Windows Defender SmartScreen

[Webdongle]

Attempting to download the fpa zip (when Windows Defender SmartScreen is enabled, triggers a virus warning. Is there anything that can be done about that?

[sozzled]

Correct. This occurs with people who use Windows 10 with Windows Defender SmartScreen enabled.

We have discussed this issue at some length at https://forum.joomla.org/viewtopic.php?f=806&t=976273

@mandville suggests that one workaround is to disable Windows Defender SmartScreen for "trusted sites" (see https://forum.joomla.org/viewtopic.php?f=806&t=976273#p3588400) but perhaps a longer-term solution is to report the issue to the Windows development team (see https://forum.joomla.org/viewtopic.php?f=806&t=976273).

@frostmakk does not see this as something for the FPA project (see https://forum.joomla.org/viewtopic.php?f=806&t=974477).

That's all that I know and can write about this matter.

[frostmakk]

The so-called FPA project has for the last three years been me alone in the dark when it comes to coding, and I'm not even a mediocre coder, so no I don't see this one solved unless more literate people involve themselves.

[mandville]

Beyond the disable smartscreen, you could always click more info and report it as safe. then it gets manually reviewed. i could ask for a proper certificate of authenticity but i dont think there is any real need.

[Webdongle]

I was thinking more like have some sort of message on the fpa page?

[sozzled]

If someone gave me forum moderator privilege for the forum category Forum Post Assistant, I could write a sticky about this. But that's not going to happen in a month of Sundays, is it? People, who use Win10, will just have to stumble along as best they can and all one can do is to refer them to the forum discussion(s) where the matter has been identified.

Nice idea, though, but people just don't read "some sort of message", do they?

[Webdongle]

@sozzled write it up and ask (nicely) @mandville to post it for you. But I was wondering if something in red on https://forumpostassistant.github.io/docs/ ? On the lines of Windows Defender SmartScreen gives a false positive with a link (new tab/window) to instructions how to disable it

[sozzled]

Perhaps, in a month of Sundays, I may write it. It took nearly a year for my last effort to get stickied. I can do it quicker if I don't have to go through OO's "bureaucracy".

Either someone gives me the job or doesn't give me the job to complete the task. I can either be trusted to complete the task or not trusted as the case may be but, please, don't ask me to do something by proxy.

[mandville]

If we are going through the fpa and jamms sticky debate I can add it to the list and get it done at the same time.

On Sat, 11 Jan 2020, 02:16 Michael Russell, notifications@github.com wrote:

Perhaps, in a month of Sundays, I may write it. It took nearly a year for my last effort to get stickied. I can do it quicker if I don't have to go through OO's "bureaucracy".

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ForumPostAssistant/FPA/issues/60?email_source=notifications&email_token=AAG2A6PLTNARBOQ3FVSNQ4LQ5ETXXA5CNFSM4KFISICKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIVWRYY#issuecomment-573270243, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAG2A6PT4BAP33CDLZZVTM3Q5ETXXANCNFSM4KFISICA .

[mandville]

lets see what happens https://twitter.com/mandville/status/1216104258271051781 bait tweet

[mandville]

@sozzled would you like to do a 6ft alert on the docs saying that the fpa creates a false report on windows? and poissibly write an post for the forum so i can add it to the list when we move stuff around

[sozzled]

Nah ...

Point 1: I have a couple of problems reconciling myself to the "pink sticky" that takes people off to the FPA docs repo. I would prefer that the sticky sends people to the forum category at forum.joomla.org where we can place announcements.

Point 2: There are enough forum moderators who can create sticky topics/announcements. So, to answer Kevin's question, it's not my task to do this (unless someone grants me the necessary privs).

Point 3: To answer @mandville's question posted on Twitter, it happens 100% of the time on Win10 systems that have Windows Defender SmartScreen enabled. The "virus" alert (prevents downloading of FPA .zip and also prevents uploading fpa-en.php from the PC to the server) occurs at the point where you click "yeah, save this somewhere").

It's neither a false negative or a false positive: it's Windows Defender SmartScreen. How would the average punter know the difference? So, the answer to the last of the questions in that tweet is, "dunno, don't care, it's Microsoft bat-crazy s**t!"

Point 4: There's enough information already posted in three or four topics at forum.joomla.org that contain some words. I would also think that adding a few extra lines to the FPA announcement topic could help. Again, if I had moderator privs, I would be able to edit that announcement.

Point 5: How come it's my job ... ? ;-)~~

[Webdongle]

@sozzled

Point 5: How come it's my job ... ?

Because you volunteered (given certain conditions).

If someone gave me forum moderator privilege for the forum category Forum Post Assistant, I could write a sticky about this.

Perhaps @mandville thought she could negotiate the terms for you to write it? :stuck_out_tongue_winking_eye:

[sozzled]

I'm not going to argue whose job it is but I have a way to answer @Webdongle's original question.

1) I will write a post for the FPA forum that will have the subject "Please read this if you use Windows 10" and I will concisely summarise the situation.

2) Can someone please move that post (when I write it) to the FPA announcement and lock it.

