Releases page flagged as Unwanted Software by Google Safe Browsing

[makuhlmann]

Describe the request The releases page of this repo has been flagged as malicious by Google, resulting in a big red warning in Chrome and Firefox (possibly other browsers too). As a result downloads are blocked as well and need to be allowed manually.

Screenshots

Desktop (please complete the following information):

• OS: Any
• Build Any

Additional context Related: https://geekflare.com/tools/tests/3o910hetl https://twitter.com/christitustech/status/1553445177221586947

[SpaghettDev]

Can confirm. I had to update and this error popped up, after clicking "ignore the risk", and downloading the exe, Firefox flagged it (the exe) as harmful and may contain viruses or whatever.

[rcmaehl]

I go on vacation for 4 days and apparently this is what I come back to. Whoo.

[rcmaehl]

https://github.com/rcmaehl/MSEdgeRedirect/releases is blocked https://github.com/rcmaehl/MSEdgeRedirect/releases/ is not

I honestly don't know what to make of this

@ChrisTitusTech I've already replied to twitter but sorry that you got caught in the crossfire.

[rcmaehl]

Looks like @isaak654 and Sandboxie-Plus had the same issue a while ago. I'm going to review the install/uninstall process to see if that can improve things.

[ChrisTitusTech]

I was able to bombard youtube via Twitter, and the strike was reversed. Still a bit a bummer for an awesome project. It's not the creators fault, just googles algo go wonky.

[rcmaehl]

TODO:

• [x] #65. Pretty sure the installer/uninstaller leaves behind some registry entries. Lets get those cleaned up
• [x] Discontinue directly offering x86 builds. Will still be availabe in the .zip. x86 has been ~5% of total downloads (5,845 of 110k) Generally receives 2-4x the AV false positive rate of x64
• [x] Archive old releases Especially pre-0.5.0.1 due to security advisory. The less number of AV false positives on the releases page, the better.
• [ ] Swap to own logo Stop using a modified Microsoft Edge logo to prevent any Intellectual Property issues
• [ ] Add Webdriver option Mix between IEFO and Service Mode. https://github.com/Danp2/au3WebDriver https://msedgedriver.azureedge.net/<version>/edgedriver_win<arch>.zip
• [ ] Code Signing Cert While an EV code signing cert would be preferred. It is a large chunk of change. A regular $100ish/yr cert will do fine in the meantime.

[rcmaehl]

Actions taken so far:

• Jul 31: Updated all internal links to use /releases/
• Jul 31: Filled out the Safe Browsing False Positive form. Although this seems to be only for phishing.
• Aug 1: Discontinued direct x86 build links for releases.
• Aug 1: Contacted Github Support to see if they could file a review for Security Issues. Github support ticket #1726178
• Aug 1: Contacted Google through the Report A Security Issue form Sandboxie Plus found. Case ID [5-8504000032703]
• Aug 1: Contacted Graphic Artist for new logo design
• Aug 1: Received preliminary draft for new logo design
• Aug 2: Received response Google could not verify ownership. Responded with proof of ownership and advised further on the content.
• Aug 3: Cleaned up leftover registry key if no other software created by me is installed
• Aug 4: Google directed me to Github Support as well as Search Central Community.
• Aug 4: Uploaded New Logo base to github. Working on new logo using base, along with other assets.
• Aug 5: Continued drafts for updated Logo with Graphic Artist
• Aug 6: Removed old assets from Releases
• Aug 6: Removed nightly.link from Releases page
• Aug ?: Submitted Web False Positive to Avira per Virustotal Detection
• Aug 16: Fixed issue with WinGet keeping old packages
• Aug 16: Added option to installer to Submit False Positive
• Aug 18: Avira removed Releases page from their Blacklist per Virustotal
• Sep 11: Removed from Google Safe Browsing Blacklist

Continuation:

• Oct 27(ish): Entire repo added to Google Safe Browsing Blacklist
• Oct 27: Filled out the Safe Browsing False Positive form.
• Oct 27: Re-added the option to quick submit the project as a false positive after installation to release 0.7.2.0, deselected by default.
• Oct 31: Filed False Positive with Fortinet
• Nov 1: Removed from Fortinet Blacklist
• Nov 1: Removed from Google Safe Browsing Blacklist!

