I actually used to work as a contractor on this project as a malware analyst. The cleaner was first developed by Google, but they moved to ESET after a while. For what it’s worth, the team are really privacy minded, and I can attest that it did make our job harder to track and possibly clean bad stuff. As a contractor I couldn’t even access any PII, including user reports, since they could contain paths with usernames, etc.
For those that are asking why we can’t disable this, think about if you can disable it how unwanted software can do it just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (And maintain the patches on all versions) than updating some settings file. It’s not as if you didn’t have an alternative anyway, Chromium doesn’t have this component and Firefox is quite awesome.
Anyway, if you have any questions please feel free to ask! I’m not on this project anymore (nor at Google), but I’ve been on the team since the beginning until the ESET transition and I’m still in touch with the team.
I appreciate the details. The stuff on the team isn’t comforting since it could change any time. Far as disabling it, that’s not a good argument given they could just offer a trusted tool that does this for the user. Not just for this but other risky stuff. They could even sell this. If anything, disabling it would reduce attack surface since anti-malware tools have been an attack vector in the past. It will also eliminate any negative impact on performance or watts.
Also true for any service you use. I know it’s hard to believe, but Google is pretty strict about PII and what can be saved where for how long and seen by who and has an organisation overseeing all of this. There are processes in place governing each team at Google that require teams to document every PII they collect and the motivation behind this. In any case, detailed reports are sent only when users opt in to send them.
Could you elaborate? I don’t seem to understand what you want to convey here. Who are “they”, what “tool” and what “stuff” are you talking about here?
The scanner is sandboxed (open-source, part of Chromium) and somewhat limited in what it can do. It’s not your usual anti-malware tool running from the kernel and featuring RCE as a service. I also think it was reviewed by that guy ;)
Something to think about is the actual state of the internet for the broad public. While most of us here won’t benefit from this tool and at worst will find it annoying while it scans in the background, the reality is that a very large portion of internet users are currently infected by spyware and adware. While we are arguing about privacy issues due to Chrome reading some of your files on your disk (And not sending them anywhere), most people have their whole internet history tracked by shady adware corporations and are being shown ads tricking them into buying fraud applications and calling fake tech support. And I’m not even talking about the fact that most of that software has backdoors usable by any actor to run arbitrary payloads. Want an easy botnet? Reverse some of those freeware “updaters”.
Of course the Chrome Cleanup Tool doesn’t fix the root cause, but it could be argued that it’s better than nothing. And from Google’s point of view, there are benefits from it other than invading more of its users’ privacy. When Chrome is crashing due to an adware injecting its unstable DLL, guess who gets the blame? I’ve even seen many reports blaming Google about how Chrome is sending PII or rewriting ads when in fact it was adware being installed on the user’s machine. It’s in Google’s interest to fix this issue before getting to the point where IE was with the toolbar hell.
So in short, Chrome Cleanup Tool is not there to help you, it’s there for your not tech-savvy Windows user that behaves by clicking and running everything as admin it comes across, and is now proxying his whole internet connection through some ad company server.
I don’t want my tools to do things they’re not advertised as doing. Chrome’s job isn’t to scan my files, so it should never do that without telling me.
I don’t want contractors that I hired to replace my siding to break into my house and secretly rewire my kitchen without telling me, no matter how faulty the wiring. I don’t want Chrome to suddenly take it upon itself to scan my data without my express consent.
And now, Google has a list of files on their servers. Ones that a malicious employee can access, or which might be given in bulk to the NSA, should the NSA ask.
It’s not just annoying. It’s a breach of trust.
“should the NSA ask.”
Should they force them, too. Also, in the Lavabit court records, the FBI told the judge the founder could avoid reputational damage by hiding that he gave over the key. He’d just keep telling users it was a private service. The judge agreed. Probably wasn’t the first or won’t be the last agreeing to give the government what they want while telling the company to lie that it couldn’t or didn’t happen.
People hire Chrome to manage their banking account or browse trusted content. When Chrome begins to display more ads than it should, tries to trick the user into paying for fake services or simply steals users’ data, the same users that end up installing those malware are unlikely to understand they are the culprit in the first place. They trusted Chrome to protect them from themselves. Chrome’s only defense at that point is to clean up after the user. Chrome is not annoying, user behavior is, and Chrome Cleanup Tool is only a hack trying to fix a part of the issue.
You don’t expect the contractor to rewire your kitchen because you won’t blame them if you break your wiring. Chrome is a whole other story. You expect someone to tell you if your wiring is about to burn your house down. This is exactly what Chrome is doing here. Many houses have burned down, and blame has been put on Chrome. Now Chrome is doing a quick check-up from time to time, and if it finds some fire hazard it gives you an opportunity to fix it. Chrome is only fixing once you gave it your explicit consent. It also won’t tell anyone unless you tell it otherwise.
It is scanning without consent. For all we know this could be a tool for corporate espionage. Frankly with this knowledge no business and especially no software business should allow their employees to use Chrome. I regularly recommended Chrome to others, but never again.
The goal of Chrome may not be to keep your whole computer malware free, but it is to keep itself secure. If Chrome can be taken over by malware (and as the most used browser, it has a huge target on its back), then how can users trust it as a safe software? If anything, this feature makes it a safer browser.
So to keep itself secure it should also check for vulnerable IoT devices in the network and use the webcam to prevent unauthorized access? /s
“I don’t seem to understand what you want to convey here.”
“For those that are asking why we can’t disable this, think about if you can disable it how unwanted software can do it just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (And maintain the patches on all versions) than updating some settings file.”
This was in the general sense a false claim that I’ve seen way too many times, usually with nefarious features. That association is why I counter it quickly. They could definitely roll out the ability for a user, within the browser UI or as a standalone tool, to change this or other settings where they’re checked at startup and not enabled. Even the AV programs allow this. They let me tell it not to scan things for a certain period of time or at all. Lets me mix and match features of various vendors should I choose to accept the challenges or risk that poses. The attacks on the AVs so far have been malicious input into components that interact with network or files (like the scanners), not the switches in the UI.
That they were stealthy about this and didn’t allow anyone to turn it off means they just don’t care whether all users wanted it or still want it. Them not caring about users’ preferences is a separate issue that other browser vendors have done themselves on some of their components.
“Also true for any service you use.”
It’s always true that people or priorities can change at any time. From there, we look at the organization’s charter/purpose, the business model, its operating environment, and past behavior to assess risk. This is about a widely-deployed application people do tons of private stuff with developed by a publicly-traded, surveillance company working to get closer to Washington, DC. A team in that company rolled out something that started scanning people’s files without their knowledge. I don’t believe it’s nefarious at this point but it’s not just any company or product we’re talking about. The circumstances give more reason to worry than usual for some people.
They shouldn’t have done it or should let people disable it. All that said, I like they at least added some sandboxing and restrictions to it. That’s good.
In my opinion the Chrome malware scanner is a malware itself.
Yes I agree, it might be a good idea to block it with whatever virus scanner you’re currently using and report it as spyware since it literally is spyware. My method stops it from being installed but it’s not a long term solution since they could merely install it somewhere else.
To be honest I have seen so much controversy about Antivirus software, that I think they pretty much defeat their purpose. (remote code execution, often in elevated context, non-sandboxed execution of untrusted code, etc)
I mostly use Windows as a desktop environment, and it mostly suits my needs. I do not wish to pay for extra vulnerabilities and spyware, but the Windows 10 Defender cannot be completely disabled. When the JS analysis engine was found to execute untrusted JS code in SYSTEM context, and that it was actively exploited, I added the Downloads folder to the exclusion list, as that was a major threat vector.
I try to defend against these threats by browsing cautiously and trying to stick to trustworthy, signed software whenever possible, often compiled from source by myself. Does this protect me against every threat? Definitely not, but might be enough for “drive by” assaults. Does this protect me better than an AV suite? Who knows.
What I know: I have never had any problem with cryptolockers on Windows, while I know people who used AV suites, and still had problems. What I don’t know: is my machine currently infected by something malicious.
I’m open to suggestions, but my tin-foil-hat period is over, as it had too much cost, and I am dubious if it had any benefits.
chromium-browser is scrutinized closely enough that this would be noticed on ubuntu, right?
The sandbox engine downloading and running ESET actually appears to be in Chromium: https://cs.chromium.org/chromium/src/chrome/browser/safe_browsing/chrome_cleaner/ so developers are free to review it and remove any reference to it. If my memory serves me well, Chrome Cleaner is not special and should appear in chrome://components/ alongside other optional closed-source components, although I don’t have a Windows machine to validate right now. It should be (Or at least used to be) disabled for builds other than Google Chrome.
Thanks. It doesn’t appear in chrome://components for me, at any rate.
If I look at it on Windows I can see the entry: Software Reporter Tool - Version: 27.147.200
Excellent, a positive control.
isra17’s reply implies there’s no scanner in Chromium, only Chrome. [I wrote this referring to his separate comment–now he has another reply here.] It probably wouldn’t make sense to have this on Linux anyway, just because there isn’t the same size of malware ecosystem there.
(And I think the reporting/story would be different if the scanner were open source–we’d have an analysis based on the source code, people working on patched Chromium to remove it, and so on.)
I’m curious about MacOS. I don’t run Chrome usually, but I have to in some cases, e.g. to use Google Meets for work.
I don’t have an authoritative answer, but https://www.blog.google/products/chrome/cleaner-safer-web-chrome-cleanup/ only talks about Windows.
I don’t see it in chrome://components on my Mac, if that is indeed where it is supposed to appear.
http://www.thewindowsclub.com/disable-google-chrome-software-reporter-tool
For those looking how to remove it, C:\Users\username\AppData\Local\Google\Chrome\User Data\SwReporter is where it is.
I suspect it’s only a matter of time till someone replaces software_reporter_tool.exe with a virus given its obscure nature. Either way, you can use permissions to prevent this folder from being written to. Also no disrespect intended to ISRA, but this program is spyware no matter how benign or helpful it was intended to be.
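
The two checks raised in the last comment, in PowerShell: confirming that software_reporter_tool.exe still carries a valid Authenticode signature (so a replaced binary is noticed), and using permissions to block writes to the SwReporter folder. This is an added example, not part of the thread or of Chrome; the function names and the choice of a Deny entry for the current user are assumptions.

```powershell
# Added example (not from the thread). Only the SwReporter path and the
# executable name come from the comment above; everything else is assumed.
$SwReporterDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\SwReporter'

# List every copy of the reporter binary with its signature status and hash.
function Get-SwReporterSignatureReport {
    param([string]$Root = $SwReporterDir)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'software_reporter_tool.exe' |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status   # 'Valid' = signed and not modified since signing
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Modified = $_.LastWriteTimeUtc
            }
        }
}

# Add (or, with -Remove, take away) an inherited Deny entry that stops the
# current user from creating, changing or deleting files under the folder.
function Set-SwReporterWriteDeny {
    param([string]$Root = $SwReporterDir, [switch]$Remove)
    $user    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $user, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Root
    if ($Remove) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Root -AclObject $acl
}

# Report what is on disk and flag anything whose signature does not verify.
$report = @(Get-SwReporterSignatureReport)
$report | Format-List
$report | Where-Object { $_.Status -ne 'Valid' } |
    ForEach-Object { Write-Warning "Signature not valid: $($_.Path)" }

# Set-SwReporterWriteDeny           # apply the deny entry
# Set-SwReporterWriteDeny -Remove   # undo it
```

The folder's owner can still rewrite its ACL, so the deny entry only stops ordinary writes by processes running as the same user. A Status other than Valid is the signal that the binary needs a closer look.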