Using the ClamAV daemon to scan files placed in my Downloads directory in Gentoo Linux

In a previous post I explained how to automatically detect files placed in my Downloads directory in Linux and scan them for viruses. The method I described in that post used clamscan, the command-line anti-virus scanner of ClamAV. Now, in addition ClamAV has a daemon (a program that runs continuously in the background), clamdscan, that you can enable. So I decided to switch to using clamdscan, as its response to downloaded files is much faster because the process waiting for new files to appear in ~/Downloads/ does not have to load clamscan from disk each time a new file arrives. Anyway, if you want to monitor a download directory in Gentoo Linux (running OpenRC) by using the ClamAV daemon — which will also download virus signature database updates automatically — then the procedure to set this up is given below.

1. Install clamav if it is not installed already:

root # emerge clamav

2. Add the service to the default runlevel:

root # rc-update add clamd default

The daemon will be launched automatically next time the computer boots.

3. The first download of the virus database has to be done manually:

root # freshclam

4. Start the daemon now:

root # rc-service clamd start

5. Create the Bash script ~/monitorDownloadsGUI with the following contents:



# Get rid of old log file, if any
rm $HOME/virus-scan.log 2> /dev/null

IFS=$(echo -en "\n\b")

# Optionally, you can use shopt to avoid creating two processes due to the pipe
shopt -s lastpipe
inotifywait --quiet --monitor --event close_write,moved_to --recursive --format '%w%f' $DIR | while read FILE
# Added '--recursive' so that a directory copied into $DIR also triggers clamscan/clamdscan, although downloads
# from the Web would just be files, not directories.
     # Have to check file length is nonzero otherwise commands may be repeated
     if [ -s $FILE ]; then
          # Replace 'date >' with 'date >>' if you want to keep log file entries for previous scans.
          date > $HOME/virus-scan.log
          clamdscan --move=$HOME/virus-quarantine $FILE >> $HOME/virus-scan.log
          kdialog --title "Virus scan of $FILE" --msgbox "$(cat $HOME/virus-scan.log)"

Make it executable:

user $ chmod +x ~/monitorDownloadsGUI

6. Create the directory ~/virus-quarantine/ to store infected files pending investigation/deletion:

user $ mkdir ~/virus-quarantine

7. Install kdialog if it is not already installed:

root # emerge kdialog

8. Use ‘System Settings’ > ‘Startup and Shutdown’ > ‘Autostart’ to add the script ~/monitorDownloadsGUI to the list of script files that are automatically started each time you log in to KDE.

9. Log out then back in again, and you should see that everything is running as expected:

user $ rc-status | grep clam
 clamd                                                             [  started  ]

user $ ps -ef | grep clam | grep -v grep
clamav    1920     1  0 01:48 ?        00:00:00 /usr/sbin/clamd
clamav    1929     1  0 01:48 ?        00:00:00 /usr/bin/freshclam -d

user $ ps -ef | grep GUI | grep -v grep
fitzcarraldo      9143  8971  0 13:56 ?        00:00:00 /bin/bash /home/fitzcarraldo/.config/autostart-scripts/

10. To test, surf to and download one of the EICAR test files into your ~/Downloads/ directory. You should see a pop-up KDialog window with a message similar to the following:

Virus scan of /home/fitzcarraldo/Downloads/ — KDialog

Mon 27 Feb 14:05:26 GMT 2017
/home/fitzcarraldo/Downloads/ Eicar-Test-Signature FOUND
/home/fitzcarraldo/Downloads/ moved to ‘/home/fitzcarraldo/virus-quarantine/’

———– SCAN SUMMARY ———–
Infected files: 1
Time: 0.001 sec (0 m 0 s)

Note that the above-mentioned pop-up window may be preceded by one or more pop-up windows with an error message. I’m using the Chrome browser at the moment, but you may get a similar message if you are using another browser. Here is an example:

Virus scan of /home/fitzcarraldo/Downloads/ — KDialog ?

Mon 27 Feb 14:16:30 GMT 2017
/home/fitzcarraldo/Downloads/ Access denied. ERROR

———– SCAN SUMMARY ———–
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)

Read the error message and click ‘OK’, as this is not an actual problem; it is inotifywait detecting temporary files in the ~/Downloads/ directory during the download process. With larger files sometimes several such messages are displayed, presumably because the file being downloaded is being opened and closed more than once during the downloading process. This issue does not occur if you copy or move a file into ~/Downloads/ from another directory in your installation; try it and see for yourself. Then you only get the one pop-up window with the scan result for the file you put in ~/Downloads/.

Also have a look in ~/virus-quarantine/ and you will see the EICAR test file in that directory. You can delete it if you want (it is not infected with a real virus, so does no harm).

In future be sure to read the messages in the pop-up windows before clicking ‘OK’, as they will inform you that an infected file has been moved to the quarantine directory.

That’s all there is to it. Very simple, and quite handy if you want to check quickly that files you download don’t have a malware payload. Just make sure you download all files into ~/Downloads/ or they will not be checked automatically. Also, if you are given e.g. a USB pen drive with a file on it, you can copy the file to ~/Downloads/ if you want it to be scanned for malware.

After updating Firefox for Linux, the folder icons in the bookmarks menu disappeared

Only a short post this time, but this problem has been annoying me for a few weeks. I use KDE 4.14 (kde-meta-4.14.3-r1) in Gentoo Linux on my main laptop, and recently upgraded Firefox to Version 46.0. The folder icons in Firefox’s bookmarks menu were no longer visible, although favicons were still visible in the bookmarks menu. The 2011 mozillaZine Forums thread After updating- ff4 bookmark folder icons disappeared [Linux] steered me in the right direction: I checked KDE 4’s ‘System Settings’ > ‘Application Appearance’ > ‘GTK’ and found that ‘Show icons in GTK menus’ was not ticked. I ticked this and clicked on ‘Apply’, and the problem was solved.

Automatically detecting files placed in my Downloads directory in Gentoo Linux and scanning them for viruses

I have been using Linux for almost a decade and have never been unduly concerned about viruses on my machines running Linux. However, I do receive files from people who use Windows and Mac OS, and some of those files might contain Windows or Mac OS viruses, so, as a matter of courtesy and assistance to others, it would make some sense to scan those files before passing them on. Furthermore, as I use some Windows applications under WINE, it would also make sense to scan received files for Windows viruses if I am going to use those files with a Windows application running under WINE.

External files could get into my Gentoo Linux installations via pen drives, memory cards, optical discs, e-mails, my Dropbox directory and downloads from Web sites. In this post I am going to concentrate on the last of these. All the various e-mail account providers I use already scan e-mails for viruses on their e-mail servers before I even download e-mail into the e-mail client on my laptop (standard practice these days), so e-mail is not a particular worry.

I have had ClamAV and its GUI, ClamTk, installed for a long time. Whilst ClamTk can be used to schedule a daily update of virus signatures and a daily scan of one’s home directory by ClamAV, I normally run ClamTk and ClamAV ad hoc. However, I can see some benefit in launching ClamAV automatically when I download a file from the Internet, so I decided to do the following …

Automatically scan a file downloaded via a Web browser

I use Firefox to browse the Web, and had configured it to download files to the directory /home/fitzcarraldo/Downloads/. I decided to monitor automatically the Downloads directory for the addition of any file. As I use the ext4 file system, the method I opted to use is inotify, specifically the inotifywait command which is available once you install the package sys-fs/inotify-tools.

