Issue 498136 in chromium: File "not commonly downloaded and could be dangerous"; was working a few days ago

[chro...@googlecode.com]

Status: Unconfirmed
Owner: ----
Labels: Cr-Internals-Network Pri-2 Via-Wizard Type-Bug OS-Windows

New issue 498136 by phpla...@gmail.com: File "not commonly downloaded and
could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/43.0.2357.81 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Create a (CA signed) Windows signed executable and serve it over the web
from a HTTPS secure domain. No file redirects take place, the download is
streamed to the browser.

2. Notice the download completes but reports "... is not commonly
downloaded and could be dangerous"

What is the expected behavior?
We were not triggering this behavior before (eg a few days/week ago).

Our website issues self-signed Windowss based installer .exe executables to
a small group of people.

The download will certainly be uncommon because its only issued to a few
select people, it is not a large scale download.

The download is not malicious and has a CA-issued certificate signature
using codesign on Windows.

What went wrong?
Chrome started reporting this file is uncommon and "could be dangerous",
incorrectly alarming our users.

Did this work before? Yes At least a few weeks ago when we last tested it.
It has been working for months without issue.

Chrome version: 43.0.2357.81 Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 17.0 r0

Interested in having this regression resolved as it causes alarm to our
users and we have to explain its not our fault.

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[chro...@googlecode.com]

Comment #1 on issue 498136 by long.zh...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I'm also wondering about this problem with my file download.

[chro...@googlecode.com]

Updates:
Labels: -Cr-Internals-Network Cr-UI-Browser-SafeBrowsing

Comment #2 on issue 498136 by nhar...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

(No comment was entered for this change.)

[chro...@googlecode.com]

Updates:
Owner: zbut...@chromium.org
Cc: heinic...@google.com

Comment #3 on issue 498136 by npar...@chromium.org: File "not commonly

[chro...@googlecode.com]

Comment #7 on issue 498136 by AndreDeM...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

We too are being unnecessarily affected by the "not commonly downloaded and
could be dangerous" warning.

We serve .zip files containing home plans/models read by our software. The
zips contain no executable files, only these file
types: .txt, .jpg, .png, .zip, and .plan (our home plan document file type).

Perhaps the only noteworthy thing about these zips is that they each
contain a second zip file, but which only contains images.

We're seeing this on most of the .zip links on this page:
https://www.homedesignersoftware.com/samples.html#sample-plans

For example:
https://d37kxq42vikeaj.cloudfront.net/1/downloads/plans/hillside-contemporary.zip

The Chromium behavior is quite aggressive, and these zips are false
positives.

Confirmed with Chrome 44.0.2403.157 m on Windows 8.1.

[chro...@googlecode.com]

Comment #8 on issue 498136 by AndreDeM...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Confirmed also with 46.0.2486.0 dev-m (64-bit)

[chro...@googlecode.com]

Updates:
Cc: heinic...@chromium.org

Comment #9 on issue 498136 by heinic...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

(No comment was entered for this change.)

[chro...@googlecode.com]

Comment #10 on issue 498136 by jcampb...@krollbondratings.com: File "not

commonly downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I was able to reproduce this issue by creating a basic zip file with
another basic zip file in it. This mirrors the issue as we were seeing in
production, where we combine zip files of CSV files in one big zip file.

echo "Test" >> test.txt
zip test.zip test.txt
echo "Bacon" >> bacon.txt
zip bacon.zip bacon.txt test.zip

Chrome Version 44.0.2403.157 m

Response Headers
Accept-Ranges:bytes
Connection:Keep-Alive
Content-Length:489
Content-Type:application/zip
Date:Tue, 25 Aug 2015 18:10:55 GMT
ETag:"1e9-51e2671db617d"
Keep-Alive:timeout=15, max=100
Last-Modified:Tue, 25 Aug 2015 17:55:51 GMT
Server:Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11

Attachments:
bacon.zip 489 bytes

[chro...@googlecode.com]

Comment #12 on issue 498136 by market...@rdmcorp.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I was directed to this bug from the Chrome Help Forum. The issue I logged
there was locked and flagged as a duplicate so I will assume that is the
case for now. Here's the wording from my logged issue: "I have found that
MHTML downloads from my private website are being blocked in Chrome and
show a message indicating that "[filename] may harm your browsing
experience and has been blocked". The exact same file can be downloaded
from Google Drive without issue. I have traced this behavior to a
SafeBrowsing API call
(https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw)
from Chrome that gets a very different response when Google Drive is used
versus my private website. Unfortunately, I am unable to submit a Request
for Review of my website (as suggested by the Chrome documentation) because
my private website does not have any security issues flagged in Google
Search Console. So, what do I need to do to stop my private website being
flagged in this manner when downloading MHTML files? This issue is
currently blocking legitimate use of a line-of-business application in
Production."

