Chrome reports malicious false positives for file downloading

[Distraught_webmaster]

Hello,

 

As suggested by Kameron M on the Chrome Help Forum, I post now my message here on the developper forum.

 

I am the webmaster of a news website and file download website. Only legal files and free software from different famous software editors are offered to download. The files are totally originals (no adware, spyware or advertising added in the archives or in the setups for example). There about 30 000 files available on our 2 download servers. The files are several formats (EXE, ZIP, MSI, TAR etc.)

We do not have any problem for many years with our solution and Chrome but since March 2015 (we do not change anything at this date), the Chrome browser displays a security warning each time someone download a file from our servers. The red message says the file is potentially malicious, could present a risk for the user and has so been blocked by Chrome. We have no problem to download the exact same file if we upload it on a different server and use an other domain name. It seems our IP adresses and/or domain name have been black listed without reason by Google in Chrome. It is a false positive and it is very boring for our professional activity.

 

All files offered have been passed to antivirus softwares but nothing to report.

 

The Google Webmaster Tools Security panel says no security problems have been detected about our www website nor about the download URLs that we have also added and authenticated in GWT.

 

I thought at the beginning that the problem would disappear by itself but nothing has changed after two months...

 

Does an expert here knows how it is possible to ask Google to reevaluate their position and/or rescan the website and/or at least explain us what is the exact reason the files are blocked ?

 

Thanks for your help.

[PhistucK]

Please, search for a Google Safe Browsing support venue, as Chrome does not decide for itself that a file is malicious or dangerous. It uses the Google Safe Browsing API to make the decision.

☆PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

[Andrew Cutforth]

I have the same problem.  I just posted the following on the Chrome help forum and got re-directed here so posting again:

Just recently downloading our software products from our web site using Chrome, it blocks the download and says it may harm your browsing experience.  Firstly our software is nothing to do with the web so it cannot affect your browsing experience and our software is all digitally signed so it cannot have a virus.  

The only way to retrieve the download is to go into the downloads section and click "Recover malicious file".  It is now accusing us of producing harmful software!  This is defamation at best.  Where do we report false positives to get this resolved.  

This will be harming our sales and is not acceptable, especially as we also pay for Google Adwords - that is a conflict of interest on your part.

[MSI Team]

Can you try uploading all downloads to VirusTotal? Each antivirus scanner detects its own set of known threats.

[Distraught_webmaster]

Hello,

 

Thanks for your answer.

 

MSI_TEAM, as suggested, I have just checked with VirusTotal the root URLs of our both download servers. I do not test each file URL because we host thousands of files (so thousands of URLs to test and hundred of GB to upload) and I see that the VirusTotal API is limited to 4 requests/minute......

 

The first root URL is detected as a Malicious site for the Blueliv URL Scanner . It is detected as Clean site for all others 62 scanners.

 

The second root URL is detected as Clean site for all 63 scanners ( including Blueliv).

 

The two servers host exactly the same content as they are pure mirrors so it is strange to obtain a different result.

 

Anyway, with Chrome, the malicious error message is displayed for both servers downloads.

 

Are Chrome or Google Safe Browsing using VirusTotal and/or Blueliv solutions ? Do you know if it is possible to obtain a detailed report from Blueliv to know which file bring the problem ? But I am not sure it's will change something for Chrome...

 

PhistucK, I searched for Google Safe Browsing support but found nothing. Any idea how to contact them or ask a rescan of the servers ?

 

Thanks for your help.

[MSI Team]

Have you hosted malicious content or spam on the first root URL but not the second root URL? Has the first root URL been hacked but not the second root URL? The reputation between the first root URL might differ from the reputation of the second root URL. AFAIK Safe Browsing scans all webpages and web content itself and does not rely on external scanners.

