What is Google Chrome Doing ?!

Discussion in 'other security issues & news' started by Brandonn2010, Aug 10, 2012.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I reinstalled Chrome yesterday to get rid of the m after my version number (I'm OCD). After reinstalling it still had it, but I noticed troubling alerts from AppGuard:


    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Task Scheduler Engine>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Host application>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Monitoring program>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <AppGuard GUI Application>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Windows Explorer>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Desktop Window Manager>.
    08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Host Process for Windows Tasks>.

    Why does Chrome need to access my other running programs? :mad:
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I have to ask, Brandonn, what is the significance of the 'm', and why do you want to get rid of it?
    As for the rest of your post, I look on with interest as well. :)
     
  3. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Having the 'm' I believe means there are multiple versions of Chrome, yet I only have 1. Of course even after uninstalling Chrome, deleting the Chrome and now obsolete Chromium folder, and deleting all registry keys, it still has the 'm' after reinstalling, lol.

    However, I'm more concerned now by Chrome's behavior. Maybe it is trying to see what programs I have installed? I never read the privacy statements of programs.
     
  4. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Just caught it trying to access more programs :mad:


    08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Apple Push>.
    08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <iTunes>.
    08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Steam>.
    08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Console Window Host>.

    And for some reason

    08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
     
  5. carat

    carat Guest

    Hehe, so if you install Google Chrome, install a HIPS as well to watch your browser! :D
     
  6. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    LOL. Right. ;)
     
  7. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    HIPS is a double-edged sword against the bad guys. But you must really know the inner workings of Windows to appreciate what is dangerous and what is not. Therefore a look at the logs can be scary sometimes :)
    I am by no means an expert, but the things you report seem to me to be legit queries. I would guess that Chrome checks if it needs to use, and how, any of the stuff that it is looking for. I can imagine that for example the query for KeePass is logical since I believe that it has a form filling tool. Chrome looks for iTunes to see if it is the default media player and so on.
    I hope a more knowledgeable person will correct me if I am wrong in my way of thinking here.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Could be a lot of things. The updater's open source though so I doubt it's outright malicious.

    If you've opted to provide anonymous data it could be that.

    The installer may check other running programs to see if another instance of the installer is running. It may check for known conflicting programs.

    It could be Google spying on you.

    HIPS tell you what's happening, not why.
     
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Also note this never happened before Chrome 21. It happened again this morning after I logged in.

    I don't have the expertise to look into this, so I'm hoping one of you can.
     
  10. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    I installed Chrome since I have read that it has a stronger sandbox than IE's protected mode, and everyone said it was way more secure than FF.

    After installation I used it for a few days. I noticed in Process Monitor that googleupdaterservice.exe was using disk I/O and accessing my system nearly 100% of the time. I have tested Chrome on other systems and the way it hooks into your system is excessive, and I don't want a stupid browser service accessing my system when I'm not even online or using a browser. I could be typing in MS Word and open procmon and you will see Google crap loading all over in the background for no good reason. See for yourself.

    IE or FF don't do that. Google has privacy concerns and at worst Chrome is spyware, at best it is very inefficient. Regardless, I consider it the most overrated software program ever and it won't be used on any of my systems.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    KeePass is a standalone password manager. It doesn't integrate with the browser and the browser doesn't have to know of its existence. However, the user could install a KeePass plugin that manipulates the browser or install something in the browser that manipulates KeePass [plugins]. I'd be interested to know if the OP installed such a thing.

    Can the OP correlate such messages with something they were doing? For example, do they see the message in response to launching KeePass or when using autotype or ___?

    Edit: Given that it is happening with multiple apps around the same moment, I think it is not triggered by use of one particular one.
     
    Last edited: Aug 11, 2012
  12. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Nothing special. And if you notice the times, it decided to access everything at once. Also, I believe before I reinstalled it, I disabled Google Update from starting with Windows with CCleaner. Perhaps that's why I'm noticing it doing this now, but I still see no reason for it to try and read the memory of so many other programs.

    Here is from today:


    08/11/12 12:05:02 Prevented process <googleupdate.exe - c:\users\brandon\appdata\local\google\update\install\{f7a09661-955a-40c2-94b9-0ca5e6a21e10}\googleupdatesetup.exe> from launching from <c:\users\brandon\appdata\local\temp\gum9bb3.tmp>.
    08/11/12 12:05:01 Prevented process <GoogleUpdateSetup.exe> from writing to <c:\program files (x86)\gum9bb2.tmp>.
    08/11/12 12:05:01 Prevented <Google Installer> from writing to <\registry\machine\software\wow6432node\microsoft\windows\currentversion\internet settings\zonemap>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Google Installer>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Task Scheduler Engine>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Microsoft Windows Search Protocol Host>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Google Chrome>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Host application>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Catalyst Control Center: Monitoring program>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <AppGuard GUI Application>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Windows Explorer>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Desktop Window Manager>.
    08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Host Process for Windows Tasks>.
    08/11/12 12:01:30 Prevented <Google Chrome> from writing to <\registry\machine\software\classes\wow6432node\interface\{618736e0-3c3d-11cf-810c-00aa00389b71}>.
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    It just happened again, except this time I was copying my Wilders username and password from KeePass to Chrome.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    @Brandonn,

    if you are concerned about privacy issues, and you want to determine if Google really is broadcasting private information or otherwise, you could check your firewall logs if you run an application firewall that logs outbound comms, or install Wireshark and check the packets relating to Google processes. You would have to ensure WinPcap is included as part of the install. You may not be able to see for sure what type of info is being broadcast, especially in rudimentary firewall logs (Wireshark will display more detail), but at least you'll know from the time/date stamps exactly when the comms occurred, and whether they occurred when you were browsing or not.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    In addition to the blocked "from reading memory of" operations notice the other four blocked operations. Is there a Google log you can enable/view? Maybe it will add to the picture.
     
  16. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    What is the significance of someone washing their hands for 10 minutes or checking to make sure their door is locked 20 times?

    None. And even while the people that do so may internally know it is pointless, they cannot stop themselves from repeatedly performing the compulsion to provide relief from the fear or obsession. Hence, Obsessive Compulsive Disorder.

    I have it. I understand. I would probably have done the same thing, along with verifying the URL I downloaded it from by staring at it for at least 1 minute, then scanning with my AVs at least twice each and spending a few minutes re-reading "No Threats Found" just to prove to myself my eyes aren't deceiving me. :thumb:

    I know it sounds so stupid but I can't stop.
     
  17. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Is anyone else with AppGuard and Chrome installed to AppData able to replicate this? Also my exclusion for Chrome is in User Space, and the Chrome folder in AppData is excluded.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    The Alternative installer Chrome, open and left idle at Google.ca over a period of ~1 hr, does not seem to broadcast anything out of the ordinary. At startup the Googleupdate.exe does some checks, and after that a small handful of comms from chrome.exe can be seen to remote ports 80 & 443 to Google IPs (e.g. 74.125.225.136 & 173.194.39.130). Similar comms can be seen with IE9 left idle at Google.ca. Maybe tone down AppGuard's settings to act as less of a "nanny state" and focus it more as an anti-executable? Just a thought.
     
  19. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Another new bit of info: I noticed it did it again today, and noticed that it always does it 5 minutes after the hour, meaning it has some kind of schedule.
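
A triage sketch for the alerts quoted in this thread, added here as an example and not part of any poster's message or of AppGuard: it parses the alert lines, finds the seconds in which one source process tried to read the memory of several others, and reports the minute past the hour at which those sweeps fired (the pattern noted in post 19). The function names and the three-target threshold are assumptions; the line format is inferred from the quoted alerts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Abridged from the AppGuard alerts quoted in this thread (not a complete log).
SAMPLE_LOG = r"""
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Task Scheduler Engine>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <KeePass Password Safe 1.23>.
08/10/12 18:05:01 Prevented <Google Installer> from reading memory of <Windows Explorer>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <iTunes>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Steam>.
08/10/12 23:05:01 Prevented <Google Installer> from reading memory of <Console Window Host>.
08/11/12 12:05:01 Prevented process <GoogleUpdateSetup.exe> from writing to <c:\program files (x86)\gum9bb2.tmp>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <avast! Antivirus>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Google Chrome>.
08/11/12 12:05:01 Prevented <Google Installer> from reading memory of <Desktop Window Manager>.
08/11/12 12:01:30 Prevented <Google Chrome> from writing to <\registry\machine\software\classes\wow6432node\interface\{618736e0-3c3d-11cf-810c-00aa00389b71}>.
"""

# Assumed line format: "<date> <time> Prevented [process ]<source> from <action> <target>."
LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented (?:process )?<(.+?)> from "
    r"(reading memory of|writing to|launching from) <(.+)>\.$")

def parse(log):
    """Return (timestamp, source, action, target) tuples; skip unparseable lines."""
    matches = (LINE.match(line.strip()) for line in log.splitlines())
    return [(datetime.strptime(m[1], "%m/%d/%y %H:%M:%S"), m[2], m[3], m[4])
            for m in matches if m]

def memory_sweeps(events, min_targets=3):
    """Seconds in which one source tried to read >= min_targets distinct processes."""
    seen = defaultdict(set)
    for ts, source, action, target in events:
        if action == "reading memory of":
            seen[(ts, source)].add(target)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_targets}

def recurring_minutes(sweeps):
    """Map source -> set of minute-past-the-hour values at which its sweeps fired."""
    minutes = defaultdict(set)
    for ts, source in sweeps:
        minutes[source].add(ts.minute)
    return dict(minutes)

if __name__ == "__main__":
    sweeps = memory_sweeps(parse(SAMPLE_LOG))
    print(len(sweeps), "sweeps; minutes past the hour:", recurring_minutes(sweeps))
```

A single recurring minute for one source is consistent with a timer or scheduled job rather than with whatever the user was doing at that moment; the alerts alone do not show why the process opens the others.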
     
  20. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    In case you haven't seen my post in the AppGuard thread, I reinstalled Chrome today, but used the Chrome installer from Google, not one downloaded from Softpedia. The activity has yet to happen since reinstalling. I don't know why it would be any different. The installers were the same size, and Softpedia's was totally clean on VT. Weird.
     
  21. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    507
    To be honest, I have never trusted Google Chrome, and I have never installed it on any of my machines.

    Personally I would recommend you try SRWare Iron or Comodo Dragon rather than using Google, if you are opting for a Chromium-based browser.
     
  22. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Damn, it did it again :mad:

    And arsenaloyal, I like the original Chrome because of the built-in Flash and PDF viewer, and its sandbox.

    I'm sure its activities are harmless, I just want to know why it's doing it.
     