
Microsoft: Sorry not sorry, Google Chrome is malware now || Microsoft Defender error causes a false positive flagging Google Chrome updates

Summary

A Microsoft Defender error causes a false positive flagging Google Chrome updates.

 

Quotes

Quote

Several recent Google Chrome updates have been flagged as potentially harmful by Microsoft's in-built antivirus and endpoint protection service, reports have claimed.

A number of Windows system admin reports have shown that Microsoft Defender for Endpoint has been tagging browser updates delivered via the Google Update service as suspicious.

 

The activity is thought to be down to a false positive issue, but it's another possible headache for both Microsoft and Google as they try and disseminate their wares to as wide an audience as possible.

 

My thoughts

Something makes me think that this was a deliberately caused issue that Microsoft tries to shove under the rug, saying it's a bug, in the hope people get scared enough to stop using Chrome and use Edge instead. If it were not for the fact that Microsoft Office was also flagged as malware by Defender.

 

Sources

https://www.bleepingcomputer.com/news/security/microsoft-defender-flags-google-chrome-updates-as-suspicious/

https://www.techradar.com/news/these-google-chrome-updates-were-flagged-as-dodgy-by-microsoft-defender

https://www.windowscentral.com/google-chrome-updates-labeled-suspicious-due-microsoft-defender-false-positive-issue

Microsoft office false positive

https://www.bleepingcomputer.com/news/security/microsoft-defender-tags-office-updates-as-ransomware-activity/

╔═════════════╦═══════════════════════════════════════════╗
║__________________║ hardware_____________________________________________________ ║
╠═════════════╬═══════════════════════════════════════════╣
║ cpu ______________║ ryzen 9 5900x_________________________________________________ ║
╠═════════════╬═══════════════════════════════════════════╣
║ GPU______________║ ASUS strix LC RX6800xt______________________________________ _║
╠═════════════╬═══════════════════════════════════════════╣
║ motherboard_______ ║ asus crosshair formulla VIII______________________________________║
╠═════════════╬═══════════════════════════════════════════╣
║ memory___________║ CMW32GX4M2Z3600C18 ______________________________________║
╠═════════════╬═══════════════════════════════════════════╣
║ SSD______________║ Samsung 980 PRO 1TB_________________________________________ ║
╠═════════════╬═══════════════════════════════════════════╣
║ PSU______________║ Corsair RM850x 850W _______________________ __________________║
╠═════════════╬═══════════════════════════════════════════╣
║ CPU cooler _______ ║ Be Quiet be quiet! PURE LOOP 360mm ____________________________║
╠═════════════╬═══════════════════════════════════════════╣
║ Case_____________ ║ Thermaltake Core X71 __________________________________________║
╠═════════════╬═══════════════════════════════════════════╣
║ HDD_____________ ║ 2TB and 6TB HDD ____________________________________________║
╠═════════════╬═══════════════════════════════════════════╣
║ Front IO__________   ║ LG blu-ray drive & 3.5" card reader, [trough a 5.25 to 3.5 bay]__________║
╠═════════════╬═══════════════════════════════════════════╣ 
║ OS_______________ ║ Windows 10 PRO______________________________________________║
╚═════════════╩═══════════════════════════════════════════╝

 

Link to comment

3 minutes ago, bmx6454 said:

seems a little too "tinfoil hat" to me to think that they did it deliberately

After all the shenanigans around forcing Edge, I'd say it's well within their MO....

Link to comment

6 minutes ago, bmx6454 said:

seems a little too "tinfoil hat" to me to think that they did it deliberately. definitely funny though.

Well, with everything going on around Edge, and how desperately they want you to use it in combination with Bing, there might be some truth in that they caused the false positive on purpose.

 

 


 

Link to comment

Just now, darknessblade said:

Well, with everything going on around Edge, and how desperately they want you to use it in combination with Bing, there might be some truth in that they caused the false positive on purpose.

 

 

At the very least, I'm sure it was a "happy accident" lol

Link to comment

Stuff like this is why I have disabled Defender in favor of McAfee, deleted Edge in favor of Firefox, and so forth. I use very little Microsoft other than Windows. If they stop trying to put their hand in my pocket every time I boot my computer, maybe that will change. They tried to charge me for a codec I already had on my computer about five months ago.

I don't badmouth others' input, I'd appreciate others not badmouthing mine. *** More below ***

 

MODERATE TO SEVERE AUTISTIC, COMPLICATED WITH COVID FOG

 

Due to the above, I've likely revised posts <30 min old, and do not think as you do.

THINK BEFORE YOU REPLY!

Link to comment

In a way it kinda is though.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |

Link to comment

It's not Windows Defender, it's Windows Defender for Endpoint.

Different product, but whatever. Click bait for the win.

 

But if you want to think it is Microsoft playing games, perhaps it was retaliation for Google "accidentally" banning Chromium Edge on its sites. Or Google blocking Windows Phone from its services all these years ago.

 

Anyways, false positive is always a thing with security software. Better be safe than skip some.

Link to comment

3 hours ago, Needfuldoer said:

Years and years ago at work, our antivirus quarantined its own update service as a false positive. That was a fun mess to detangle!

I mean... Nowadays, most antiviruses are actually malware. They don't really protect against anything, you can't uninstall them easily, and they scan all your things and files in the background making your PC really slow. Now, considering that nothing is free... Just saying 🤷‍♂️

Link to comment

Given how Chrome/Google scrapes data, not out of the realm of possibility that Chrome acts like malware. Office must be doing something similar.

Remember 2019?

https://www.bleepingcomputer.com/news/microsoft/microsoft-office-asking-users-to-send-more-usage-data/

The best gaming PC is the PC you like to game on, how you like to game on it

Link to comment

7 hours ago, GoodBytes said:

perhaps it was retaliation for Google "accidentally" banning Chromium Edge on its sites. Or Google blocking Windows Phone from its services all these years ago.

What is this, kindergarten? It wasn't fine back then, what Google did, and it isn't fine what MS did ATM.....

Link to comment

14 hours ago, Ydfhlx said:

I mean... Nowadays, most antiviruses are actually malware. They don't really protect against anything, you can't uninstall them easily, and they scan all your things and files in the background making your PC really slow. Now, considering that nothing is free... Just saying 🤷‍♂️

This was over a decade ago, we still had Windows XP deployed on about half of the PCs in the company.

 

I haven't had an antivirus make a PC "really slow" in even longer than that. Maybe if you're running one of the freebie ones that are only supported by advertising, or maybe a boxed copy of Norton or McAfee off the shelf...

I sold my soul for ProSupport.

Link to comment

18 hours ago, darknessblade said:

Something makes me think that this was a deliberately caused issue that Microsoft tries to shove under the rug, saying it's a bug, in the hope people get scared enough to stop using Chrome and use Edge instead.

Yes, Google is so very much in danger of losing top spot......

 


 

Also people SHOULD stop using Chrome. Google has enough control over the internet already....


Link to comment

3 hours ago, Arika S said:

Also people SHOULD stop using Chrome. Google has enough control over the internet already....

And Edge or any Chromium-based browser is probably also not a good choice if you would like to support an open internet, since it relies on the underlying Chromium, which is developed by Chrome/Google.

I found this video informative on why Chrome should not dominate the Web.

Edited by RockSolid1106
On 4/5/2024 at 10:13 PM, LAwLz said:

I am getting pretty fucking sick and tired of the "watch something else" responses. It's such a cop out answer because you could say that about basically anything, and it doesn't address the actual complaints. People use it as some kind of card they pull when they can't actually respond to the criticism raised but they still feel like they need to defend some company/person. If you don't like this thread then stop reading it. See how stupid it is? It's basically like telling someone "shut the fuck up". It's not a clever responsive, it doesn't address anything said, and it is rude. 

 ^

 

bruh switch to dark mode its at the bottom of this page

VPN Server Guide

Link to comment

6 hours ago, RockSolid1106 said:

And Edge or any Chromium-based browser is probably also not a good choice if you would like to support an open internet, since it relies on the underlying Chromium, which is developed by Chrome/Google.

I found this video informative on why Chrome should not dominate the Web.

While it's also Chromium-based... it really sucks Samsung Internet isn't available outside of Android... best browser hands down (fast, lots of options, great design, imo)

 

Chrome:

It's just boring, even the settings lol

 

Samsung Internet:

True black instead of bluish gray, instant win! : D

 

(tbf Chrome on PC can at least be made dark with some themes)

 

Does Firefox still have "tab collection"? I hate it so much tbh...

 

😬😬😬

 

(and the dreadful gray is back too!)

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 

Link to comment

I am sure some people will say this was an accident, but honestly, how many times do we give Microsoft the benefit out the doubt?

It seems like every other week that Microsoft gets caught "accidentally" doing something that benefits themselves greatly at the expense of someone else. 

Link to comment

Tbh I have Windows Defender and Chrome... nothing at all happened yet... kinda call fake on this lol..

 

 

23 hours ago, GoodBytes said:

It's not Windows Defender, it's Windows Defender for Endpoint.

Different product, but whatever. Click bait for the win.

 

 

Ah, I see! So "kinda fake news" lol.

 

23 hours ago, GoodBytes said:

Or Google blocking Windows Phone from its services all these years ago.

I seem to remember this... that was really petty... I could understand the Play Store, but Gmail, etc. too? On the other hand MS really bungled the Windows Phone, they should have made sure they had support from the other big guys - or maybe it just wasn't meant to be, it's a shame cause I liked the hardware and OS, it just seemed it had really poor app support (if true or not)


 

 

 

Link to comment

Yeah this doesn't surprise me at all. MS regularly tries BS like this.

Link to comment

On 4/24/2022 at 12:25 AM, GoodBytes said:

Or Google blocking Windows Phone from its services all these years ago.

7 hours ago, Mark Kaine said:

I seem to remember this... that was really petty... I could understand the Play Store, but Gmail, etc. too? On the other hand MS really bungled the Windows Phone, they should have made sure they had support from the other big guys - or maybe it just wasn't meant to be, it's a shame cause I liked the hardware and OS, it just seemed it had really poor app support (if true or not)

It's worth noting that things were not really as black and white as some reports might make it seem.

Basically, writing apps for WP was awful (it required the use of Silverlight, Microsoft's Flash competitor), and since barely anyone used WP, Google didn't bother developing for it.

Microsoft's response to this was to develop their own YouTube client, except they also included things that broke the YouTube ToS like ad blocking and video downloading.

 

When Microsoft crawled back to Google, begging for forgiveness, Google took advantage of the situation and asked Microsoft to develop a web-based app. Why? Because Microsoft at the time were extremely against open web standards, which of course pissed Google off. So this was Google trying to leverage the situation to make Microsoft implement proper standards support for their browsers.

Did Google take advantage of the situation? Absolutely.

Was the issue as one-sided as some people want to paint it, where Google were being unreasonably evil and Microsoft were just a poor victim of abuse? Absolutely not.

Link to comment

10 hours ago, Mark Kaine said:

While it's also Chromium-based... it really sucks Samsung Internet isn't available outside of Android... best browser hands down (fast, lots of options, great design, imo)

 

Chrome:

It's just boring, even the settings lol

 

Samsung Internet:

True black instead of bluish gray, instant win! : D

 

(tbf Chrome on PC can at least be made dark with some themes)

 

(and the dreadful gray is back too!)

I prefer dark grey to actual black.

That said, I use Vivaldi everywhere.

 

My biggest issue with Samsung internet was that on dark mode, it made photos on websites darker too, I don't want that.

Also, I don't remember if you could turn off dark mode on individual sites like you can on Vivaldi on phones?

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking

Link to comment

3 hours ago, Mihle said:

I prefer dark grey to actual black.

I can see that, I mean there has to be some accents for sure, but I definitely prefer mostly black, it's just easier to read for me, gray/white is (by definition) a bad mix imo.

 

I had to mod my Steam client for example because I just couldn't take the gray anymore... it's now a mix of true black (0/0/0) and bright pink! : p

Looks cool *and* is easy to read (far from perfect tho, since some buttons are difficult to see because they're also almost black, but that would just require a bit more tinkering...)

 

That said, I don't use the dark mode in Samsung Internet actually (just checked)... but I have dark mode on my phone actually - but that's different to the browser dark mode apparently - what's also cool, even in "light mode" the color scheme is exactly the same as the rest on my phone, so it always feels "familiar"... I would prefer even more black, but it's pretty good how it is lol.

 

I also use my phone's "dark mode" 24h, it's not a night thing to me, I just can't stand most "light modes" ¯\_(ツ)_/¯

 

3 hours ago, Mihle said:

Also, I don't remember if you could turn off dark mode on individual sites like you can on Vivaldi on phones?

I don't think you can, although it might be in a newer version...

 

I probably should try Vivaldi because I haven't, but then it's also really difficult to switch browsers. On my desktop I use Chrome, because it's actually the most *lightweight*; other browsers are memory hogs in my experience, bad because I often stream and play games... (1 YT window + stream is like 200-400 MB max)

 


 

 

 

Link to comment

On 4/24/2022 at 10:25 AM, GoodBytes said:

It's not Windows Defender, it's Windows Defender for Endpoint.

Different product, but whatever. Click bait for the win.

To be fair, the naming is highly confusing. The re-use of the name Defender makes it really hard for those not in the know to see that it's actually a reporting and analytics platform with some co-management of the Defender client/agent in Windows (depending on whether it's Windows 10 and newer, or using the legacy client application which requires installing, and on Server OS the Microsoft Monitoring Agent software also installed).

 

The problem really comes down to the threat response rules that have been defined in the MDE configuration; this could result in an alert/warning only or could put clients into isolation mode. The impact is basically entirely down to the security policies each company/network has.

 

It's a pity, since one of the good things about actual Defender was its low rate of false positives compared to, say, Symantec.

 

As to why this got triggered, well, that's rather simple actually. The component of the MDE solution that is involved is Endpoint Detection and Response (EDR), which is a behavioral and telemetry based approach/system, and something like monthly or less frequent automatic application updates can easily get caught by these, as they are, by these standards of security, abnormal activity.

 

Then on the technical level Google is not blameless either, as their update process makes it very easy to trigger this. The Google Update application downloads a new set of files that are not signed correctly to the user's temp directory in their profile and then replaces the current, correctly signed files in the Google Chrome install location. As part of the update process these replaced files do get correctly signed, how I'm not sure, but I'm looking at the MDE alerts in the portal right now and I can clearly see the files in C:\users\[account]\AppData\Local\temp\ are not signed, and that's a real problem, because if they were signed then signed files with the same signature and file name replacing each other would not trigger MDE EDR.

 

What I don't know is whether this applies only to per-user Google Chrome installs or also to All Users (system) installs; that difference could well matter.

 


Quote

The dll loaded is posing as the one usually loaded by this executable, but is actually different. This may indicate potential dll side-loading, a technique used by adversaries to load malicious code into a trusted executable for the purpose of gaining higher privileges, hiding from antivirus programs, or command and control communication.

 

TL;DR Google you need to fix your updater and file signing.

Link to comment
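A way to check the signature claim in Leadeater's post on your own machine, as an added example that is not from the original thread, Google or Microsoft. It assumes Chrome's default install paths (hypothetical for your machine), that the updater stages files under %TEMP%, and the function names are mine; it lists same-named binaries whose staged copy is not validly signed while the installed copy is, which is the name-matches-but-signature-differs pattern the quoted MDE alert describes.

```powershell
# Added example, not Google's updater or Microsoft's MDE logic. Assumptions:
# Chrome lives in one of the two default install directories below and the
# updater stages its new files somewhere under $env:TEMP (the post's claim).
# Only real cmdlets are used: Get-ChildItem, Get-AuthenticodeSignature, Get-FileHash.

function Get-SignedBinaryInfo {
    # Authenticode status and SHA-256 of every DLL/EXE under $Path.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $_.FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Compare-StagedAgainstInstalled {
    # For each staged binary that shares a file name with an installed Chrome
    # binary, report both signature states and whether the content differs.
    param(
        [string[]]$InstallDirs = @(
            "$env:ProgramFiles\Google\Chrome\Application",      # All Users install (assumed path)
            "$env:LOCALAPPDATA\Google\Chrome\Application"       # per-user install (assumed path)
        ),
        [string]$StagingDir = $env:TEMP                          # assumed staging location
    )
    $installed = @{}
    foreach ($dir in ($InstallDirs | Where-Object { Test-Path $_ })) {
        foreach ($f in Get-SignedBinaryInfo -Path $dir) {
            $installed[$f.Name.ToLowerInvariant()] = $f
        }
    }
    foreach ($staged in Get-SignedBinaryInfo -Path $StagingDir) {
        $match = $installed[$staged.Name.ToLowerInvariant()]
        if (-not $match) { continue }    # unrelated temp files are not interesting here
        $verdict =
            if ($staged.Status -ne 'Valid' -and $match.Status -eq 'Valid') {
                'staged copy NOT validly signed, installed copy is: the pattern MDE flagged'
            } elseif ($staged.Sha256 -eq $match.Sha256) {
                'identical content'
            } else {
                "different content (staged: $($staged.Status), installed: $($match.Status))"
            }
        [pscustomobject]@{
            Name            = $staged.Name
            StagedPath      = $staged.Path
            StagedStatus    = $staged.Status
            InstalledStatus = $match.Status
            InstalledSigner = $match.Signer
            Verdict         = $verdict
        }
    }
}

Compare-StagedAgainstInstalled | Format-Table -AutoSize
```

Run it while an update is in flight (or against a copied staging directory) to see the unsigned-then-replaced state the post describes; a staged copy that is already Valid with the same signer is the benign case.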

13 hours ago, LAwLz said:

I am sure some people will say this was an accident, but honestly, how many times do we give Microsoft the benefit out the doubt?

It seems like every other week that Microsoft gets caught "accidentally" doing something that benefits themselves greatly at the expense of someone else. 

I'd read my above post; Google isn't so "not to blame" here, heh. Also not a good idea security-wise to just flag these known files as trusted and then ignore them; that's why signing exists and that's why the files not being signed through all stages of the update process is a problem.

Link to comment
