|
@swagitda_ | |||||
|
I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out @googlechrome quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in \Documents\ pic.twitter.com/IQZPSVpkz7
|
||||||
|
||||||
|
|
Kelly Shortridge
@swagitda_
|
29 Mar 18 |
|
Here’s the source on the Windows device scanning: support.google.com/chrome/answer/… “Chrome helps you find suspicious or unwanted programs on your Windows computer.”
|
||
|
||
|
Xavier Ashe
@XavierAshe
|
29 Mar 18 |
|
I wonder what @googlechrome does with the data it collects via this hidden feature....
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
29 Mar 18 |
|
As far as I can see, it doesn’t warn you about this anywhere in Chrome Settings (including Advanced Settings). Also couldn’t find any documentation on what exactly it’s supposed to scan, just that it does. Feels like something that should be an opt-in
|
||
|
|
||
|
Ant Stanley
@IamStan
|
29 Mar 18 |
|
So do I! That would be more disturbing than Google doing it... I think ...
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
29 Mar 18 |
|
I’m pretty confident it’s Chrome itself, not a plug-in or script, particularly given they admit they do it. But I’ll have to test further to 100% confirm
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
29 Mar 18 |
|
I’m also now wondering if this is why my box is crashing so often 🤔 when I googled the errors before, advice was to uninstall third party AV & until now I didn’t think I had any.... ffs
|
||
|
|
||
|
Justin Schuh 🗑
@justinschuh
|
30 Mar 18 |
|
Well, it targets Chrome hijacking rather than the much broader scope of general purpose AV/AM. But yeah, here's the announcement (and we're also preparing to open source the AV sandbox code). google.com/amp/s/www.blog…
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
30 Mar 18 |
|
I think it’s super unclear from that announcement that non-system files (ie personal / professional) files will also be scanned towards that goal. I’m actually really surprised you haven’t had pushback from enterprises (if they’re aware)
|
||
|
|
||
|
|
Justin Schuh 🗑
@justinschuh
|
30 Mar 18 |
|
I also have to double check, but I believe there's an enterprise opt-out, because this is really intended for unmanaged consumer systems (since they're the most commonly hijacked).
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
30 Mar 18 |
|
Really appreciate you responding & explaining (though I still really wish there was a consumer opt-out, even just in advanced settings). Will this be part of what you’ll be posting publicly?
|
||
|
|
||
|
|
Justin Schuh 🗑
@justinschuh
|
30 Mar 18 |
|
The problem with consumer opt-outs is that they're the first switch that gets toggled during a hijack—so they end up being immediately self defeating. It's just a very hard set of concerns to balance.
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
30 Mar 18 |
|
No doubt thought went into it, although I don’t necessarily agree with the result of it. I’ll be on the lookout for when y’all publish more info on it — again, appreciative of you taking the time to respond
|
||
|
|
||
|
Alex Haines
@AlexJamesHaines
|
31 Mar 18 |
|
Is there a chrome setting to stop this ESET / Chrome partnership running?
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
31 Mar 18 |
|
FYI for people joining the thread late, here is someone from google chrome’s response: twitter.com/justinschuh/st…
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
31 Mar 18 |
|
see the response here: twitter.com/justinschuh/st…
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
31 Mar 18 |
|
Follow up from the google chrome security lead for those navigating the thread: twitter.com/justinschuh/st…
|
||
|
|
||
|
justin_lister
@justin_lister
|
31 Mar 18 |
|
Is this ALL system files or only those downloaded via Chrome including Chrome extension and settings? blog.google/products/chrom… seems to infer the later - if the former then definitely see serious concern (even though intention was good)
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
31 Mar 18 |
|
The way I discovered it was a non-system file (in my Documents\) folder
|
||
|
|
||
|
|
Kelly Shortridge
@swagitda_
|
1 Apr 18 |
|
Update: another thread by @justinschuh from Chrome’s team to read (read before DMing him!): twitter.com/justinschuh/st…
|
||
|
|
||