[chro...@googlecode.com]

Comment #13 on issue 498136 by zbut...@google.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

mark...@rdmcorp.com, if you're willing to do so, please share the domain
which is hosting the files on which you're seeing the warnings.

[chro...@googlecode.com]

Updates:
Status: Started

Comment #14 on issue 498136 by zbut...@google.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

(No comment was entered for this change.)

[chro...@googlecode.com]

Comment #16 on issue 498136 by vrinda....@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I have seen this issue on windows when a .zip to be downloaded again
contains .zip file. Easily reproduceable on Version 44.0.2403.155 m
windows platform. The warning will prevent users from download. Is there
any workaround?

[chro...@googlecode.com]

Comment #17 on issue 498136 by zbut...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

You can email the domain on which the file is hosted to
zbu...@chromium.org if you do not want to post it here.

We only need to know the domain on which you're seeing the issue
(e.g., 'example.com'); please do not include further personal information.

vrinda.n.h, you can similarly let us know the domain where you're seeing
problems if you're willing to do so.

[chro...@googlecode.com]

Updates:
Status: Fixed

Comment #18 on issue 498136 by zbut...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

The domain in question is no longer showing Safe Browsing warnings as of
09/11/2015.

For the most up-to-date information regarding malware and unwanted software
evaluations and appeals for this website, please refer to the Search
Console.

[chro...@googlecode.com]

Comment #19 on issue 498136 by jkavanag...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I can confirm that the update has fixed our issue with the download of
MHTML files from our systems.

[chro...@googlecode.com]

Comment #20 on issue 498136 by MGrat...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

The mentioned alert about file download blocked by Chrome is shown for
Sharp IMG Viewer setup file available from URLs:
http://sites.google.com/site/sharpimg/viewer/SharpImgWixSetup.msi
http://sharpimg-viewer.appspot.com/files/SharpImgWixSetup.msi
http://dl.dropboxusercontent.com/u/89553906/SharpImgWixSetup.msi
ftp://ftp.drivehq.com/MikeGratsas/files/SharpImgWixSetup.msi
There are no any warnings in Search Console for site
http://sharpimg-viewer.appspot.com. Could you clear how to fix this issue?

[chro...@googlecode.com]

Comment #21 on issue 498136 by zbut...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hello MGratsas:

Google has detected malware or unwanted software on one or more downloads
from http://sharpimg-viewer.appspot.com/. A download that is malicious
[https://support.google.com/webmasters/answer/163633?hl=en] or violates our
unwanted software policy
[https://www.google.com/about/company/unwanted-software-policy.html] will
show a warning to users either visiting or downloading content from this
site. Below is an example of an URL that Google Safe Browsing identified to
be violating our unwanted software policy:
http://sharpimg-viewer.appspot.com/files/SharpImgWixSetup.msi

For more detail on how you could modify your software to make it compliant,
please review our malware and unwanted software help center article
[https://support.google.com/webmasters/answer/3258249?hl=en].

Keep in mind that if software is offered as part of a bundle, all programs
included in the bundle must follow our Malware and Unwanted Software
policies too.

If there is flagged software on your site that you would like to be
re-reviewed, please file an appeal
[https://support.google.com/webmasters/answer/168328] in Search Console.
For additional guidance, please refer to our malware and hacked sites web
forums
[https://productforums.google.com/forum/#!topicsearchin/webmasters/category$3Amalware--hacked-sites%7Csort:relevance%7Cspell:false].
For more information on Google Safe Browsing, please see our Safe Browsing
Transparency Report
[https://www.google.com/transparencyreport/safebrowsing/faq/?hl=en].

Thanks you.

[chro...@googlecode.com]

Comment #23 on issue 498136 by zbut...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Below is a part of the policy that is relevant to a violation that our
system found:

> "When accessing Google services or products, software must use and adhere
> to the terms of publicly-available Google APIs for interacting with the
> user’s system or any program installed. In addition, software must comply
> with any other applicable Google policies."

For more detail on how you could modify your software to make it compliant,

please review this detail from our malware and unwanted software help
center article [https://support.google.com/webmasters/answer/3258249?hl=en]:

> “Use an extension or browser add-on to change browser functionality,
> rather than causing browser behavior change via other programmatic means.
> For example, your program should not use DLLs (dynamically linked
> libraries) to inject ads in the browser, should not deploy proxies that
> intercept traffic, should not use a Layered Service Provider to intercept
> user actions, or insert new UI into every web page by patching the Chrome
> binary.”

The violation detailed above is an example of the primary policy violation
found by our systems. This notice may not cover every violation that was
found, and it may not be a comprehensive list of malware and unwanted
software showing alerts from your website.

