Issue with Malware in AppData and Chrome Folders

Hello All,


I wanted to bring a major issue to Sophos' attention. We keep getting malware in our endpoint user profiles. The specific folders that sometimes become infected are associated with Google Chrome: C:\Users\<username>\AppData\Local\Google\Chrome\User Data. If I run MalwareBytes on some machines, we are finding tons of malware infecting these files. At first they seemed to be associated with Chrome Add-Ons, which we removed, and the issues subsided. However, I encountered a machine yesterday that was so infected in these Chrome files that I had to issue the user a new machine and nuke the HD on the old one.

My question is: "Why is Sophos Antivirus/Endpoint Protection NOT finding this malware and removing it, or even protecting our endpoints?" We are using Sophos Central and all machines have Intercept X installed with the newest Sophos Antivirus.

  • Hello ML Rankin,

    [disclaimer: I'm not Sophos]
    Malware is a general term and often used for all kinds of unwanted and dubious stuff like, for example, tracking cookies.

    An infection is normally not so picky that it would confine itself to, say, the Chrome UserData folder. What Malwarebytes finds fault with could be associated with add-ons. I won't rule out that there's something that is strictly malware - but even if it is, how could someone answer your "why NOT"? Malwarebytes likely gives these malwares names, and in addition the names of the files that are allegedly infected might help to assess the situation.

    Christian

  • I understand. However, if MalwareBytes is finding these infections and giving them names, it helps us identify issues and resolve them. It was our hope that Sophos would be able to identify these infections for us. Do we need to also run MalwareBytes on our endpoints to guard against these infections?

  • Hello ML Rankin,

    it's still not clear what you call malware and infections. I've never really used Malwarebytes, once or twice perhaps. IIRC it is pretty "aggressive". AV proper (SAV in this case) usually ignores things like cookies and non-executables. Intercept X (HitmanPro.Alert) monitors execution, i.e. what processes do or attempt to do, it doesn't care about static and "immobile" stuff.
    Dunno how Sophos Clean (SophosClean.exe) is integrated with Central Intercept X, it can scan for malware remnants and cookies. AFAIK it is called to mop up when Intercept X detected certain threats.

    Christian

  • I guess I will have to wait until something else gets infected or breaks and I have to run MalwareBytes to see what it finds. I did not take a screenshot to show it more specifically. But I will say that there is a huge difference between what Sophos is finding and what MalwareBytes sees. It is only significant when a machine breaks or some weird issue happens in Chrome. But this is our way of letting Sophos know that the AppData folders being used by Google Chrome are NOT being scanned or protected properly.

  • Hi  

    Sophos Anti Virus is capable of detecting and removing malicious or potentially unwanted browser extensions. In addition, if you are using Sophos Intercept X, that is capable of detecting potentially malicious behavior from those extensions and stopping the browser process.

    Likewise, when a file is saved/created, Sophos performs a scan before the file is written to the drive. This is default behavior if you have Real-Time scanning enabled (which itself is enabled by default). When you install an extension in Chrome on a Windows workstation, files get created under "C:\Users\[login_name]\AppData\Local\Google\Chrome\User Data\Default\Extensions". When those files are being created is when Sophos actively scans the newly created extensions.

    In this case, I would request that you submit a sample to SophosLabs if you have any files which are not being scanned as per your observations.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Thanks Shweta for responding. I understand and will be searching for more infections and hopefully send you a report of the scan through the above "submit a sample" link.

  • Just a thought on this, 

    Sophos and Malwarebytes aside, a good system administrator will have Defense in Depth. Users are capable of installing add-ons in Chrome because they have control over the folders within their user profile. Because of this there is a large amount of malware, spyware and more out there that will attempt to exploit this; in many cases some of it the user agrees to, and it is analytics that an AV might flag as malware or spyware. When I read this post it seems as though we are treating Sophos or Malwarebytes as a stop-all solution, which will never work. What you can do in this specific case is install the enterprise edition of Chrome, download the associated ADMX files for Group Policy and take control over how your users are capable of using Chrome, which will help to complement your AV solution. For example, you can simply deny installing of all add-ons, then create a white-list of the ones you have vetted as not malicious and only allow those. I only say this because I often see too much dependence on AV today: the Sophos on my network is there to stop the things I missed with other defenses, and my other defenses are there to stop the things Sophos may miss.

    Respectfully, 


    Badrobot
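The extension lock-down Badrobot describes, written out as an added example that is not part of the thread and not a Sophos or Google script: it writes the same ExtensionInstallBlocklist and ExtensionInstallAllowlist registry values the Chrome ADMX templates manage, then audits the profile path named in the thread for extension IDs that are not on the vetted list. The two extension IDs are placeholders to be replaced with your own.

```powershell
# Added example, not from the thread. Enforces a Chrome extension allow-list by writing
# the same registry keys a Group Policy built from the Chrome ADMX templates would write.
# Run elevated on a test machine first; in production deliver it via Group Policy.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Blocklist    = Join-Path $ChromePolicy 'ExtensionInstallBlocklist'
$Allowlist    = Join-Path $ChromePolicy 'ExtensionInstallAllowlist'

# Placeholder IDs: replace with the 32-character IDs of the extensions you have vetted
# (shown at chrome://extensions with Developer mode switched on).
$VettedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)

foreach ($key in $Blocklist, $Allowlist) {
    # Start from an empty list so stale entries from earlier runs do not survive.
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
}

# '*' in the blocklist denies every extension that is not explicitly allow-listed.
New-ItemProperty -Path $Blocklist -Name '1' -Value '*' -PropertyType String -Force | Out-Null

# Chrome reads list policies as numbered string values 1, 2, 3, ...
$i = 1
foreach ($id in $VettedExtensionIds) {
    # Extension IDs are 32 lower-case letters in the range a-p; reject anything else.
    if ($id -notmatch '^[a-p]{32}$') { throw "'$id' is not a valid Chrome extension ID" }
    New-ItemProperty -Path $Allowlist -Name "$i" -Value $id -PropertyType String -Force | Out-Null
    $i++
}

# Audit: extension folders already present in user profiles (the path discussed in the
# thread) whose IDs are not on the vetted list. Chrome disables these once the policy
# applies; they are also the files to hand to Labs if another scanner flagged them.
$Profiles = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions'
Get-ChildItem -Path $Profiles -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[a-p]{32}$' -and $_.Name -notin $VettedExtensionIds } |
    Select-Object @{ n = 'User';        e = { $_.FullName.Split('\')[2] } },
                  @{ n = 'ExtensionId'; e = { $_.Name } },
                  @{ n = 'Path';        e = { $_.FullName } } |
    Format-Table -AutoSize
```

After a `gpupdate` or browser restart, chrome://policy on the endpoint should list both policies with the values written above.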


  • I agree. The first time I encountered this issue it was with an add-on being infected. The second was from software that installed as a web app. I agree, this is the best plan of action.

  • Glad I could help. I was actually in your boat about a year ago; it was driving me nuts with the alerts and weird issues. Once I took over management of Chrome and simply did not allow users to install whatever they felt like, most of it went away. What was really funny was how I got a few cases after this where users wanted a specific add-on or something that they already had on their system, they just did not know about it.

    Respectfully, 


    Badrobot


  • The other variable is what exclusions you have implemented in your Sophos scanning policy. There is an option to exclude a folder and all child folders - if you do this, then malware or PUAs can run in those folders without issue. Sophos will scan them but will discard the result because you have told us to. You can also exclude by hash.

    If you are seeing real malware in those folders, open the Endpoint Self Help tool, go to the file information pane and drop the file there to get scan data (this is the scanner result without exclusions included).

    This will let you see the exact results the scanner is getting for those specific files. 

    There can be different results from different products. So our scanner might not be detecting these. If you see that and you feel it is a False Negative, then please submit a sample to our Labs department and they will take another look.

    I hope this helps give you the information you need to protect your network.

    Sincerely,

    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Man I mean Man I really hope somebody did not exclude the Chrome App Data folder from scanning lol.

    Respectfully, 


    Badrobot


  • I completely agree.


    :)


    Just something to check to make sure though.


    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Wow, this is nice. Thanks for this information.