It is surprisingly easy to create a shell script to detect files downloaded into a directory. The following script, running continuously in a terminal, would detect any files created in my /home/fitzcarraldo/Downloads directory, scan the new files with ClamAV and display a report in the terminal window:



inotifywait -q -m -e create --format '%w%f' $DIR | while read FILE
     echo "File $FILE has been detected. Scanning it for viruses now ..."
     clamscan $FILE

A usable script would need to be a bit more sophisticated than the one shown above, because an existing file in the directory could be overwritten by one with the same name, or opened and amended. Furthermore, the script above would need a permanently open terminal window. Therefore I created a script to run in the background and use a GUI dialogue tool to pop up a window with the virus scanner’s report when the script detects a new or changed file in the Downloads directory. As this laptop has KDE 4 installed I opted to use KDialog to display the pop-up window, but I could instead have used Zenity. The final script is shown below.



# Get rid of old log file
rm $HOME/virus-scan.log 2> /dev/null

inotifywait -q -m -e close_write,moved_to --format '%w%f' $DIR | while read FILE
     # Have to check file length is nonzero otherwise commands may be repeated
     if [ -s $FILE ]; then
          date > $HOME/virus-scan.log
          clamscan $FILE >> $HOME/virus-scan.log
          kdialog --title "Virus scan of $FILE" --msgbox "$(cat $HOME/virus-scan.log)"

Now when I download a file in Firefox, a window pops up, displaying a message similar to the following:

Virus scan of /home/fitzcarraldo/Downloads/ – KDialog

Fri 19 Feb 23:42:02 GMT 2016
/home/fitzcarraldo/Downloads/ Eicar-Test-Signature FOUND

———– SCAN SUMMARY ———–
Known viruses: 4259980
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 4.595 sec (0 m 4 s)

Notice in the above message that ClamAV detected a virus in a file that I downloaded from the European Expert Group for IT Security Web site (originally ‘European Institute for Computer Antivirus Research’). In fact the executable does not contain a real virus; it was designed to contain a known signature that virus scanner creators and users can use in checking anti-virus software. You can find out more about the virus test files on the EICAR Web site.

Of course, if I use applications other than Firefox to download files, I need to make sure they download the files into the applicable directory so that the script can detect and scan the files:

fitzcarraldo@clevow230ss ~ $ cd Downloads/
fitzcarraldo@clevow230ss ~/Downloads $ youtube-dl -o Carnavalito.mp4 -f 18
ZDUL3w7zFD4: Downloading webpage
ZDUL3w7zFD4: Downloading video info webpage
ZDUL3w7zFD4: Extracting video information
ZDUL3w7zFD4: Downloading MPD manifest
[download] Destination: Carnavalito.mp4
[download] 100% of 16.61MiB in 00:05

So, now I have a shell script that pops up a window informing me whether or not any file I put in $HOME/Downloads/ contains a virus. But I would like the script to be launched automatically when I login to the Desktop Environment. Therefore, as I use KDE 4, I selected ‘System Settings’ > ‘Startup and Shutdown’ and, in the ‘Autostart’ pane, clicked on ‘Add Script…’ and entered the path to my shell script (I left ‘create as symlink’ ticked). Now, every time I use KDE, any file placed (automatically or manually) into $HOME/Downloads/ is scanned for viruses automatically and a window pops up giving the result.

As my laptop is not always connected to the Internet, I prefer to update the ClamAV virus signatures database manually, which I do either using the ClamTk GUI or via the command line using the freshclam command:

fitzcarraldo@clevow230ss ~ $ su
clevow230ss fitzcarraldo # freshclam
ClamAV update process started at Sat Feb 20 10:51:01 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.7 Recommended version: 0.99
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Downloading daily-21375.cdiff [100%]
Downloading daily-21376.cdiff [100%]
Downloading daily-21377.cdiff [100%]
Downloading daily-21378.cdiff [100%]
Downloading daily-21379.cdiff [100%]
Downloading daily-21380.cdiff [100%]
Downloading daily-21381.cdiff [100%]
Downloading daily-21382.cdiff [100%]
Downloading daily-21383.cdiff [100%]
Downloading daily-21384.cdiff [100%]
Downloading daily-21385.cdiff [100%]
Downloading daily-21386.cdiff [100%]
Downloading daily-21387.cdiff [100%]
Downloading daily-21388.cdiff [100%]
Downloading daily-21389.cdiff [100%]
Downloading daily-21390.cdiff [100%]
Downloading daily-21391.cdiff [100%]
daily.cld updated (version: 21391, sigs: 1850214, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
Database updated (4274486 signatures) from (IP:
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory

Using a Samsung Xpress C460FW with Gentoo Linux and Android KitKat for printing and scanning


A work colleague has just received a Samsung Xpress C460FW MFP (laser printer, scanner, copier and fax machine) for small print jobs. It is possible to connect to it via USB, Direct USB, wired network, wireless network, Wi-Fi Direct and NFC; that’s impressive for a MFP that can be purchased for GBP 270 in the UK.

I wanted to use the C460FW to print and scan from my laptop running Gentoo Linux, and also to print and scan from my Samsung Galaxy Note 4 running Android KiKat. It turned out that I was able to do all of those, and it was not difficult to set up.

A technician from the IT Support department had already entered a static IP address, subnet mask and default gateway IP address via the C460FW’s control panel to connect it to the office’s wired network. So my options to connect to this particular C460FW are: the wired network for Linux; Wi-Fi Direct for Linux and Android; NFC for Android.

I had never used Wi-Fi Direct before, but it turned out to be easy in Gentoo Linux on my laptop, and also easy in Android KitKat on my Samsung Galaxy Note 4. I had never used NFC before either, and that also turned out to be easy on my Samsung Galaxy Note 4.

Samsung has a series of videos on YouTube explaining how to use Wi-Fi Direct and NFC for printing, scanning and faxing with the C460FW from a Samsung smartphone; here are links to a few of them:

Samsung Smart Printing – 01 NFC Connect

Samsung Smart Printing – 02 Wi Fi Direct

Samsung Smart Printing – 03 Wi Fi

Samsung Smart Printing – 04 NFC Print

Samsung Smart Printing – 05 NFC Scan

Samsung Smart Printing – 06 NFC Fax

Samsung Smart Printing – 11 Samsung Mobile Print App(Printer Status)



Wired connection

I had installed the package net-print/samsung-unified-linux-driver Version 1.02 from a Portage local overlay back in March 2013 when I needed to print to a different model of Samsung MFP, so I thought I would see if that driver would work with the C460FW. I opened the CUPS Printer Manager in a browser window (http://localhost:631/) to configure my Gentoo installation to print to the device via the wired network. ‘Samsung C460 Series‘ was in the list of discovered network printers in the CUPS Printer Manager, and the driver ‘Samsung C460 Series PS‘ was displayed at the top of the list of models, so it was a piece of cake to set up the printer via CUPS, and I was able to print a test page in no time at all. My colleague uses a laptop running Windows 7, and he had to install the Windows driver from a Samsung CD that came with the C460FW.

Wireless connection

As the IT Support technician had configured the C460FW to print via the office wired network rather than the office wireless network, I decided to configure my laptop to print via Wi-Fi Direct, just to learn about Wi-Fi Direct, really. On the C460FW’s control panel I selected Network > Wireless > Wi-Fi Direct and enabled Wi-Fi Direct. Scrolling through the Wi-Fi Direct entries in the LCD I saw the following information:

Device Name: C460 Series
Network Key: <an 8-digit code>
IP address:

Two new networks were listed under ‘Available connections’ in plasma-nm (the KDE GUI front-end to NetworkManager) on my laptop: ‘DIRECT-HeC460 Series‘ and ‘DIRECT-SqC460 Series‘, both using WPA2-PSK encryption. I used the control panel of the C460FW to print a network configuration report in order to check which of the two SSIDs I should select, and it is ‘DIRECT-HeC460 Series‘ (I found out later that an adjacent room also has a C460FW and its Wi-Fi Direct SSID is ‘DIRECT-SqC460 Series‘). So I selected ‘DIRECT-HeC460 Series‘ and plasma-nm prompted me to enter a network password. I entered the 8-digit key I had found from the C460FW’s LCD panel (it’s also listed in the printed network configuration report), and NetworkManager connected to the printer.

