New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 498136 link

Starred by 12 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Sep 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

File "not commonly downloaded and could be dangerous"; was working a few days ago

Reported by phpla...@gmail.com, Jun 9 2015

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Create a (CA signed) Windows signed executable and serve it over the web from a HTTPS secure domain. No file redirects take place, the download is streamed to the browser.

2. Notice the download completes but reports "... is not commonly downloaded and could be dangerous"

What is the expected behavior?
We were not triggering this behavior before (eg a few days/week ago).

Our website issues self-signed Windowss based installer .exe executables to a small group of people.

The download will certainly be uncommon because its only issued to a few select people, it is not a large scale download.

The download is not malicious and has a CA-issued certificate signature using codesign on Windows.

What went wrong?
Chrome started reporting this file is uncommon and "could be dangerous", incorrectly alarming our users.

Did this work before? Yes At least a few weeks ago when we last tested it. It has been working for months without issue.

Chrome version: 43.0.2357.81  Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 17.0 r0

Interested in having this regression resolved as it causes alarm to our users and we have to explain its not our fault.
 
I'm also wondering about this problem with my file download.
Labels: -Cr-Internals-Network Cr-UI-Browser-SafeBrowsing

Comment 3 Deleted

Comment 4 Deleted

Comment 5 Deleted

If Google Safe Browsing hasn't seen a particular binary before, or if it's very new, Chrome will warn that it may be dangerous. In these cases the warnings are lifted automatically if the content was verified to be benign after scanning.

If you are having issues, please post the domain(s) on which you’re currently experiencing the problem.
We too are being unnecessarily affected by the "not commonly downloaded and could be dangerous" warning.

We serve .zip files containing home plans/models read by our software. The zips contain no executable files, only these file types: .txt, .jpg, .png, .zip, and .plan (our home plan document file type).

Perhaps the only noteworthy thing about these zips is that they each contain a second zip file, but which only contains images.

We're seeing this on most of the .zip links on this page:
https://www.homedesignersoftware.com/samples.html#sample-plans

For example:
https://d37kxq42vikeaj.cloudfront.net/1/downloads/plans/hillside-contemporary.zip

The Chromium behavior is quite aggressive, and these zips are false positives.

Confirmed with Chrome 44.0.2403.157 m on Windows 8.1.

Confirmed also with 46.0.2486.0 dev-m (64-bit)
Cc: heinichen@chromium.org

Comment 10 by Deleted ...@, Aug 25 2015

I was able to reproduce this issue by creating a basic zip file with another basic zip file in it. This mirrors the issue as we were seeing in production, where we combine zip files of CSV files in one big zip file.

echo "Test" >> test.txt
zip test.zip test.txt
echo "Bacon" >> bacon.txt
zip bacon.zip bacon.txt test.zip

Chrome Version 44.0.2403.157 m

Response Headers
Accept-Ranges:bytes
Connection:Keep-Alive
Content-Length:489
Content-Type:application/zip
Date:Tue, 25 Aug 2015 18:10:55 GMT
ETag:"1e9-51e2671db617d"
Keep-Alive:timeout=15, max=100
Last-Modified:Tue, 25 Aug 2015 17:55:51 GMT
Server:Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11
bacon.zip
489 bytes Download
Cc: kkitajima@chromium.org
We're starting to see more users on the Chrome help forum also coming to us about the same issue as of lately. Here are some examples:

https://productforums.google.com/forum/#!topic/chrome/iZSVb932lkg
https://productforums.google.com/forum/#!category-topic/chrome/_AD-F0k6pno

