FF-3b3 - turning off virus scanner

Discussion about official Mozilla Firefox builds
Locked
User avatar
hhh
Posts: 6731
Joined: February 29th, 2004, 11:21 am
Location: Stuart, FL

Post by hhh »

BTW, there is a bug filed, yes? Bug number, please.

-edit- https://bugzilla.mozilla.org/show_bug.cgi?id=412094
Ah. Redirected to Resolve Wontfix. Apparently, I stand corrected suckers, you're S.O.L.
WAPCE
Posts: 34
Joined: July 18th, 2007, 9:06 pm

Post by WAPCE »

stephendonner
Posts: 6
Joined: January 23rd, 2008, 1:55 am
Location: Mountain View, CA
Contact:

Need help testing and collating anti-virus scanning problems

Post by stephendonner »

Hi there -

I'm the QA engineer responsible for testing our anti-virus integration, and would like to apologize for not testing the scanning behavior as thoroughly as I should have (I could use the excuse of not having enough time, but that's weak); as we draw nearer to Firefox 3 beta 3--and, in turn, move closer to Firefox 3 final--it becomes increasingly important that the user-experience becomes better, and our level of quality raises.

To that end, I need your help; I'd like to figure out, as best we can, the following:

* which AV-integration is especially problematic
* with which file types these prolonged/stuck scans occur
* any other variables that contribute to this less-than-stellar user-experience

I know many of you have already done excellent triage and reporting of this issue here, and I don't mean for anyone to duplicate work, so in the coming days I'll be rolling up individual reports in a chart/matrix/Wiki page somewhere, and I'll report back here when I have something more presentable/editable.

Until then, please report your findings, as clearly and tersely as possible, in successive posts to this thread. Please include the following:


* Operating system/service-pack level
* System specs: processor type and speed, and RAM, etc.
* Full user-agent of Firefox 3--please test with the latest trunk nightly if at all possible--see ftp://ftp.mozilla.org/pub/firefox/nightly/latest-trunk/ for builds
* Anti-virus vendor, version
* Type of scanned file
* Size of scanned file
* Time to manually scan the file
* Time to scan via the download-manager interface

I hope this doesn't seem like a lot to ask, but it really will help me to drill down the inevitable flurry of reports into a more-coherent summation of the problem(s).

Thanks for your continued help in making Firefox 3 great!

Sincerely,

Stephen
User avatar
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post by the-edmeister »

Stephen, my concerns are:
1. a pref to turn the scan off entirely
2. a warning when an AV program isn't installed on the system

W2K SP4 - PII 350 - 768 MB-RAM
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9b3pre) Gecko/2008012104 Minefield/3.0b3pre
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
User avatar
malliz
Folder@Home
Posts: 43796
Joined: December 7th, 2002, 4:34 am
Location: Australia

Post by malliz »

the-edmeister wrote:Stephen, my concerns are:
1. a pref to turn the scan off entirely
2. a warning when an AV program isn't installed on the system


I second that
What sort of man would put a known criminal in charge of a major branch of government? Apart from, say, the average voter.
"Terry Pratchett"
Jim too
Posts: 483
Joined: December 29th, 2003, 11:16 am

Post by Jim too »

I am wondering if some AV programs don't provide the entry points that Firefox is using and that is the reason not everyone is seeing the same experience. Note that this is different from no AV program installed. In fact the argument made here is that the file will get scanned anyway when it is closed so the scan initiated by Firefox is redundant. As a first step if there was a way to know if Firefox is even invoking the entry point might help (maybe there is an indication and I don't see it because the AV software on this machine doesn't include the entry point).
User avatar
Fuziwuzi
Posts: 234
Joined: November 28th, 2007, 8:33 am
Location: Atlanta, Georgia USA

Post by Fuziwuzi »

Frank Lion wrote:
Fuziwuzi wrote:... It was that scan which would take a long while, longer than the download in many cases. By altering the registry as I did, that scan does not occur now, which is appropriate since the antivirus program I use would scan the file anyway.