3) After doing that, can someone please add to the "pink sticky", the words "Additional info for Windows 10 users" that links to the post that I will write.

No need to change the FPA documentation (and the change may be short-lived, if MS gets its act together and realises that the FPA .zip file does not contain a "virus" and thereby prevents users downloading it).

Would that help?

Waiting for a reply before I do anything else.

[mandville]

2 . yes

3. yes

[sozzled]

Fair enough. Give me 5 minutes and I'll do it. :)

[sozzled]

Done

[sozzled]

Please lock the new forum topic (that I just created) quickly because I do not want people to "comment" about it.

[mandville]

already had done. also put in the formal request for another suitable person to...

please sticky https://forum.joomla.org/viewtopic.php?f=806&t=977089 please add a link to https://forum.joomla.org/viewtopic.php?f=806&t=977089 with the reference "windows defender smartscreen issues". in the red FPA box please unsticky https://forum.joomla.org/viewtopic.php?f=714&t=784055 https://forum.joomla.org/viewtopic.php?f=714&t=778692 https://forum.joomla.org/viewtopic.php?f=714&t=757645

[sozzled]

Thanks. Can you lock https://forum.joomla.org/viewtopic.php?f=806&t=977089 , please, so that no-one replies to it? If someone wants to reply, they can (a) use an existing topic where the issues have been discussed, or (b) create a new topic.

EDIT Thanks! I see that the topic is now locked. Excellent.

LOL @ "another suitable person": did you use form JFRTMT-03 (v7.2.1), in triplicate? Ahhh ... the bureaucracy.

[Webdongle]

@sozzled Thanks for writing it. I wasn't sure what the wording should be.

@mandville Thanks for moving and locking it, and fo putting in request for the link/wording. Could the hyperlink be made to open in a new window?

[sozzled]

Opening a link in a new window is not the default way that The Joomla! Forum™ works. It would be nice if the BBcode used by the J! forum created <a href=target-url target="_new"*>...</a> HTML but I don't think OO wants it to be done like that. You would have to write to OO to change this (if it's even possible). I don't know enough about how to setup phpBB forums, sorry.

[Webdongle]

I was hoping that @madiville might request it.

⁣Sent from BlueMail ​

On 12 Jan 2020, 01:24, at 01:24, Michael Russell notifications@github.com wrote:

Opening a link in a new window is not the default way that The Joomla! Forum™ works. It would be nice if the BBcode used by the J! forum created ... HTML but I don't think OO wants it to be done like that. You would have to write to OO to change this (if it's even possible). I don't know enough about how to setup phpBB forums, sorry.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/ForumPostAssistant/FPA/issues/60#issuecomment-573370950

[mandville]

The topics are being shifted as we speak and I'm bot sure phpbb has new window tags

On Sun, 12 Jan 2020, 01:49 Kevin Griffiths, notifications@github.com wrote:

I was hoping that @madiville might request it.

⁣Sent from BlueMail ​

On 12 Jan 2020, 01:24, at 01:24, Michael Russell notifications@github.com wrote:

Opening a link in a new window is not the default way that The Joomla! Forum™ works. It would be nice if the BBcode used by the J! forum created ... HTML but I don't think OO wants it to be done like that. You would have to write to OO to change this (if it's even possible). I don't know enough about how to setup phpBB forums, sorry.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub:

https://github.com/ForumPostAssistant/FPA/issues/60#issuecomment-573370950

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ForumPostAssistant/FPA/issues/60?email_source=notifications&email_token=AAG2A6PJEBW6ADHJGODT5NTQ5JZIXA5CNFSM4KFISICKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIWPRHA#issuecomment-573372572, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAG2A6KWW6JJQVTXMJFIA63Q5JZIXANCNFSM4KFISICA .

[mandville]

I believe the checklist is now done. red box reads

Forum rules Forum Rules Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU. Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post. Windows Defender SmartScreen Issues <-- please read this if using Windows 10.

there is no target option command in phpbb according to their docs

[sozzled]

A couple of things here:

1) As a general principle, yes, the BBcode used at The Joomla! Forum™ does not generate links that open in a new window. There is one exception, however, where I notice that a link appearing in the "blue box" at the head of the security forum—the link to SiteLock, the sponsor of the forum category—opens in a new browser tab. But that's the exception to the rule and, in that case, it probably involved some "hard coding" somehow.

2) The actions undertaken by the forum management team (to change the "pink box") have been completed and I think the matter requested in the OP has been resolved.

[sozzled]

I'd like to revisit this. I tested the download of the latest FPA download .zip on Win10 (with Windows Smartscreen Defender enabled) and I had no problem. If the latest repackaging efforts have fixed the problem that people were having using Win10—that "if" needs to be verified—then maybe we can dispense with the "pink area notice" on the forum?

[sozzled]

Update: the issue still exists for people who use MS Edge with Windows 10 with Windows Smartscreen Defender enabled. It doesn't happen (for me, anyway) with Firefox. I have not tried other browsers. Oh well, looks like we'll have to leave the "pink area notice" intact for the time being.

