Skip to content

April 7, 2018

Yes Chrome is scanning your Windows PC, but it might be a bug

by John_A

A few days ago Kelly Shortridge, a product manager at SecurityScorecard detected some unexpected behavior on her PC, as a honeypot Canarytoken reported being accessed by Chrome.exe. That’s not what you’d expect from a web browser normally, except for one thing — Google did add some antivirus-y capabilities to its browser on Windows late last year as an enhancement to its Chrome Cleanup tool that can help reset hijacked settings. Google Chrome security lead Justin Schuh explained how the feature works and pointed to some documentation about it, and that was that — until last night.

If you are hitting this issue and you want a fix right now then go to chrome://downloads in your browser, go to the menu in the top right, and select Clear All. That will clear Chrome’s list of downloaded files so that it won’t have any files to existence-check at startup. If you have a large list of downloaded files then this will improve startup time slightly.

It turns out the “AV scanning” wasn’t that at all, and what it was doing could affect you right now. It turns out that Chrome is checking the integrity of downloaded files at startup, and a bug lead it to that particular folder. It relies on the Downloaded History list for this check, and if you have a lot of files in there, it could slow down your computer when you start Chrome. While the dev team is working to skip the check entirely in a future update, users worried about it can fix it by clearing their download history. Easy, right?

I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out @googlechrome quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in Documents pic.twitter.com/IQZPSVpkz7

— Kelly Shortridge (@swagitda_) March 29, 2018

Followed up with @swagitda_ and it turns out the log events weren’t CCT scans. Chrome existence-checks (code below) previously downloaded files, but a bug moved the checks into the startup path. Clearing download history stops the checks. Bug filed here: https://t.co/gLNHJRSGq2 pic.twitter.com/r0aeVAsurr

— Justin Schuh 😑 (@justinschuh) April 6, 2018

Unwanted software protection

The Windows version of Chrome is able to detect and remove certain types of software that violate Google’s Unwanted Software Policy. If left in your system, this software may perform unwanted actions, such as changing your Chrome settings without your approval. Chrome periodically scans your device to detect potentially unwanted software. In addition, if you have opted in to automatically report details of possible security incidents to Google, Chrome will report information about unwanted software, including relevant file metadata and system settings linked to the unwanted software found on your computer.

If you perform an unwanted software check on your computer from the Settings page, Chrome reports information about unwanted software and your system. System information includes metadata about programs installed or running on your system that could be associated with harmful software, such as: services and processes, scheduled tasks, system registry values commonly used by malicious software, Windows proxy settings, and software modules loaded into Chrome or the network stack. You can opt out of sharing this data by deselecting the checkbox next to “Report details to Google” before starting the scan.

If unwanted software is detected, Chrome will offer you an option to remove the software by using the Chrome Cleanup Tool. The Chrome Cleanup Tool also reports information about unwanted software and your system to Google, and again you can opt out of sharing this data by deselecting the checkbox next to “Report details to Google” before starting the cleanup.

This data is used for the purpose of improving Google’s ability to detect unwanted software and offer better protection to Chrome users. It is used in accordance with Google’s Privacy Policy and is stored for up to 14 days, after which only aggregated statistics are retained.

Source: Chromium bugs

Advertisements
Read more from News

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

%d bloggers like this: