Chrome "Suspicious download blocked" - TPM 10.9.1 isolation test

The thrivethemes.com download of TPM 10.9.1 surfaces "Suspicious download blocked" in Chrome. This page isolates the trigger.

Findings so far

Hypothesis 1 (the SWF inside the archive is the trigger): Falsified. A 1.2 KB zip containing only ZeroClipboard.swf downloads fine. A copy of the original archive with the SWF removed also downloads fine. The SWF is not the cause.

Hypothesis 2 (specific SHA-256 of the released file is on a global block list): Falsified by Mario's test. The byte-identical file (same SHA-256 as the thrivethemes.com release) downloads cleanly when served from this Cloudflare Pages domain. So the global hash list isn't the trigger.

Current working hypothesis: Safe Browsing is reacting to the source URL/host (thrivethemes.com or its specific download path), not the file. The block correlates strongly with the EDD migration on May 20-21 - new hosting infrastructure resets domain reputation, and Safe Browsing's domain models react to that churn by surfacing "uncommon download" warnings until reputation rebuilds.

Profile-state divergence resolved: Vijay tested the same URL on a different Chrome profile - everything downloaded cleanly. Confirms the block on his original profile is a locally-cached Safe Browsing verdict tied to the hash, persisted from earlier thrivethemes.com downloads. Profile-isolated. Not a property of the file or the test domain.

All variants

#	File	Description	SHA-256	Result (Mario)	Result (Vijay normal)
A	original.zip	Untouched bytes from thrivethemes.com.	`1a08756a82e5`	passed	blocked
B	no-swf.zip	Original minus `ZeroClipboard.swf`.	new	passed	passed
C	swf-only.zip	Just the SWF, nothing else.	new	passed	passed
D	swf-renamed.zip	Original with SWF renamed to `.bin`.	new	passed	passed
E	original-rezipped.zip	Same files, re-zipped with different metadata.	new	?	passed
F	original-tweaked.zip	Original.zip with one trailing `\n`.	new	?	passed

Conclusion

The released TPM 10.9.1 file is benign. The block is not driven by any byte inside the archive. It's the source URL: thrivethemes.com's download path has lost Safe Browsing reputation, most likely as fallout from the EDD migration on May 20-21 (new serving infrastructure → fresh reputation state → Chrome surfaces "uncommon download" warnings until volume rebuilds confidence).

Behavior is intermittent across users. Once any given Chrome profile sees the warning once, the local Safe Browsing cache can carry a hash-level verdict forward for some time, blocking the same file even from clean sources until the cache rotates.

Remediation

Formal fix: submit a Safe Browsing false-positive review for thrivethemes.com via Google Search Console (Security & Manual Actions → Security issues). Needs someone with verified access to the property.
Faster workaround for customers: serve TPM downloads from a CDN endpoint or a fresh-reputation subdomain. Cloudflare R2 / Pages would do.
Wait it out: domain reputation typically rebuilds in days-to-weeks as legitimate downloads accumulate without abuse reports.
No code change in the plugin is required - the SWF removal we initially discussed would have been chasing a coincidence.

Hosted on Cloudflare Pages, fresh hostname, no positive reputation. Files served as application/zip with Content-Disposition: attachment.