In exactly the same way as I do when setting up any printer in Linux, I launched Firefox, opened the CUPS Printer Manager page, clicked on ‘Administration’ > ‘Add Printer’ and entered the user name ‘root’ and the password in the pop-up window. Again the ‘Add Printer’ page had ‘Samsung C460 Series‘ in the list of discovered network printers, so I just selected it and clicked on ‘Continue’. As I had already set up the printer in CUPS for the wired network connection and given it the name ‘Samsung_C460FW_office‘, I entered the name ‘Samsung_C460FW_office_WiFi_Direct‘ to distinguish it from the wired network entry, entered a Description and Location, and clicked on ‘Continue’. The next page had ‘Samsung C460 Series PS‘ first in the driver list so I selected that, clicked on ‘Add Printer’ and that was it. I was able to print a test page from the CUPS Printer Manager, and the printer is now included the list of printers in Linux applications’ print dialogues.

When I want to print using Wi-Fi Direct the only thing I need to remember to do first is select ‘DIRECT-HeC460 Series‘ in the network GUI on the KDE Panel, so that the connection is active when I click ‘Print’ in whichever application I want to print from.

Given the ease of printing via the wired network and Wi-Fi Direct, I have no doubts that printing would also work had the C460FW been configured for the office wireless network instead of the wired network.

Duplex printing

The only downside to the Samsung Xpress C460FW is that it only supports manual duplex printing. If you specify duplex printing when printing from Windows, Samsung’s Windows driver prints all the odd-numbered pages in reverse order and displays a message in Windows telling you what to do next (turn over the pile of paper and put it back in the paper tray!), but in Linux it’s not difficult to work out what you have to do: you simply have to print all the odd-numbered sides first, turn over the paper, then print all the even-numbered sides. The print dialogue in Linux applications gives you the option to print only odd-numbered pages or only even-numbered pages, so there is no problem. The print dialogue in some Linux applications allows you to print pages in reverse order as well but, if not, you have to reverse the order yourself before printing the even-numbered pages (i.e. put Page 1 face down at the top of the pile then Page 3 face down under it, and so on). It’s not a big deal unless the document has a large number of pages.


As you would expect with devices from the same manufacturer, setting up my Samsung Galaxy Note 4 to print with the Samsung Xpress C460FW via WPS (Wi-Fi Protected Setup) was easy. When I selected ‘Print’ on the Galaxy Note 4, it gave me the option to print via wireless network or Wi-Fi Direct. I chose the latter and, as I had already enabled Wi-Fi Direct on the C460FW’s control panel, the printer name was displayed in the list of available devices. I selected it, a blue LED began flashing on the C460FW’s control panel and the LCD prompted me to press the WPS button (on the left of the control panel). As soon as I pressed that, the C460FW printed the document sent by my Galaxy Note 4. From then onwards, I just needed to select ‘Print’ on the Galaxy Note 4, select the printer from the list of available devices, and the document is printed. When I want to print using Wi-Fi Direct the only thing I need to remember to do first on the Galaxy Note 4 is select ‘DIRECT-HeC460 Series‘ as the Wi-Fi network.


I then decided to try to print using NFC. I placed the Galaxy Note 4, without Wi-Fi enabled and with the Home Screen displayed (not the Lock Screen), on the NFC label on top of the C460FW; Android launched Play Store and prompted me to install Samsung Mobile Print, which I did. Now when I place the Galaxy Note 4 on the NFC label, the Galaxy Note 4 automatically enables Wi-Fi, connects to the C460FW directly and displays the Mobile Print app showing the options Print, Scan and Fax, and a page of icons labelled: Gallery, Camera, Google Drive, E-mail, Web page, Document, Facebook, DropBox, Evernote, OneDrive and Box, as well as a Settings icon to configure the printer (paper size etc.). I am able to select a document, photograph, Web page, etc. on the Galaxy Note 4 and print it. It is also possible to launch the Mobile Print app first and then place the Galaxy Note 4 on the C460FW.

NFC is not entirely trouble-free, though. Sometimes the Galaxy Note 4 displays a ‘Device not found‘ message but I can still print. Sometimes the Galaxy Note 4 displays the message ‘Connecting printer. There was some error while connecting to this device. Check your printer and try again. If NFC Pin was changed then please enter new NFC Pin.‘ and the two devices will not connect. Powering off then on the C460FW solves that. Sometimes the Galaxy Note 4 connects to another wireless network instead of to the C460FW via Wi-Fi Direct and the Samsung Galaxy Note 4 then has to disconnect automatically from the other network. Sometimes the C460FW prompts me to press its WPS button and the Galaxy Note 4 then connects via Wi-Fi Direct but the Mobile Print app then displays the error message ‘Device not found. To troubleshoot please check – C460 Series is powered on. – Wi-Fi direct is enabled on C460 Series. – C460 Series and Mobile are connected to the same network.‘. Again, powering off then on the C460FW solves that. Despite these hiccups, printing via NFC is still handy.



I found out how to get the C460FW scanner working by consulting the third-party Web site The Samsung Unified Linux Driver Repository which someone created to provide .deb packages for the Samsung driver as well as tips on how to get Samsung printers and scanners working in Linux. It turned out to be relatively straightforward to scan, both via the office wired network and via Wi-Fi Direct. I edited the file /etc/sane.d/xerox_mfp.conf and replaced the following:

#Samsung C460 Series
usb 0x04e8 0x3468

with the following in order to use the C460FW to scan via the office wired network:

#Samsung C460 Series
#usb 0x04e8 0x3468
#Wired network static address of this C460FW:

or with the following in order to use the C460FW to scan via Wi-Fi Direct:

#Samsung C460 Series
#usb 0x04e8 0x3468
#Wi-Fi Direct address of this C460FW:

I found the IP addresses from the network configuration report I printed earlier.

I was able to use the two Linux scanning applications I normally use, XSane and gscan2pdf, to scan via the wired network and via Wi-Fi Direct. The resulting scans were very good. Given the ease of scanning via the wired network and Wi-Fi Direct, I have no doubts that scanning would work via a wireless network had the C460FW been configured for the office wireless network instead of the wired network.


To use NFC to scan a document I place the Galaxy Note 4, without Wi-Fi enabled and with the Home Screen displayed (not the Lock Screen), on the NFC label on top of the C460FW. The Galaxy Note 4 enables Wi-Fi, connects automatically to the C460FW directly and launches the Mobile Print app showing the options Print, Scan and Fax. It is also possible to launch the Mobile Print app first and then place the Galaxy Note 4 on the C460FW. In other words, the procedure is exactly the same as when wanting to print via NFC. If I select Scan, the Galaxy Note 4 displays buttons for previewing and scanning. Amongst other things, the app’s Settings menu allows you to select whether you want to save the scanned image as a JPEG, PNG or PDF file. The hiccups mentioned above when printing via NFC also apply to scanning. Nevertheless, scanning from the C460FW to the Samsung Galaxy Note 4 via NFC is still handy.


As I am mainly interested in printing text documents I have only tried to print a few colour photographs on plain copier paper, and they look good. Text in documents looks crisp. Despite the lack of automatic duplex printing the C460FW is an excellent peripheral, especially for the price, although I don’t pay for the consumables so I have no idea of the operating costs. The ease with which I got it printing and scanning in Gentoo Linux (laptop) and Android KitKat (Samsung Galaxy Note 4) means that I would definitely consider purchasing this model for home use.

Preventing a DNS Leak and WebRTC Leak when using Tor in Linux


I have added to my 2011 Tor post a note on how to avoid a DNS Leak and WebRTC Leak, but am repeating it here in a new post, along with a Bash script that can be used to toggle the relevant Firefox user preferences before and after using Firefox with Tor, which makes the process easier.

The original eleven steps I gave in my above-mentioned post will not prevent the so-called DNS Leak problem. If your Web browser is not configured correctly it will still use your ISP’s DNS servers instead of the DNS servers favoured by Tor, in which case your ISP will know which sites you are accessing. See What is a DNS leak? for details. Reference 1 at the end of this post is a link to an article about DNS leakage, and Reference 2 is a link to an article on the Tor Browser, a browser designed to help avoid DNS leakage.

Furthermore, now that WebRTC is incorporated in some browsers, a ‘WebRTC Leak‘ is also possible if you have not configured your browser correctly.

Using the Tor Browser

Instead of performing Steps 1 to 11 in my original Tor post, download the Tor Browser, unpack it (no installation is required) and use that browser. Reference 3 below is a link to the download page, and Reference 4 below is a link to the instructions on how to unpack the tarball and launch the browser.

If you want even more security, you could instead download the ISO for the Tails Linux distribution, burn a LiveDVD or LivePenDrive — see my post Help for Windows users: How to create a Linux LiveCD, LiveDVD or LivePenDrive from an ISO file if you don’t know how to do that — and launch the browser from a Live Environment.

Using Tor with Firefox

However, if you still want to use the method I gave in my original Tor post then you could try all the additional steps given below to stop DNS leakage and WebRTC leakage.

  1. Use the OpenDNS servers instead of your ISP’s DNS servers. That will not help, though, if your ISP is using a Transparent DNS Proxy.
  2. Make the following changes to the preferences in Firefox (enter about:config in the Firefox address bar):
    Preference Name                       Status   Type     Value
    network.dns.disableIPv6               default  boolean  false  Change to true
    network.dns.disablePrefetch           default  boolean  false  Change to true
    network.proxy.socks_remote_dns        default  boolean  false  Change to true
    browser.safebrowsing.enabled          default  boolean  true   Change to false
    browser.safebrowsing.malware.enabled  default  boolean  true   Change to false
    media.peerconnection.enabled          default  boolean  true   Change to false

    (When you have finished using Tor, set media.peerconnection.enabled back to true if you want to use WebRTC. If you also want Firefox to warn you of phishing Web sites and Web sites that download malware, also set browser.safebrowsing.enabled and browser.safebrowsing.enabled back to true after you have finished using Tor.)

    You may be wondering why I disable IPv6 DNS requests. It is because some IPv6-capable DNS servers may return an IPv4 address when an IPv6 address is requested. I disable the two ‘safe browsing’ preferences because, if enabled, they cause Firefox to compare visited URLs against a remotely-stored blacklist or submit URLs to a third party to determine whether a site is legitimate, and I don’t want the possibility of Firefox contacting other sites outside Tor or trying to find an IP address for a URL. The PeerConnection preference relates to WebRTC, and I disable that to stop Firefox contacting STUN servers (see Reference 5 below).

  3. Test if there is still leakage by visiting the DNS leak test Web site and clicking on the Standard test button, and visiting the IP/DNS Detect site.

Furthermore, do not forget to use a Private Browsing window in Firefox.

Automate the editing of Firefox user preferences

Using about:config to change the user preferences in Firefox is laborious, so I created a Bash script to toggle the relevant user preferences:

# Script to change Firefox user preferences rather than
# using about:config from within Firefox.
# Make sure you only run this script when Firefox is not running.
STATE=$(grep media.peerconnection.enabled $FILE | cut -c 43- | cut -d')' -f1)
if ! grep -q media.peerconnection.enabled $FILE ; then
  echo 'user_pref("media.peerconnection.enabled", false);' >> $FILE
  echo 'Added media.peerconnection.enabled false (secure) to prefs.js'
elif [ $STATE = "true" ]; then
     sed -i s/^.*media.peerconnection.enabled.*$/'user_pref("media.peerconnection.enabled", false);'/ $FILE
     echo 'media.peerconnection.enabled changed to false (secure) in prefs.js'
     sed -i s/^.*media.peerconnection.enabled.*$/'user_pref("media.peerconnection.enabled", true);'/ $FILE
     echo 'media.peerconnection.enabled changed to true (not secure) in prefs.js'
STATE=$(grep browser.safebrowsing.malware.enabled $FILE | cut -c 51- | cut -d')' -f1)
if ! grep -q browser.safebrowsing.malware.enabled $FILE ; then
  echo 'user_pref("browser.safebrowsing.malware.enabled", false);' >> $FILE
  echo 'Added browser.safebrowsing.malware.enabled false (secure) to prefs.js'
elif [ $STATE = "true" ]; then
     sed -i s/^.*browser.safebrowsing.malware.enabled.*$/'user_pref("browser.safebrowsing.malware.enabled", false);'/ $FILE
     echo 'browser.safebrowsing.malware.enabled changed to false (secure) in prefs.js'
     sed -i s/^.*browser.safebrowsing.malware.enabled.*$/'user_pref("browser.safebrowsing.malware.enabled", true);'/ $FILE
     echo 'browser.safebrowsing.malware.enabled changed to true (not secure) in prefs.js'
STATE=$(grep browser.safebrowsing.enabled $FILE | cut -c 43- | cut -d')' -f1)
if ! grep -q browser.safebrowsing.enabled $FILE ; then
  echo 'user_pref("browser.safebrowsing.enabled", false);' >> $FILE
  echo 'Added browser.safebrowsing.enabled false (secure) to prefs.js'
elif [ $STATE = "true" ]; then
     sed -i s/^.*browser.safebrowsing.enabled.*$/'user_pref("browser.safebrowsing.enabled", false);'/ $FILE
     echo 'browser.safebrowsing.enabled changed to false (secure) in prefs.js'
     sed -i s/^.*browser.safebrowsing.enabled.*$/'user_pref("browser.safebrowsing.enabled", true);'/ $FILE
     echo 'browser.safebrowsing.enabled changed to true (not secure) in prefs.js'
STATE=$(grep network.proxy.socks_remote_dns $FILE | cut -c 45- | cut -d')' -f1)
if ! grep -q network.proxy.socks_remote_dns $FILE ; then
  echo 'user_pref("network.proxy.socks_remote_dns", true);' >> $FILE
  echo 'Added network.proxy.socks_remote_dns true (secure) to prefs.js'
elif [ $STATE = "true" ]; then
     sed -i s/^.*network.proxy.socks_remote_dns.*$/'user_pref("network.proxy.socks_remote_dns", false);'/ $FILE
     echo 'network.proxy.socks_remote_dns changed to false (not secure) in prefs.js'
     sed -i s/^.*network.proxy.socks_remote_dns.*$/'user_pref("network.proxy.socks_remote_dns", true);'/ $FILE
     echo 'network.proxy.socks_remote_dns changed to true (secure) in prefs.js'
STATE=$(grep network.dns.disablePrefetch $FILE | cut -c 42- | cut -d')' -f1)
if ! grep -q network.dns.disablePrefetch $FILE ; then
  echo 'user_pref("network.dns.disablePrefetch", true);' >> $FILE
  echo 'Added network.dns.disablePrefetch true (secure) to prefs.js'
elif [ $STATE = "true" ]; then
     sed -i s/^.*network.dns.disablePrefetch.*$/'user_pref("network.dns.disablePrefetch", false);'/ $FILE
     echo 'network.dns.disablePrefetch changed to false (not secure) in prefs.js'
     sed -i s/^.*network.dns.disablePrefetch.*$/'user_pref("network.dns.disablePrefetch", true);'/ $FILE
     echo 'network.dns.disablePrefetch changed to true (secure) in prefs.js'
STATE=$(grep network.dns.disableIPv6 $FILE | cut -c 38- | cut -d')' -f1)
if ! grep -q network.dns.disableIPv6 $FILE ; then
  echo 'user_pref("network.dns.disableIPv6", true);' >> $FILE
  echo 'Added network.dns.disableIPv6 true (secure) to prefs.js'
elif [ $STATE = "true" ]; then
     sed -i s/^.*network.dns.disableIPv6.*$/'user_pref("network.dns.disableIPv6", false);'/ $FILE
     echo 'network.dns.disableIPv6 changed to false (not secure) in prefs.js'
     sed -i s/^.*network.dns.disableIPv6.*$/'user_pref("network.dns.disableIPv6", true);'/ $FILE
     echo 'network.dns.disableIPv6 changed to true (secure) in prefs.js'

