JeffreyIMDS

Chrome false positive detection [In progress]

Everywhere in my company I am getting alerts from users that the Chrome browser they love to use is deleted from their computers. After investigating the matter I found out that the Auto Update functionality of Chrome, which it installs by default when downloading the browser from the official website, is being detected by Kaspersky Endpoint Security SP1 as a virus, and it will advise users to disinfect their machine when this Auto Update is running. After the disinfection of the computer and a reboot the user is unable to start Chrome anymore.

This does not only happen to the Auto Update function of Chrome; the official installation file, downloaded from Google.nl in my case, is also detected as a virus when run. Only when disabling Kaspersky Endpoint Security SP1 on the client with our password am I able to install Chrome from the official website, and then turning Kaspersky back on will work until the Auto Update function runs again.

I would love to know if this is something to do with my settings or with Kaspersky in general, because I might have turned over every rock in Security Center to fix the issue, as I do not recommend manually reinstalling Chrome on every user's computer every day; it gets annoying quickly :). I also tried to send the quarantined files via Security Center but they were unable to reproduce the detection as far as I got notified.

 

I hope you guys can help :) and I thank you all greatly in advance.


Hello,

Please attach the AV scan report where Chrome was detected as malware.

Did you submit a request in CA?

Thank you.


I PM'ed you some files generated by Security Center.


Hi,

 

Please send the files to this account.

 

Thank You!

Thank you kindly and I PM'ed the files to that account as requested.

 

Hi,

 

We have received the files. If I understood correctly some files should be false detected. In this case it is required to send such files to newvirus@kaspersky.com for deep investigation in a password protected archive.

 

Thank You!


I will try this; however, I did send to your virus lab via another link which is clickable in Security Center. I then got notified that they were unable to reproduce the virus detection. It happens instantly when running the official Chrome setup that it detects something.

I will report back if I find anything or when I have a response from your virus lab. I hope that the issue will be fixed soon, as managing so many users' installations of Chrome is an extremely annoying thing to do. A user reported that the notification that they receive is from the System Watcher module in Kaspersky, which might give a few hints.


Please ask for some instructions to be provided to you from the Virus Lab for proper investigation if any additional information will be required. Please always state your KLAN number once it has been created for a particular issue after being sent to newvirus@kaspersky.com

 

Thank You!


We are running KES 10 also and are getting calls that Chrome is not working.

 

When we investigate on the client we find that Chrome is partially uninstalled, and Kaspersky is the reason. I've seen in the logs where Kaspersky detected a false positive.

 

Yesterday on a machine that had this problem I was reinstalling the Chrome enterprise edition and during the install it came up with a message to disinfect or don't run. I chose don't run and the installation finished window never came up, but I was able to start Chrome and it seemed installed.

 

This never happened before roughly three months ago, not sure what changed but I'd like to know how to fix it.

 


Hi,

 

Could you kindly provide us an AV report with the false positive on Chrome files?

Where did you download this distributive? Could you provide it to us?

 

BR


My team found out that the update program under the Chrome setup is the problem. However I am running into the same issue that Joshua has. The interesting part is that it is not every computer in the network that does this.

The issue still has not been resolved, and even in our testing the Vivaldi browser (one that is based on Chromium) is being detected as a virus during its installation.

 

Result: Detected

User: IMDSRODEN\admin_mbaas (Active user)

Object: c:\users\admin_mbaas\appdata\local\temp\cr_5da85.tmp\setup.exe

 

 

Here is the mail that the system has sent to me when one of my admins was trying the official Chrome setup on his workstation. I have tried looking into possible differences between, for example, my computer and his; however, they are based on the same image, user configuration aside.

We have now mostly just uninstalled Chrome in our network with multiple users; however, we are of course not happy that software which is used so much is being deleted from the computer. As Joshua stated as well, Kaspersky cleans maybe 60% of the Chrome installation, after which the advice is to reboot the computer. After this you are unable to install or update Chrome because the same will happen again, which is a question of time.

I would like to give my users the option to browse with Chrome; however, I cannot guarantee now that Kaspersky will leave Chrome alone. It is hard to trace because we have not yet found a pattern in its detection. We all can agree, however, that whenever the task in the Task Scheduler to auto-update Chrome starts, the message above will appear.

 

EDIT: Screenshot of the Quarantine in Kaspersky Security Center. You can see here our test of installing Chrome and also our attempt to install a Chromium based browser Vivaldi. Both detected:

 

OGzKSh.png

 

EDIT: We always used the official download

 

https://www.google.com/chrome/browser/desktop/index.html for Chrome

https://vivaldi.com for Vivaldi

Edited by JeffreyIMDS


Hello,

Provide us with the exact build of KES10.

Thank you.


Here are the build numbers found on one of the clients. Is this enough information?

 

5PdKxy.png

 

tacp45.png

Edited by JeffreyIMDS


Hi,

 

Please clarify: did you provide the detected false positive to the Virus Lab for investigation? If yes, could you please tell us the KLAN number?

 

Thank You!


Might this be what you are looking for? My team did most of the investigation in the first place however I am now taking over.

 

INC000005102643

 

Also we received multiple "virus" alerts as well which is predictable with the new Chrome update of yesterday:

 

COMPUTER 1:

Result: Detected

Object: c:\windows\temp\cr_3b43e.tmp\setup.exe

 

COMPUTER 2:

Result: Detected

User: -------------

Object: c:\windows\temp\cr_2eb1e.tmp\setup.exe

 

COMPUTER 3:

Result: Detected

User: -------------

Object: c:\program files (x86)\google\update\install\{4fd1a86b-c658-42af-a050-006b4833f541}\46.0.2490.86_chrome_installer.exe

 

COMPUTER 4:

Result: Detected

Object: c:\windows\temp\cr_61f5e.tmp\setup.exe

Edited by JeffreyIMDS


Hi,

 

If you're sure that it is not a virus, then create another request with this information and ask for an in-depth investigation of these files.

Please archive these files with the password "virus".

Also provide us a new request number.

 

BR


I have sent the files over to Kaspersky. I got this back: KLAN-3338576138 and KLAN-3338533572

I have checked the computers for viruses with multiple programs (Kaspersky, MalwareBytes and HitmanPro in safe mode) and can confirm they are clean (as far as we know, of course). This always happens using the official download and install of Google Chrome or any Chromium-based browsers, but I understand that you are cautious.


Hi. We have the same problem with Google Chrome. Kaspersky Endpoint Security 10 for Windows 10.2.2.10535 (mr1) kills chrome.exe and setup.exe after running the Chrome auto update process.

h_1449216377_3976422_755ba30a5d.jpg

 

PS: Is it OK to write in Russian here?

Edited by aproject


Hi,

 

I was unable to reproduce the issue with the same version of KES and Google Chrome. Could you please describe the exact reproduction steps in your situation?

 

Please use this forum part for posting in Russian.

 

Thank You!
