Security/Features/Application Reputation Design Doc: Difference between revisions

Security/Features/Application Reputation Design Doc (view source)

205 bytes added , 23 July 2014

Confirmed users

238

edits

@@ Line 53: / Line 53: @@
 == Remote lookup (present in FF 32, Windows-only) ==
-These lookups are Windows-only, because we rely on signature information in order to suppress remote lookups and signature APIs are only available on Windows.
+These lookups are Windows-only, because we rely on signature information in order to suppress remote lookups and signature APIs are only available on Windows. If the binary is unsigned or its signature does not match a known good publisher and the filename ends in a known executable extension, Firefox sends a remote lookup to the application reputation service.
 The user-agent encodes file metadata into a ClientDownloadRequest protocol buffer and sends it to the remote service. If a MALWARE verdict is received, the downloaded file should not be saved and the UI should report that the download may be malware. In Chrome, this occurs in CheckClientDownloadRequest::SendRequest [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=612]. In Firefox, this happens in ApplicationReputation::PendingLookup::SendRemoteQuery [http://mxr.mozilla.org/mozilla-central/source/toolkit/components/downloads/ApplicationReputation.cpp] and in the JS DownloadIntegration.shouldBlockForApplicationReputation [http://mxr.mozilla.org/mozilla-central/source/toolkit/components/jsdownloads/src/DownloadIntegration.jsm#491].