
Microsoft security tools nuking Chrome browser - FrancescoRizzi
http://www.zdnet.com/blog/security/microsoft-security-tools-nuking-chrome-browser/9515
======
martokus
On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was
identified. On September 30th, 2011, Microsoft released an update that
addresses the issue. Signature versions 1.113.672.0 and higher include this
update.
[http://www.microsoft.com/security/portal/Threat/Encyclopedia...](http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=PWS:Win32/Zbot&threatid=2147598479)

~~~
_--_----_--_
case closed?

------
kevingadd
The sad reality is that a modern app like Chrome does look a lot like malware.
It does a bunch of crazy things you might not expect a regular piece of
software to do - manipulating file permissions and spawning large groups of
processes, installing into a rather obscure part of the user's appdata folder
instead of into program files, downloading arbitrary payloads from the
internet and then using those payloads to modify executables on the user's
machine...

It's always unpleasant when you get flagged by a virus scanner. Antivirus
vendors basically ignore you unless enough of your customers complain to get
their signature database updated. Hopefully in this case, since it's a
high-profile application (Chrome), Microsoft will address the problem quickly.

~~~
hullo
I'm going to guess that this is also partially a consequence of Chrome's
update strategy - presumably Microsoft has a bank of machines with commonly
installed software that they regression test malware updates with - but Chrome
is updating so frequently and 'transparently' (i.e. different than most
commonly installed software) that Microsoft's test framework wasn't prepared
to deal with it, and Chrome 11 or 9 or whatever is still passing with flying
colors while 14 is getting zapped in the real world.

~~~
JonnieCache
The delta-based in-place patching technique that Chrome uses to update itself
probably looks really fishy from the outside as well.

~~~
vetinari
Chrome does not update the running exe - it makes a new copy in another
directory. Then the launcher checks for latest directory and runs that.

Existing executables are not modified. Only created and deleted.

------
pohl
How do these malware-signature-matching mechanisms work? What are the odds
that Chrome produces the same matchable-characteristics as Zeus malware? I
don't want to leap to the conclusion that something fishy is going on here.

~~~
wccrawford
With some of the more advanced things like NaCl, it wouldn't surprise me at
all if some of the functionality looked the same, or even had quite a similar
purpose.

We don't know if the malware signature is on bits that do bad things, or just
bits that had been unique to Zeus until now.

Edit: Also, some people are reporting no problems. It could be that those
Chrome instances really were infected. We don't know where they got the
download for Chrome from.

------
blinkingled
Doesn't code signing give any advantage to Chrome? If an executable and all
its dependent libraries are signed by a trusted party, MSE ought to be able to
lower its aggression level a bit. How likely is it that a Google-signed Chrome
exe could be injected or rewritten with malicious code without invalidating
the signature? That, coupled with some whitelisting, and these types of things
should never happen.

~~~
pilif
I don't think that's a good idea. At least not in general. Signing only proves
the identity of whoever signed it. It doesn't say whether the signer's
infrastructure was infected at the time between compiling and signing.

Granted. Google is probably safe. But can you tell that for every third-party
vendor who has a code signing certificate (they are quite easy to get)?

------
runjake
That should be "nuked", the issue was fixed in under an hour this morning.

------
axusgrad
This happened to me today. MSE does give the choice of what action to take, I
figured better safe than sorry. I'll reinstall once it gets straightened out.

------
stanleydrew
Oh dear. No matter what the reality of the situation, Microsoft ends up looking
really terrible here.

~~~
runjake
No they don't. This happens all the time with various anti-virus software.
Modern software is complex.

If it didn't get fixed promptly (it was fixed almost immediately), that's
where looking terrible starts.

For what it's worth, I run MSE & Chrome (2 run the beta, 1 runs release) on
all 3 of my Windows 7 computers and none of them have flagged Chrome so far,
so people's mileage may vary.

~~~
learc83
Doesn't look terrible to you, but just wait, sometime today I'll get an email
from my mom with a link to a news story about how "Microsoft was automatically
uninstalling chrome."

~~~
wickedchicken
Wrong. "That chrome thing you installed was really a virus! I'm going back to
the blue internet button, that worked better"

------
gto16108
It's the same problem with iTunes on the Windows platform. When you sync your
iOS device to your computer it requires so much personal information (e.g.,
music, movies, photos, contacts) that this process looks fishy. Windows is
rarely ever ok with this. Seems no different with Chrome.

~~~
pohl
[iOS5]...to the iCloud!...[/iOS5]

------
CurtHagenlocher
When you have a list of constantly-updated virus signatures being matched
against a set of constantly-updated program binaries, this sort of thing seems
like only a matter of time...

------
RexRollman
I just reinstalled Windows 7 with Chrome on my desktop PC last night. It will
be interesting to see what happens when I get home today.

~~~
drzaiusapelord
The virus definition that caused this has long been pulled. Nothing will
happen.