[Philip Rogers]

I contacted the team behind this. Could you please file one of these?

https://support.google.com/webmasters/answer/168328?hl=en&ref_topic=4598410

On Thu, Jun 4, 2015 at 10:38 AM, MSI Team <msimprovert...@gmail.com> wrote:

Have you hosted malicious content or spam on the first root URL but not the second root URL? Has the first root URL been hacked but not the second root URL? The reputation between the first root URL might differ from the reputation of the second root URL. AFAIK Safe Browsing scans all webpages and web content itself and does not rely on external scanners.

--

[Distraught_webmaster]

MSI Team, no I do not have hosted malicious content and my servers do not have been hacked or something else. But we never know, perhaps, Google identifies one file (among the thousands hosted) as malicious and blocks all the downloads. But which one...

 

I do not see why reputation for Blueliv is not the same as servers are only used for this task (HTTP file delivering) and the content served is exactly identical.

 

Philip, I checked the three points on your page but I do not think I violate these rules. And I can't request a review because, as I said in my first post, for Google Webmaster Tools, I do not have security issues so the link "Request a review" is not offered. The snake biting its tail. Google GWT said on one hand that there are no security issues and on the other hand, Google Chrome blocks my servers :(

 

Is there here a Google Chrome developer that could look at my particular case ?

 

Thanks for your help.

[Philip Rogers]

Distraught_webmaster, I see what you mean. I checked this page for one of my own sites and had the same issue as you. I'll forward this info along :/

--

[VR Bacon]

I'm having a similar problem - my software will not download through Chrome, yet it's built for chrome.  VirusTotal has one scanner detecting a malicious download for a trojan startpage, but our software never touches the search settings or home page of any browser.

Does anyone have an update on this thread?

Thanks

Vincent

[Distraught_webmaster]

Hello Guys, I have good news !

 

I have just seen today that my blacklisted URLs are now seen as clean by Chrome and the downloads are no more blocked. Yes !!

I do not know if this is related to this thread ?

 

I hope Google will resolve one day the fact that downloads could be blocked by Chrome whereas no security problems are reported by GWT.

 

I have also contacted VirusTotal and Blueliv to report the false postive with my URLs. They are working on my case.

 

Thanks again for your help.

[VR Bacon]

My downloads are no longer blocked, either.  Thanks to anyone who may have helped!

V

[SunnyDanielle]

Hi,

I have the same problem. I just posted the following on the Chrome help forum and got re-directed here so posting again:

Google Safe browsing is erroneously detecting our software product as a threat, therefore preventing users from installing and using it, which in turn causes us to lose significant revenue.

Our software is nothing to do with the web so it cannot affect your browsing experience. We do not have hosted malicious content and our servers have not been hacked or something else.

Checking through VirusTotal I can see that our software URL is detected as a malicious site for the Blueliv, CLEAN MX and Google Safebrowsing URL Scanner. I have contacted Blueliv and CLEAN MX and they are working on my case.

None of our products contain any virus, are a virus or contain any other malicious components. The company is a Microsoft Gold Application Development partner and the products are checked to be virus-free and certified by Norton and Microsoft.

How can we get our product de-classified as a threat?

Thank you very much in advance!

[PhistucK]

https://support.google.com/webmasters/answer/168328?hl=en&ref_topic=4598410

☆PhistucK

--

[SunnyDanielle]

I keep submitting it for review for 2 weeks already and nothing changes. That's why I post my request here in the developers forum.

I would appreciate it if any expert from Google could help me.

[SeekingTheTruth]

So did anyone finally helped with this problem? We have the same problem currently. 

[Elliander Eldridge]

This is still an issue. As both a user and a developer I find this not only pointless - but malicious on the part of google. On a number of websites it doesn't just give a warning - it outright ASSERTS that the file is malicious and will NOT allow the user to override that and download anyway unless they completely disable a number of security features of Chrome.

In other words, Chrome is actively encouraging all of its affected users to remove all security rather than actually be a responsible company and only block content that it KNOWS is malicious.