I downloaded an image from iCloud, which ends up as a zip file containing a JPEG file and a MOV file. This is because the iPhone takes a motion image (MOV) over a brief interval of time, and then generates a JPEG still image.
Firefox complained that the file contained malware, which required me to explicitly allow the download. I then scanned it with with Windows Defender. All seems fine.
This seems to be due to some weird interaction between Firefox and Windows Defender. How is it possible for Firefox to get triggered by the download when the AV says it's fine?
After allowing the download, further picture downloads don't trigger the warning. From the Firefox download history, the message is "This file contains a virus or malware -- iCloud-content.com".
A further search reveals this. Firefox checks the site but not the content. It defers to "Google’s Safe Browsing service [to see] if the software is safe by sending it some of the download’s metadata."
Furthermore: "Windows users: This online check will only be performed in Firefox on Windows for those downloaded files that don’t have a known good publisher. Most of the common and safe software for Windows is signed, and so this final check won’t always need to happen."
Since I'm not downloading software, Google’s Safe Browsing service isn't being used (according to the above). Furthermore, iCloud is a very well established site. So it's unclear why Firefox is being triggered.
P.S. I'd like to suggest that even though the root cause seems to be pointing toward Firefox, this is only with investigative digging. When someone encounters this, it isn't clear what the cause is, and naive first guesses might place the cause as an interaction between Firefox and Windows Defender. Therefore, I'd like to propose not closing this so that people running into this problem can find this and see where the problem really lies. Or at least, where it is likely to lie -- Firefox is just a guess and it is still possible that Windows plays into this, even if that is seeming to be less likely at the time of writing this "P.S.".
