Google has been tweaking how the Chrome browser scans files to detect malware before downloading. By automating the process as much as possible, Google is looking to protect users from malicious downloads while reducing any impact on usability. A newly released report from the Google Chrome team reveals how such deep scans can now flush out attackers who hide their criminal intent within password-protected and encrypted archives.
Redesigning The Google Chrome Download Experience For Improved Security
A newly published report, Building security into the redesigned Chrome downloads experience, from Google Chrome Security Team members Jasika Bawa, Lily Chen, and Daniel Rubery, explains how they have been able to provide more context when protecting users from potentially dangerous downloads. By adding context and consistency to in-browser download warnings, the team has taken advantage of the increased space that the redesigned downloads user interface allows for warning messages.
These warnings now come in a distinct two-tier taxonomy built around AI-powered malware analysis from Google Safe Browsing. Suspicious files are those where the verdict carries lower confidence and the risk of user harm is unknown, while dangerous files are those where the verdict carries high confidence and the risk of harm is high.
Google said the changes have “resulted in significant changes in user behavior, including fewer warnings bypassed, warnings heeded more quickly, and, overall, better protection from malicious downloads.”
Opting Into Enhanced Protection Mode Guards Against Encrypted Malware
Although the automation of deep scans is at the heart of Google’s changes to Chrome download protection, not all scanning can be automated. Those users who have opted in to Safe Browsing’s Enhanced Protection mode are already prompted to send suspicious file contents for deep scanning. The contents of these files are “only scanned for security purposes and are deleted shortly after a verdict is returned,” Google said.
Some deep scans, however, cannot succeed without help from the user. Take, for example, malware placed inside an encrypted archive that is protected by a password. This kind of evasive technique can hide malware from standard scanning protections. Now, the users of Chrome’s Enhanced Protection scheme can gain additional insight into such hidden packages. “Downloads of suspicious encrypted archives will now prompt the user to enter the file’s password,” Google said, “and send it along with the file to Safe Browsing so that the file can be opened and a deep scan may be performed.”
As with unencrypted files sent for scanning, these will also be deleted, along with the password used, after a short time, and the data will only be used to provide better protection of downloads using Safe Browsing, Google said.
Standard Protection users don’t miss out on the new scanning mode, but unlike Enhanced Protection users, the file and associated password stay on the local device, with just the metadata of the archive contents analyzed. This means that protection will be in place only if Safe Browsing “had previously seen and categorized the malware,” Google explained.
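To illustrate why a password-protected archive defeats a content scan while its metadata stays readable, here is an added example (not code from Google or Chrome) that uses Python's standard zipfile module on a constructed sample. The function names, file names and sample bytes are assumptions made for the illustration, and it covers only the ZIP format with an unencrypted central directory.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is encrypted


def build_sample_archive() -> bytes:
    """Constructed sample: two stored entries, the second marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("invoice.exe", b"stand-in for ciphertext")
    raw = bytearray(buf.getvalue())
    # zipfile cannot write encrypted entries, so set bit 0 by hand on the second
    # local header (flags at offset 6) and second central record (offset 8).
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig, raw.find(sig) + 1)
        (flags,) = struct.unpack_from("<H", raw, pos + off)
        struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED)
    return bytes(raw)


def triage(data: bytes) -> dict:
    """List what is visible without a password and what needs one to be scanned."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            try:
                zf.read(zi.filename)  # succeeds only if no password is required
                scannable = True
            except RuntimeError:  # zipfile: "password required for extraction"
                scannable = False
            entries.append({
                "name": zi.filename,
                "size": zi.file_size,
                "encrypted": bool(zi.flag_bits & ENCRYPTED),
                "scannable": scannable,
            })
    locked = [e["name"] for e in entries if e["encrypted"]]
    return {"entries": entries, "locked": locked, "needs_password": bool(locked)}


if __name__ == "__main__":
    report = triage(build_sample_archive())
    for entry in report["entries"]:
        print(entry)
    print("prompt for password:", report["needs_password"])
```

The entry names and sizes of the locked file are still listed, which is the kind of metadata a local check can work with, while its contents cannot be read until a password is supplied.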