Comment 12 by Deleted ...@, Sep 8 2015

I was directed to this bug from the Chrome Help Forum. The issue I logged there was locked and flagged as a duplicate so I will assume that is the case for now. Here's the wording from my logged issue: "I have found that MHTML downloads from my private website are being blocked in Chrome and show a message indicating that "[filename] may harm your browsing experience and has been blocked". The exact same file can be downloaded from Google Drive without issue. I have traced this behavior to a SafeBrowsing API call (https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw) from Chrome that gets a very different response when Google Drive is used versus my private website. Unfortunately, I am unable to submit a Request for Review of my website (as suggested by the Chrome documentation) because my private website does not have any security issues flagged in Google Search Console. So, what do I need to do to stop my private website being flagged in this manner when downloading MHTML files? This issue is currently blocking legitimate use of a line-of-business application in Production."
marketing@rdmcorp.com, if you're willing to do so, please share the domain which is hosting the files on which you're seeing the warnings.
Status: Started

Comment 15 by Deleted ...@, Sep 8 2015

I can email you that information but cannot share here. Will that work?
I have seen this issue on windows when a .zip to be downloaded again contains .zip file. Easily reproduceable on Version 44.0.2403.155 m  windows platform. The warning will prevent users from download. Is there any workaround?
You can email the domain on which the file is hosted to zbutler@chromium.org if you do not want to post it here.

We only need to know the domain on which you're seeing the issue (e.g., 'example.com'); please do not include further personal information.

vrinda.n.h, you can similarly let us know the domain where you're seeing problems if you're willing to do so.
Status: Fixed
The domain in question is no longer showing Safe Browsing warnings as of 09/11/2015.

For the most up-to-date information regarding malware and unwanted software evaluations and appeals for this website, please refer to the Search Console.
I can confirm that the update has fixed our issue with the download of MHTML files from our systems.

Comment 20 by Deleted ...@, Sep 16 2015

The mentioned alert about file download blocked by Chrome is shown for Sharp IMG Viewer setup file available from URLs:
http://sites.google.com/site/sharpimg/viewer/SharpImgWixSetup.msi
http://sharpimg-viewer.appspot.com/files/SharpImgWixSetup.msi
http://dl.dropboxusercontent.com/u/89553906/SharpImgWixSetup.msi
ftp://ftp.drivehq.com/MikeGratsas/files/SharpImgWixSetup.msi
There are no any warnings in Search Console for site http://sharpimg-viewer.appspot.com. Could you clear how to fix this issue?
Hello MGratsas:

Google has detected malware or unwanted software on one or more downloads from http://sharpimg-viewer.appspot.com/. A download that is malicious [https://support.google.com/webmasters/answer/163633?hl=en] or violates our unwanted software policy [https://www.google.com/about/company/unwanted-software-policy.html] will show a warning to users either visiting or downloading content from this site. Below is an example of an URL that Google Safe Browsing identified to be violating our unwanted software policy:
http://sharpimg-viewer.appspot.com/files/SharpImgWixSetup.msi

For more detail on how you could modify your software to make it compliant, please review our malware and unwanted software help center article [https://support.google.com/webmasters/answer/3258249?hl=en].

Keep in mind that if software is offered as part of a bundle, all programs included in the bundle must follow our Malware and Unwanted Software policies too.

If there is flagged software on your site that you would like to be re-reviewed, please file an appeal [https://support.google.com/webmasters/answer/168328] in Search Console. For additional guidance, please refer to our malware and hacked sites web forums [https://productforums.google.com/forum/#!topicsearchin/webmasters/category$3Amalware--hacked-sites%7Csort:relevance%7Cspell:false]. For more information on Google Safe Browsing, please see our Safe Browsing Transparency Report [https://www.google.com/transparencyreport/safebrowsing/faq/?hl=en].

Thanks you.

Comment 22 by Deleted ...@, Sep 18 2015

It should be noted your presented hyperlinks can not indicate any concrete reason why Google decided to mark the mentioned setup file as malware. Please answer where and how I could determine the exact reason?
Below is a part of the policy that is relevant to a violation that our system found:

> "When accessing Google services or products, software must use and adhere to the terms of publicly-available Google APIs for interacting with the user’s system or any program installed. In addition, software must comply with any other applicable Google policies."

