Kelly Shortridge, a product manager at SecurityScorecard, detected some unusual behavior on her PC a few days ago. She noticed that a honeypot Canarytoken was being accessed by Chrome.exe. This is unusual because you wouldn’t expect a web browser to behave that way, but there’s one thing to keep in mind: Google added some antivirus capabilities to Chrome on Windows late last year to bring more enhancements to its Chrome Cleanup tool.
Google Chrome security lead Justin Schuh explained how the feature is supposed to work and pointed everyone to documentation about it, and that was it, until last night.
If you are hitting this issue and you want a fix right now then go to chrome://downloads in your browser, go to the menu in the top right, and select Clear All. That will clear Chrome’s list of downloaded files so that it won’t have any files to existence-check at startup. If you have a large list of downloaded files then this will improve startup time slightly.
Apparently it wasn’t behaving the way it was supposed to, and could be affecting you right now. It turns out that Chrome is checking the integrity of downloaded files at startup, and a bug led it to that particular folder. The feature relies on the Downloaded History list, and if you have a lot of files in your downloads folder, it could slow your computer down when you start up Chrome.
The dev team has said that they’re working to skip this check entirely in a future update. Users who are worried about this can fix it by clearing their download history. Simple enough, right?
I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out @googlechrome quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in Documents pic.twitter.com/IQZPSVpkz7
— Kelly Shortridge (@swagitda_) March 29, 2018
Followed up with @swagitda_ and it turns out the log events weren't CCT scans. Chrome existence-checks (code below) previously downloaded files, but a bug moved the checks into the startup path. Clearing download history stops the checks. Bug filed here: https://t.co/gLNHJRSGq2 pic.twitter.com/r0aeVAsurr
— Justin Schuh 😷 (@justinschuh) April 6, 2018
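For anyone triaging a similar canary alert, here is one way to test whether a hit fits the startup existence check described above. This is an added example, not code from Chrome or from the original article; the event fields, the 60-second window, and all sample paths and times are constructed assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: how long after a Chrome launch still counts as "startup".
STARTUP_WINDOW = timedelta(seconds=60)

def under(canary, path):
    """True if path is the canary folder or lies inside it (case-insensitive)."""
    c, p = PureWindowsPath(canary), PureWindowsPath(path)
    return p == c or c in p.parents

def triage(hit, chrome_starts, download_paths):
    """Classify one canary hit; returns (verdict, reason)."""
    # The image name alone can be spoofed: a "likely-benign" verdict still
    # calls for confirming the binary's full path and signature.
    if PureWindowsPath(hit["process"]).name.lower() != "chrome.exe":
        return "investigate", "accessing process is not chrome.exe"
    listed = [d for d in download_paths if under(hit["canary"], d)]
    if not listed:
        return "investigate", "no download-history entry points into the canary"
    t = datetime.fromisoformat(hit["time"])
    near = any(timedelta(0) <= t - datetime.fromisoformat(s) <= STARTUP_WINDOW
               for s in chrome_starts)
    if not near:
        return "investigate", "hit is not close to a Chrome launch"
    return "likely-benign", "startup existence check of " + listed[0]

# Constructed sample data: paths exported from the download history,
# Chrome process start times, and canary hits from file-access auditing.
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
CANARY = r"C:\Users\alice\Documents\finance"
DOWNLOADS = [r"C:\Users\alice\Downloads\setup.exe",
             r"C:\Users\alice\Documents\Finance\report.pdf"]
CHROME_STARTS = ["2018-03-29T09:00:00"]
HITS = [
    {"time": "2018-03-29T09:00:04", "process": CHROME, "canary": CANARY},
    {"time": "2018-03-29T14:30:00", "process": CHROME, "canary": CANARY},
    {"time": "2018-03-29T09:00:05",
     "process": r"C:\Windows\System32\cmd.exe", "canary": CANARY},
]

if __name__ == "__main__":
    for h in HITS:
        print(h["time"], *triage(h, CHROME_STARTS, DOWNLOADS))
```

Only the first hit is explained by the existence check; a chrome.exe hit hours after launch, or a hit from any other process, stays open for investigation.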
Unwanted software protection
The Windows version of Chrome is able to detect and remove certain types of software that violate Google’s Unwanted Software Policy. If left in your system, this software may perform unwanted actions, such as changing your Chrome settings without your approval. Chrome periodically scans your device to detect potentially unwanted software. In addition, if you have opted in to automatically report details of possible security incidents to Google, Chrome will report information about unwanted software, including relevant file metadata and system settings linked to the unwanted software found on your computer.
If you perform an unwanted software check on your computer from the Settings page, Chrome reports information about unwanted software and your system. System information includes metadata about programs installed or running on your system that could be associated with harmful software, such as: services and processes, scheduled tasks, system registry values commonly used by malicious software, Windows proxy settings, and software modules loaded into Chrome or the network stack. You can opt out of sharing this data by deselecting the checkbox next to “Report details to Google” before starting the scan.
If unwanted software is detected, Chrome will offer you an option to remove the software by using the Chrome Cleanup Tool. The Chrome Cleanup Tool also reports information about unwanted software and your system to Google, and again you can opt out of sharing this data by deselecting the checkbox next to “Report details to Google” before starting the cleanup.