You will need to change the path to the Firefox prefs.js file in the sixth line of the script, to suit your installation. If you have the utility mlocate installed you can find the file easily by using the command:

$ locate prefs.js | grep firefox

You will also need to make the script executable:

$ chmod +x

You can see below how the script works:

$ ./
media.peerconnection.enabled changed to false (secure) in prefs.js
browser.safebrowsing.malware.enabled changed to false (secure) in prefs.js
browser.safebrowsing.enabled changed to false (secure) in prefs.js
network.proxy.socks_remote_dns changed to true (secure) in prefs.js
network.dns.disablePrefetch changed to true (secure) in prefs.js
network.dns.disableIPv6 changed to true (secure) in prefs.js
$ ./
media.peerconnection.enabled changed to true (not secure) in prefs.js
browser.safebrowsing.malware.enabled changed to true (not secure) in prefs.js
browser.safebrowsing.enabled changed to true (not secure) in prefs.js
network.proxy.socks_remote_dns changed to false (not secure) in prefs.js
network.dns.disablePrefetch changed to false (not secure) in prefs.js
network.dns.disableIPv6 changed to false (not secure) in prefs.js

Procedure to use Tor

So, if I am not using the Tor Browser, in summary I do the following (refer to my 2011 Tor post for the details):

  1. Launch Polipo from a Konsole window.
  2. Launch Vidalia from a Konsole window.
  3. Launch to make sure the relevant user preferences are set securely.
  4. Launch Firefox and change the network settings to enable use of Polipo and Vidalia.
  5. Launch a Firefox Private Browsing window and close the original window.
  6. Visit TorCheck at, What Is My IP Address?, DNS leak test and IP/DNS Detect to be sure I am using Tor and that there is no DNS leak or WebRTC leak.

The router provided by my ISP does not allow me to change its DNS server settings. Using the router’s Web browser interface I was able to view the IP addresses of the DNS servers the router uses (Whois Lookup is a good place to check to whom an IP address belongs), and they are indeed owned by the ISP. However, the leak test Web sites I mention above show me that there is no DNS leakage to the ISP’s DNS servers when I have performed all the steps above.

When I have finished using Tor, I do the following:

  1. Exit Firefox.
  2. Stop Tor from the Vidalia GUI, exit Vidalia and end the Konsole session.
  3. Stop Polipo and end the Konsole session.
  4. Launch to set the relevant user preferences back to their original settings.
  5. Launch Firefox and change the network settings back to the original settings.


1. Preventing Tor DNS Leaks
2. Tor new advice (February 2014)
3. Download Tor Browser
4. Linux Instructions for Tor Browser
5. New Browser Based Flaw Leaks VPN Users’ IP Addresses

Make Firefox for Linux use Dolphin to ‘Open Containing Folder’

When I click on the Download Manager icon on the tool bar, Firefox for Linux 32.0 opens a small pane listing downloads in progress, if any, and a link ‘Show All Downloads’. If I click on the link, Firefox pops up a window listing all the files downloaded via the browser, each with a folder icon beside it. Hovering the mouse pointer over the folder icon displays a tooltip ‘Open Containing Folder’. For as long as I can remember with Firefox for Linux, clicking that folder icon resulted in the Audacious music player launching and playing an MP4 file that happens to be in my ~/Downloads/ directory!

Firstly, I have no idea why Firefox was launching a media player instead of opening the directory. Secondly, I have no idea why Firefox wanted to open that specific file rather than any of the other files in the directory. Thirdly, I have no idea why it was launching Audacious, because Audacious is not even specified as the default media player for MP4 files in KDE’s ‘System Settings’ > ‘File Associations’.

This has annoyed me for a long time, but only today did I resolve to fix it, although it was not so easy to find a working solution by searching the Web. It seems it is a common problem with Firefox in Linux, and I found threads in various forums recommending the creation of a set of preferences by using about:config. Some of those threads state that one of those preferences should specify Konqueror; other threads state that one of the preferences should specify a shell script. In the end I discovered a post in an openSUSE Forums thread from 2012 Re: How use Dolphin to “open containing folder” from firefox downloads? providing a broken link to a thread at a different Web site and, fortunately, quoting the solution which worked for me, which is to create a file named ~/.local/share/applications/defaults.list containing the following:

[Default Applications]

Now when I click on the ‘Open Containing Folder’ icon in Firefox, Dolphin launches and displays the contents of ~/Downloads/ just as I would have expected from the beginning.

Opening multiple browser tabs simultaneously — AutoKey comes to the rescue

hotkey to launch an application

I sometimes consult several dictionary Web sites concurrently. Typically I have them open simultaneously on different browser tabs so that I can switch between them quickly. Naturally I have the sites bookmarked, but it is still a bit of a nuisance to have to open each site by clicking on the browser’s ‘Open a new tab’ icon and then clicking on a bookmark. So I thought it would be nice if I could have an icon in the browser or on the Desktop that I could click to open all the desired Web pages at once.

Well, I could have created a Desktop Configuration File in ~/Desktop/ to launch a command such as the one listed below, and given the file a nice icon.


Then I would have been able to double-click on the icon on my Desktop, which would have launched a separate Firefox window with those five required Web sites in different tabs. But what if I happened to have an existing window maximised? I would then have to move it to be able to see the icon on the Desktop. So I decided that was not an ideal approach.

Next I thought about the possibility of a Firefox extension, so I searched the Mozilla Add-ons site and found one called Open Multiple Locations. But, from what I read, it seems the extension is no longer being maintained. Furthermore, it appears it would have to be launched from the browser’s File menu, which would still be a little inconvenient.

Then I remembered that I have the excellent utility AutoKey installed, so why not define a hotkey sequence to do what I wanted? This is what I did.

When you install AutoKey, it creates a directory ~/.config/autokey/data/My Phrases/ which contains directories named Addresses and Sample Scripts. The latter two directories contain examples of what you can do with AutoKey. Now, one of the example scripts in Sample Scripts is Insert, a very simple script which enables you to issue the Linux date command with a hotkey combination, preconfigured as Ctrl-Alt-d (Click on the Insert Date entry in the left pane of the AutoKey window and notice in the lower right pane that the hotkey is listed and there are Set and Clear buttons to enable you to change it).

So I used the Desktop Environment’s GUI to navigate to the directory ~/.config/autokey/data/My Phrases/ and created a directory which I called ~/.config/autokey/data/My Phrases/My Scripts/. I copied the file ~/.config/autokey/data/My Phrases/Sample Scripts/Insert into the new directory and renamed it then set its AutoKey hotkey combination to be Ctrl-Alt-f and edited it to contain the desired command:

output = system.exec_command("firefox")

Now, when I am using a browser (be it Firefox, Chrome, Konqueror or whatever) or any other application and I need to consult those dictionaries, I just press Ctrl-Alt-f and up pops a Firefox window containing five tabs with the Web sites I wish to be able to use. Done and done.

Of course, if you happen to be using a Desktop Environment that has its own shortcut tool, you can use that instead. For example, in KDE I could have instead used ‘System Settings’ > ‘Shortcuts and Gestures’ | ‘Custom Shortcuts’ and configured Ctrl-Alt-f to run the above-mentioned command to launch Firefox with those five URLs. (You need to log out of KDE and log in again for the shortcut to become active.) That would have achieved exactly the same result as with AutoKey.