[gnpaone]

I think it may be probably due to this issue plaguing GitHub recently https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/

[rcmaehl]

@micwoj92 Any way to have a new release remove assets from old releases during github actions CI?

[micwoj92]

No idea. I have quickly looked and there are couple "delete assets" actions on github marketplace with various degrees of feature richness and configurability.

[rcmaehl]

No idea. I have quickly looked and there are couple "delete assets" actions on github marketplace with various degrees of feature richness and configurability.

Yeah, saw those. Just wanted your opinion since a lot of them don't show a lot of usage.

[t0rzz]

Same problem with Firefox, both when opening page and when opening the .exe file.

[justadudeongithub]

Reported a false positive and thank you. This so works. I can finally use search.

[AgainPsychoX]

Can we get new release soon? The old file is still flagged, making it unable to install on business hardware :C

[rcmaehl]

Can we get new release soon? The old file is still flagged, making it unable to install on business hardware :C

Yep. Will be prioritizing getting a new Webdriver based mode added this weekend and hopefully have 0.7.1.0/0.8.0.0 out.

[farcepest]

Webroot also reports this as a threat.

[rcmaehl]

Webroot also reports this as a threat.

Submitted a support ticket

[AveYo]

It's like security and AVs are going backwards, to the 90's whitelist by hand trash. Ain't a low number of FPs equally important to detection rates?! Cause I can block everything myself without their cloud, AI, heuristics, ATP and dozens more buzzwords

Yesterday Defender started FP my scripts. FFS! I went powershell-less once, now vbs-less. Relevant part is now just cmd. And flashing window 👎 Frankly, it's unacceptable. "Smart Screen", "Safe Browsing" are nothing but corporate bully tools. Good luck to you!

[rcmaehl]

Frankly, it's unacceptable. "Smart Screen", "Safe Browsing" are nothing but corporate bully tools. Good luck to you!

Yep, you as well!

[AgainPsychoX]

I just now realized... Isn't that Microsoft being just rude and spam-reporting the software?

[rcmaehl]

I just now realized... Isn't that Microsoft being just rude and spam-reporting the software?

No clue honestly. It definitely FEELS that way as only a specific URL is blacklisted despite being accessible multiple ways.

https://github.com/rcmaehl/MSEdgeRedirect/releases is blocked https://github.com/rcmaehl/MSEdgeRedirect/releases/ is not

Despite being the EXACT SAME PAGE.

But I'll hold onto Hanlon's razor for now.

[AgainPsychoX]

Have anyone check website code by the way? Microsoft owns GitHub now, I wonder would they add something malicious in the background to have the page flagged again and again.

And no telling me they wouldn't do that for sure, when they are not playing nice in the first place with forcing Bing and Edge.

[Masamune3210]

They arent, if they were it would be in all release pages due to how the site is set up, not one individual one. Besides, Microsoft doesn't have that much ill will towards stuff like this outside of frustrating its efforts. Think about it, if they truly cared that much, they could just blacklist the executable from running in Windows, they don't have to try to sow malice

I just now realized... Isn't that Microsoft being just rude and spam-reporting the software?

No clue honestly. It definitely FEELS that way as only a specific URL is blacklisted despite being accessible multiple ways.

rcmaehl/MSEdgeRedirect/releases is blocked rcmaehl/MSEdgeRedirect/releases is not

Despite being the EXACT SAME PAGE.

But I'll hold onto Hanlon's razor for now.

Neither of these trigger the warning for me, but I'm not sure if that's a setting I have changed somewhere and forgot or if the warning is only triggering for certain people

[ElitePheonix009]

Neither of these trigger the warning for me, but I'm not sure if that's a setting I have changed somewhere and forgot or if the warning is only triggering for certain people.

