
Bitdefender Disables Anti-Exploit Monitoring in Chrome After Google Policy Change (bleepingcomputer.com) 69

secwatcher shares a report: Last week we reported that Chrome has started displaying alerts more often that suggest users remove programs that are considered incompatible applications with Chrome because they inject code into the browser's processes. These alerts are displayed by Chrome after the browser crashes and suggest the user remove the listed programs because "this application could prevent Chrome from working properly." One of the programs that a lot of users have seen listed in these alerts and is suggested to be removed is the Bitdefender antivirus program as shown above. Having a well-known company like Google telling users to remove a security solution is a problem as these programs are important for many users to have installed on their computers in order to protect them from malware, unwanted programs, and malicious websites. Due to these alerts and their suggestion to remove the antivirus software, Bogdan Botezatu, a senior e-threat analyst for Bitdefender, has told Bleeping Computer that as of August 20th, Bitdefender is no longer monitoring Chrome 66 and later with their anti-exploit technology.
  • by Anonymous Coward
    This is actually good news. It means your antivirus is not MitM-ing all your web traffic and downgrading HTTPS connections.
  • by next_ghost ( 1868792 ) on Friday August 24, 2018 @11:18AM (#57186888)
    Good, the security solutions vendors will finally learn how to do their job without creating more security holes than they're trying to block.
  • by robkeeney ( 1061032 ) on Friday August 24, 2018 @11:18AM (#57186890)

    Using anti-virus like Bitdefender is rather like paying a rude thug to live in your house, eat all your food, and hog the TV just to ensure a burglar doesn't break in.

  • by Sebby ( 238625 ) on Friday August 24, 2018 @11:21AM (#57186910)
    From treating perfectly good encryption algorithms as 'not good enough and warn the user immediately even though it's still perfectly safe', even though Google's own keys use the same algorithm but don't trigger a warning, to trying to freak the user out about 'this totally static site that doesn't use HTTPS must be insecure even though you can't submit info to it because it's totally static', Chrome has become the worst browser to use by a company throwing its weight around like a bully to get everything done its way.
    • by hjf ( 703092 )

      On the contrary. I like Google's approach. I'm tired of software developers going "but security is haaaaaaaaaaaaaaaaaaaaaaaard"

      • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Friday August 24, 2018 @01:32PM (#57187820) Homepage Journal

        Many routers, printers, and network attached storage (NAS) boxes for home use offer a web-based configuration interface. If someone buys one of these devices, where should he or she obtain a TLS certificate to use with said device in order to suppress "Not Secure" messages in web browsers?

        Let's Encrypt and other publicly trusted CAs won't issue a certificate for a private IP or a name in a made-up TLD, such as .internal or .test. It has to be a real domain. Nor do all dynamic DNS providers offer enough features to pass an ACME dns-01 challenge, namely being on the Public Suffix List and supporting TXT records.

        Or should it be the device manufacturer's responsibility to issue a name under the manufacturer's domain and resell a certificate from a known CA, the way Plex does? If so, watch the manufacturer set the certificate's expiry the same as that of the warranty on the device, so that the user has to re-buy hardware in order to renew the certificate. Nor do I see how that would apply to a home-built server made out of a Raspberry Pi or Intel NUC.

        • where should he or she obtain a TLS certificate to use with said device in order to suppress "Not Secure" messages in web browsers?

          You know they could just click okay and move on with their lives.

          • by tepples ( 727027 )

            You know they could just click okay and move on with their lives.

            Except a lot of them won't. Even with the warning for cleartext HTTP becoming scarier in recent versions of Chromium and Google Chrome, it's still not nearly as conspicuous/"scary" as the warning for a self-signed certificate.

    • to trying to freak the user out about 'this totally static site that doesn't use HTTPS must be insecure even though you can't submit info to it because it's totally static'

      The sentiment that Chrome is trying to get across in that case is "Chrome cannot guarantee that your Internet service provider has refrained from injecting malicious JavaScript code into the static site that you are viewing." Xfinity by Comcast, for example, has been caught doing this [privateint...access.com]. What would be a better way to express this in a manner short enough to fit in the location bar?

    • by roca ( 43122 )

      Non-TLS HTTP traffic can be redirected to carry out DDoS attacks and for other nefarious purposes. See https://en.wikipedia.org/wiki/... [wikipedia.org].

      Unfortunately the idea that there are public Web sites that "don't need" to use TLS is naive and obsolete.

  • Google is starting to sound like Microsoft. "We own your computer, not you, you should do as we say when we say to do it because we say so".
    • I've been working to remove Google completely from my life. Search was easy, email was easy, storage was easy. Photo/video apps are a bit harder.

      • Store your data at home on your own hardware. USB flash drives come in gigantic capacities these days. So do SSDs. You don't need 'The Cloud' at all.
        • Store your data at home on your own hardware.

          That has a few drawbacks. First, it does nothing to protect the data from fire, flood, or another disaster that renders electronics in your home inoperable. Second, many home ISPs ban running a server at home or block incoming connections or both, as do their direct competitors in the same geographic market (if any even exist). Third, if your dynamic DNS provider isn't on the Public Suffix List or doesn't support TXT records, you still have to buy a domain and keep it renewed in order to qualify for a Let's

          • Why do you need 24/7/365 instant access to pictures or files from any device anywhere on the Internet anywhere in the world? Are you a professional photographer or some other profession that requires it? If not then why can't you just store your photos and whatnot on a flash drive or SDHC or some other device you own and have control of and just keep it on you? If it's so vitally important that you're going to kill yourself if it gets destroyed then keep a copy of it somewhere else. I believe 99% of everyon
            • by tepples ( 727027 )

              Why not just keep your own stuff for ZERO money per month

              How do you keep data safe from fire, flood, or other disasters that affect your home "for ZERO money per month"?

              • I already covered that: make more than one copy, keep them somewhere else. Also how often does your house burn to the ground, get destroyed by a flood, or blown away by a hurricane or tornado? If the answer is 'often' then I think you've got worse problems to worry about than whether you should use 'The Cloud' for storing pictures of your cat(s) or not. :-)
  • ... a senior e-threat analyst for Bitdefender ... [said that] ... Bitdefender is no longer monitoring Chrome 66 and later with their anti-exploit technology.

    I entirely understand their chagrin -- but this response might be a mistake. For an anti-virus/anti-malware package to blatantly state that they're not monitoring a browser, just because the makers of that browser are getting a bit paranoid about plugins (rightfully so, mind you) ... yeah, that's not going to sit well with a lot of people. Some people will blame Google, and some will blame Bitdefender... and both will lose face to some degree -- as well as lose users. Thing is, Google can afford to lose bo

    • by Mal-2 ( 675116 )

      I nuked Bitdefender because at seemingly random intervals, it regards gcc++ as a hacking tool and quarantines parts of it. Good riddance.

  • AV vendors inject DLLs into browser processes and monkeypatch browser machine code in crazy ways to monitor browser activity. Predictably, this has created all kinds of problems. It's common for browser updates to invalidate some assumption made by the AV developers, causing frequent browser crashes. It's also common for the AV hooks to have terrible performance properties. It's also common for the AV code to introduce security vulnerabilities.

    AV vendors know that when the browser crashes or is slow, users