For more detail on how you could modify your software to make it compliant, please review  this detail from our malware and unwanted software help center article [https://support.google.com/webmasters/answer/3258249?hl=en]:

> “Use an extension or browser add-on to change browser functionality, rather than causing browser behavior change via other programmatic means. For example, your program should not use DLLs (dynamically linked libraries) to inject ads in the browser, should not deploy proxies that intercept traffic, should not use a Layered Service Provider to intercept user actions, or insert new UI into every web page by patching the Chrome binary.”

The violation detailed above is an example of the primary policy violation found by our systems. This notice may not cover every violation that was found, and it may not be a comprehensive list of malware and unwanted software showing alerts from your website.

I advise you to keep in mind that if software is offered as part of a bundle, all programs included in the bundle must follow our Malware and Unwanted Software policies too.

Comment 24 by Deleted ...@, Sep 24 2015

Hi there! Chrome recently (~last friday) started to warn our users about files downloaded from us as "uncommonly downloaded" and hence "potentially dangerous".

We don't understand why Google would flag those files as potentially dangerous. We're a marketplace selling digital goods, and most of the warnings seem to be about Wordpress themes (i.e. no executables, except for php and frontend js files...) All our files are reviewed and malware is not tolerated.

They're also private downloads, with access limited to the buyer. We achieve that by making our download links signed S3 URLs with an expiration time. Could that be the reason?

Those files are hosted on Amazon S3 so the domain is s3.amazonaws.com (a pretty common one to say the least), but users are redirected to that URL from a variety of domains (e.g. themeforest.net, codecanyon.net ... - we have 8 marketplaces all using that mechanism, see http://market.envato.com/)

Comment 25 by Deleted ...@, Oct 1 2015

Hey there, any news on this issue?

We're still getting the warning for our files (zips with php and js code) hosted on s3.amazonaws.com, despite their being very much malware-free.

Is this the right place to report this or is there any other point of contact at Google to discuss the issue?

Comment 26 by vie...@gmail.com, Oct 20 2015

I envounter the same problem with this file: http://assets.audyx.com/noah/production/audyx_module_setup.exe

It really hurts my customers.
Please help
My problem seems to have gone away. Recent tests on different machines have not shown any error. I do have a code signing certificate attached, and the file has been downloaded at least 200x, so I don’t know what caused it to go away.  It has been very frustrating though.
Hi Viebel --

I do not see warnings on the assets.audyx.com file any more.

@emmanuel.joubaud - are you still experiencing this issue? If so, please post the URLs of the files here or email them to heinichen@chromium.org.
Hi Viebel --

I do not see warnings on the assets.audyx.com file any more.

@emmanuel.joubaud - are you still experiencing this issue? If so, please post the URLs of the files here or email them to heinichen@chromium.org.

Comment 30 by Deleted ...@, Oct 21 2015

Hi Heinic,

The issue eventually self-resolved around september 30th, without further action on our end. We don't know what resolved it. Our best guess so far is that the Google Safe Browsing API eventually tuned down the sensitivity setting/feature that was causing the false positives, but it's just a wild guess.

Any hints about what happened or what we can do about it if it occurs again?

Cheers
These warnings are not false positives - they are warnings that Google displays on downloads that are new or not commonly downloaded. Once Google has verified the file to be benign, the warnings will go away.

Comment 32 by vie...@gmail.com, Oct 21 2015

heinic,

I'm wondering what will happen with next versions of the executable http://assets.audyx.com/noah/production/audyx_module_setup.exe:

Will there be a warning until there are enough downloads or not?

I hope that no and that all the next versions will be considered as safe by Chrome.

Could you please confirm?

Hi viebel --

If there is a different version of the software, it could also possibly display the new download warnings (which is working as intended), until it is verified to be benign. If there are issues with this, post the file here.
Hi Guys

I posted recently that I was having this warning problem, but it went away.

I have now renamed the distributed file (same contents) and experimented with it, and am getting no warnings.