[RussW]

Not that I can assist/test in any manner as our shop is completely non-windows, but... does it make any difference which download link is used?

• From the Documentation website ( https://github.com/ForumPostAssistant/FPA/zipball/en-GB )
• Directly from the Github Release Page -- https://github.com/ForumPostAssistant/FPA/archive/v1.6.1.zip -- https://github.com/ForumPostAssistant/FPA/archive/v1.6.1.tar.gz
• or the Github code page, Clone option https://github.com/ForumPostAssistant/FPA/archive/en-GB.zip

[sozzled]

In all cases, there was no difference (as long as I used the URLs entered in the proper case). A small message appears at the bottom of the screen saying "filename was blocked as unsafe by Microsoft Edge".

However, when I entered the URL like this (for example) https://github.com/forumpostassistant/fpa/zipball/en-gb which redirects to https://codeload.github.com/ForumPostAssistant/FPA/legacy.zip/en-gb) the result is quite striking with MS Edge:

With Firefox you just get a "404: Not Found" error

Further, the issue is not just localised to Windows 10. Microsoft has now released MS Edge for Windows 8.1. Same deal there. You have to disable Windows Smartscreen Defender from within MS Edge. It's not a "system setting" in Windows 10 as @mandville described in https://forum.joomla.org/viewtopic.php?f=806&t=976273#p3588400; it's a browser setting.

So now the "pink area" message is incorrect. The problem has spread beyond "Windows 10"; it's a MS Edge-related matter. This also means that the information in the target of the "pink area" notice (https://forum.joomla.org/viewtopic.php?f=806&t=977089) has to be amended as well. As this discussion has been marked as "closed", this isn't my problem anymore.

[RussW]

So it doesn't matter if the download attempt is directly on the Github site or the github pages (documentation site)

If the "More Information" link is clicked, does it give any more useful information as to why it's being flagged?

[RussW]

I tried doing a "Developer Report" requesting fpa gets reviewed by Microsoft, but as with everything Microsoft Support wise, it works as expected, but not as designed - the form keeps failing/erroring. So I was unable to request it to be reviewed.

[sozzled]

I can tell you what I know; I can tell you what I think. I can't tell anyone what to do. Following the release of Windows 10 2004, Windows Defender SmartScreen has been renamed Microsoft Defender Smartscreen. This article may also help: https://www.tenforums.com/tutorials/5520-turn-off-smartscreen-microsoft-edge-windows-10-a.html

[RussW]

My assumption here is that either a number of people have reported github downloads site in the past for dodgy projects, which is unlikely or more projects would be observing problems, or FPA has been reported for some reason by a few folks, which still sounds unlikely but at least "possible", or due to the FPA using a number of system commands via PHP, the script gets flagged as a hacking/malicious-shell script as they include many of the same commands and potentially similar routines. Without the MS Developer site form working, then the only other way to get it reviewed would be to get effected end users to mark it as safe and report it back to MS via the application (if it has a way) or through the "Home User" option at https://www.microsoft.com/en-us/wdsi/filesubmission

[sozzled]

I can tell you what I know: I know I've spent many hours looking into this. I came the conclusion that it was related to Windows/Microsoft SmartScreen Defender a few months ago. I knew there was a connection with MS Edge and I wrongly joined the dots together because MS Edge (at the time) was only available on Win10. That was how this discussion began: people complained that "Windows" said the FPA was "a threat" or a virus or something; I looked into the matter and I was press-ganged into writing the text of a sticky topic.

Much against my better judgement.

I know that the sticky topic wording is now wrong.

I also know that I had to beg people to test downloading FPA v1.6.x to see if the false-positive threat still existed. I know that, with the FPA v1.5.0, I could not download it some months ago via Firefox or MS Edge on Windows 10 with Windows SmartScreen Defender enabled but, as I have not retained detailed notes of my conversations, correspondence, etc., I cannot prove that this was the case. Anyway, things have changed and I'm using a different version of Win10 (not to mention different versions of browsers); I can't turn back the clock. Maybe it was always a MS Edge thing all along?

I know that I can now download the FPA v1.6.0 using Firefox on Windows 10. I have not bothered to try to download FPA v1.5.0 since I updated to Win10 2004. I don't know if it's relevant if I did try. I know that Windows SmartScreen Defender is now branded as Microsoft SmartScreen Defender. I don't know anything more than that.

I don't give a rat's about Windows/Microsoft SmartScreen Defender because I rarely use my Windows 10 laptop to download anything. I also primarily use Firefox. It's rare that I use MS Edge; it's just another browser I have at my disposal along with Opera, Google Chrome, Safari for Windows (which ain't worth beans), Internet Explorer and my iPad and iPhone versions of Safari.

I also know that it's been difficult to gain traction within the FPA team to consider the issue but I thank all those who have paid me some attention. I doubt that we need to find a technical solution. I think we need to find a public relations solution.

Apart from those things I know and think, I have no other input into this topic that was closed by @mandville a month ago.

[frostmakk]

@sozzled

I also know that it's been difficult to gain traction within the FPA team to consider the issue

Please explain.