Issue with Malware in AppData and Chrome Folders

Question

Hello All, 
 
 I wanted to bring a major issue to Sophos' attention. We keep getting malware in our endpoint user profiles. The specific folder that sometimes become infected are associated with Google Chrome is C:\Users\<usernam>\AppData\Local\Google\Chrome\UserData folders. If I run MalwareBytes on some machines, we are finding tons of malware infecting these files. At first they seemed to be associated with Chrome Add-Ons which we removed and the issues resided. However, I encountered a machine yesterday that was so infected in these Chrome files I had to issue the user a new machine and nuke the HD on the old one. 
 My question is "Why is Sophos Antivirus/Endpoint protection NOT finding these malwares and removing them or even protecting our endpoints? We are using Sophos Central and all machines have IntercepterX installed with newest Sophos Antivirus.

Badrobot · Accepted Answer

Just a thought on this, 
 Sophos and Malwarebytes aside a good system administrator will have Defense in Depth, users are capable of installing add-on's in Chrome because they have control over the folders within there user profile. Because of this there is a large amount of malware, spyware and more that is out there that will attempt to exploit, in many cases some of this the user agrees too and is analytics that a AV might flag as malware or spyware. When I read this post it seems as though we are treating Sophos or Malwarebytes as a stop all solution. Which will never work, what you can do in this specific case is install the enterprise edition Chrome, download the associated admx files for group policy and take control over how your users are capable of using Chrome which will help to compliment your AV solution. For example you can simply deny installing of all add-on's then create a white-list of the ones you have vented as not malicious and only allow those. I only say this because I often see to much dependence on AV today, the Sophos on my network is there to stop the things I missed with other defenses my other defenses are there to stop the things Sophos may miss.

RichardP · Answer

The other variable is what exclusions you have implemented in your Sophos scanning policy. There is an option to exclude a folder and all child folders - if you do this then malware or PUAs can run in those folders without issue. Sophos will scan them but will discard the result because you have told us to. You can also exclude by hash. 
 If you are seeing real malware in those folders (open the Endpoint Self Help tool and go to the file information pane and drop the file there to get scan data (this is the scanner result without exclusions included): 
 
 This will let you see the exact results the scanner is getting for those specific files. 
 There can be different results from different products. So our scanner might not be detecting these. If you see that and you feel it is a False Negative, then please submit a sample to our Labs department and they will take another look. I hope this helps give you the information you need to protect your network. 
 Sincerely, 
 Richard