lot of malware that will be stopped in its tracks.

And of course if you don’t want to send Google data about the few downloads that don’t match these lists, you can turn off malware protection. But we believe eradicating malware is critical for most people, and expect this new feature to help work behind the scenes to keep you safe as you browse.

For more details, head on over to Monica’s blog post.

14 responses

  1. Ferdinand wrote on :

    When is Firefox going to protect against attacks from semi-legal downloads like Java (updates) that infect your system with toolbars and destroy your browsers by hijacking settings?
    That is the biggest problem for normal users right now.

    1. Monica wrote on ::

      Hi Ferdinand,

      Java has been click-to-play by default for a while now: https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins

      Project Squeaky is intended to help clean up our addon ecosystem. If you are interested, please have a look at:

      https://blog.mozilla.org/addons/2013/05/22/a-step-forward-in-add-on-install-experience/
      https://groups.google.com/forum/?fromgroups#!forum/mozilla.addons.user-experience

    2. Rodrigo wrote on :

      It helps a lot if you don’t click next without reading the stuff like an idiot; I never got a single toolbar installed on my PC because I read every single page when I’m installing a program.

  2. Albert wrote on :

    the biggest problem the f***king plugin container crashes 3343456436 times / day.. can’t even reach to download a malware……..

  3. Geoff Lawler wrote on :

    Is this work based on the “CAMP: Content-Agnostic Malware Protection” paper?

    1. Monica wrote on ::

      Yes, that paper is published by the Google Safe Browsing team.

  4. NSA wrote on ::

    > Note this online check will only be performed in Firefox on Windows for those downloaded files that don’t have a known good publisher

    Seems like a great way for Google to spy on people, however.

  5. anamika wrote on ::

    I face a lot of problems while browsing because of some malware attacks & downloads. Firefox suddenly crashes and asks for reload.

  6. Richard wrote on :

    “And of course if you don’t want to send Google data about the few downloads that don’t match these lists, you can turn off malware protection.”

    Why not give the option to disable only the remote lookups?

    1. Monica wrote on ::

      Hi Richard,

      In a previous test pilot study (http://monica-at-mozilla.blogspot.com/2013/02/writing-for-98.html), I observed inconsistent preference states in existing Safe Browsing preferences. I decided not to exacerbate the problem by offering yet another preference. From the link above:

      “It is also interesting that fewer people disable Google SafeBrowsing checks for malware than for phishing. Presumably these are disabled for privacy or performance reasons. Are users who disable one and not the other making a mistake, or do these users consider themselves phish-proof but not drive-by-download-proof? If it is a mistake, why do we allow users to construct a set of preferences that are internally inconsistent in reasoning?”

      Hope that helps.

  7. Kriss wrote on :

    Should Firefox’s queries to Google’s servers be made via some Mozilla’s anonymizing proxies, I would use this feature. But one of the reasons why we use Firefox and not Chrome, is that we praise our privacy and don’t want another source of disclosure towards Google. I trust Mozilla, I don’t trust Google.

    1. dai wrote on :

      I totally agree with you!
      It’s the same with the normal browsing protection; why does Firefox download the list of bad sites from Google? Why not from Mozilla, and they download it from Google?

      1. Monica wrote on ::

        Hello Kriss and Dai,

        Mozilla does not offer anonymizing proxies. The ongoing maintenance costs of doing so are prohibitive, not to mention that malware and phishing classification are outside of Mozilla’s core expertise. For this problem, it made sense to take advantage of Google’s service in order to provide increased security to our users, while giving our users the option to turn it off.

  8. Cowicide wrote on :

    Why are you censoring comments here? I’ve been trying to comment since yesterday. So much for Mozilla transparency.