No edit summary |
(→How to turn off this feature: update the pref names) |
||
(3 intermediate revisions by one other user not shown) | |||
Line 12: | Line 12: | ||
* Turn off malware detection in Preferences > Security > "Block reported attack sites." This disables all Safebrowsing malware protection, including the warning interstitial that appears when the user navigates to a malware site. | * Turn off malware detection in Preferences > Security > "Block reported attack sites." This disables all Safebrowsing malware protection, including the warning interstitial that appears when the user navigates to a malware site. | ||
* | * Set <tt>browser.safebrowsing.downloads.remote.enabled</tt> to false in <tt>about:config</tt>. This disables application reputation remote lookupsbut leaves other Safebrowsing malware protection intact. To turn off all download protection checks, use <tt>browser.safebrowsing.downloads.enabled</tt> instead. | ||
== High-level overview == | == High-level overview == | ||
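Review bot: the added bullet on the right-hand side reads "lookupsbut", which is missing a space ("remote lookups but leaves"). Since the bullet now names two prefs, it would also help to say outright whether the local list checks still run when only browser.safebrowsing.downloads.remote.enabled is set to false, so a reader can tell what protection remains before choosing between it and browser.safebrowsing.downloads.enabled.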
Line 19: | Line 19: | ||
When a binary file is downloaded, the user-agent extracts several pieces of metadata about the file, including: | When a binary file is downloaded, the user-agent extracts several pieces of metadata about the file, including: | ||
# The target URL from which the file was downloaded, its referrer URL and any URLs in the redirect chain. | # The target URL from which the file was downloaded, its referrer URL and any URLs in the redirect chain. These URLs are checked against goog-badbinurl-shavar. | ||
# The SHA-256 hash of the contents of the file. | # The SHA-256 hash of the contents of the file. | ||
# Any certificate verification information obtained through the Windows Authenticode APIs. | # Any certificate verification information obtained through the Windows Authenticode APIs. This certificate information is used to construct synthetic URLs with which to check goog-downloadwhite-digest256. | ||
# The length of the file in bytes. | # The length of the file in bytes. | ||
# The suggested filename for the download. | # The suggested filename for the download. | ||
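Review bot: in items 1 and 3 the list names goog-badbinurl-shavar and goog-downloadwhite-digest256 are added as bare text, while the pref names in the bullet list above are wrapped in <tt>; wrap the list names the same way. The two new sentences also do not say which list is the blocklist and which is the allowlist, and item 3 uses "synthetic URLs" without defining the term or pointing to where their construction is described.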
Line 27: | Line 27: | ||
Using this metadata, the user-agent performs a local lookups against a blocklist. In Chrome, this happens in DownloadProtectionService::CheckDownloadUrl [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=813]. If no match is found, the user-agent checks whether the binary is supported. In Chrome, the entry point is in DownloadProtectionService::CheckClientDownloadRequest [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&l=271]. If the download is supported, it checks an allowlist. In Chrome, these checks happen in CheckClientDownloadRequest::CheckWhitelists [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&l=488]. If the binary is signed, then the code signing information is checked against the allowlist. In Chrome, these checks begin inside CheckWhitelists [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=584]. | Using this metadata, the user-agent performs a local lookups against a blocklist. In Chrome, this happens in DownloadProtectionService::CheckDownloadUrl [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=813]. If no match is found, the user-agent checks whether the binary is supported. In Chrome, the entry point is in DownloadProtectionService::CheckClientDownloadRequest [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&l=271]. If the download is supported, it checks an allowlist. In Chrome, these checks happen in CheckClientDownloadRequest::CheckWhitelists [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&l=488]. 
If the binary is signed, then the code signing information is checked against the allowlist. In Chrome, these checks begin inside CheckWhitelists [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=584]. | ||
If any blocklist matches are found, the user-agent must not save the file to disk. If any allowlist matches are found, the user-agent may treat the binary as trusted and skip the remote lookup. If no matches are found and the binary was unsigned or signature extraction completed successfully (on Windows only), the user-agent may send a remote lookup to the application reputation service. | If any blocklist matches are found, the user-agent must not save the file to disk. If any allowlist matches are found, the user-agent may treat the binary as trusted and skip the remote lookup. If no matches are found and the binary was unsigned or signature extraction completed successfully (on Windows only) and the filename ends with an executable extension, the user-agent may send a remote lookup to the application reputation service. | ||
== Metadata extraction == | == Metadata extraction == |
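Review bot: the condition in the last paragraph now reads "unsigned or signature extraction completed successfully (on Windows only) and the filename ends with an executable extension", and the mix of "or" and "and" is ambiguous: it can be read as "unsigned, or (extraction succeeded and executable extension)" or as "(unsigned or extraction succeeded) and executable extension". Restate it as a short list of conditions that must all hold, so it is clear whether the extension requirement also applies to unsigned binaries. Separately, "performs a local lookups" in the first sentence is unchanged on both sides and should read "performs a local lookup".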