Unattended Browser Communicating More than Expected
FireFox 23.0 is communicating over the Internet while my computer is unattended and the browser is open to just one ordinary Web site (a single satellite image from http://www.ssec.wisc.edu). The following data come from the LAN Connection Status on my XP SP3 computer with the assumption that one "packet" = 1500 bytes:
Overall data rates are about 3.23 MB/hr up and 4.58 MB/hr down (averaged over 2 hr 17 min) with Firefox open. With Firefox closed I'm showing only about 0.12 MB/hr up and 0.050 MB/hr down (averaged over 4 hr 22 min), which I presume can be attributed to Windows.
Question: Is this level of "chatter" reasonable, given FireFox's desire to update itself, it's databases, and its plugins (I have read https://support.mozilla.org/en-US/kb/how-stop-firefox-automatically-making-connections?esab=a&s=automatic+reload&r=3&as=s; no live bookmarks, newsfeeds, etc. are set up), or is this in itself a cause for concern? I have no other obvious symptoms of infection. The above data result solely from my own curiosity about how much bandwidth I was using.
All Replies (11)
The most likely cause would be the anti-malware and anti-phishing databases. As I recall, they get updated approximately every 20 minutes. Double-check by examining which servers Firefox is contacting. If you can't do that using your firewall, use TCPView.
Sounds plausible about the FireFox databases reloading, but I have two questions:
1) I don't have the patience to gaze at the screen for 20 min. or more waiting for an update, and I can't seem to get TCPView to "integrate" long enough that I can walk away and come back to find the byte counts exchanged. (5 sec seems the longest integration time.) Am I missing a log file or something that stores this information?
2) I normally run FireFox inside of a SandBoxie sandbox, so most stuff that gets changed during a session is lost when I close the browser. Is that a problem for these database updates, or are they updated also each time FireFox starts? If not, is there some way to have them saved outside the sandbox? (I've already set that up from a cookbook for changes to the bookmarks and a couple of other things...)
Thanks again for your help!
Diubah
OK, Thanks. I have a log. Now I just have to learn how to read and make sense out of it! Any suggested references? --JCW2
I haven't seen one of these log files but usually each HTTP request starts with GET followed by a space. If you use the find feature of your text editor can you skip through the piles of data finding the individual requests that way?
Edit: Just a note that PSPad (for Windows) has a handy Copy button in its find dialog. If you click Copy rather than Find, it copies all matching lines to a new document. Other text editors may have a similar feature.
Diubah
More Log-File Interpretation Help Needed:
>>...usually each HTTP request starts with GET followed by a space.<<
Thanks for the elementary HTTP lesson to get me started. I certainly have not become an expert, but I have searched the log file that I created by following instructions in "https://developer.mozilla.org/en/HTTP_Logging" for the problem described in my original post. Starting after my home Web page had finished loading (as indicated, I think, by the line, "Lookup completed for host [home page]."), I copied all unique URLs in the "Host: URL" lines that come immediately after the key commands, "GET" and "POST" ("PUT does not appear in the log file). I also searched for additional occurrences of the line, "Lookup completed for host [URL]." Here's what I found:
"POST" commands to:
safebrowsing.clients.google.com
"GET" commands to:
apis.google.com (many)
www.higherspeed.net (my ISP and home page)
ssl.gstatic.com (very many!)
easylist-downloads.adblockplus.org (one of my FireFox add-ons)
"Lookup completed for host [URL].":
easylist-downloads.adblockplus.org (one of my FireFox add-ons)
I forgot to mention that, over the hour and a half that it took to make this approximately 34 MB log file, there was a burst of logging activity almost every second, even though the browser was operating unattended. (A similar log file that lasted only the minute or two that it took for FireFox to boot up and load the home page was only about 5 MB.) I haven't attempted to figure out how frequently the largest bursts were...
Now a few specific questions:
1) Do these command and site combinations represent activity that FireFox (or its add-ons) would legitimately visit during an unattended session? (My add-on extensions are Addblock Plus, BetterPrivacy, LinkExtend, Microsoft .NET Framework Assistant, NoScript, NoSquint, and WOT.)
2) If this activity is just updating FireFox databases (as suggested by the first respondent to my OP), why is the number of bytes uploaded almost as large as that downloaded?
3) Is there a convenient way of determining how large are the blocks of data that were uploaded/downloaded by the various GET and POST commands? (Is this worth the effort?)
