Steve Maughan 26 Posted April 22, 2020

Hi,

Google Chrome has started to block the downloads of my application (https://www.alignmix.com). We offer a trial download so anyone can try the software and decide if it's for them. We've been doing this since 2015 with no problems. The application is a business-to-business application that helps companies design their sales force territories. It doesn't contain any malware at all. Everything is done with the user's permission. It is quite a large application at 157 Mb.

When the user clicks on the download link they will see the download progress in the bottom left hand corner. Once downloaded, Google Chrome informs them "AlignMix-2019-Setup.exe may be dangerous, so Chrome has blocked it" (see the screenshot). There is only one option, and that's to "Discard" — it's not a warning, it's the only option for the user. The only way around this is to delve deep into Google Chrome's settings and disable the "protection" feature and then re-download. I can't see many users taking this route — most, if not all, will simply move on and try to find another solution.

The "Discard" button takes you to this information page: https://support.google.com/chrome/answer/6261569?visit_id=637231503147981989-2256574895&p=ib_download_blocked&hl=en&rd=1

Which then takes you to this page, "learn how to resolve malware or unwanted software issues": https://support.google.com/webmasters/answer/3258249

When I run a "Security Issues Report" there are no security issues on the site — see screenshot. AlignMix conforms to the software guidelines.

This is serious. Since 60% of the visitors to our website use Google Chrome this will have a massive impact on our business. It could jeopardize the viability of my business. Is this the start of Google's war against desktop software?

Does anyone have any advice? Has anyone come across this before? All help appreciated!

Steve

Sherlock 663 Posted April 22, 2020

All hail monocultures and monopolies.

That said, have you waited the estimated two weeks for your reconsideration review to be approved or denied? If so, what was their answer? If not, all you can do is wait.

And no, this is not the start of Google's war on desktop software. It's what you get when one provider of a common product gets an overwhelming share of the market - they become cocky.

Steve Maughan 26 Posted April 22, 2020

Just now, Sherlock said:

> All hail monocultures and monopolies. That said, have you waited the estimated two weeks for your reconsideration review to be approved or denied? If so, what was their answer? If not, all you can do is wait.

The only review I could see was the one for Android APK applications. I haven't been able to find a way of submitting this issue — any clues appreciated.

Lars Fosdal 1793 Posted April 22, 2020

I successfully downloaded it just now, and I did not get a warning.

I have to say that I became very skeptical when I saw Softpedia mentioned, as they have a long history with bundling files with other installers like "helpers" for browsers. I did not run the installer.

Fred Ahrens 59 Posted April 22, 2020

I'm just guessing: It could be a problem that the file isn't downloaded from your domain but from storage.googleapis.com. In the end, whenever other identified malware was downloaded via storage.googleapis.com, your downloads are flagged as potential malware as well - you just don't have this under control, as anybody can use this domain for downloads. I would try moving the downloads to your own domain.

Steve Maughan 26 Posted April 22, 2020

12 minutes ago, Lars Fosdal said:

> I successfully downloaded it just now, and I did not get a warning. I have to say that I became very skeptical when I saw Softpedia mentioned, as they have a long history with bundling files with other installers like "helpers" for browsers. I did not run the installer.

Hi Lars,

The Softpedia comment is well taken — I'll remove it now. Can I ask which version of Google Chrome you're using?

Thanks!

Lars Fosdal 1793 Posted April 22, 2020

Chrome: Version 81.0.4044.122 (Official Build) (64-bit), partly managed by our IT org.

Steve Maughan 26 Posted April 22, 2020

28 minutes ago, Fred Ahrens said:

> I'm just guessing: It could be a problem that the file isn't downloaded from your domain but from storage.googleapis.com. In the end, whenever other identified malware was downloaded via storage.googleapis.com, your downloads are flagged as potential malware as well - you just don't have this under control, as anybody can use this domain for downloads. I would try moving the downloads to your own domain.

Hi Fred,

I gave that a try and it didn't work. I can't imagine Google penalizes you for storing stuff on their storage solution.

Thanks,

Steve

Fred Ahrens 59 Posted April 22, 2020

For testing I uploaded your file to our own domain and still get the error while downloading it from there. So the source of the download doesn't seem to be the source of the problem.

It seems to be a problem with the digital signature. It may help to add a second signature using the sha1 digest algorithm. It won't hurt and will also give you some compatibility with downloading the file on older Windows versions. This will also change the checksum of your file and provide a good chance that it won't be detected again as a file that has been flagged as critical for unknown reasons.

Some years ago we also used Comodo certificates. When we had similar problems it helped just to sign and upload the affected file again. Meanwhile we switched to DigiCert signatures and those problems went away. This also lowered false positive detection of our binaries by some virus scanners.

Guest Posted April 22, 2020

Hi,

I don't have a direct answer to this problem per se, but I will list a few unpopular facts, incidents I faced and my suggestions to handle this or at least shorten the time for you in solving this; some of this information might also be new for many of the developers here.

1) I tried to download the file and it went fine without warning; the thing is, you can't be 100% sure that a client is reporting this and that he knows for sure it did come from an extension installed on Chrome or an antivirus (or any security software, there are many) with web traffic filtering enabled!

2) I tried to upload and scan the file for warnings using VirusTotal.com and it was clean; this might be a red herring, as you might have had in the past a flagged version that came by a link to your site.

3) Your application is code signed and it is valid.

4) What I did above was for the installer. I didn't install it, so I don't have access to the binary (EXE) itself; you should repeat (3) on your own with any executable your installer is unpacking, and also make sure they are code signed too, even the uninstaller (e.g. Inno Setup does support signing the uninstaller too). Why does this matter? It will be explained in the following facts.

5) Most browsers (Firefox, Internet Explorer, Chrome...) do have client/user protection mechanisms. This mechanism depends on blacklists and might have whitelists too; those lists are checked per domain name and IP, not per binary (this is important). Internet Explorer has Microsoft Defender and SmartScreen with reputations etc.; Microsoft has security software and labs for that, so whitelisting there will whitelist your domain, so the source of the blacklist is known. Firefox has blocklist settings (visible with about:config); here I am not sure if the source of that list is disclosed or undisclosed, but Mozilla definitely depends on some third party(s) to build that list, not only on user reports and telemetry; the source, if any, will be antivirus software companies. Now for Chrome: it doesn't disclose the source of its blacklists, and the security settings don't help much there, but with high chance they depend on a specialized third party.

6) You should be familiar with the SBL and RBL; those are lists for spam and malicious (high risk) sources, one for domain names (SBL) and the other for IPs. Those lists are from email spamming, phishing, virus attachments, etc. Why are those lists important, and what does an IP or email have to do with blocking a download? Let me tell you this story from my personal experience. I had a project where I was the maintainer for some period of time, and the job was to update this legacy software and bring it to life with a modern theme and features... many things. One in particular was a better licensing system, as there was a crack and key generator publicly available on the internet, so there were a few emails between us sending those crack and patch files over email. I was using my main business email, which is hosted on a server I own, using my own email server hosted on it. So far so good; only after around a month I started to receive rejection emails from many public email providers like Hotmail and Yahoo..., and a few days after that I couldn't use Internet Explorer to download any software from my own server, not even zip-compressed csv files, no executable/binary! Just because it was a zip. Now do you see how things can escalate? I had to report a false positive to Microsoft, and that went very smoothly and in a short time; it was a day or so as I remember. How did this happen a month after sending those emails? The guy I had those emails with had changed his email client and performed a full scan with a few antiviruses! He had allowed them to report their findings; those findings were condemning my email, and because it is private (not a public email provider) and had all security best practices configured, like SPF, DKIM and DMARC, then it is the sender who intentionally did that, so I had to contact a few of those to lift the black flag.

7) Your domain alignmix.com is not found on any of those lists, and I think your IP isn't either, and you have SPF and DKIM configured right; adding DMARC will not harm.

8) Have you changed the IP recently? Maybe it is flagged somewhere from prior usage with a flagged domain.

9) I checked the TTL on the DNS, so I will start with the warning before the suggestion: your TTL for the IP is 4 hours, which means that if you are trying to change DNS settings it might take up to 4 hours to take effect. With that in mind, does enabling a service like CloudFlare help? Does changing the name of the downloaded file help? Does moving the download link to a different page help? Does putting the download file on the site instead of a CDN help? Switching to another CDN?

10) Is your application packed/protected using a packer or protection software (like Winlicense, ASPack, ...)? There are many of those. If yes, are you using one that supports and applies a software taggant? If not, then either change, update or switch to a better one. To read more about software taggants: https://en.wikipedia.org/wiki/Software_taggant and https://standards.ieee.org/industry-connections/icsg/amss.html. In case your application is packed/protected with such obfuscation software, I can't emphasize enough how important this is; it has at least equal importance to code signing your application with a certificate issued by a known and trusted issuer.

This is what I can think of. This problem will be solved only by you; only you can figure it out, whether it needs a false positive report to some antivirus or a rebuild of the reputation rank... I have no clue about the specific reason; that's why I listed the many thoughts I have, hoping this will help you make sense of what happened or changed. Only you can make sense of that blocking.

Sorry for the very long post, and bad English. Hope this helps and puts you in a good direction to investigate, good luck!

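An added example, not part of the thread or any poster's code: a Python sketch of the check suggested in point 4 of the post above, listing which .exe/.dll files under an install directory carry no embedded Authenticode signature. It only tests that the PE certificate table is present and well-formed and does not validate the signature or certificate chain; the function names and the constructed sample headers are assumptions made for illustration.

```python
import os
import struct

CERT_DIR_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS7 = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def authenticode_status(data):
    """Return 'signed', 'unsigned' or 'not-pe' (presence check, no validation)."""
    try:
        if data[:2] != b"MZ":
            return "not-pe"
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return "not-pe"
        opt = pe_off + 24                     # skip PE signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):       # PE32 / PE32+
            return "not-pe"
        dirs = opt + (96 if magic == 0x10B else 112)
        (count,) = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
        if count <= CERT_DIR_INDEX:
            return "unsigned"
        # Unlike the other directories, this entry holds a file offset, not an RVA.
        off, size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR_INDEX)
        if off == 0 or size < 8 or off + size > len(data):
            return "unsigned"
        length, _rev, ctype = struct.unpack_from("<IHH", data, off)
        return "signed" if ctype == WIN_CERT_TYPE_PKCS7 and 8 <= length <= size else "unsigned"
    except struct.error:                      # truncated headers
        return "not-pe"

def unsigned_binaries(root):
    """Paths of .exe/.dll files under root without an embedded signature."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    if authenticode_status(fh.read()) != "signed":
                        found.append(path)
    return sorted(found)

def build_sample_pe(signed):
    """Constructed sample: bare PE32+ headers plus an optional dummy certificate."""
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20 + opt)
    if signed:
        blob = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS7) + b"\0" * 8
        struct.pack_into("<II", image, 0x40 + 24 + 112 + 8 * CERT_DIR_INDEX, len(image), len(blob))
        image += blob
    return bytes(image)
```

Run `unsigned_binaries()` against the directory the installer unpacks to; anything it lists still needs signing, and anything it does not list still needs a real validity check with the platform's signature verification tooling.
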
Guest Posted April 22, 2020

36 minutes ago, Fred Ahrens said:

> It may help to add a second signature using the sha1 digest algorithm. It won't hurt and will also give you some compatibility with downloading the file on older Windows versions. This will also change the checksum of your file and provide a good chance that it won't be detected again as a file that has been flagged as critical for unknown reasons.

Not sure if that helps, but a SHA1 signature is a good thing, I mean having a dual signature.

One thing to mention that you might like to know: a few years back my certificate expired, so I grabbed one (Comodo). I just re-signed the exe itself with the new certificate, no recompile; both cases did have 2 signatures. What was the result? SmartScreen started to warn about that download. Later I learned from an expert that SmartScreen, even with a certificate from a valid trusted issuer, will warn unless:

1) the certificate is OV, it seems EV is not enough.
2) it reaches 100 downloads where people override the warning.
3) 3-7 days.

Vandrovnik 215 Posted April 22, 2020

I have just tried to download it using Chrome (Czech version 81.0.4044.122 (Oficiální sestavení) (64bitový)); it downloaded without problems, and the browser allowed me to start the downloaded .exe.

Steve Maughan 26 Posted April 22, 2020

2 hours ago, Fred Ahrens said:

> For testing I uploaded your file to our own domain and still get the error while downloading it from there. So the source of the download doesn't seem to be the source of the problem. It seems to be a problem with the digital signature. It may help to add a second signature using the sha1 digest algorithm. It won't hurt and will also give you some compatibility with downloading the file on older Windows versions. This will also change the checksum of your file and provide a good chance that it won't be detected again as a file that has been flagged as critical for unknown reasons. Some years ago we also used Comodo certificates. When we had similar problems it helped just to sign and upload the affected file again. Meanwhile we switched to DigiCert signatures and those problems went away. This also lowered false positive detection of our binaries by some virus scanners.

Fascinating! I didn't think code signing certificate providers had a pecking order! Has anyone else had this experience?

Angus Robertson 577 Posted April 22, 2020

18 months ago Google decided a zip on my web site contained a nasty and placed the page on its blacklist, used by other browsers as well, to stop the page being displayed. Not quite the same blocking as yours, but probably the same false detection. That page had about 30 zips, OpenSSL binaries, lots of Delphi source and a couple of EXE samples; Google never told me which file.

The answer is to stop Google scanning your files so they can not find false nasties. robots.txt might work, but they can ignore that; my solution was to move all the files onto a password protected web page that Google can not access, and that has worked. It's a pain for users to request the password, but over 1,000 Delphi developers have done so already, hopefully not including anyone from Google.

Angus

Mike Torrettinni 198 Posted April 22, 2020

4 minutes ago, Angus Robertson said:

> my solution was to move all the files onto a password protected web page that Google can not access

Doesn't captcha or similar options prevent this?

Angus Robertson 577 Posted April 22, 2020

There are various protection alternatives, with varying annoyance levels; the important issue is that Google can not scan the files. I support the concept of scanning, but not the blundering way Google does it without any human intervention possible for false positives, although it may have got better since I was targeted.

Angus

Mike Torrettinni 198 Posted April 22, 2020

Captcha or similar options could avoid the need for developers requesting and you managing passwords. Maybe save you some time and developers don't need to wait for access. But if you need controlled access, then captcha is out.

dummzeuch 1517 Posted April 22, 2020

If it's only about blocking Google, why not simply post the password on the site itself?

Steve Maughan 26 Posted April 22, 2020

3 minutes ago, dummzeuch said:

> If it's only about blocking Google, why not simply post the password on the site itself?

Interesting idea!

Attila Kovacs 631 Posted April 22, 2020

Also downloaded successfully with the orange button on the top right without any problem. Version 81.0.4044.113 (Official Build) (64-bit).

The app looks interesting, is it like Regiograph?

Angus Robertson 577 Posted April 22, 2020

As well as protecting the files from Google, it is good to see who is interested in my various components, mostly old since many are now incorporated into ICS. Always nice for open source authors to know people are interested in our components; usually people only email when something does not work, far fewer thank us for our work. People say Delphi is dying, but the number of people looking for (free) components suggests otherwise.

Angus

rvk 44 Posted April 23, 2020

At the moment Google probably has marked the download as safe because it has been downloaded multiple times.

In the future, if Chrome is blocking the download with only a discard option, you can go to the "Downloads" page of Chrome and there should be an option to keep the download.