Twitter | Search | |
Kelly Shortridge
I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in \Documents\
2:58 PM - 29 Mar 2018
Twitter
by: Kelly Shortridge @swagitda_
Reply Retweet Like More
Kelly Shortridge Mar 29
Replying to @swagitda_
Here’s the source on the Windows device scanning: “Chrome helps you find suspicious or unwanted programs on your Windows computer.”
View conversation · Reply Retweet Like
Logan Attwood Mar 29
Replying to @swagitda_ @SwiftOnSecurity
might be interested in this
View conversation · Reply Retweet Like
Xavier Ashe Mar 29
Replying to @swagitda_ @googlechrome
I wonder what does with the data it collects via this hidden feature....
View conversation · Reply Retweet Like
Kelly Shortridge Mar 29
Replying to @XavierAshe @googlechrome
As far as I can see, it doesn’t warn you about this anywhere in Chrome Settings (including Advanced Settings). Also couldn’t find any documentation on what exactly it’s supposed to scan, just that it does. Feels like something that should be an opt-in
View conversation · Reply Retweet Like
Ant Stanley Mar 29
Replying to @swagitda_ @googlechrome
So do I! That would be more disturbing than Google doing it... I think ...
View conversation · Reply Retweet Like
Kelly Shortridge Mar 29
Replying to @IamStan @googlechrome
I’m pretty confident it’s Chrome itself, not a plug-in or script, particularly given they admit they do it. But I’ll have to test further to 100% confirm
View conversation · Reply Retweet Like
Kelly Shortridge Mar 29
Replying to @swagitda_
I’m also now wondering if this is why my box is crashing so often 🤔 when I googled the errors before, advice was to uninstall third party AV & until now I didn’t think I had any.... ffs
View conversation · Reply Retweet Like
James Case Mar 29
Replying to @swagitda_
I wonder if they are saving and uploading the file paths 'for cloud analysis'.
View conversation · Reply Retweet Like
buherator Mar 30
Replying to @swagitda_ @laparisa @justinschuh
cc
View conversation · Reply Retweet Like
Mohammed Aldoub Mar 30
Replying to @usercyberspace @swagitda_
No reason to think they won't be doing it anytime soon. This makes me remember how the Google Chrome security team is so publicly against AV... And now they create a hidden one in their browser. Undocumented too.
View conversation · Reply Retweet Like
Justin Schuh 🗑 Mar 30
Replying to @swagitda_ @laparisa
Well, it targets Chrome hijacking rather than the much broader scope of general purpose AV/AM. But yeah, here's the announcement (and we're also preparing to open source the AV sandbox code).
View conversation · Reply Retweet Like
Kelly Shortridge Mar 30
Replying to @justinschuh @laparisa
I think it’s super unclear from that announcement that non-system files (ie personal / professional) files will also be scanned towards that goal. I’m actually really surprised you haven’t had pushback from enterprises (if they’re aware)
View conversation · Reply Retweet Like
Justin Schuh 🗑 Mar 30
Replying to @swagitda_ @laparisa
Just to be very clear, this is all local scans with a local signature engine—so no data from the scans should leave the system (i.e. it's absolutely not "cloud" AV). It's also a vastly narrower and less invasive scan than conventional AV/AM.
View conversation · Reply Retweet Like
Justin Schuh 🗑 Mar 30
Replying to @swagitda_ @laparisa
I also have to double check, but I believe there's an enterprise opt-out, because this is really intended for unmanaged consumer systems (since they're the most commonly hijacked).
View conversation · Reply Retweet Like
Kelly Shortridge Mar 30
Replying to @justinschuh @laparisa
Really appreciate you responding & explaining (though I still really wish there was a consumer opt-out, even just in advanced settings). Will this be part of what you’ll be posting publicly?
View conversation · Reply Retweet Like
мара-яга Mar 30
Replying to @justinschuh @swagitda_ @laparisa
That ‘unwanted software policy’ is super interesting – would love to read/hear more about how Chrome-ESET makes it go
View conversation · Reply Retweet Like
Justin Schuh 🗑 Mar 30
Replying to @swagitda_ @laparisa
A correction: There is currently no enterprise policy to disable it (because enterprise policies have been abused in the past to hijack consumer systems) but I'm having the team investigate solutions to better address enterprise concerns.
View conversation · Reply Retweet Like
Justin Schuh 🗑 Mar 30
Replying to @swagitda_ @laparisa
The problem with consumer opt-outs is that they're the first switch that gets toggled during a hijack—so they end up being immediately self defeating. It's just a very hard set of concerns to balance.
View conversation · Reply Retweet Like
Kelly Shortridge Mar 30
Replying to @justinschuh @laparisa
No doubt thought went into it, although I don’t necessarily agree with the result of it. I’ll be on the lookout for when y’all publish more info on it — again, appreciative of you taking the time to respond
View conversation · Reply Retweet Like