Again, the main purpose of this investigation is neither to understand what FireFox is doing unattended, nor to reduce the volume of this "chatter" (I found document listed in the OP explaining how to reduce the legitimate FireFox communications, but I have not followed it up), but to make re-assure myself that all of this unattended chatter is not an indication of some malware infection. (I have done scans with various tools including MalwareBytes and MSE - my resident antivirus software -- and found no infections.)
Any further help on this issue would be greatly appreciated! -- JCW2
Diubah
Just a few notes:
Safebrowsing is Google's service to download a list of phishing sites. This is a built-in feature of Firefox.
OCSP is the protocol used to check on whether an SSL certificate is still valid.
It looks like Web Security Guard is related to the LinkExtend extension.
Gingerbread_Man -- I've added a lot of information to this thread since you weighed in. If you're still there, can you suggest a better resource for addressing my questions?
What I still want to know is whether any of FireFox's **voluminous** self-initiated Internet communication is pernicious -- see data rates in the OP. It's particularly worrisome that the upstream traffic is almost as great as the downstream, which doesn't sound like simply updating databases to me.
I'm not getting very far with the suggestions posted here, and I don't really have a day or two to spend turning add-ons on and off in an experiment to determine which one(s), if any, are the source of these communications. Even if I did location the source(s), I would then still not know whether or not they constituted a threat...
Thanks in advance for any further assistance. -- JCW2
JCW2 wrote:
I don't really have a day or two to spend turning add-ons on and off in an experiment to determine which one(s), if any, are the source of these communications.
Your initial complaint was about excessive traffic in the space of 2 hours, not days. I suggest disabling LinkExtend and WOT, restarting Firefox, then checking to see if there's a difference in the amount of traffic.
LinkExtend is marked as "preliminarily reviewed" although the latest version dates back to December 12, 2011. This means the add-on likely has bugs that haven't been resolved, so it's not marked as fully reviewed.
WOT will by design create additional traffic every time you visit a website.
JCW2 wrote:
[...] re-assure myself that all of this unattended chatter is not an indication of some malware infection.
I didn't spot any malicious destinations in the list you posted. I find Web Security Guard dubious, because it's an ad-supported security product published by a toolbar maker. But websecurityguard.com is being contacted because of the LinkExtend add-on that you installed, so it appears to be legitimate traffic.
JCW2 wrote:
apis.google.com (many)
You're bound to see connections to this domain when visiting most sites. Among other things, it hosts the jQuery JavaScript library.
JCW2 wrote:
ssl.gstatic.com (very many!)
Another Google-owned domain hosting things like scripts, stylesheets and images.
You should also double-check your cache settings:
1. Under Options - Advanced - Network, make sure "Override automatic cache management" is not checked.
2. In the address bar, type about:config and press Enter.
3. Press the big button to bypass the warning.
4. In the search field, paste browser.cache.check_doc_frequency
5. In the search results, if browser.cache.check_doc_frequency appears in bold text, right-click it and choose Reset.
Gingerbread_Man -- Thanks for the VERY helpful reply. I can live without LinkExtend; and from what you say, I probably should since WOT covers many of the same threats.
I ran relatively short byte counts with and without LinkExtend and WOT enabled for about 1 hr 40 min each. The conditions of the test were daytime (Microsoft should not be pushing down updates for MSE, etc.), Firefox running inside SandBoxie and open to this page only, computer unattended with nothing else except Windows Explorer explicitly open. On the assumption that 1 "packet" (as reported by Windows XP SP3) equals 1500 bytes, here are the paradoxical results:
Direction: Sent Received
Enabled 1.19 MB/hr 1.47 MB/hr
Disabled 4.87 MB/hr 7.03 MB/hr
I suppose this paradox is due to insufficient integration time (running such tests for several hours creates conflicts for me during daytime), but these results clearly indicate that something else FireFox is doing is generating most of the chatter.
I also checked "browser.cache.check_doc_frequency," and it's set to the (apparently default) value of 3.
Since you aren't seeing anything suspicious in my transcription of contacted URLs, I guess I should just put this issue to bed. Do you agree? -- JCW2
Diubah
You could consider running something like the Fiddler proxy to record all the HTTP traffic. I typically use it only to study a problem with one page, so I don't haven't studied how to filter down large volumes of requests into a useful list... http://fiddler2.com/