WebRTC – A viable alternative to Skype

webrtc_logoSkype for Linux 4.3 and upwards requires the use of PulseAudio, which has caused discontent amongst those Linux users who do not use PulseAudio. Although I do use PulseAudio, I recently found out about WebRTC, an API (application programming interface) for browser-based communication offering most of the functions provided by Skype, namely: voice calling, video chat, text chat, file sharing and screen sharing. The official WebRTC site states:

WebRTC is a free, open project that enables web browsers with Real-Time Communications (RTC) capabilities via simple JavaScript APIs. The WebRTC components have been optimized to best serve this purpose.

Our mission: To enable rich, high quality, RTC applications to be developed in the browser via simple JavaScript APIs and HTML5.

WebRTC was originally released by Google but is now a draft standard of the World Wide Web Consortium, and is supported by Chrome, Firefox and Opera browsers. Several commercial Web sites offer WebRTC-based communications to fee-paying customers, but I thought I would try WebRTC by using one of the so-called ‘demo’ WebRTC pages. AppRTC is a WebRTC demo page which can be reached from a link on the official WebRTC site, but I prefer Multi-Party WebRTC Demo by TokBox which offers a more polished experience with better features. Both are free to use and viable substitutes to Skype for video chatting (one-to-one or conference).

So, how do you actually use WebRTC-based sites? Below is a quick guide to get you going.

Text and video chatting

Open the following URL in Chrome or Firefox:

Enter a Room Name that is likely to be unique. I used ‘fitzchat’ (without the quotes), but you can use any name you want.

The other party or parties can do the same thing, i.e. they enter the same Room Name as you, and you will all become connected.

Alternatively, to send an e-mail invitation to someone, click on the URL at the top of the pane on the right-hand side (which is Invite: in this example, as I chose to name the Room ‘fitzchat’). The partially visible pane at the right-hand side of the browser window will slide into full view when you click on it.

That’s all there is to it. You should see a video window showing each party, and they should see the same. Each party should also be able to hear the other parties. In the top right-hand corner of each video window is an icon (microphone for you; speaker for each of the other parties) which you can click on to mute/un-mute that party.

Click on the partially visible pane at the right-hand side of the browser window. Notice the ‘chat bar’ at the bottom where you enter commands and chat text. Read the grey instructions listed near the top of the pane:

Welcome to OpenTokRTC by TokBox
Type /nick your_name to change your name
Type /list to see list of users in the room
Type /help to see a list of commands
Type /hide to hide chat bar
Type /focus to lead the group
Type /unfocus to put everybody on equal standing

For example, to give myself a meaningful name instead of the default username Guest-0120e48c which was given to me automatically, I entered the following:

           /nick Fitz

Screen sharing

I found that screen sharing already works well in Chrome 36.0.1985.125 but is not yet supported in Firefox 31.0. It will be supported in Firefox 32 or 33, apparently, or you can already use Firefox Nightly providing you add the appropriate preferences via about:config.

To be able to share screens in Chrome, I had to perform two steps: enable a Chrome flag and install a Chrome extension. The two steps, which do not need to be repeated, are given below (see Ref. 1).

To enable screen sharing in Chrome, do the following:

  1. Open a new tab or window in Chrome.
  2. Copy the following link: chrome://flags/#enable-usermedia-screen-capture and paste it in the location bar.
  3. Click on the ‘Enable’ link below ‘Enable screen capture support in getUserMedia().’ at the very top of the screen.
  4. Click on the ‘Relaunch Now’ button at the bottom of the page to restart Chrome.

To install the screen sharing extension in Chrome, do the following:

  1. Launch Chrome and click on the Menu icon.
  2. Click on ‘Settings’.
  3. Click on ‘Extensions’.
  4. Click on ‘Get more extensions’ and search for ‘webrtc’.
  5. Download ‘WebRTC Desktop Sharing’.
  6. This places an icon to the right of the URL bar in Chrome.

To share your screen or just a window, do the following in Chrome:

  1. Click on the ‘Share Desktop’ icon to the right of the URL bar and select either ‘Screen’ or the window you wish to share.
  2. Click ‘Share’.
  3. When sharing has started in a new Chrome window, select the URL of the relevant tab in that window and send it to the other parties via the chat pane on the right-hand side of the first browser window.

To stop sharing, click on ‘Stop sharing’ and click on the ‘Share Desktop’ icon to the right of the URL bar to get it to return to displaying the ‘Share Desktop’ icon instead of the || (Pause) icon.

File sharing

I did not bother to try file sharing using WebRTC, but there are various Web sites you can use to do that. One such is ShareDrop, and googling will find others.


Chrome 36.0.1985.125 and Firefox 31.0 were used in this trial (I did not try Opera). I found that video chat worked faultlessly when both parties were using Chrome, and when both parties were using Firefox. However, when one of the parties was using Firefox and the other was using Chrome, I could not see myself in one of the video boxes in the browser window (although I could see the other party in the other video box in the browser window). Furthermore, there was a grey bar across the middle of the video images in the AppRTC demo, whereas the Multi-Party WebRTC Demo video images were normal. Other than those two issues, the experience was smooth and straightforward. My recommendation would therefore be to use Multi-Party WebRTC Demo and for all the parties to use the same browser, be it Chrome or Firefox. If you want to share your screen or a window, the logical choice at the moment would be Chrome.


1 LiveMinutes Blog – Beta Testers: How To Activate Screen Sharing!

UPDATE (January 2, 2015): Mozilla has added a button to Firefox 34 to provide account-free video chat using WebRTC. Mozilla calls this feature ‘Firefox Hello’.

I have it in Firefox 34.0.5 (I had to drag the ‘Hello’ button from ‘Customise’ | ‘Additional Tools and Features’). It works quite well. I didn’t bother creating an account; I just clicked on the ‘Email’ button to e-mail the automatically-generated URL to someone, and he clicked on the URL in the e-mail he received, which launched Firefox on his laptop and rang Firefox on my laptop. We tried both video and audio-only conversations, and both worked well. Firefox Hello is not as polished as Skype but, if Mozilla keeps working on it, they could end up with a good product.

Installing and using the Pipelight browser plug-in with Firefox 30 for Linux

pipelight-logoI use Gentoo Linux (~amd64) on my main laptop. Although I do not use Netflix or any of the other streaming video services that require the Microsoft Silverlight browser plug-in, I do need to use a browser with the Silverlight plug-in to access an office Intranet site. So I was interested in installing the Pipelight plug-in.

Although Pipelight works with most of the Silverlight test sites I have found on the Web, I cannot get it to work with the above-mentioned office Intranet site, which is why I ended up installing Firefox for Windows and Silverlight in WINE (see my previous post). Anyway, below I explain how I installed and configured Pipelight and Firefox 30.0 for Linux. Even if you use a different Linux distribution to me, almost all of this post will still be relevant; only the package installation commands will differ.

Google Chrome 34 and onwards does not support NPAPI, so Pipelight does not work any more with Chrome. Actually, Mozilla has disabled some NPAPI support by default in Firefox 30: with the exception of the Flash plug-in you have to explicitly give permission for plug-ins to be activated via Click-to-Activate (also known as Click-to-Play). You can configure how Firefox Click-to-Activate behaves via Open menu > Add-ons > Plugins (choose either ‘Ask to Activate’, ‘Always Activate’ or ‘Never Activate’). See ‘Issues related to plugins – 4.1 Click to Play in Mozilla browser versions 23 and above‘ on the mozillaZine Website and ‘How to always activate a plugin for a trusted website‘ on the Mozilla Support Website.

