Security/Download Protection: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(→‎Engineering: Document the tests to run.)
(update Telemetry section based on recent changes)
Line 49: Line 49:


'''Alerts are sent to [https://mail.mozilla.org/listinfo/safebrowsing-telemetry safebrowsing-telemetry@mozilla.org].'''
'''Alerts are sent to [https://mail.mozilla.org/listinfo/safebrowsing-telemetry safebrowsing-telemetry@mozilla.org].'''
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2018-09-04&keys=__none__!__none__!__none__&max_channel_version=nightly%252F63&measure=APPLICATION_REPUTATION_BINARY&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2018-08-09&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_BINARY]: whether the file examined by download protection is a binary type
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2018-09-04&keys=__none__!__none__!__none__&max_channel_version=nightly%252F63&measure=APPLICATION_REPUTATION_BINARY_ARCHIVE&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2018-08-09&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_BINARY_ARCHIVE]: whether the binary file examined by download protection is dmg, rar or zip
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_LOCAL]: results of the local checks (whitelist and blacklist)
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_LOCAL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_LOCAL]: results of the local checks (whitelist and blacklist)
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-08-20&keys=__none__!__none__!__none__&max_channel_version=nightly%252F51&measure=APPLICATION_REPUTATION_REMOTE_LOOKUP_TIMEOUT&min_channel_version=nightly%252F51&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-08-20&table=0&trim=1&use_submission_date=0 APPLICATION_REPUTATION_REMOTE_LOOKUP_TIMEOUT]: whether or not a client timed out while contacting the remote lookup server
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-08-20&keys=__none__!__none__!__none__&max_channel_version=nightly%252F51&measure=APPLICATION_REPUTATION_REMOTE_LOOKUP_TIMEOUT&min_channel_version=nightly%252F51&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-08-20&table=0&trim=1&use_submission_date=0 APPLICATION_REPUTATION_REMOTE_LOOKUP_TIMEOUT]: whether or not a client timed out while contacting the remote lookup server
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_SERVER&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_SERVER]: whether the response from the remote server was valid, invalid (failed to parse as a protobuf) or failed in some other way
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_SERVER&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_SERVER]: whether the response from the remote server was valid, invalid (failed to parse as a protobuf) or failed in some other way
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2018-09-04&keys=__none__!__none__!__none__&max_channel_version=nightly%252F63&measure=APPLICATION_REPUTATION_SERVER_2&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2018-08-09&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_SERVER_2]: a more detailed version of APPLICATION_REPUTATION_SERVER with network status
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_SERVER_VERDICT&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_SERVER_VERDICT]: results (verdict) we got back from the remote server lookup
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_SERVER_VERDICT&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_SERVER_VERDICT]: results (verdict) we got back from the remote server lookup
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_SHOULD_BLOCK&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_SHOULD_BLOCK]: whether or not a download has been blocked due to an application reputation lookup (local or remote)
* [https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=APPLICATION_REPUTATION_SHOULD_BLOCK&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-04-25&table=1&trim=1&use_submission_date=0 APPLICATION_REPUTATION_SHOULD_BLOCK]: whether or not a download has been blocked due to an application reputation lookup (local or remote)

Revision as of 08:54, 6 September 2018

Description

This feature protects users against malware downloads. It is based on Safe Browsing.

See Security/Features/Application_Reputation_Design_Doc for implementation details.

Prefs

  • browser.safebrowsing.downloads.enabled: enables application reputation checks for downloaded files
  • browser.safebrowsing.downloads.remote.enabled: enables remote lookups (requires the previous pref)
  • browser.safebrowsing.downloads.remote.timeout_ms: timeout for the remote lookups
  • browser.safebrowsing.downloads.remote.url: server endpoint for remote lookups
  • browser.safebrowsing.malware.enabled: enables malware checks (required by application reputation)
  • browser.safebrowsing.provider.google.lists: list of tables coming from the Google Safe Browsing service
  • urlclassifier.downloadAllowTable: list of trusted certificates which suppress remote lookups (Windows-only)
  • urlclassifier.downloadBlockTable: list of URLs serving malware binaries

Engineering

Product/Component: Toolkit/Safe Browsing

Most of the code lives in toolkit/components/downloads/ApplicationReputation.cpp. The lookup is requested from within toolkit/components/jsdownloads/src/DownloadIntegration.jsm.

Upstream list of file extensions:

Tests

Here are the download protection specific tests: 

./mach test toolkit/components/reputationservice/test/

Also relevant are the Safe Browsing tests.

QA

To turn on debugging output, export the following environment variable: 

MOZ_LOG_FILE=/tmp/apprep.log
MOZ_LOG="ApplicationReputation:5"

Telemetry

Alerts are sent to safebrowsing-telemetry@mozilla.org.

Documentation

Retrieved from "https://wiki.allizom.org/index.php?title=Security/Download_Protection&oldid=1200646"