
URL: https://duo.com/decipher/heres-why-chrome-is-scanning-your-computer-for-malware
Submission: On April 04 via manual from CA — Scanned from CA

Apr 2, 2018


HERE’S WHY CHROME IS SCANNING YOUR COMPUTER FOR MALWARE

By Fahmida Y. Rashid

Despite recent comments to the contrary, Google does not have a secret antivirus
in the Chrome web browser, and it is not collecting information about the files
on Windows PCs. Google had good intentions—improved security—but it should have
been more explicit about what Chrome Cleanup is doing much earlier, instead of
waiting until people started asking questions.

“Turns out @googlechrome quietly began performing AV scans on Windows devices
last fall,” Kelly Shortridge, a product manager at security risk management
company Security Scorecard, posted on Twitter over the weekend. She’d noticed
Chrome scanning non-system folders on her computer, including Documents,
Pictures, and GitHub.

Shortridge was referring to Chrome Cleanup, a heavily sandboxed version of the
endpoint scanning tool from ESET that detects potentially unwanted software and
offers to remove it and return Chrome to default settings. Intended for Windows
10, 8.1, 8, and 7, this tool removes software that may cause Chrome to crash,
modify Chrome to install unexpected startup pages and toolbars, display ads that
aren’t easy to remove, and otherwise change the browsing experience. That
includes software such as pop-up ads, unwanted Chrome extensions, toolbars, and
browser redirecting software.

Google defines user-friendly software as those applications that require the
user to give explicit permission to install the software, are easy to remove,
behave as expected, and are transparent about what user data is being collected
and how it is being transmitted. Software that tries to trick users into
installing or piggybacks on the installation of some other program, or has
features the user doesn’t know about, is considered harmful and “we will take
steps to protect users from it,” Google wrote in its Unwanted Software Policy.

When the scanner finds something that could be potentially malicious, it
displays an alert to the user and asks permission to remove the suspicious file.
The scanner doesn’t remove files automatically. If the user doesn’t opt out of
reporting details to Google (a checkbox on the prompt), the scanner sends
metadata about programs installed or running on the system that could be
associated with harmful software, such as services and processes, scheduled
tasks, system registry values, Windows proxy settings, and software modules
loaded into Chrome or the network stack.

Keeping unwanted software off the computers is a laudable goal, but the fact
that all this is happening with little public awareness is disconcerting for
some. The initial announcement and other publicly available information about
Chrome Cleanup did not explicitly state that the tool would be scanning personal
files such as images and documents. It’s probably the case that Chrome isn’t
looking at the contents of the files being scanned, but the fact remains that
this entire process is not very clearly described.

“At no point during my usage of Chrome did I enable a setting for or receive a
notification explicitly asking me to agree to allowing Chrome to scan my
personal files,” Shortridge said.

Chrome Cleanup is a local signature engine and performs all the scans locally,
head of Google Chrome security Justin Schuh said on Twitter in response to
Shortridge’s comments. He called it a “vastly narrower and less invasive scan”
than conventional antivirus as it looks only for files and processes that
interact with Chrome. Back in October, Google product manager Philippe Rivard
emphasized that Chrome Cleanup should not be considered a general-purpose
antivirus as it only removes software that falls under Google’s definition of
unwanted software, and Schuh reiterated that point.

“It’s absolutely not ‘cloud AV,’” Schuh said.



While Schuh said it wasn’t a “system-wide scan,” the public information also
states the tool looks for “browser hijacking points,” which appears to mean
points at which the browser can be manipulated. So while he is accurate in
saying Chrome Cleanup isn’t scanning the entire disk, such as the kernel and
other deep parts of the system, the tool has an extremely broad mandate. When so
much of modern software is delivered through the browser, it’s hard to say which
file could be considered a potential threat to the browser. It also isn’t
specified how Chrome decides which files would be scanned.

“While I understand the Chrome team’s motivations for this, since browser
hijacking is indeed a prevalent threat for Windows users, I also feel there is
danger in scope creep from just Chrome-related files to system files to personal
files, depending on how the Chrome team defines relevant files,” Shortridge
said.

Schuh also said the tool runs weekly at “background priority and [with] normal
user privs [privileges] for up to 15 minutes,” which doesn’t match Shortridge’s
observation that Chrome scanned non-system folders multiple times. It’s just one
of the many aspects of how Chrome Cleanup works that need more clarification.

Currently, there is no way to turn off this scanning, either on the individual
level (through settings) or via enterprise policy. The Chrome team made the call
to make this opt-in for everyone, without a way to turn it off, although Schuh
said on Twitter the team is now “investigating more opt outs.”

“In this case, Google prioritized ensuring that malicious software cannot bypass
the security measure,” Shortridge said.

The irony in this whole discussion is the fact that the way Chrome is performing
these scans could fall under the category of “doesn’t tell the user about all of
its principal and significant functions,” Google’s own criteria for declaring
software as potentially harmful.

Google should have been upfront about how Chrome is behaving on the computer
right from the start. The typical user assumes that there is only one antivirus
engine running on their system, the one they installed, and would be unaware
that something else is also checking the contents of the computer. It is also
not easy to find information about what kind of data is being collected or sent
back to Google.

“This was a non-trivial change to Chrome for Windows users, and it should not
have taken a tweet to lead to proper, explicit disclosure of Chrome Cleanup's
methods and the motivations behind its addition, even though the stated
intentions are noble,” Shortridge said.
