This discussion has been locked.

Issue with Malware in AppData and Chrome Folders

Hello All,

 

I wanted to bring a major issue to Sophos' attention.  We keep getting malware in our endpoint user profiles.  The specific folders that sometimes become infected are associated with Google Chrome: C:\Users\<username>\AppData\Local\Google\Chrome\User Data.  If I run MalwareBytes on some machines, we are finding tons of malware infecting these files.  At first they seemed to be associated with Chrome add-ons, which we removed, and the issues subsided. However, I encountered a machine yesterday that was so infected in these Chrome files I had to issue the user a new machine and nuke the HD on the old one.  

My question is "Why is Sophos Antivirus/Endpoint Protection NOT finding this malware and removing it, or even protecting our endpoints?"  We are using Sophos Central and all machines have Intercept X installed with the newest Sophos Antivirus.  



  • Hello ML Rankin,

    [disclaimer: I'm not Sophos]
    malware is a general term and often used for all kind of unwanted and dubious stuff like, for example, tracking cookies.

    An infection is normally not so picky that it would confine itself to, say, the Chrome User Data folder. What Malwarebytes finds fault with could be associated with add-ons. I won't rule out that there's something that is strictly malware - but even if it is, how could someone answer your "why NOT"? Malwarebytes likely gives this malware names, and in addition the names of the files that are allegedly infected might help to assess the situation.

    Christian

  • I understand.  However, if MalwareBytes is finding these infections and giving them names, it helps us identify issues and resolve them.  It was our hope that Sophos would be able to identify these infections for us.  Do we need to also run MalwareBytes on our endpoints to guard against these infections? 

  • Thanks Shweta for responding.  I understand and will be searching for more infections and hopefully send you a report of the scan through the above "submit a sample" link.  

  • Just a thought on this, 

    Sophos and Malwarebytes aside, a good system administrator will have defense in depth. Users are capable of installing add-ons in Chrome because they have control over the folders within their user profile. Because of this there is a large amount of malware, spyware and more out there that will attempt to exploit this; in many cases the user agrees to some of it, and it is analytics that an AV might flag as malware or spyware. When I read this post it seems as though we are treating Sophos or Malwarebytes as a stop-all solution, which will never work.

    What you can do in this specific case is install the enterprise edition of Chrome, download the associated ADMX files for Group Policy and take control over how your users are capable of using Chrome, which will help to complement your AV solution. For example, you can simply deny installing of all add-ons, then create a white-list of the ones you have vetted as not malicious and only allow those.

    I only say this because I often see too much dependence on AV today. The Sophos on my network is there to stop the things I missed with other defenses; my other defenses are there to stop the things Sophos may miss.

    Respectfully,

    Badrobot
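    The deny-all-then-allowlist approach described in the post above, as an added PowerShell example that is not part of the original thread or Sophos' or Google's own code: it writes the ExtensionInstallBlocklist and ExtensionInstallAllowlist values under HKLM\SOFTWARE\Policies\Google\Chrome, which are the same registry locations the Chrome ADMX templates set through Group Policy. The extension IDs are placeholders to replace with IDs you have vetted (visible on chrome://extensions); on a domain you would set the same policy once in a GPO rather than per machine. Run it from an elevated PowerShell.

```powershell
# Added example: enforce a Chrome extension allowlist on one machine by writing
# the machine-level policy registry values the Chrome ADMX templates use.
# Assumptions: Chrome reads HKLM\SOFTWARE\Policies\Google\Chrome; the IDs below
# are placeholders (32 letters a-p), not real extensions.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Blocklist  = Join-Path $PolicyRoot 'ExtensionInstallBlocklist'
$Allowlist  = Join-Path $PolicyRoot 'ExtensionInstallAllowlist'

# Placeholder IDs: replace with the IDs of the add-ons you have vetted.
$VettedExtensions = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)

function Set-ChromeExtensionAllowlist {
    param([Parameter(Mandatory)][string[]]$VettedIds)

    foreach ($Id in $VettedIds) {
        # Chrome extension IDs are 32 lowercase letters a-p; catch typos before
        # they land in policy, where a bad entry silently allows nothing.
        if ($Id -notmatch '^[a-p]{32}$') { throw "Not a valid Chrome extension ID: $Id" }
    }

    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }

    # Recreate both list keys so stale entries from an earlier run do not linger.
    foreach ($Key in $Blocklist, $Allowlist) {
        if (Test-Path $Key) { Remove-Item -Path $Key -Recurse -Force }
        New-Item -Path $Key -Force | Out-Null
    }

    # A single '*' in the blocklist blocks every extension that is not
    # explicitly present in the allowlist.
    New-ItemProperty -Path $Blocklist -Name '1' -Value '*' -PropertyType String | Out-Null

    # Chrome expects list entries as consecutively numbered string values.
    $n = 1
    foreach ($Id in $VettedIds) {
        New-ItemProperty -Path $Allowlist -Name ([string]$n) -Value $Id -PropertyType String | Out-Null
        $n++
    }
}

function Get-ChromeExtensionPolicy {
    # Read back what Chrome will see; compare with chrome://policy on the endpoint.
    $b = Get-Item $Blocklist
    $a = Get-Item $Allowlist
    [pscustomobject]@{
        Blocklist = @($b.GetValueNames() | ForEach-Object { $b.GetValue($_) })
        Allowlist = @($a.GetValueNames() | ForEach-Object { $a.GetValue($_) })
    }
}

Set-ChromeExtensionAllowlist -VettedIds $VettedExtensions
Get-ChromeExtensionPolicy
```

    Already-installed extensions that are not on the allowlist are disabled the next time Chrome applies policy (it refreshes machine policy periodically, or restart Chrome to force it); chrome://policy on the endpoint shows whether the values were picked up and flags any malformed entry.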

  • I agree.  The first time I encountered this issue it was with an add-on being infected.  The second was from software that installed as a web app.  I agree, this is the best plan of action. 

  • Glad I could help. I was actually in your boat about a year ago; it was driving me nuts with the alerts or weird issues.  Once I took over management of Chrome and simply did not allow users to install whatever they felt like, most of it went away.  What was really funny was how I got a few cases after this where users wanted a specific add-on or something that they already had on their system; they just did not know about it.

    Respectfully,

    Badrobot

  •  The other variable is what exclusions you have implemented in your Sophos scanning policy. There is an option to exclude a folder and all child folders - if you do this then malware or PUAs can run in those folders without issue. Sophos will scan them but will discard the result because you have told us to. You can also exclude by hash.

    If you are seeing real malware in those folders, open the Endpoint Self Help tool, go to the file information pane and drop the file there to get scan data (this is the scanner result without exclusions included):

    This will let you see the exact results the scanner is getting for those specific files. 

    There can be different results from different products. So our scanner might not be detecting these. If you see that and you feel it is a False Negative, then please submit a sample to our Labs department and they will take another look.

    I hope this helps give you the information you need to protect your network.

    Sincerely,

    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
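    One way to do the triage described in the reply above before reaching for the Self Help tool, as an added PowerShell example that is not code from the original thread or from Sophos: it walks every user's Chrome profile on the machine, reads each installed extension's manifest.json, flags IDs that are not on your vetted list, and hashes the files of the unvetted ones so the hash and path are ready when you submit a sample or decide on a hash exclusion. It assumes Chrome's default User Data location under each user's AppData\Local and a placeholder vetted ID; run it elevated so other users' profiles are readable.

```powershell
# Added example: inventory Chrome extensions in every local user profile and
# flag the ones not on the vetted list. Assumptions: default Chrome profile
# location (C:\Users\<user>\AppData\Local\Google\Chrome\User Data), placeholder
# vetted ID, and enough privilege to read other users' AppData.

$VettedIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')   # placeholder, not a real extension

function Get-ChromeExtensionInventory {
    param([string[]]$VettedIds)

    $results = @()
    $userDataDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Google\Chrome\User Data' } |
        Where-Object { Test-Path $_ }

    foreach ($userData in $userDataDirs) {
        $userName = ($userData -split '\\')[2]
        # Each Chrome profile ("Default", "Profile 1", ...) has its own Extensions folder.
        $profiles = Get-ChildItem $userData -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') }

        foreach ($profile in $profiles) {
            foreach ($extDir in Get-ChildItem (Join-Path $profile.FullName 'Extensions') -Directory) {
                foreach ($verDir in Get-ChildItem $extDir.FullName -Directory) {
                    $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                    if (-not (Test-Path $manifestPath)) { continue }
                    $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
                    $scripts  = Get-ChildItem $verDir.FullName -Recurse -File -Include *.js

                    $results += [pscustomobject]@{
                        User        = $userName
                        Profile     = $profile.Name
                        Id          = $extDir.Name
                        Version     = $manifest.version
                        # A name like __MSG_appName__ is localized; the real string is under _locales.
                        Name        = $manifest.name
                        Permissions = (@($manifest.permissions) -join ',')
                        Vetted      = ($VettedIds -contains $extDir.Name)
                        ScriptCount = @($scripts).Count
                        Path        = $verDir.FullName
                    }
                }
            }
        }
    }
    return $results
}

$inventory = Get-ChromeExtensionInventory -VettedIds $VettedIds

# Unvetted extensions, with the permissions that matter for triage
# (e.g. <all_urls>, webRequest, tabs).
$inventory | Where-Object { -not $_.Vetted } |
    Format-Table User, Profile, Id, Name, Version, Permissions, ScriptCount -AutoSize

# SHA256 of every file in each unvetted extension, ready for a sample submission
# or for checking against a hash exclusion in the scanning policy.
$inventory | Where-Object { -not $_.Vetted } | ForEach-Object {
    Get-ChildItem $_.Path -Recurse -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
}
```

    Extensions that Google installs into new profiles by default show up as unvetted until you add their IDs, so expect a few legitimate hits on a clean machine; the useful signal is an ID that appears in only one user's profile with broad permissions and a name nobody recognises.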

  • Man, I mean man, I really hope somebody did not exclude the Chrome AppData folder from scanning lol.

    Respectfully,

    Badrobot

  • I completely agree. :)

    Just something to check to make sure though.

    Richard


  • WoW this is nice.  Thanks for this information.  

  • I just uploaded a sample scan report from MalwareBytes to Sophos.  The affected machine was having a weird popup outside of Chrome.  Hopefully I find out more detail later.  

  • You may want to consider deleting Chrome on any suspect computer. Aside from uninstalling Chrome, you almost have to go into each user's AppData folders to completely remove everything, which can be a pain unless you know the user in question.  There are a bunch of tutorials out there on how to completely uninstall it all; if I remember right, one time I even had to use a registry cleaner to get rid of everything.  Chrome is great, but not managed properly and with a user that has terrible security habits it can be a nightmare.

    Hopefully though Sophos will let you know what the difference is, or perhaps you discovered something new and they will name it the Rankin attack!

    Respectfully,

    Badrobot
