I accidentally opened a highly suspicious PDF in Firefox. Came with one of those typical scam-looking emails. I wanted to download it and open it in a disposable, but Firefox was configured to open downloaded PDFs automatically.
It was opened in-browser.
How do I proceed?
I have files on that qube I need. Should I just restart the qube (I shut it down) and move all files to a new qube or should I treat all data on that qube as compromised and confine it to an offline qube, to be processed later?
I loathe that feature - turn it off in all Firefox instances. (Do this
under “Applications” to use system default, and set that to open file in
offline disposable.)
In your current situation, I would adopt your second approach. What you
do next will depend on the state of your last backups. If you have nothing
to lose, kill and remove that qube, create another, and restore data to
it. If you don't have a backup, I would create an offline qube, copy
needed files to it, and try to clean them as best you can. Still delete
the original qube. But I would always treat that data as potentially
compromised.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Sorry, @unman, can you elaborate on this? Do you mean in the right-click menu of the file, and going to “Open With”? If so, then I suppose I should be specifying the defaultDispVM for that VM to be an offline VM (because I don’t see a native option to open in offline VM)? Or am I missing something?
Likewise, I don’t see an option to set this in “Applications” for the AppVM (i.e., via Qubes settings).
Although it’s too late for OP, I have used the "revert" function before. Just by itself, it’s enough reason to switch to Qubes: https://www.qubes-os.org/doc/volume-backup-revert/
Now I must go and verify that it works as I remember…