I updated an existing Pipelight ebuild so that it will install the latest version of Pipelight ( via a Portage local overlay. You can download the new ebuild from Gentoo Bugzilla Bug Report No. 481596 (see Comment 40). I can only get it to merge by using the binary-pluginloader USE flag. [Update August 18, 2014: The package is now in the main Portage tree, at least for ~amd64]


Install Firefox if it has not already been installed:

root # emerge firefox

Install Pipelight (installation fails unless I disable binary-pluginloader):

root # USE="-binary-pluginloader" emerge pipelight

Install WINE with the Compholio patches:

root # USE="pipelight" emerge wine

As you can see below, I have wine-1.7.21 and pipelight- installed.

user $ eix -I wine
[I] app-emulation/wine
Available versions: 1.2.3^t (~)1.3.28^t 1.4.1^t 1.6.1^t 1.6.2^t (~)1.7.0^t (~)1.7.3^t (~)1.7.4^t (~)1.7.8^t (~)1.7.9^t (~)1.7.10^t (~)1.7.11^t (~)1.7.12^t (~)1.7.13^t (~)1.7.14^t (~)1.7.15^t (~)1.7.16^t (~)1.7.17^t (~)1.7.18^t (~)1.7.19-r1^t (~)1.7.20^t (~)1.7.21^t **9999^t {+X (+)alsa capi cups custom-cflags dbus dos (+)fontconfig +gecko gnutls gphoto2 gsm gstreamer jack (+)jpeg lcms ldap +mono mp3 nas ncurses netapi nls odbc openal opencl +opengl osmesa (+)oss +perl pipelight (+)png +prelink pulseaudio +realtime +run-exes samba scanner selinux (+)ssl test +threads +truetype (+)udisks v4l +win32 +win64 xcomposite xinerama (+)xml ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_X86="(+)32 (+)64 x32" ELIBC="glibc" LINGUAS="ar bg ca cs da de el en en_US eo es fa fi fr he hi hr hu it ja ko lt ml nb_NO nl or pa pl pt_BR pt_PT rm ro ru sk sl sr_RS@cyrillic sr_RS@latin sv te th tr uk wa zh_CN zh_TW"}
Installed versions: 1.7.21^t(13:39:36 06/07/14)(X alsa cups fontconfig gecko gphoto2 gsm jpeg lcms mp3 ncurses nls openal opengl perl pipelight png prelink pulseaudio realtime run-exes scanner ssl threads truetype udisks v4l xinerama xml -capi -custom-cflags -dos -gstreamer -ldap -mono -netapi -odbc -opencl -osmesa -oss -samba -selinux -test -xcomposite ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_X86="32 64 -x32" ELIBC="glibc" LINGUAS="en pt_BR -ar -bg -ca -cs -da -de -el -en_US -eo -es -fa -fi -fr -he -hi -hr -hu -it -ja -ko -lt -ml -nb_NO -nl -or -pa -pl -pt_PT -rm -ro -ru -sk -sl -sr_RS@cyrillic -sr_RS@latin -sv -te -th -tr -uk -wa -zh_CN -zh_TW")
Description: Free implementation of Windows(tm) on Unix

user $ eix -I pipelight
[I] www-plugins/pipelight
Available versions: (~)0.2.3[1] (~)0.2.6[2] (~)[2] {adobereader +binary-pluginloader flash foxitpdf grandstream installation-dialogs npactivex roblox shockwave +silverlight static unity3d}
Installed versions:[2](21:57:35 10/07/14)(silverlight -adobereader -binary-pluginloader -flash -foxitpdf -grandstream -installation-dialogs -npactivex -roblox -shockwave -static -unity3d)
Description: A browser plugin which allows one to use windows-only plugins inside Linux browsers.

[1] "sabayon" /var/lib/layman/sabayon
[2] "local_overlay" /usr/local/portage

Now update the dependency-installer script and enable the plug-in:

user $ sudo pipelight-plugin --update # sudo has to be used for this command only.
user $ pipelight-plugin --enable silverlight

Applies to AMD ATI GPUs only: My main laptop has an AMD ATI HD 5850 GPU, and hardware acceleration causes Firefox to hang when the Pipelight plug-in is enabled, so I have to disable hardware acceleration:

user $ cp /usr/share/pipelight/configs/pipelight-silverlight5.1 ~/.config/

Edit the Pipelight configuration file:

user $ nano ~/.config/pipelight-silverlight5.1

In order to force GPU acceleration uncomment the line:
overwriteArg = enableGPUAcceleration=true

In order to disable GPU acceleration (even if your graphic driver is probably supported) uncomment the line:
overwriteArg = enableGPUAcceleration=false

Instead of disabling GPU hardware acceleration in the Pipelight configuration file (pipelight-silverlight5.1), I could have instead done it each time I launch Firefox by entering the following command:


But I prefer to be able to enter just the following command:

user $ firefox

or to launch Firefox from the as-installed entry for Firefox in the Desktop Environment’s launcher menu.

After launching Firefox for the first time, a series of pop-up windows will show that the Silverlight plug-in is being installed. Once the final pop-up window has closed, install the Firefox extension User Agent Overrider (do not install User Agent Switcher or any other user agent selection extension for Firefox), click on the down-arrow of the User Agent Overrider icon in Firefox and select ‘Windows / Firefox 29’ from the pull-down menu. I also selected ‘Preferences…’ and added another user agent string to the end of the list:

# Custom
Windows / Firefox 15: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1

Check that the plug-in is installed correctly

Enter about:plugins in the Firefox Address bar to check which plug-ins are installed, their version and current state.

Use the Pipelight diagnostic page to check the plug-in is working.

Pipelight options

To see what commands the Pipelight plug-in supports, enter the following command in a Konsole/Terminal window:

user $ pipelight-plugin --help

Further information

Below are some links to Silverlight tests and other information regarding Pipelight and Silverlight.

Silverlight test pages

Silverlight Version Test

Bubblemark animation test

Silverlight Project Test Page | Deep Zoom

Silverlight DRM Test (Select ‘No DRM’ because the following bug report says that the Silverlight DRM test at the aforementioned Web page is broken and Microsoft will not fix it: Bug 762056.)

Becky’s Silverlight Test Site

Microsoft Silverlight – IIS Smooth Streaming Demo

Experience IIS Smooth Streaming

Silverlight Project Test Page | Deep Zoom Tag Browser

Microsoft Case Studies

Silverlight Demos

Here is an article on Netflix’s intention to dump the awful Silverlight plug-in:
Netflix to dump Silverlight, Microsoft’s stalled technology

Background information on the Pipelight project

This presentation was made by the Pipelight developers:
Pipelight – Windows browser plugins on Linux

Useful pages on the Pipelight Web site

Pipelight | News

This page, about selecting a User Agent String that will work, is important to read if you’re having problems:
Pipelight | Installation – User Agent

Background reading on User Agent Strings

How to Change Your Browser’s User Agent Without Installing Any Extensions

The IE10 User-Agent String

You can find out your current user agent string by using the following link:
What’s My User Agent?

UPDATE (16 February 2017): Pipelight has been discontinued

Michael Müller, the developer of pipelight, posted the following notice in mid December 2016 (see

Pipelight has been discontinued!
What does this mean?

Pipelight will not suddenly stop working, but you will not receive any further updates. As a result all enabled plugins (e.g. Silverlight/Flash) stay at the same version and do not get any security fixes. This might be a security threat for your system and we therefore recommend to remove Pipelight using the package manager of your distribution.

Alternative to using Pipelight

If you still have trouble viewing Web pages that use Silverlight, you might like to try an alternative approach: use Firefox for Windows and the Silverlight plug-in in WINE. See my previous blog post Installing Firefox for Windows and the Silverlight plug-in in WINE.

Installing Firefox for Windows and the Silverlight plug-in in WINE

I use 64-bit (~amd64) multilib Gentoo Linux on my main laptop, and had been using successfully Version 0.2.3 of the Pipelight browser plug-in in 64-bit Firefox 29.0.1 for Linux to access an office Intranet Web site that uses Microsoft Silverlight. However, after installing 64-bit Firefox 30.0 for Linux recently I found that Mozilla has removed NPAPI support by default in Firefox 30, and Web sites using Silverlight would no longer load.

