Despite recent comments to the contrary, Google does not have a secret antivirus in the Chrome web browser, and it is not collecting information about the files on Windows PCs. Google had good intentions—improved security—but it should have been more explicit about what Chrome Cleanup is doing much earlier, instead of waiting until people started asking questions.
“Turns out @googlechrome quietly began performing AV scans on Windows devices last fall,” Kelly Shortridge, a product manager at security risk management company Security Scorecard, posted on Twitter over the weekend. She’d noticed Chrome scanning non-system folders on her computer, including Documents, Pictures, and GitHub.
Shortridge was referring to Chrome Cleanup, a heavily sandboxed version of the endpoint scanning tool from ESET that detects potentially unwanted software and offers to remove it and return Chrome to default settings. Intended for Windows 10, 8.1, 8, and 7, this tool removes software that may cause Chrome to crash, modify Chrome to install unexpected startup pages and toolbars, display ads that aren’t easy to remove, and otherwise change the browsing experience. That includes software such as pop-up ads, unwanted Chrome extensions, toolbars, and browser redirecting software.
Google defines user-friendly software as those applications that require the user to give explicit permission to install the software, are easy to remove, behave as expected, and are transparent about what user data is being collected and how it is being transmitted. Software that tries to trick users into installing or piggybacks on the installation of some other program, or has features the user doesn’t know about, is considered harmful and “we will take steps to protect users from it,” Google wrote in its Unwanted Software Policy.
It’s absolutely not “cloud AV.”
When the scanner finds something that could be potentially malicious, it displays an alert to the user and asks permission to remove the suspicious file. The scanner doesn’t remove files automatically. If the user doesn’t opt out of reporting details to Google (a checkbox on the prompt), the scanner sends metadata about programs installed or running on the system that could be associated with harmful software, such as services and processes, scheduled tasks, system registry values, Windows proxy settings, and software modules loaded into Chrome of the network stack.
Keeping unwanted software off the computers is a laudable goal, but the fact that all this is happening with little public awareness is disconcerting for some. The initial announcement and other publicly available information about Chrome Cleanup did not explicitly state that the tool would be scanning personal files such as images and documents. It’s probably the case that Chrome isn’t looking at the contents of the files being scanned, but the fact remains that this entire process is not very clearly described.
“At no point during my usage of Chrome did I enable a setting for or receive a notification explicitly asking me to agree to allowing Chrome to scan my personal files,” Shortridge said.
Chrome Cleanup is a local signature engine and performs all the scans locally, head of Google Chrome security Justin Schuh said on Twitter in response to Shortridge’s comments. He called it a “vastly narrower and less invasive scan” than conventional antivirus as it looks only for files and processes that interact with Chrome. Back in October, Google product manager Philippe Rivard emphasized that Chrome Cleanup should not be considered a general-purpose antivirus as it only removes software that falls under Google’s definition of unwanted software, and Schuh reiterated that point.
“It’s absolutely not 'cloud AV,’” Schuh said.
While Schuh said it wasn’t a “system-wide scan," the public information also states the tool looks for “browser hijacking points,” which appears to mean points at which the browser can be manipulated. So while he is accurate in saying Chrome Cleanup isn’t scanning the entire disk, such as the kernel and other deep parts of the system, the tool has an extremely broad mandate. When so much of modern software is delivered through the browser, it’s hard to say which file could be considered a potential threat to the browser. It also isn’t specified how Chrome decides which files would be scanned.
“While I understand the Chrome team’s motivations for this, since browser hijacking is indeed a prevalent threat for Windows users, I also feel there is danger in scope creep from just Chrome-related files to system files to personal files, depending on how the Chrome team defines relevant files,” Shortridge said.
Schuh also said the tool runs weekly at “background priority and [with] normal user privs [privileges] for up to 15 minutes,” which doesn’t match Shortridge’s observation that Chrome scanned non-system folders multiple times. It’s just one of the many areas on how Chrome Cleanup works that need more clarification.
Currently, there is no way to turn off this scanning, either on the individual level (through settings) or via enterprise policy. The Chrome team made the call to make this opt-in for everyone, without a way to turn it off, although Schuh said on Twitter the team is now “investigating more opt outs.”
"In this case, Google prioritized ensuring that malicious software cannot bypass the security measure,” Shortridge said.
The irony in this whole discussion is the fact that the way Chrome is performing these scans could fall under the category of “doesn’t tell the user about all of its principal and significant functions,” Google’s own criteria for declaring software as potentially harmful.
Google should have been upfront about how Chrome is behaving on the computer right from the start. The typical user assumes that there is only one antivirus engine running on their system, the one they installed, and would be unaware that something else is also checking the contents of the computer. It is also not easy to find information about what kind of data is being collected or sent back to Google.
“This was a non-trivial change to Chrome for Windows users, and it should not have taken a tweet to lead to proper, explicit disclosure of Chrome Cleanup's methods and the motivations behind its addition, even though the stated intentions are noble,” Shortridge said.