The file does however have the same code signing certificate attached.

I am however not quite sure what to conclude from the above, but all is working fine.

Kim

Comment 35 by vie...@gmail.com, Oct 23 2015

Thanks heinic,

What would be the best way to require the new version of the file to be verified?
Posts here are not always answered very quickly...

Comment 36 Deleted

@FollowThWhiteRabbit - I'm unable to replicate the issue - are you still seeing it? What do you mean by "lock" - what warnings are you seeing?
Hi Heinic, thank you very much for your answer.

Just now if I try to download the file with Google Chrome (Windows), the download starts and as soon at it finishes I get the following message "this file is uncommon and could be dangerous". This did not happened 10 days ago. 

I am using Google Chrome 46.0.2490.86 (Build oficial) m (32 bits)

We tried several things like upload a prior version (which never had problems) or moving the file to other company domains. We get allways the same message.


Comment 39 Deleted

Problem was solved with new Chrome version. Thanks Heinic!

Comment 41 Deleted

I am using the last version 47.0.2526.106 m and suddenly these warnings are displayed when a user download my software (exe or msi files). 

My site is HTTPS secured and all files exe, msi,... are signed with SHA256 CodeSigning certificate (DigiCert).  

Fix this please!


@yaekontable -

Please request a review via the Search Console. For more details, see this Help article: https://support.google.com/webmasters/answer/168328?hl=en
@Heinic:

I can't open a review because my site is clean and no warnings security.

My site and files are clean. The files are signed with Code Signing certificate. But now I have seen that the files (exe and msi) signed with my previous certificate (2014-2015) no display these warnings. The warnings are displayed with files signed with my last certificate.

Chrome may not recognize the signature?

## Certificate 2015-2016:

CN = DigiCert SHA2 Assured ID Code Signing CA
OU = www.digicert.com
O = DigiCert Inc
C = US
Algoritm: sha256RSA

RESULT: download warnings

## Certificate 2014-2015:

CN = DigiCert Assured ID Code Signing CA-1
OU = www.digicert.com
O = DigiCert Inc
C = US
Algoritm: sha1RSA

RESULT: NO download warning





Comment 45 Deleted

Hi yaekontable - can you send me links to the files to heinichen@chromium.org?

Thanks.
Hello heinic:

today the warnings have disappeared. Before I sent back the sitemap of my website through Google Webmaster Tools. I do not know if this has influenced...
I am having this Set.upzip is not commonly downloaded ..... Problem too, can it be fixed?
Hi all

I have been having the same issue for a few months, it was fine and then all of a sudden chrome started to flag everything as potentially dangerous.

My company produces software to print on to labels, the software is completely designed by us and contains no malware or viruses.  We check this regularly and religiously.

this site in question is www.planglowcloud.com/software  and the file in question is http://planglowcloud.com/software/LabelLogic%206.0.74.exe

Any help would be greatly appreciated.

Hello @Heinic

I’m adding this post because I seem to be having very similar issues to the other reports here.

Some reports indicate that their issues have gone away after a time, presumed solved with some sort of scan where Google has verified the website contents.

I have not seen anywhere a definitive reason that some downloads are marked potentially dangerous and some have not…. Which is frustrating !

In my particular case, we have a number of subscriber downloads from a https website that requires the customer to login.

The downloads are from 1 week through to up to 4 years old. Several months ago some of the downloads started to be marked with the dreaded  File "not commonly downloaded and could be dangerous".

Gradually all downloads now have the same treatment.

The particular downloads that are marked potentially dangerous:-

•	Downloads are zip files containing msi and/or exe
•	The exe and msi’s are signed to latest standards

During testing we have tried many things to address this issue. The most interesting findings are :-

•	Zip files containing exe or msi whether signed, unsigned or whatever generate a warning
•	Zip files containing text only do not warn
•	Downloading the above msi or exe unzipped do NOT warn
•	Double zipping exe, msi files do not warn.