By updating Pipelight to Version 0.2.6 and changing the user agent string — see ‘Firefox UserAgent Switcher list‘ — I was able to browse in Firefox 30.0 for Linux only some of the Web sites that use Silverlight, but the aforementioned Intranet Web site would no longer load and displayed the following error message instead:

It appears the browser you are using to access this site is unsupported. Please use one of the following browsers …

· Internet Explorer 8.0

· Internet Explorer 9.0

· Internet Explorer 10.0

If you are using one of these browsers and you are still seeing this message, please contact company support.

I tried changing Firefox’s user agent string to the following, which I found from the post ‘Firefox UserAgent Switcher list‘:

Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0

That user agent string allowed the Intranet’s Web page to start loading, but a window popped-up displaying the error message shown below and Firefox stopped responding (froze).

Error reading Localization file

Arguments: Content-Type,”,’,4,18
Debugging resource strings unavailable. Often the key and arguments provide
sufficient information to diagnose the problem. See

After trying various user agent strings without success I decided to install 64-bit Firefox 30.0 for Windows and the 64-bit Silverlight plug-in in WINE. The 64-bit Firefox 30.0 for Windows installed successfully and I could launch it and browse the Internet. However, I found that the 64-bit Silverlight plug-in would not install (according to a message in the Silverlight Installer window, installation of the plug-in crashed at 82% complete), so I then installed 32-bit Firefox 30.0 for Windows with the 32-bit Silverlight plug-in, and that worked. Below I list the steps I used to install and configure 32-bit Firefox 30.0 with the 32-bit Silverlight plug-in in WINE (which, in my installation, was compiled to support both 32-bit and 64-bit Windows applications).

Installation and configuration of 32-bit Firefox for Windows and the Silverlight plug-in

1. I used a Web browser to download the file ‘Firefox Setup 30.0.exe‘ from the Mozilla Firefox Web site to the /home/fitzcarraldo/Downloads/ directory. The Mozilla Web site offers a choice of localised versions, so I downloaded the installer for Firefox for Windows in British English.

2. I opened a Konsole window and entered the following commands:

$ cd
$ export WINEPREFIX=$HOME/.wine-firefox
$ export WINEARCH="win32"
$ winecfg # Set Windows Version to Window 7.
$ cd ./.wine-firefox/drive_c/
$ wget # Download winetricks so I can install Windows fonts.
$ chmod +x winetricks # Make winetricks script executable.
$ ./winetricks # Launch winetricks and install Windows fonts.
$ cp /home/fitzcarraldo/Downloads/Firefox\ Setup\ 30.0.exe .
$ wine Firefox\ Setup\ 30.0.exe
$ env WINEPREFIX="/home/fitzcarraldo/.wine-firefox" WINEARCH="win32" wine /home/fitzcarraldo/.wine-firefox/drive_c/Program\ Files/Mozilla\ Firefox/firefox.exe # Launch Firefox and download the Silverlight installer.

N.B. Keep the Konsole window open and use it to enter all the commands listed in this post.

Notice that I downloaded and launched the excellent winetricks script so that I could install some Windows fonts that Firefox for Windows might need to use. When the winetricks window opens, all I needed to do was:

  • Select ‘Select the default wineprefix’ and click ‘OK’
  • Select ‘Install a font’and click ‘OK’.
  • Select ‘allfonts’ and click ‘OK’.
  • Optionally, if you have an LCD monitor and you would like to enable subpixel font smoothing, select ‘Change Settings’ then ‘fontsmooth=rgb’ and click ‘OK’.

3. I used the 32-bit Firefox for Windows Web browser to download the Silverlight plug-in installer to the /home/fitzcarraldo/Downloads/ directory. The files downloaded were Silverlight.exe and Silverlight.exe:Zone.Identifier which were both downloaded when I clicked on the ‘Click to Install’ button on the ‘Get Microsoft Silverlight‘ Web page and I then moved them from the directory /home/fitzcarraldo/Desktop/ to the /home/fitzcarraldo/Downloads/ directory.

4. I exited Firefox for Windows and installed the Silverlight plug-in:

$ cp /home/fitzcarraldo/Downloads/Silverlight* .
$ wine Silverlight.exe # Now install 32-bit Silverlight.

5. Then I launched Firefox for Windows again to configure the User Agent:

$ env WINEPREFIX="/home/fitzcarraldo/.wine-firefox" WINEARCH="win32" wine /home/fitzcarraldo/.wine-firefox/drive_c/Program\ Files/Mozilla\ Firefox/firefox.exe

I entered ‘about:config‘ (without the quotes) in the Address bar and added a new preference named general.useragent.override containing the following string (it is a User Agent string for Microsoft Internet Explorer 10.6 in 32-bit Windows 7):

Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0

N.B. This is the user agent string I used to get a specific office’s Intranet Web site that uses Silverlight to load in the Firefox 30.0 for Windows browser. You may need to use a different user agent string for the particular Web site you want to load. Use a search engine to search the Web for suitable user agent strings for the specific Web site you wish to browse. I have seen various user agent strings given for Netflix, for example, so you may have to try several to find one that works for you.

Alternatively, rather than using about:config you could install a Firefox extension such as User Agent Switcher and the associated ‘useragentswitcher.xml‘ file (see the ‘Firefox UserAgent Switcher list’ reference above for details of how to install), which would allow you to add, edit and select user agent strings more easily. An alternative to User Agent Switcher is the Firefox extension User Agent Overrider which may give you better results than User Agent Switcher on some Web sites that use Silverlight. I have tried it and it enables me to view the Silverlight test pages on the Web (I selected ‘Windows / Firefox 29’ from the User Agent Overrider pull-down menu).

6. I also made sure that plugins.click_to_play is set to ‘true’ (it should be by default) and I gave permission to Firefox to use the Silverlight plug-in on the relevant Web site I wish to use (Open menu > Add-ons > Plugins). See ‘Issues related to plugins – 4.1 Click to Play in Mozilla browser versions 23 and above‘ on the mozillaZine Website and ‘How to always activate a plugin for a trusted website‘ on the Mozilla Support Website.

Launching Firefox for Windows correctly in Linux

To launch Firefox for Windows from the command line you will need to enter either of the following commands:

$ env WINEPREFIX="/home/fitzcarraldo/.wine-firefox" WINEARCH="win32" wine /home/fitzcarraldo/.wine-firefox/drive_c/Program\ Files/Mozilla\ Firefox/firefox.exe

$ env WINEPREFIX="/home/fitzcarraldo/.wine-firefox" WINEARCH="win32" wine C:\\windows\\command\\start.exe /Unix /home/fitzcarraldo/.wine-firefox/dosdevices/c:/users/Public/Start\ Menu/Programs/Mozilla\ Firefox.lnk

Alternatively, you can set up a Desktop Configuration File (.desktop file) on your Desktop and/or an entry in the Desktop Environment’s launcher menu. In my case, WINE took care of doing both of those during the installation of Firefox for Windows, and it used the standard Firefox icon. I just needed to edit the entry’s command for launching Firefox, to make it match one of the commands listed above.


Regarding the file Silverlight.exe:Zone.Identifier that was downloaded when I downloaded the Silverlight installer (Silverlight.exe), I had never come across such a file type before but have now found out what it is:

File that contains metadata describing the security zones associated with another file; generated automatically when a file is downloaded from the Internet or received as an email attachment; often created by Internet Explorer.

See the article .ZONE.IDENTIFIER File Extension for details.

You can therefore forget about the Silverlight.exe:Zone.Identifier file (if one even exists in your case). The important thing is to download the Silverlight installer, which is a single .exe file.