I advise you to keep in mind that if software is offered as part of a

bundle, all programs included in the bundle must follow our Malware and
Unwanted Software policies too.

[chro...@googlecode.com]

Comment #24 on issue 498136 by emmanuel...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi there! Chrome recently (~last friday) started to warn our users about
files downloaded from us as "uncommonly downloaded" and hence "potentially
dangerous".

We don't understand why Google would flag those files as potentially
dangerous. We're a marketplace selling digital goods, and most of the
warnings seem to be about Wordpress themes (i.e. no executables, except for
php and frontend js files...) All our files are reviewed and malware is not
tolerated.

They're also private downloads, with access limited to the buyer. We
achieve that by making our download links signed S3 URLs with an expiration
time. Could that be the reason?

Those files are hosted on Amazon S3 so the domain is s3.amazonaws.com (a
pretty common one to say the least), but users are redirected to that URL
from a variety of domains (e.g. themeforest.net, codecanyon.net ... - we
have 8 marketplaces all using that mechanism, see http://market.envato.com/)

[chro...@googlecode.com]

Comment #25 on issue 498136 by emmanuel...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hey there, any news on this issue?

We're still getting the warning for our files (zips with php and js code)
hosted on s3.amazonaws.com, despite their being very much malware-free.

Is this the right place to report this or is there any other point of
contact at Google to discuss the issue?

[chro...@googlecode.com]

Comment #26 on issue 498136 by vie...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I envounter the same problem with this file:
http://assets.audyx.com/noah/production/audyx_module_setup.exe

It really hurts my customers.
Please help

[chro...@googlecode.com]

Comment #27 on issue 498136 by contract...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

My problem seems to have gone away. Recent tests on different machines have
not shown any error. I do have a code signing certificate attached, and the
file has been downloaded at least 200x, so I don’t know what caused it to
go away. It has been very frustrating though.

[chro...@googlecode.com]

Comment #30 on issue 498136 by emmanuel...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi Heinic,

The issue eventually self-resolved around september 30th, without further
action on our end. We don't know what resolved it. Our best guess so far is
that the Google Safe Browsing API eventually tuned down the sensitivity
setting/feature that was causing the false positives, but it's just a wild
guess.

Any hints about what happened or what we can do about it if it occurs again?

Cheers

[chro...@googlecode.com]

Comment #31 on issue 498136 by heinic...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

These warnings are not false positives - they are warnings that Google
displays on downloads that are new or not commonly downloaded. Once Google
has verified the file to be benign, the warnings will go away.

[chro...@googlecode.com]

Comment #33 on issue 498136 by heinic...@google.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi viebel --

If there is a different version of the software, it could also possibly
display the new download warnings (which is working as intended), until it
is verified to be benign. If there are issues with this, post the file here.

[chro...@googlecode.com]

Comment #34 on issue 498136 by contract...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi Guys

I posted recently that I was having this warning problem, but it went away.

I have now renamed the distributed file (same contents) and experimented
with it, and am getting no warnings.

The file does however have the same code signing certificate attached.

I am however not quite sure what to conclude from the above, but all is
working fine.

Kim

[chro...@googlecode.com]

Comment #35 on issue 498136 by vie...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Thanks heinic,

What would be the best way to require the new version of the file to be
verified?
Posts here are not always answered very quickly...

[chro...@googlecode.com]

Comment #36 on issue 498136 by FollowTh...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi Chrome team.

Same problem here.

Our site is EV SSL. The file is SHA256 codesigned. Same file with same
content has been working OK for past versions (in those versions it was
just SHA1 codesigned). Chrome started to lock the new SHA256 codesigned
file download about one week ago and now no downloads appear to work,
neither de SHA256 or the old SHA1.

Domain is https://www.r2docuo.com, download is
https://www.r2docuo.com/r2docuosetup.exe

This is seriously damaging our business. We had to stop an adwords campaign
and several marketing actions. Please help.

[chro...@googlecode.com]

Comment #39 on issue 498136 by FollowTh...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Heinic, if this helps, attached you can find a current screenshot of what
is happening to our customers just now when they download the file.

Thanks in advance

Attachments:
download-warning-Dec-1-2015.png 142 KB

[chro...@googlecode.com]

Comment #40 on issue 498136 by FollowTh...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Problem was solved with new Chrome version. Thanks Heinic!

[chro...@googlecode.com]

Comment #41 on issue 498136 by yaekonta...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

what is the fixed version?

[chro...@googlecode.com]

Comment #42 on issue 498136 by yaekonta...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I am using the last version 47.0.2526.106 m and suddenly these warnings are
displayed when a user download my software (exe or msi files).

