Jump to content

Anti-Malware doesn't automatically block/remove malicious Chrome extensions

Recommended Posts

Dear Malwarebytes,

We have employees that have malicious Chrome extensions in their Google account. Whenever they logged into their account the malicious extensions would get installed on the computer.
Anti-Malware doesn't detect nor block the extensions. The only time we noticed and removed was when we initiated a manual scan from the Console. After it was removed, all they have to do is re-log back in again to get the malicious extensions re-installed again. The process kept on going.

Is this normal or something is wrong here?


Link to post
Share on other sites


Thanks for the post, yes this is something that we commonly see.

Malwarebytes is successfully removing the software entirely, but the browser is backed up with cloud setting that will automatically reinstall the software.

Even with a large number of detections these usually are able to be resolved automatically, if we see a machine that continues to repeat detections we recommend going to the machine and removing the browser extension or toolbar in question from the user profile in chrome or other browsers. Check out these articles for more info and let us know if you have any questions.





Link to post
Share on other sites


How come Anti-Malware auto protect doesn't pick this up and block/remove it the moment it gets installed/re-installed?
We tried testing it by leaving it alone for weeks and it still doesn't pick it up on it's own.
What is the point of Auto Protect when it doesn't pick up something that came in and installed on the system?


Link to post
Share on other sites

  • 2 weeks later...

Hi @REGITDept. The extension is likely not doing anything to generate malicious behavior, and so only shows when the user's machine is scanned versus being picked up by the realtime engines. The process of installation itself is not malicious. We're not watching what you install, it's more like how it installs. Unless it is a situation where there is a dropper attempting to execute something other than what the user or allowed application had intended within the installer, there shouldn't be any provocation of the realtime to trigger. Chrome's user profile, bookmark and extension syncing process is not malicious on its own, it would not trigger our realtime under this normal syncing behavior, no matter what it happens to be pulling from your user's home machine(s) and installing to their workstation. But the moment whatever was installed runs, and attempts to maliciously hook in memory or run payload, that is when Malwarebytes' realtime engines will engage.

An extra tip here is that malicious browser extensions tend to be items which attempt to poison or doctor search results and land you on a bad link (most just serve up ads though), if that link or ad has a malicious server on the other end, the connection will be dropped as Malwarebytes' web blocker engine would engage. This is a typical case as many of the programmatic functions of extensions aren't doing anything malicious enough to trigger the file, exploit or ransomware engines. The web portion is the likely the block you'll see until a scan cleans out the items.

More options around this for consideration; disabling Chrome's autosync ability via GPO, sparing your environment the stuff on your user's home machines. Google's team has posted how to do this in Chrome support thread. Another one may be leveraging Windows Applocker, which can provide an extra dimension of control over what ends up on machines where users may have perms enough to install software. This is especially useful if you have exec's that insist on "being admins" on their machines, but regularly get themselves in trouble with the crap they install on their computer.

Link to post
Share on other sites

Google's policy towards 3rd party protection will have to change before that can happen. The best approach for now is to leverage your scanner schedules as you have been doing, and malicious connections to internet addresses will be blocked by the web portion.


Chrome removed from Anti-Exploit list of Protected Apps in Malwarebytes

The Google Chrome team announced in a blog post dated November 2017, it will not allow 3rd-party vendors to inject into the Chrome browser for Windows beginning in September 2018. Refer to Reducing Chrome crashes caused by third-party software for details - https://blog.chromium.org/2017/11/reducing-chrome-crashes-caused-by-third.html - "In September 2018, Chrome 69 will begin blocking third-party software from injecting into Chrome processes."

Google believes this approach makes Chrome more secure and less prone to crashes, which they identify as the main source of stability issues with their browser. Security solutions such as Malwarebytes for Windows' Anti-Exploit functionality uses this injection into Chrome to provide an additional filter. The filter checks to see if the web pages rendered contain exploits and blocks it accordingly.

In response to Google's decision, and to minimize the inconvenience to users seeing these incompatibility messages from Chrome, Malwarebytes has removed Chrome from the Anti-Exploit list of protected apps in the following products:

Malwarebytes for Windows – Component Package version: 1.0.441 and above
Malwarebytes Endpoint Protection
Malwarebytes Endpoint Security

While we find a way to restore protection for Google Chrome, Malwarebytes believes our other layers of protection such as web blocking, malware blocking, anomaly detection, anti-ransomware, plus the other protection applications in anti-exploit will continue to protect users from malware and other forms of threats.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.