Kelly Shortridge
I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in \Documents\
Kelly Shortridge 29 Mar 18
Replying to @swagitda_
Here’s the source on the Windows device scanning: “Chrome helps you find suspicious or unwanted programs on your Windows computer.”
Xavier Ashe 29 Mar 18
I wonder what does with the data it collects via this hidden feature....
Kelly Shortridge 29 Mar 18
As far as I can see, it doesn’t warn you about this anywhere in Chrome Settings (including Advanced Settings). Also couldn’t find any documentation on what exactly it’s supposed to scan, just that it does. Feels like something that should be an opt-in
Ant Stanley 29 Mar 18
So do I! That would be more disturbing than Google doing it... I think ...
Kelly Shortridge 29 Mar 18
Replying to @IamStan @googlechrome
I’m pretty confident it’s Chrome itself, not a plug-in or script, particularly given they admit they do it. But I’ll have to test further to 100% confirm
Kelly Shortridge 29 Mar 18
Replying to @swagitda_
I’m also now wondering if this is why my box is crashing so often 🤔 when I googled the errors before, advice was to uninstall third party AV & until now I didn’t think I had any.... ffs
Justin Schuh 🗑 30 Mar 18
Replying to @swagitda_ @laparisa
Well, it targets Chrome hijacking rather than the much broader scope of general purpose AV/AM. But yeah, here's the announcement (and we're also preparing to open source the AV sandbox code).
Kelly Shortridge 30 Mar 18
Replying to @justinschuh @laparisa
I think it’s super unclear from that announcement that non-system files (ie personal / professional) files will also be scanned towards that goal. I’m actually really surprised you haven’t had pushback from enterprises (if they’re aware)
Justin Schuh 🗑 30 Mar 18
Replying to @swagitda_ @laparisa
I also have to double check, but I believe there's an enterprise opt-out, because this is really intended for unmanaged consumer systems (since they're the most commonly hijacked).
Kelly Shortridge 30 Mar 18
Replying to @justinschuh @laparisa
Really appreciate you responding & explaining (though I still really wish there was a consumer opt-out, even just in advanced settings). Will this be part of what you’ll be posting publicly?
Justin Schuh 🗑 30 Mar 18
Replying to @swagitda_ @laparisa
The problem with consumer opt-outs is that they're the first switch that gets toggled during a hijack—so they end up being immediately self defeating. It's just a very hard set of concerns to balance.
Kelly Shortridge 30 Mar 18
Replying to @justinschuh @laparisa
No doubt thought went into it, although I don’t necessarily agree with the result of it. I’ll be on the lookout for when y’all publish more info on it — again, appreciative of you taking the time to respond
Alex Haines 31 Mar 18
Is there a chrome setting to stop this ESET / Chrome partnership running?
Kelly Shortridge 31 Mar 18
Replying to @swagitda_
FYI for people joining the thread late, here is someone from google chrome’s response:
Kelly Shortridge 31 Mar 18
see the response here:
Kelly Shortridge 31 Mar 18
Replying to @swagitda_
Follow up from the google chrome security lead for those navigating the thread:
justin_lister 31 Mar 18
Is this ALL system files or only those downloaded via Chrome including Chrome extension and settings? seems to infer the latter - if the former then definitely see serious concern (even though intention was good)
Kelly Shortridge 31 Mar 18
The way I discovered it was a non-system file (in my Documents\) folder
Kelly Shortridge 1 Apr 18
Replying to @justinschuh
Update: another thread by from Chrome’s team to read (read before DMing him!):