Parts of website blocked by Google Safe Browsing?

Since today, parts of the SWI-Prolog website seem to be recognised as unsafe by Google Safe Browsing. The Google Safe Browsing report for Jan’s PhD (which I am sure will not install anything) can be found here: https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fwww.swi-prolog.org%2Fdownload%2Fpublications%2Fjan-phd.pdf

In Firefox, currently visiting the website results in a red alert message:

Is anyone familiar with this and how to get the false-positive fixed?

Following the various links on Mozilla’s page gets to here which says to use this link to request removal of incorrect malware or this one for phishing.

Unfortunately, the malware one says that if the report is from Google, you have to create a Google webmaster account to validate it, which seems pretty shakedown-y to me :confused:

No fun. I got an alert from the university that Google found a malware file on the site. It didn’t specify which file. I checked that the .exe files were not compromised (that is not easy: on first upload the server takes an SHA256 hash for the file and regularly validates this still matches while the file and checksums are maintained under different accounts). Nothing wrong. So, it appears to me my PhD thesis which was generated in 2009 and the download file is still the same (says SHA256 comparing to the copy that is still on my machine).

In short, this is a false alarm. How do we get rid of this?

I filed a complaint at https://safebrowsing.google.com/safebrowsing/report_error/?hl=en

1 Like
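The integrity check described in the post above (hash on first upload, re-verify regularly, checksums kept apart from the files) can be sketched as follows. This is an added example, not part of the thread and not the SWI-Prolog server's own code; the file names, manifest format and sample bytes are constructed, and in practice the manifest would be owned by a different account than the download directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_new(download_dir: Path, manifest: Path) -> dict:
    """Hash files seen for the first time; never overwrite an existing entry."""
    known = json.loads(manifest.read_text()) if manifest.exists() else {}
    for f in sorted(p for p in download_dir.rglob("*") if p.is_file()):
        name = str(f.relative_to(download_dir))
        if name not in known:
            known[name] = sha256_file(f)
    manifest.write_text(json.dumps(known, indent=2, sort_keys=True))
    return known

def verify(download_dir: Path, manifest: Path) -> list:
    """Return (name, status) for every recorded file that is missing or changed."""
    problems = []
    for name, expected in json.loads(manifest.read_text()).items():
        f = download_dir / name
        if not f.is_file():
            problems.append((name, "missing"))
        elif sha256_file(f) != expected:
            problems.append((name, "modified"))
    return problems

def demo() -> list:
    """Constructed sample: one upload, then a simulated modification."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads, manifest = Path(tmp, "download"), Path(tmp, "manifest.json")
        downloads.mkdir()
        (downloads / "installer.exe").write_bytes(b"constructed sample bytes")
        record_new(downloads, manifest)
        clean = verify(downloads, manifest)
        (downloads / "installer.exe").write_bytes(b"tampered bytes")
        record_new(downloads, manifest)  # must not re-record the changed file
        return [clean, verify(downloads, manifest)]

if __name__ == "__main__":
    print(demo())
```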

Registered as owner of the site. This reveals the culprits are supposed to be (added spaces not to create a link and get this blocked too).

Both files are fine. I complained through the web interface, but the form doesn’t seem to suggest the option they may be wrong. We’ll see …

The site is still black (well, red). Google still reports these files as malware. https://www.stopbadware.org/clearinghouse/search however (which seems behind FF’s alert) says it knows nothing about https://www.swi-prolog.org, with or without /download/devel

I recall there is some site where you can get an overview of all malware scanners for a url. Does anyone know about this?

VirusTotal runs a URL through a slew of anti-virus products:
https://www.virustotal.com/gui/home/url

1 Like

Thanks Richard. That was what I was looking for. Says 2 out of 71 scanners do not like the 8.1.14 exe and classify it as phishing and malicious. That (to me) confirms there is no real problem.

I don’t seem to be able to get Google to listen though. I have claimed ownership on the site. That allows to report, but not really that they got it wrong :frowning: I tried to add a fair description on the process, but that was apparently too long. So I just asked them to properly review the file ASAP.

This is really bad. Except for stopping with Windows binaries I see no option to fix this for once and forever though :frowning:

Seems somehow something/someone corrected this! I fear it will happen again :frowning:

1 Like

It’s back. At least for 8.1.15 dev release on OS X.

Probably related to this…
While building swi from source, I saw a warning that the location of the config file has moved. For further information, I should look to “https://swi-prolog.org/modified/config-files.html”.
When browsing to this page, I first got a notification that it was insecure. And after ignoring that warning, nginx reported "502 Bad Gateway"

Ben

This looks more like a configuration mistake for me. @jan, adding swi-prolog.org as a server alias for www.swi-prolog.org in nginx should be enough to fix this. (Note: hopefully your SSL certificate was created for swi-prolog.org with as well as without www, otherwise you need an additional server configuration…)

There are several things going on:

1 Like

Wikipedia says Virustotal is owned by Google, so it is possible they use
Virustotal as part of Safe Browsing.

We could upload new Windows binaries to Virustotal for scanning. There’s
an API, so potentially uploading could be automated. (There’s a slight
complication for files greater than 32MB…)

The API also has a domain report. We may be able to use that to find
problems with www.swi-prolog.org before Falco does ;>
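A sketch of the automation suggested in the post above, added here as an example and not part of the thread: it picks the upload endpoint by file size and compares the flagging engines between two releases. It assumes VirusTotal's public API v3 endpoints and report nesting; the engine names and verdicts are constructed, and the 32MB limit is read as 32 MiB.

```python
VT_API = "https://www.virustotal.com/api/v3"
DIRECT_UPLOAD_LIMIT = 32 * 1024 * 1024  # assumption: the "32MB" limit read as 32 MiB

def upload_endpoint(size_bytes: int) -> tuple:
    """(method, URL) to start an upload; large files first request an upload URL."""
    if size_bytes <= DIRECT_UPLOAD_LIMIT:
        return ("POST", f"{VT_API}/files")
    return ("GET", f"{VT_API}/files/upload_url")

def flagged_engines(report: dict) -> dict:
    """Map engine name -> verdict for engines reporting malicious or suspicious."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {name: r.get("result") or r["category"]
            for name, r in results.items()
            if r["category"] in ("malicious", "suspicious")}

def summarize(report: dict) -> str:
    """One-line summary in the 'N out of M scanners' form used in the thread."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = flagged_engines(report)
    detail = ", ".join(f"{e}: {v}" for e, v in sorted(hits.items()))
    head = f"{len(hits)}/{len(results)} engines flag the file"
    return head + (f" ({detail})" if hits else "")

def new_detections(previous: dict, current: dict) -> list:
    """Engines that flag the current build but did not flag the previous one."""
    return sorted(set(flagged_engines(current)) - set(flagged_engines(previous)))

def _report(verdicts: dict) -> dict:
    """Build a constructed report with the v3 nesting; engine names are made up."""
    return {"data": {"attributes": {"last_analysis_results": {
        name: {"category": cat, "result": res}
        for name, (cat, res) in verdicts.items()}}}}

PREVIOUS = _report({"EngineA": ("undetected", None),
                    "EngineB": ("malicious", "Generic.Heur"),
                    "EngineC": ("undetected", None),
                    "EngineD": ("type-unsupported", None)})
CURRENT = _report({"EngineA": ("suspicious", None),
                   "EngineB": ("malicious", "Generic.Heur"),
                   "EngineC": ("undetected", None),
                   "EngineD": ("type-unsupported", None)})

if __name__ == "__main__":
    print(upload_endpoint(12 * 1024 * 1024))
    print(summarize(CURRENT))
    print("new since last release:", new_detections(PREVIOUS, CURRENT))
```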

That is an interesting thought. I wonder how vendors deal with this in general. Produce a random Windows binary and it seems it is likely that a couple of virus/malware scanners trigger. I vaguely recall that checking at Google, it was claimed McAfee was one of the two complaining scanners, while VirusTotal had two others. Our binary is only 12Mb, so that is fine :slight_smile:

If someone knows how to deal with this, please share!

For what it’s worth, we’ve had our first confirmed case of someone using something else because of this. It’s certainly not the actual first time - I’m sure we’re hemorrhaging users - but found a user on Twitter who reports he used GNU-Prolog as a result of the warning. Ran into multiple issues, and got a copy of SWI-Prolog by using MS Edge, Microsoft’s new name for Internet Explorer.

1 Like

That was to be expected. In the days before a CDN when we kept track of downloads there were over 500 per day. Probably more now. If you hit a red alert page it will be less :frowning:

Seems we are blocked again, now all three download pages :frowning: I can’t do much as my internet connection is really slow :frowning:

Does it make sense to delete all the *.EXE files and point to another site (swi-prolog-win.org) containing them (with an explanation that some virus scanners incorrectly flag them)?

This will kill swi-prolog. Is there any way others can help with this?