This 'long while' is a puzzle. I've used the Download Scan extension for a few years now, which invokes my AVG to scan the download. It's completed almost instantly, even for 250mb+ downloads.

I can easily see why people wouldn't want this as default behaviour, without a toggle pref. I just like a clear sign than it has been scanned, rather than hoping the Resident Shield picks it up before I execute the .exe or whatever.
As noted in my earlier posts on this issue, the scan was nearly instantaneous for me as well, at first. Then with recent builds it became much longer. I don't know what the change was, my AVG Pro didn't change (other than daily updates, of course).

A toggle for this feature is definitely necessary. I'm confused about your last statement, though. I've never known a resident AV process that was capricious in choosing to scan or not, regardless of being invoked by another process. :shock:

EDIT: I wonder, since I had two instances of the "Implemented Categories" in my registry, one for AVG and another for Windows Defender, if the increased scan time is due to Minefield calling BOTH of them to do the scan at the same time. That would certainly take longer than having the AV program scan on its own. Just a thought....
Win7-64 Ultimate, Core2Duo E6700, 2GB PC3200 DDR ram, ATI HD4650 graphics.
User avatar
Fuziwuzi
Posts: 234
Joined: November 28th, 2007, 8:33 am
Location: Atlanta, Georgia USA

Post by Fuziwuzi »

OK, I reenabled the interface points in my registry and downloaded a 10MB ZIP file (the Thunderbird Nightly). The download took 6 seconds, the virus scan in download manager took 105 seconds. A manual scan using AVG Pro took 65 seconds.

WinXP Pro SP3 (build 3264)
AVG Pro version 7.5.516 with latest updates
Windows Defender version 1.1.1593.0 with latest updates

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008012304 Minefield/3.0b3pre ID:2008012304

As a test, I took the ZIP file and added the EICAR test file to it. When I then tried to unzip the file, AVG Pro found the test virus instantly as the file was being unzipped. So, having FF scan the file after download is definitely redundant as AVG would find the virus on its own as soon as I attempted to open the downloaded file.
Win7-64 Ultimate, Core2Duo E6700, 2GB PC3200 DDR ram, ATI HD4650 graphics.
pikaunforgiven
Posts: 1004
Joined: May 9th, 2005, 9:58 am
Location: um that place, the one with the stuff

Post by pikaunforgiven »

edit: i refreshed the page after typing this out and saw that fuziwuzi beat me to it, but ill post it anyway since it involves avast free and a real world file in case eicar is somehow detected differently to sway results.

ive found a case where firefox's scanning is absolutely pointless (if not worthless) since its more or less bypassed by avast's web shield before the download even kicks in and doesnt even bother scanning again if you try to download the file a second time. here is an example using a relatively benign file that is flagged as a "tool" by avast but is quite harmless so safe enough for demonstration purposes. if you want to know why its flagged as such, read the warning on the site.

requirements:
1. avast free
2. network, standard and web shields on in avast's options (they are on by default)

steps to reproduce:
1. go to rockxp.org
2. click on the rockxp version 4.0 image somewhere down the page
3. click on save file
4. note that avast warns that the file is a "tool" and aborts the download before the download is finished, thus bypassing whatever firefox uses for scanning.
5. click the image again, and take note that neither avast's shields nor firefox's download scanning kicks in and lets you download the program.
6. for an additional test, run the downloaded exe and note that avast kicks in saying its a "tool", thus the "multiple scanning" behavior everyone has been talking about.

now im no expert on how these things work, but this is definitely a bug one way or another. IE7 actually exibits the same behavior (which doesnt make it right IMO), and i couldnt test opera since its refusing to go to the site completely for some reason. this is also an example of why firefox does not need to trigger a scan of the file after download, because avast will just scan the file once you execute it anyway.
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Post by Frank Lion »

Fuziwuzi wrote:
Frank Lion wrote:I just like a clear sign than it has been scanned, rather than hoping the Resident Shield picks it up before I execute the .exe or whatever.
I'm confused about your last statement, though. I've never known a resident AV process that was capricious in choosing to scan or not, regardless of being invoked by another process. :shock:

