Recently, a user of Tao Presentations informed us that Google Chrome displayed a dire warning after he downloaded our software: “Tao Presentations may be malicious software”. Uh oh, for the average Joe, that’s a big no-no.

Google locks out “unapproved” programs

It’s not just us. Recently, I tried to download some of the amazing demos created by Iñigo Quilez. Same thing. Seriously, a 4K exe that manages to display a complete mountain? And Google Chrome would have me believe that there’s room in there for “malicious software”? Get real.

Now, it took me quite a while to find a solution to this problem. Apparently, you just need to record your site in Google’s Webmaster tools, and after scanning your site and ensuring (I assume) that there’s no known virus signature in the files, things should improve.

I still find this really annoying that a browser vendor would, by default, tag unknown files as “malicious”. Who are they to make this judgment call?

Why didn’t Google implement a real solution?

Shouldn’t they instead have something a little more sophisticated, that actually detects malicious signatures? You know, like a real anti-virus? Don’t tell me that Google doesn’t have smart enough engineers to write an in-browser anti-virus that doesn’t completely suck.

Nah, instead they went the easy route: anything that we don’t know is malicious. And we tell your users so.

I used to be a big fan of Chrome. Not anymore. Because of this single issue. I think this demonstrate an incredibly stupid arrogance and lack of technical diligence on Google’s part.

Google overstepped its authority and took advantage of their weight. Let’s not get used to it.


11 thoughts on “When Google oversteps its authority

  1. Q: Why didn’t Google implement a real solution?
    A: The “real” solution is use behavioural based observation of the suspect file. This involves spawning a virtual machine that simulates the host environment (the Operating System, but you may be able to get away with just the browser) and then executing and observing the suspect file.

    The signature based scheme you suggest is just not scalable. Global malware production is happening at such a rate that signature based solutions don’t keep up, and all the “proper” AV solutions are giving both false positives AND false negatives.

    1. @jamesh: I agree that this is a tough problem. Your solution is not perfect either, because there’s no way for software to detect a legitimate network request from a DDOS (which is often just the same network request done by thousands of bots). My point was more that Google didn’t even attempt to solve the problem, but still tell their users they did by incorrectly flagging any unknown file as malicious.

      Unfortunately, this seems to be a general trend here. Apple did the same thing with their inane GateKeeper, which not only blocks unknown software, but gives special treatment to developers who paid Apple for the privilege. Or with the whole UEFI and trusted computing idea, based on the idea that computer owners are not to be trusted, but that big software vendors are.

      I really don’t like the direction this is going. Boiled frog syndrome here.

  2. Incorporating mcafee in my web browser? What a terrible idea – no thanks. If I want a virus scanner I’ll install one, that is how unices work i.e. not one massive bloatfest. Please don’t assume everyone is on windows. Also it doesn’t prevent you from downloading it does it? I have never seen this message but a gentle reminder to Windows users to excercise internet safe-sex is greatly appreciated imho – we have enough spam botnets in the world already thanks.

  3. Let’s be serious here, it’s not “any unknown file”…. I’ve downloaded a LOT of files, both mainstream known files and less so, and I’ve never come across that warning. More likely this is similar to their youtube copyright detection; if it matches their criteria of “suspicious files”, mark it accordingly.

  4. Is the implementation facile? Yes. Google-centric? Yes, but it is their browser after all.

    I’m sure to get flamed for this, but as a security engineer supporting a company of >60K users, I applaud this behavior. You’re a technical user, you know what you’re doing. Google is not targeting you with this protective behavior. Google is targeting your mother and grandmother, your HR people and executive assistants, the security guard at the front desk of your office building. They’re trying to protect the great unwashed masses that mostly use the Internet to read CNN and TMZ and post to Twitter and Facebook.

    Go talk to your helpdesk and security folks and find out about all the stupid ways that *regular users* get 0wned and you’ll gain a new appreciation for this feature.

    1. @John, I am used to Google providing higher quality solutions. This is one of them. Think of Safe Search. It’s hard to implement. Can you imagine if every single new web page Google never crawled before was labelled as “This may be a porn site” by Google Search?

  5. I tried downloading the mountain “evalated” intro like you said, and the very first mirror had malware attached to the zip file, says my anti-virus software Kingsoft. Then, the 13 kb image pack below that demo also had malware. So… I think google chrome is being honest for sure.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s