How do you investigate "Safe Browsing detected browser Google Chrome has been compromised"

Hi Kyle Parrish, 

Thanks for reaching out to Sophos Community, and apologies for the delay. Did you receive any other notification for Safe Browsing after the first one? I'd recommend acknowledging the alert on Sophos Central, rebooting the device, starting a full scan, and observe if you see any further detection. 

Good morning!

Well, we have received many of these over different devices across separate tenants. Typically, that is what is done. Ack the alert, scan the device, etc. Nothing is yet to come of it. Curious what exactly triggers this alert and what the best process for investigating is.

Hi Kyle,

We have this internally and were advised that the best course of action when getting this alert was to create a case and submit a sample. You can also uninstall the application and manually clear the user's data.

Hi Kyle,

We have this internally and were advised that the best course of action when getting this alert was to create a case and submit a sample. You can also uninstall the application and manually clear the user's data.

GlennSen, are you saying submit a sample...being Google Chrome? C:\Program Files\Google\Chrome\Application\Chrome.exe? 

Hi Kyle, 

Most probably, it wasn’t Chrome that triggered the detection. Maybe you added an extension or visited a website when this occurred? 

This makes sense but this is occurring for our customers. We are not aware when extensions are added or what websites were viewed. It would be ideal if there was some indication what triggers this.

I understand, so this needs to be investigated on a case-by-case basis as the reason for this detection being triggered could be different every time. So for in-depth analysis, it's best to open a support ticket to get this investigated. 

Okay, I will submit a ticket next time we receive one of these events.

Thank you.