We even did the following test

1.	Downloaded an exe from Microsoft site (SHA1 signed). No warning from Chrome
2.	Upload to our test site. Downloads fine without warning.
3.	Zipped same file to test site. Generates warning when downloaded.

Note that Google Webmaster Tools report that there are no known issues with the site and that there has been scanning activity regularly.

So my questions are 

1.	Exactly what is the criteria that Google Chrome uses to mark a particular download as “uncommon and potentially dangerous”. Only seems to affect zipped files.
2.	How is this remedied/reported ? There is no option to request a scan ? The site/downloads seem to have been scanned continuously. How do I check?
3.	The site requires a login to access the downloads. Is this affecting the ability to scan the downloads ? 
4.	There seem to be scant specific information/recommendations on this process/issue which is frankly unacceptable and this is affecting peoples business and reputation.

I’d appreciate a response to this problem

Thanks

Hi all --

@pienewman - I am unable to reproduce the issue. It appears to be resolved. Are you still experiencing this issue?

@p.stratton - Could you please provide the URL in question, or an email address at which you can be contacted?

Comment 52 Deleted

Hello @Heinic
I send you several links demonstrating the issue with zip download.
Did you get a chance to test ?

Thanks
Paul
@Heinic

Any feedback on this issue ?
@Heinic

Are you able to respond to my previous posts ?
We have also had this problem for over a year now.
If you download any of our four product installation files from https://www.cogneticsystems.com/download/index.html, you will get the dreaded 
"...exe is not commonly downloaded and could be dangerous" message. There are no errors reported for our site on the Google search console.  

The Nsis installer and Linux zipped files are not signed, since the products of many small companies and open source projects are often not signed and can be downloaded on Google Chrome without getting the "could be dangerous" error message.  

On February 13th I added links to the four download program files to our site’s sitemap so that the Google crawler could find them and hopefully classify them as being safe.

Any help in resolving this issue would be appreciated.  I will mail you the four problem links if you can send me an email address.

Thanks

@Heinic, or anyone from Google !!!.... Is this forum still being monitored ?
Your customers are still experiencing this issue but there are no responses.

Has this bug tracking migrated to "Monorail" already ? If so I think this needs to be made clear. I don't see anything on Monorail relating to this issue

I also raised  Issue 585830  on this forum, but again, no responses!

I'll try and raise this direct on Monorail as this is still a problem for us and we seem to be getting nowhere !


Well somehow this seems resolved now. Although I have had no update from Google to explain why the issue in the first place, or what the resolution was .... most frustrating !

Comment 59 by st...@stevelamb.io, Mar 31 2016

I started seeing this same issue last week, on a download that has been working for months without the warning. 

URL: https://getscribeware.com/download
Signed by digitcert
Verified virus/malware free by virustotal.com
Site is in Webmaster Tools, no security issues listed.

Any suggestions?



Once an exe has been downloaded enough times, it will get scanned+verified and will no longer be classified as "uncommon." So it may have been a new version at the time.
I am not sure why this bug is marked as closed. I have a few files on my commercial web site and very few people have access to those after paying monthly fee to use them. 

Every time someone is trying to access those files they are being warned that this file is uncommon and possibly dangerous (?!). 

How come you people decided that have the power to ruin other people business models?  My files are properly signed and I payed personally ~ 500$ for this but it is not enough for you...obviously. I need to have 1000 downloads per day:) Well I will never have this downloads, does this mean I will be always bugged with this stupid warning? 
Hello I have been flagged by Google about Malware, uncommon downloads. I have ran multiple malware scans using 4 different Malware Scan Plugins and nothing comes up. My Hosting company checked my site and didn't find anything. I am not sure what is going on...please help
Owner: heinichen@chromium.org
Please refer to our Help Center https://support.google.com/webmasters/answer/3258249 -- see "Uncommonly Downloaded" warning section at the bottom.

Thanks!

Sign in to add a comment