Chrome will now ask some users to send passwords for suspicious files
Google is redesigning Chrome’s malware detections to include password-protected executable files that users can submit for in-depth analysis, a change the browser maker says will help it detect more malicious threats.
Google has long allowed users to enable its Safe Browsing Enhanced Mode, a Chrome feature that warns users when they download a file that is considered dangerous, either because of suspicious characteristics or because it is on a list of known malware. When Enhanced Mode is enabled, Google prompts users to upload suspicious files that its detection engine has neither allowed nor blocked. Under the new changes, Google will also prompt those users to provide any password needed to open the file.
Beware of password protected archives
In a post published Wednesday, Jasika Bawa, Lily Chen, and Daniel Rubery of the Chrome Security team wrote:
Not all deep scans can be performed automatically. A current trend in the distribution of cookie-stealing malware is to bundle malware into an encrypted archive (a password-protected .zip, .7z, or .rar file) that hides the file contents from Safe Browsing and other antivirus scans. To combat this evasion technique, we have introduced two protection mechanisms based on the Safe Browsing mode selected by the user in Chrome.
Hackers often make passwords for encrypted archives available in places like the page the file was downloaded from or in the name of the downloaded file. For users with Enhanced Protection, suspicious encrypted archive downloads will now prompt the user to enter the file password and send it along with the file to Safe Browsing so that the file can be opened and a deeper scan can be performed. Downloaded files and file passwords are deleted shortly after they are scanned, and any data collected is only used by Safe Browsing to provide better download protections.
Enter a file password to send an encrypted file for malware scanning
For those using Standard Protection Mode, which is Chrome’s default mode, we still wanted to be able to provide some level of protection. In Standard Protection Mode, downloading a suspicious encrypted archive will also prompt for the file’s password, but in this case, the file and password remain on the local device and only the metadata of the archive’s contents are verified with Safe Browsing. So, in this mode, users are still protected as long as Safe Browsing has previously detected and categorized the malware.
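The evasion described in the quoted post can be seen in the ZIP format itself. The following is an added example, not code from Google or from the original article: it checks the encryption flag on each ZIP entry and shows that the file listing stays visible while the content cannot be read without the password. The sample archive is constructed inline and only carries the flag; its payload is a placeholder, and the names `build_sample` and `triage` are hypothetical.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry data is encrypted


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample archive holding one placeholder entry, setup.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("setup.exe", b"constructed placeholder, not a real binary")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Mark the entry as encrypted in both places the flag is stored:
        # local file header (flags at +6) and central directory record (+8).
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            (flags,) = struct.unpack_from("<H", raw, pos + offset)
            struct.pack_into("<H", raw, pos + offset, flags | ENCRYPTED)
    return bytes(raw)


def triage(data: bytes) -> dict:
    """Report what a scanner can learn from an archive without its password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        locked = [e.filename for e in entries if e.flag_bits & ENCRYPTED]
        readable = True
        try:
            for e in entries:
                zf.read(e)  # zipfile raises RuntimeError when a password is required
        except RuntimeError:
            readable = False
    return {
        "names": [e.filename for e in entries],  # listing stays visible
        "encrypted_entries": locked,
        "content_readable": readable,
    }


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)), ("locked", build_sample(True))):
        print(label, triage(sample))
```

This covers standard ZIP encryption only; 7z and RAR archives can also encrypt the listing of file names, which leaves a scanner with even less to inspect.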
Sending Google an executable file casually downloaded from a site promoting a screen saver or media player is likely to cause little or no hesitation. Submitting more sensitive files, such as a password-protected work archive, is likely to meet more resistance. Despite assurances that the file and password will be promptly deleted, problems sometimes arise that are not discovered until months or even years later. People using Chrome with Enhanced Mode enabled should exercise caution.
A second change Google is making to Safe Browsing is a two-tiered notification system for file downloads. The two tiers are:
Suspicious files, meaning Google’s file verification engine gave a lower trust verdict, with an unknown risk of harm to the user
Dangerous files or those with a high confidence verdict that they pose a high risk of harm to the user
The new levels are highlighted with iconography, colors, and text to make it easier for users to distinguish between different risk levels. “Overall, these improvements in clarity and consistency have resulted in meaningful changes in user behavior, including fewer ignored warnings, faster response to warnings, and overall better protection against malicious downloads,” Google’s authors wrote.
Previously, Safe Browsing notifications looked like this:
Differentiating between suspicious and dangerous warnings.
Over the past year, Chrome has not budged on its continued support for third-party cookies, a move that allows companies large and small to track users of the browser as they move from website to website. Google’s alternative to tracking cookies, known as the Privacy Sandbox, has also gotten poor marks from privacy advocates for tracking users’ interests based on their browser usage.
That said, Chrome has long been a leader in introducing protections, such as a security sandbox that blocks risky code from interfering with sensitive data and operating system functions. Those who stick with Chrome should at a minimum keep the standard Safe Browsing mode enabled. Users with the experience to wisely choose which files to send to Google should consider enabling Enhanced mode.