The browser you likely use to read this article scans practically all files on your Windows computer. And you probably had no idea until you read this. Don’t worry, you’re not the only one.



Last year, Google announced some upgrades to Chrome, by far the world’s most used browser—and the one security pros often recommend. The company promised to make internet surfing on Windows computers even “cleaner” and “safer,” adding what The Verge called “basic antivirus features.” What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.

In practice, Chrome on Windows uses ESET’s antivirus engine to look through your computer in search of malware that targets the Chrome browser itself. If it finds some suspected malware, it sends metadata of the file where the malware is stored, and some system information, to Google. Then, it asks you for permission to remove the suspected malicious file. (You can opt out of sending information to Google by deselecting the “Report details to Google” checkbox.)





I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out @googlechrome quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in Documents pic.twitter.com/IQZPSVpkz7 — Kelly Shortridge (@swagitda_) March 29, 2018

I’m also now wondering if this is why my box is crashing so often 🤔 when I googled the errors before, advice was to uninstall third party AV & until now I didn’t think I had any.... ffs — Kelly Shortridge (@swagitda_) March 29, 2018

Update: another thread by @justinschuh from Chrome’s team to read (read before DMing him!): https://t.co/Jzgg7qPeAQ — Kelly Shortridge (@swagitda_) April 1, 2018

Just to be very clear, this is all local scans with a local signature engine—so no data from the scans should leave the system (i.e. it's absolutely not "cloud" AV). It's also a vastly narrower and less invasive scan than conventional AV/AM. — Justin Schuh 😑 (@justinschuh) March 30, 2018

A correction: There is currently no enterprise policy to disable it (because enterprise policies have been abused in the past to hijack consumer systems) but I'm having the team investigate solutions to better address enterprise concerns. — Justin Schuh 😑 (@justinschuh) March 30, 2018

The problem with consumer opt-outs is that they're the first switch that gets toggled during a hijack—so they end up being immediately self defeating. It's just a very hard set of concerns to balance. — Justin Schuh 😑 (@justinschuh) March 30, 2018