Hmm, seemed clear enough to me. 'choosing to scan or not' was not the point I made, but 'I just like a clear sign than it has been scanned', was. That OK with you, is it?
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
Fuziwuzi
Posts: 234
Joined: November 28th, 2007, 8:33 am
Location: Atlanta, Georgia USA

Post by Fuziwuzi »

Frank Lion wrote:
Fuziwuzi wrote:
Frank Lion wrote:I just like a clear sign than it has been scanned, rather than hoping the Resident Shield picks it up before I execute the .exe or whatever.
I'm confused about your last statement, though. I've never known a resident AV process that was capricious in choosing to scan or not, regardless of being invoked by another process. :shock:

Hmm, seemed clear enough to me. 'choosing to scan or not' was not the point I made, but 'I just like a clear sign than it has been scanned', was. That OK with you, is it?
I was simply commenting on the phrasing you used, which implied a doubt about whether your resident AV program would scan the file. If I doubted my AV program to that extent, I would seek a better AV program. Personally, I like things like AV scans and such to happen in the background without me being aware of them unless there is a problem found. I don't want to be notified every time a file is scanned, but only when some problem is found. I trust that the "resident shield" of my AV program will work in the background as it is designed. I understand other people might like a more profound indication of this activity, which is why I support the suggestion of making this an optional choice. I'd even go as far as saying it could be the default behavior, as long as those like myself could turn it off.
Win7-64 Ultimate, Core2Duo E6700, 2GB PC3200 DDR ram, ATI HD4650 graphics.
MeCasa
Folder@Home
Posts: 13475
Joined: June 30th, 2004, 12:24 am
Location: Texas/NY US; San Jose CR

Post by MeCasa »

Stephen , give us a standardized, controlled test, there's currently way too many variables to test anything other than conjecture.

I realize there will still be countless variables in a controlled test but some patterns may develop, especially on specific AV's.

PS: We still need a switch
Sex is dirty only if it's done right .... Live and Let Live .... Rules are Boring and I Don't Like Them
...................................................... MeCasaEsSuCasa ................................................
User avatar
Don Corleone
Posts: 189
Joined: February 11th, 2005, 10:56 pm

Post by Don Corleone »

MeCasa wrote:Stephen , give us a standardized, controlled test, there's currently way too many variables to test anything other than conjecture.

Not at all. Comparative AV timings using different PC's, different operating systems, different av and different file sizes is exactly how to do this. Where would be conjecture?!

stephendonner wrote:* Operating system/service-pack level
* System specs: processor type and speed, and RAM, etc.
* Full user-agent of Firefox 3--please test with the latest trunk nightly if at all possible--see ftp://ftp.mozilla.org/pub/firefox/nightly/latest-trunk/ for builds
* Anti-virus vendor, version
* Type of scanned file
* Size of scanned file
* Time to manually scan the file
* Time to scan via the download-manager interface
MeCasa
Folder@Home
Posts: 13475
Joined: June 30th, 2004, 12:24 am
Location: Texas/NY US; San Jose CR

Post by MeCasa »

Clean test thread with less opinion on the value of the scan and cleaner test results
Sex is dirty only if it's done right .... Live and Let Live .... Rules are Boring and I Don't Like Them
...................................................... MeCasaEsSuCasa ................................................
User avatar
RaiseMachine
Posts: 1764
Joined: December 6th, 2004, 6:05 pm
Location: England

Post by RaiseMachine »

MeCasa wrote:Stephen , give us a standardized, controlled test, there's currently way too many variables to test anything other than conjecture.

I realize there will still be countless variables in a controlled test but some patterns may develop, especially on specific AV's.

This will, I imagine, (from my experience) become part of the FFT (Full Functional Tests) section on Mozilla's Litmus system. Probably part of the Downloading section.
"Doesn't the idea of making nature against the law seem to you a bit... unnatural ?" - Bill Hicks
"Money is the Schrodinger's Cat of economics." - Robert Anton Wilson
"It's not a bug, it's two features having a fight in the pub car-park." - Me
Locked