
Guilty until proved innocent? Flagging unrecognized downloads as malicious

February 27, 2012 19:07:43 +0200 (EET)

Google Chrome's "this file appears malicious" warnings are false and unfounded in too many cases. Similar problems exist with IE and some anti-virus software. Their tests include two factors that have nothing to do with whether the code is malicious: a packed executable, and a low number of previous downloads.

Packing an executable is good practice: packed executables take up less space and bandwidth, and start faster from disk. Like including some form of software protection or obfuscation, packing may make it harder to recognize or analyse the program, but that does NOT mean it appears malicious.

Software downloads follow the law of the long tail: things like Flash and Adobe Reader installers are frequently encountered, but there is a massive amount of software that is rarely downloaded yet very useful to some. Recognizing something as a common download tells you it's non-malicious, but not recognizing something does NOT mean it appears malicious.

Both packing and infrequent downloads simply mean that you can't say much about that software. In that case, the principle must be 'innocent until proven guilty'.
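To make the argument concrete, here is an added example (not code from the original post or from any browser vendor) showing how a download-reputation check can keep the two signals apart: a packing heuristic that measures byte entropy, and a verdict that only ever says "known good", "known bad" or "unknown". The entropy threshold, the tiny allow/deny lists and the sample byte buffers are all constructed for illustration; a real scanner would parse the executable's sections and consult real reputation data.

```python
import hashlib
import math
from collections import Counter
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known good"
    KNOWN_BAD = "known bad"
    UNKNOWN = "unknown"   # absence of evidence, not evidence of malice


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packed/compressed/encrypted code has near-uniform bytes, so high entropy.
    The 7.0-bit threshold is an assumed, illustrative cut-off."""
    return shannon_entropy(data) >= threshold


def naive_verdict(data: bytes, download_count: int, known_bad: set) -> Verdict:
    """The behaviour the post complains about: anything packed or rarely
    downloaded is treated as malicious."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_bad or looks_packed(data) or download_count < 100:
        return Verdict.KNOWN_BAD
    return Verdict.KNOWN_GOOD


def evidence_based_verdict(data: bytes, download_count: int,
                           known_bad: set, known_good: set,
                           signed_by_trusted_publisher: bool = False) -> Verdict:
    """Only positive evidence moves a file out of UNKNOWN.  Packing and a low
    download count are recorded as context but never as a conviction."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_bad:
        return Verdict.KNOWN_BAD
    if digest in known_good or signed_by_trusted_publisher:
        return Verdict.KNOWN_GOOD
    # Both looks_packed(data) and download_count are available here; a scanner
    # may log them or raise the bar for a "known good" shortcut, but neither
    # is evidence of malice on its own.
    return Verdict.UNKNOWN


# --- constructed sample inputs ------------------------------------------------
def _constructed_high_entropy(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a packed section."""
    out, seed = bytearray(), b"constructed-seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SAMPLE = _constructed_high_entropy(4096)
KNOWN_BAD = {hashlib.sha256(b"constructed malware stand-in").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(PLAIN_SAMPLE).hexdigest()}


def demo():
    rare_packed = (PACKED_SAMPLE, 3)          # a long-tail installer, packed
    return {
        "naive": naive_verdict(*rare_packed, KNOWN_BAD),
        "evidence_based": evidence_based_verdict(*rare_packed, KNOWN_BAD, KNOWN_GOOD),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict.value}")
```

Run as a script, the packed, rarely downloaded sample is "known bad" under the naive rule and "unknown" under the evidence-based one; the second function only returns a conviction when the hash is actually on a deny list, and only returns an acquittal when there is positive evidence (allow-list hit or a trusted signature).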

If you see someone on the street with a black mask and a knife in his hand, he appears malicious; if you see a friend you recognize, he doesn't appear malicious; but if you see someone you don't recognize, and who is mostly obscured by a crowd, you can't go around shouting to everybody that he's malicious.

Comments

Agreed

[John] March 07, 2012 17:32:27 +0200 (EET)

I've recently set up a website and have about six applications with installers created using Inno Setup. I could just offer them zipped, but I thought it would be nice to create an installer. Chrome tells me that every one of them "Appears Malicious" and presents me with the default option of "Discard", as shown on your site here... What infuriates me is I know they are clean, and if it were me visiting someone else's site and that appeared, I would just discard and never return because, thanks to this faulty validation process, I have been told that this site hosts malicious software. I checked my site using Google Safe Browsing diagnostics and, unsurprisingly, it said my site was clean and I've never hosted any malware... Which is a truly god-awful contradiction. I suppose it was only a matter of time before they screwed up a perfectly good browser.

Re: Agreed

[Steven Kelly] March 07, 2012 20:39:12 +0200 (EET)

Sorry to hear that, John. For the record, I've seen this problem on Chrome with an installer made with InstallShield, and on IE with InstallShield and even just plain MSI files. Signing the installer or making downloads happen over HTTPS gets around the problem, but since certificates aren't free that's not an option for everyone.