
Chrome will now prompt some users to submit passwords for suspicious files

Google is overhauling Chrome’s malware detection to cover password-protected archives, which users of its enhanced Safe Browsing mode can now upload, password included, for deep scanning, a change the browser maker says will allow it to detect more malicious threats.

Google has long allowed users to turn on the enhanced Safe Browsing mode, a Chrome feature that warns users when they download a file it thinks is dangerous, either because of suspicious characteristics or because it’s on a list of known malware. With enhanced mode enabled, Google will prompt users to upload suspicious files that its detection mechanism can neither allow nor block outright, so that they can be scanned more thoroughly. Under the new changes, Google will also prompt these users to provide the password needed to open the file.

Beware of password-protected archives

In a post published on Wednesday, Jasika Bawa, Lily Chen and Daniel Rubery of the Chrome security team wrote:

Not all deep scans can be performed automatically. A current trend in cookie-stealing malware distribution is to package the malware in an encrypted archive—a password-protected .zip, .7z, or .rar file—that hides the file’s contents from Safe Browsing and other anti-virus detection scans. To combat this evasion technique, we implemented two protection mechanisms depending on the safe browsing mode selected by the user in Chrome.

Attackers often make passwords for encrypted backups available in places such as the page from which the file was downloaded or in the name of the download file. For Enhanced Protection users, downloads of suspicious encrypted archives will now prompt the user to enter the file’s password and send it along with the file to Safe Browsing so that the file can be opened and a deep scan can be performed. Uploaded files and file passwords are deleted shortly after they are scanned, and all data collected is only used by Safe Browsing to provide better download protection.

Image: Enter a file password to send an encrypted file for malware scanning. Credit: Google

For those using the standard protection mode that is Chrome’s default, we still wanted to be able to provide some level of protection. In standard protection mode, downloading a suspicious encrypted archive will also trigger a prompt for the file’s password, but in this case both the file and the password remain on the local drive and only the metadata of the archive’s contents is checked with Safe Browsing. As such, in this mode users are still protected as long as Safe Browsing has previously seen and categorized the malware.
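The two mechanisms quoted above rest on one fact about password-protected archives: the central directory (file names, sizes, CRCs, the "encrypted" flag) is readable without the password, but the file contents are not, and the password is often sitting in the download's own name. The script below is an added example, not code from Google or from Chrome: it hand-builds a small ZipCrypto-encrypted .zip (the legacy PKWARE scheme most zip lures use), runs a metadata-only check of the kind a local client can do, then recovers the password from tokens of the archive name and deep-scans the decrypted contents for an MZ header. The archive name, entry names, password and MZ stub are all constructed for the example.

```python
"""Added example: hand-build a ZipCrypto-encrypted .zip, then compare what a
metadata-only check sees with what a deep scan sees once the password is known."""
import io
import re
import struct
import zipfile
import zlib


class ZipCrypto:
    """Traditional PKWARE ('ZipCrypto') keystream, the scheme most zip lures use."""

    def __init__(self, pwd):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in pwd:
            self._update(c)

    @staticmethod
    def _crc_byte(crc, c):
        # one-byte CRC-32 step: table[(crc ^ c) & 0xff] ^ (crc >> 8)
        return zlib.crc32(bytes([c]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, c):
        self.k0 = self._crc_byte(self.k0, c)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keystream is driven by the plaintext so far
        return bytes(out)


def build_encrypted_zip(entries, pwd):
    """Write a STORED zip whose entries are ZipCrypto-encrypted with pwd."""
    buf, central = io.BytesIO(), bytearray()
    dos_time, dos_date = 0, ((2024 - 1980) << 9) | (1 << 5) | 1  # 2024-01-01
    for name, data in entries.items():
        crc = zlib.crc32(data)
        cipher = ZipCrypto(pwd)
        # 12-byte encryption header; readers only check that byte 11 equals the
        # CRC's high byte (real writers fill bytes 0-10 with random data).
        body = cipher.encrypt(bytes(11) + bytes([crc >> 24])) + cipher.encrypt(data)
        fname, offset = name.encode("ascii"), buf.tell()
        buf.write(struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, 1, 0, dos_time,
                              dos_date, crc, len(body), len(data), len(fname), 0))
        buf.write(fname + body)
        central += struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, 1, 0,
                               dos_time, dos_date, crc, len(body), len(data),
                               len(fname), 0, 0, 0, 0, 0, offset) + fname
    cd_offset = buf.tell()
    buf.write(central)
    buf.write(struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                          len(central), cd_offset, 0))
    return buf.getvalue()


EXEC_EXTS = (".exe", ".scr", ".dll", ".msi", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".lnk")


def candidate_passwords(archive_name):
    """Tokens of the download's own name, where lure passwords are often placed."""
    stem = archive_name.rsplit(".", 1)[0]
    return [t for t in re.split(r"[\s_\-.()\[\]]+", stem) if t]


def read_entry(blob, name, pwd=None):
    """Read one entry; returns None when the archive refuses without a password."""
    try:
        return zipfile.ZipFile(io.BytesIO(blob)).read(name, pwd=pwd)
    except RuntimeError:
        return None


def inspect_archive(blob, archive_name):
    zf = zipfile.ZipFile(io.BytesIO(blob))
    report = {"entries": [], "metadata_suspicious": False, "password": None, "deep_scan": {}}
    # Stage 1: metadata only. Names, sizes and CRCs are visible; contents are not.
    for info in zf.infolist():
        encrypted = bool(info.flag_bits & 0x1)
        report["entries"].append((info.filename, encrypted, info.file_size))
        if encrypted and info.filename.lower().endswith(EXEC_EXTS):
            report["metadata_suspicious"] = True
    # Stage 2: recover the password from the file name, then deep-scan contents.
    encrypted_entries = [i for i in zf.infolist() if i.flag_bits & 0x1]
    for cand in (candidate_passwords(archive_name) if encrypted_entries else []):
        try:
            zf.read(encrypted_entries[0].filename, pwd=cand.encode())
        except (RuntimeError, zipfile.BadZipFile):  # bad check byte or bad CRC
            continue
        report["password"] = cand
        break
    if report["password"]:
        for info in zf.infolist():
            data = zf.read(info.filename, pwd=report["password"].encode())
            report["deep_scan"][info.filename] = "PE (MZ header)" if data[:2] == b"MZ" else "other"
    return report


# Constructed sample lure: an MZ-headed stub behind a password that sits in the
# archive's own file name, the pattern the Google post describes.
SAMPLE_NAME = "Invoice_Q3_pass_invoice2024.zip"
SAMPLE_ZIP = build_encrypted_zip(
    {"Invoice_Q3.pdf.exe": b"MZ" + bytes(62), "readme.txt": b"the password is in the file name\n"},
    b"invoice2024",
)

if __name__ == "__main__":
    from pprint import pprint
    pprint(inspect_archive(SAMPLE_ZIP, SAMPLE_NAME))
```

Two caveats follow from the code. The metadata stage only works because the zip format leaves the central directory in the clear; a 7-Zip archive created with header encryption (`-mhe=on`) hides even the file names, so a standard-mode check that never sees the password gets nothing useful from it. And the deep-scan stage shows why the password matters so much: once the attacker's own password is recovered, the content check is a trivial header test, which is exactly what Safe Browsing cannot do while the archive stays sealed.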

Sending Google an executable accidentally downloaded from a site advertising a screensaver or media player is likely to cause little, if any, hesitation. For more sensitive files, such as a password-protected work archive, there is likely to be more pushback. Despite assurances that the file and password are deleted shortly after scanning, data-handling failures do happen, and they can go undetected for months or years, if they are detected at all. People using Chrome with enhanced mode turned on should think about what they are sending before entering a password at the prompt.

The second change Google is making to Safe Browsing is a two-tier notification system when users download files. They are:

  1. Suspicious files, meaning that Google’s file review system has given a verdict of lower trust, with an unknown risk of harm to users
  2. Dangerous files, meaning those Google has a high degree of confidence pose a high risk of harm to the user

The new levels are highlighted through iconography, color and text so that users can more easily distinguish between the two levels of risk. “Overall, these improvements in clarity and consistency led to significant changes in user behavior, including fewer skipped warnings, faster attention to warnings, and overall better protection against malicious downloads,” the Google authors wrote.

Previously, Safe Browsing notifications looked like this:

Image: Distinguish between questionable and dangerous warnings. Credit: Google

Over the past year, Chrome has not budged from its continued support for third-party cookies, which allow companies large and small to track users of the browser as they navigate from one website to the next. Google’s alternative to tracking cookies, known as Privacy Sandbox, has also received low marks from privacy advocates because it profiles users’ interests based on their browsing.

However, Chrome has long been a leader in introducing protections, such as a secure sandbox that isolates risky code so it can’t mix with sensitive data and operating system functions. Those who stick with Chrome should at least keep the standard Safe Browsing mode turned on. Users with the experience to choose wisely which files to send to Google should consider turning on enhanced mode.
