Kelly Shortridge
@swagitda_
I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out @googlechrome quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in \Documents\ pic.twitter.com/IQZPSVpkz7
Kelly Shortridge
@swagitda_
Mar 29
Here’s the source on the Windows device scanning: support.google.com/chrome/answer/… “Chrome helps you find suspicious or unwanted programs on your Windows computer.”
Logan Attwood
@halifaxbeard
Mar 29
@SwiftOnSecurity might be interested in this
Xavier Ashe
@XavierAshe
Mar 29
I wonder what @googlechrome does with the data it collects via this hidden feature....
Kelly Shortridge
@swagitda_
Mar 29
As far as I can see, it doesn’t warn you about this anywhere in Chrome Settings (including Advanced Settings). Also couldn’t find any documentation on what exactly it’s supposed to scan, just that it does. Feels like something that should be an opt-in.
Ant Stanley
@IamStan
Mar 29
So do I! That would be more disturbing than Google doing it... I think ...
Kelly Shortridge
@swagitda_
Mar 29
I’m pretty confident it’s Chrome itself, not a plug-in or script, particularly given they admit they do it. But I’ll have to test further to 100% confirm.
Kelly Shortridge
@swagitda_
Mar 29
I’m also now wondering if this is why my box is crashing so often 🤔 When I googled the errors before, the advice was to uninstall third-party AV & until now I didn’t think I had any.... ffs
James Case
@usercyberspace
Mar 29
I wonder if they are saving and uploading the file paths 'for cloud analysis'.
buherator
@buherator
Mar 30
cc @justinschuh
Mohammed Aldoub
@Voulnet
Mar 30
No reason to think they won't be doing it anytime soon.
This makes me remember how the Google Chrome security team is so publicly against AV... And now they create a hidden one in their browser.
Undocumented too.
#Uninstall_Chrome
Justin Schuh 🗑
@justinschuh
Mar 30
Well, it targets Chrome hijacking rather than the much broader scope of general purpose AV/AM. But yeah, here's the announcement (and we're also preparing to open source the AV sandbox code). google.com/amp/s/www.blog…
Kelly Shortridge
@swagitda_
Mar 30
I think it’s super unclear from that announcement that non-system files (i.e. personal / professional files) will also be scanned towards that goal. I’m actually really surprised you haven’t had pushback from enterprises (if they’re aware).
Justin Schuh 🗑
@justinschuh
Mar 30
Just to be very clear, this is all local scans with a local signature engine, so no data from the scans should leave the system (i.e. it's absolutely not "cloud" AV). It's also a vastly narrower and less invasive scan than conventional AV/AM.
Justin Schuh 🗑
@justinschuh
Mar 30
I also have to double check, but I believe there's an enterprise opt-out, because this is really intended for unmanaged consumer systems (since they're the most commonly hijacked).
Kelly Shortridge
@swagitda_
Mar 30
Really appreciate you responding & explaining (though I still really wish there was a consumer opt-out, even just in advanced settings). Will this be part of what you’ll be posting publicly?
мара-яга
@marasawr
Mar 30
That ‘unwanted software policy’ is super interesting – would love to read/hear more about how Chrome-ESET makes it go.
Justin Schuh 🗑
@justinschuh
Mar 30
A correction: There is currently no enterprise policy to disable it (because enterprise policies have been abused in the past to hijack consumer systems), but I'm having the team investigate solutions to better address enterprise concerns.
Justin Schuh 🗑
@justinschuh
Mar 30
The problem with consumer opt-outs is that they're the first switch that gets toggled during a hijack, so they end up being immediately self-defeating. It's just a very hard set of concerns to balance.
Kelly Shortridge
@swagitda_
Mar 30
No doubt thought went into it, although I don’t necessarily agree with the result of it. I’ll be on the lookout for when y’all publish more info on it. Again, appreciative of you taking the time to respond.