Security/Features/Application Reputation Design Doc: Difference between revisions

Line 53: Line 53:


== Remote lookup (present in FF 32, Windows-only) ==
== Remote lookup (present in FF 32, Windows-only) ==
These lookups are Windows-only, because we rely on signature information in order to suppress remote lookups and signature APIs are only available on Windows.
These lookups are Windows-only, because we rely on signature information in order to suppress remote lookups and signature APIs are only available on Windows. If the binary is unsigned or its signature does not match a known good publisher and the filename ends in a known executable extension, Firefox sends a remote lookup to the application reputation service.


The user-agent encodes file metadata into a ClientDownloadRequest protocol buffer and sends it to the remote service. If a MALWARE verdict is received, the downloaded file should not be saved and the UI should report that the download may be malware. In Chrome, this occurs in CheckClientDownloadRequest::SendRequest [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=612]. In Firefox, this happens in ApplicationReputation::PendingLookup::SendRemoteQuery [http://mxr.mozilla.org/mozilla-central/source/toolkit/components/downloads/ApplicationReputation.cpp] and in the JS DownloadIntegration.shouldBlockForApplicationReputation [http://mxr.mozilla.org/mozilla-central/source/toolkit/components/jsdownloads/src/DownloadIntegration.jsm#491].
The user-agent encodes file metadata into a ClientDownloadRequest protocol buffer and sends it to the remote service. If a MALWARE verdict is received, the downloaded file should not be saved and the UI should report that the download may be malware. In Chrome, this occurs in CheckClientDownloadRequest::SendRequest [https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/safe_browsing/download_protection_service.cc&rcl=1392695364&l=612]. In Firefox, this happens in ApplicationReputation::PendingLookup::SendRemoteQuery [http://mxr.mozilla.org/mozilla-central/source/toolkit/components/downloads/ApplicationReputation.cpp] and in the JS DownloadIntegration.shouldBlockForApplicationReputation [http://mxr.mozilla.org/mozilla-central/source/toolkit/components/jsdownloads/src/DownloadIntegration.jsm#491].
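Review bot: The sentence added to the Windows-only paragraph has an ambiguous condition. "If the binary is unsigned or its signature does not match a known good publisher and the filename ends in a known executable extension" can be read as "unsigned, or (signature mismatch and executable extension)" or as "(unsigned or signature mismatch) and executable extension". These two readings send different sets of downloads to the remote service. Make the grouping explicit. If the extension check applies to both cases, something like "If the filename ends in a known executable extension and the binary is either unsigned or signed by a publisher that is not known good, Firefox sends a remote lookup" would do. It would also help to state the other branch directly, namely that a signature matching a known good publisher suppresses the lookup, since the first sentence only implies it.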