Fleex255 / PolicyPlus

Local Group Policy Editor plus more, for all Windows editions
Creative Commons Attribution 4.0 International

Policy Plus github url is flagged Google safe browsing (also used by Firefox) #49

Closed vjayer closed 3 years ago

vjayer commented 3 years ago

The top level page https://github.com/Fleex255/PolicyPlus is flagged by Google safe browsing and as such, prevents browsers like Firefox from visiting the url. https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fgithub.com%2FFleex255%2FPolicyPlus

Interestingly: This info was last updated on Jul 5, 2021.

The site ahead may contain harmful programs

Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).

Advisory provided by Google Safe Browsing.

github.com has been reported as containing harmful software. You can ignore the risk and go to this unsafe site.

Learn more about harmful and unwanted software at Unwanted Software Policy. Learn more about Firefox’s Phishing and Malware Protection at support.mozilla.org.

From, https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct#w_ive-confirmed-that-my-site-is-safe-how-do-i-get-it-removed-from-the-lists

To request removal from the list of reported phishing sites, use this form provided by Google. 

https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&hl=en

Fleex255 commented 3 years ago

Thanks for the note. Policy Plus sometimes triggers antivirus false positives, probably because it can modify policy-related files, Registry entries, and perhaps especially offline user hives. It looks like a false positive during a recent scan caused the project page to be flagged as dangerous. I've submitted a report to Safe Browsing.

ghost commented 3 years ago

Apparently this is still flagged. I've seen this stupid thing block two sites ever and they've both been legit FOSS. Turned it off, if it literally only ever supplies me false positives it's more harm than good.

Fleex255 commented 3 years ago

An update on this: I spent a decent amount of time a couple weeks ago filling out forms to report the false positive to the ~22 antivirus vendors that flagged the June 2021 snapshot. That got the false positive count down to 5 AV programs for that specific EXE, but apparently the AV exclusions were very narrow: 16 AVs flag the current dev build. Filling out a bunch of forms for every new development step is not sustainable, so these false positives are probably going to remain for the foreseeable future.

It is conceivable that Authenticode signing might help reduce false positives, but I am not sure if it will reliably solve the problem. Extended Validation code signing certificates are the only way to get immediately trusted by SmartScreen, but in addition to being extremely expensive they seem to only be issued to companies. Files signed with individual or standard validation certificates must each build their own reputation, which is a problem for semifrequently updated programs like Policy Plus. Individual open-source developer certificates have lower but still nonnegligible costs, so I don't want to spend the money if it might not actually fix anything. Any ideas would be welcome.

ghost commented 3 years ago

I wonder if it might be less likely to flag them if they're built from source right here with github actions?

I mean, as a user, there is some trust placed in you, that the exe I download is actually built from the code here, unaltered. Perhaps the system might recognise this also, in which case building it here relieves that need for trust, and might also relieve you of the false positives?

I think this sounds like wishful thinking, I expect the system is not that 'smart'....

Perhaps it's worth asking the devs of other similar tools with similar problems. https://github.com/processhacker/processhacker comes to mind.

Fleex255 commented 3 years ago

Thanks for reminding me about GitHub Actions. While I didn't expect the site of compilation to have an impact here—the program is just a file downloaded from the Internet by the time an antivirus sees it—it would be good if users could verify that they're running the published code. The per-commit dev builds, now called "latest builds", are now performed and uploaded automatically by a GitHub Action. The "compute hash" step allows everyone to see the SHA256 hash of the program straight out of the compiler.

Interestingly, the latest build only triggers 2 false positives. I am not sure whether this is only from compiling in the Release configuration (instead of Debug like before) or if the compiler/toolchain version used on GitHub Actions is agreeable to some sort of heuristics/AI.

Regarding Process Hacker, that program is much more widely used and signed with a fancy certificate suitable for kernel-mode code; I am not sure which is the active ingredient in avoiding the Safe Browsing blocklist. It nevertheless has recurring issues with AV programs.

For now I'll wait and see if having changed the links in the README helps with the browser block.
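The verification the comment above describes, from the user's side, as an added example that is not part of this thread or of the Policy Plus project: it takes the SHA256 line a CI "compute hash" step prints (bare digest, `SHA256: <hex>`, or `sha256sum`-style `<hex>  file`), normalises it, hashes the downloaded file in chunks and compares in constant time. File names and bytes are constructed stand-ins, not real Policy Plus builds.

```python
import hashlib
import hmac
import os
import re
import tempfile

# A SHA256 digest is 64 hex characters. Published hashes may arrive as a bare
# digest, as "SHA256: <hex>" from a CI log step, or as "<hex>  filename"
# (sha256sum style); this pulls the first 64-hex run out of any of those.
HEX64 = re.compile(r"\b([0-9a-fA-F]{64})\b")


def parse_published_hash(text: str) -> str:
    """Extract and normalise (lower-case) the SHA256 digest from a hash line."""
    match = HEX64.search(text)
    if not match:
        raise ValueError("no SHA256 digest found in published text")
    return match.group(1).lower()


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large EXEs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published: str) -> bool:
    """True only if the local file's SHA256 equals the published digest."""
    expected = parse_published_hash(published)
    actual = sha256_of_file(path)
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed stand-ins for a downloaded EXE: an unaltered copy and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "PolicyPlus.exe")          # hypothetical file name
        bad = os.path.join(tmp, "PolicyPlus-altered.exe")   # hypothetical file name
        with open(good, "wb") as fh:
            fh.write(b"MZ constructed sample bytes, not a real binary\n")
        with open(bad, "wb") as fh:
            fh.write(b"MZ constructed sample bytes, not a real binary!\n")
        # Simulated line from a CI "compute hash" step (upper-case, as some tools print it)
        published = "SHA256: " + sha256_of_file(good).upper()
        return verify_download(good, published), verify_download(bad, published)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

On Windows the same local digest can be produced with `Get-FileHash -Algorithm SHA256`; the comparison against the published value is what this script adds.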

ghost commented 3 years ago

Good luck man. I really appreciate this tool so if there's anything I can do to help, count me in!

Fleex255 commented 3 years ago

Having changed the links in the README and filed another Safe Browsing report yesterday, it appears that the repository page's status has been changed to "some pages on this site are unsafe", which does not trigger the big red block. The specific "unsafe" pages are just issue threads that link to the old kind of "dev build" EXE. That's not a major concern, so it looks like this problem has been (for now?) resolved.