Its triggering for me also. So, these reasons might not be triggering the warning on your device -

1) You might be using mobile phone. On mobile phone it does not trigger the warning. 2) You might have changed a setting. 3) You might not be updated to the latest version.

[demortes]

New EXE is blocked by chrome, no way to override?

[rcmaehl]

New EXE is blocked by chrome, no way to override?

Are you clicking "view all downloads"?

[ElitePheonix009]

Reported false positive from my mobile. Will be reporting a false positive from my computer also.

[farcepest]

Seems unblocked now, YMMV

[rcmaehl]

WHOO!

[ElitePheonix009]

Can confirm that it is no longer triggering a warning. Whoo!

[trlkly]

I'm hitting this again with the latest version, and adding the slash to the end of the URL doesn't help. Both the .EXE and .ZIP are blocked. The .ZIP wasn't blocked before.

(Though I do get a keep option on the .EXE).

While it wouldn't fix the problem for new users, perhaps you could consider having the program actually download updates itself?

[Eden7600]

This issue is popping back up again with the latest version.

[ElitePheonix2009]

It's popping back up again when downloading the .exe file and the .zip file.

[rcmaehl]

Looks like they flagged the entire repo this time... Woooo

[t0rzz]

Someone asks Mozilla why they flagged the exe file as potentially unsafe. They must provide an answer. This is unacceptable.

[rcmaehl]

Someone asks Mozilla why they flagged the exe file as potentially unsafe. They must provide an answer. This is unacceptable.

Mozilla uses Google's safe browsing list unfortunately.

[Masamune3210]

Someone asks Mozilla why they flagged the exe file as potentially unsafe. They must provide an answer. This is unacceptable.

Unfortunately, they neither have to, nor do they usually, provide a reason. They are a private company. Also, usually, they DONT KNOW why its been tagged as malicious. Heuristics are usually black boxes rather intentionally to keep actual malware manufacturers from knowing what to do to avoid detection

[Sensu0]

I wouldn't be surprised if someone else suggested this in the past;

I think the best way to ultimately resolve this issue is by the developer providing a signature which could then be bundled with the installer.

After all, a lot of viruses out there is being released without a known publisher, but if it's a signed piece of software, then that would most likely help with making this software trusted by big tech. Unless of course, Microsoft is actively paying to have this software flagged as a PUP. Or they would try using the "Embrace, Extend, Extinguish" tactic. Then again, Microsoft owns Github...

[Masamune3210]

Code Signing Certs arent cheap, and even that isn't guaranteed to fix the issue. Google just shouldn't label something as malicious without a due process that actually works to remove that label should it be (and it often is) incorrect, and the rest of the industry shouldn't allow them to get away with having as much control as they do

[MoiraPrime]

Someone I know had connections to google and was able to get this escalated and fixed.

[Masamune3210]

We shall see how long it lasts this time, I prophesize not long

[rcmaehl]

Someone I know had connections to google and was able to get this escalated and fixed.

Yep. It's showing as resolved. Well damn. Big thank you!

[androidacy-user]

Page is no longer blocked; however the downloads still are and smartscreen blocks the executable, fyi

[rcmaehl]

Page is no longer blocked; however the downloads still are and smartscreen blocks the executable, fyi

Interesting...

[BlackSparowYT]

Had no more issues when downloading, went through smoothly. No blocked page, no smartscreen and not even a warning when downloading (maybe my settings but idk)

[Glinte]

Maybe remove the "help us get off google's blacklist" option in installation since this is resolved?

[rcmaehl]

Maybe remove the "help us get off google's blacklist" option in installation since this is resolved?

Possibly

[sguergachi]

Chrome download blocks it with standard security enabled :/

[Masamune3210]

Chrome also blocks downloads from the official psn servers, its not very smart lol. Honestly, probably not much that can be done about it, as even if they are convinced to remove it, it will just creep back in at some point either way

[vonDubenshire]

Chrome download blocks it with standard security enabled :/

This is actually normal behavior for a .EXE file. If you go to some scam site they'll initiate a download of an exe that poor Grandma will install without thinking.

It's the flag on the web that sucks