My site is HTTPS secured and all files exe, msi,... are signed with SHA256
CodeSigning certificate (DigiCert).

Fix this please!

[chro...@googlecode.com]

Comment #43 on issue 498136 by heinic...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

@yaekontable -

Please request a review via the Search Console. For more details, see this
Help article: https://support.google.com/webmasters/answer/168328?hl=en

[chro...@googlecode.com]

Comment #44 on issue 498136 by yaekonta...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

@Heinic:

I can't open a review because my site is clean and no warnings security.

My site and files are clean. The files are signed with Code Signing
certificate. But now I have seen that the files (exe and msi) signed with
my previous certificate (2014-2015) no display these warnings. The warnings
are displayed with files signed with my last certificate.

Chrome may not recognize the signature?

## Certificate 2015-2016:

CN = DigiCert SHA2 Assured ID Code Signing CA
OU = www.digicert.com
O = DigiCert Inc
C = US
Algoritm: sha256RSA

RESULT: download warnings

## Certificate 2014-2015:

CN = DigiCert Assured ID Code Signing CA-1
OU = www.digicert.com
O = DigiCert Inc
C = US
Algoritm: sha1RSA

RESULT: NO download warning

[chro...@googlecode.com]

Comment #47 on issue 498136 by yaekonta...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hello heinic:

today the warnings have disappeared. Before I sent back the sitemap of my
website through Google Webmaster Tools. I do not know if this has
influenced...

[chro...@googlecode.com]

Comment #48 on issue 498136 by billaull...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

I am having this Set.upzip is not commonly downloaded ..... Problem too,
can it be fixed?

[chro...@googlecode.com]

Comment #49 on issue 498136 by pienew...@gmail.com: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi all

I have been having the same issue for a few months, it was fine and then
all of a sudden chrome started to flag everything as potentially dangerous.

My company produces software to print on to labels, the software is
completely designed by us and contains no malware or viruses. We check
this regularly and religiously.

this site in question is www.planglowcloud.com/software and the file in
question is http://planglowcloud.com/software/LabelLogic%206.0.74.exe

Any help would be greatly appreciated.

[chro...@googlecode.com]

Comment #51 on issue 498136 by heinic...@chromium.org: File "not commonly

downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi all --

@pienewman - I am unable to reproduce the issue. It appears to be resolved.
Are you still experiencing this issue?

@p.stratton - Could you please provide the URL in question, or an email
address at which you can be contacted?

[chro...@googlecode.com]

Comment #52 on issue 498136 by p.stratt...@googlemail.com: File "not

commonly downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hi @Heinic,
Thanks for the fast response.
Please email on pst...@hotmail.co.uk and I'll provide some links
Thanks
Paul

[chro...@googlecode.com]

Comment #53 on issue 498136 by p.stratt...@googlemail.com: File "not

commonly downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

Hello @Heinic
I send you several links demonstrating the issue with zip download.
Did you get a chance to test ?

[chro...@googlecode.com]

Comment #54 on issue 498136 by p.stratt...@googlemail.com: File "not

commonly downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

@Heinic

Any feedback on this issue ?

[chro...@googlecode.com]

Comment #55 on issue 498136 by p.stratt...@googlemail.com: File "not

commonly downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

@Heinic

Are you able to respond to my previous posts ?

[chro...@googlecode.com]

Comment #56 on issue 498136 by accou...@cogneticsystems.com: File "not

commonly downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

We have also had this problem for over a year now.
If you download any of our four product installation files from
https://www.cogneticsystems.com/download/index.html, you will get the
dreaded
"...exe is not commonly downloaded and could be dangerous" message. There
are no errors reported for our site on the Google search console.

The Nsis installer and Linux zipped files are not signed, since the
products of many small companies and open source projects are often not
signed and can be downloaded on Google Chrome without getting the "could be
dangerous" error message.

On February 13th I added links to the four download program files to our
site’s sitemap so that the Google crawler could find them and hopefully
classify them as being safe.

Any help in resolving this issue would be appreciated. I will mail you the
four problem links if you can send me an email address.

Thanks

[chro...@googlecode.com]

Comment #57 on issue 498136 by p.stratt...@googlemail.com: File "not

commonly downloaded and could be dangerous"; was working a few days ago
https://code.google.com/p/chromium/issues/detail?id=498136

@Heinic, or anyone from Google !!!.... Is this forum still being monitored ?
Your customers are still experiencing this issue but there are no responses.

Has this bug tracking migrated to "Monorail" already ? If so I think this
needs to be made clear. I don't see anything on Monorail relating to this
issue

I also raised Issue 585830 on this forum, but again, no responses!

I'll try and raise this direct on Monorail as this is still a problem for
us and we seem to be getting nowhere !