Microsoft anti-virus update identified Google Chrome as a trojan

Users of Microsoft Security Essentials and Google Chrome have been reporting a very unusual issue with their anti-virus program of choice. According to a thread originating on the official Google Chrome support forum, the browser is being identified as a trojan. The first post about the issue was made at 8:02AM, with the following being a direct quote from the thread:

I have been using Chrome on my office PC for over a year.  This morning, after I started up the PC, a Windows Security box popped up and said I had a Security Problem that needed to be removed.  I clicked the Details button and saw that it was "PWS:Win32/Zbot".  I clicked the Remove button and restarted my PC.  Now I do not have Chrome.  It has been removed or uninstalled.  The Chrome.exe file is gone.  Was there really a problem, or is this just a way for Microsoft to stick it to Google?  If I reinstall Chrome, will it have my bookmarks and other settings?  Not sure what to do about this, but I much prefer Chrome to Explorer.

Less than 10 minutes after this, the thread creator responded, confirming the issue. When attempting to reinstall the browser, Microsoft Security Essentials deleted the "chrome.exe" installer, citing it as PWS:Win32/Zbot, which is classified as a severe threat by MSE. It is possible that the issue comes from a compromise of Microsoft Security Essentials or Chrome, but it seems more likely that it stemmed from a code conflict.

Microsoft were quick to confirm the issue, and also to try and fix it. They released a new virus definition, and added the following information to the Malware Protection Center page:

On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified. On September 30th, 2011, Microsoft released an update that addresses the issue. Signature versions 1.113.672.0 and higher include this update.

PWS:Win32/Zbot is a password-stealing trojan that monitors for visits to certain Web sites. It allows limited backdoor access and control and may terminate certain security-related processes.

Just over an hour later, a Microsoft employee responded to ZDNet's Ed Bott about the issue via email. He said the following:

On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers' PCs. We have already fixed the issue - we released an updated signature (1.113.672.0) at 9:57 am PDT - but approximately 3,000 customers were impacted. Affected customers should manually update Microsoft Security Essentials (MSE) with the latest signatures. To do this, simply launch MSE, go to the update tab and click the Update button, and then reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.

71 Comments

I'm sure it was an honest mistake, I just think it's funny that it came when Microsoft and Google have been publicly bitching about each other. Good job I don't tend to believe in conspiracies.

I know how to legally kill Chrome. MS just should release a security update that will forbid an ability to launch any application from within AppData. As this is folder for app's data, just like /data/data on android, not for executables they would be right.

FalsePositive said,
It's a good thing I don't run AV.

This statement alone removes any credibility you have, if your asinine anti-Windows 7 posts didn't do the job already.

Google is releasing an update for this in next 24 hours which automatically repairs Chrome for affected users.

EmbraceNext said,
If it looks like a duck... walks like a duck.... Yeah, I see Chrome as a Trojan too.
Google's search engine is a trojan - keeps telling me to upgrade to Chrome. Shame there's no way to block that stupid message in FF or IE

Well at least it didn't affect Chrome 15 beta (15.0.875.54) for me, as using it right now. lol

MSE in use:
Security Essentials Version: 2.1.1116.0
Antimalware Client Version: 3.0.8402.0
Engine Version: 1.1.7702.0
Antivirus definition: 1.113.681.0
Antispyware definition: 1.113.681.0
Network Inspection System Engine Version: 2.0.5854.0
Network Inspection System Definition Version: 9.315.0.0

I had a similar problem with Norton AV 2011. It flagged the Google Chrome Canary build as the same and blocked the installer from updating the program. It of course has since been corrected.

I certainly wouldn't want Google Chrome on my computer, but it looks like it was an honest mistake. They fixed it now.

KingCrimson said,
LOL... MSFT trying dirty tricks to defeat Google!

It's called a mistake, smart one. Technology works that way, sometimes. Stop trying to lower Microsoft down so that you can feel better about your lowly Apple.

Obviously Chrome isn't the trojan. There's usually not really anything that AV makers can do before collisions like this happen. The Chrome build must have had some combination of bytes in it that happened to match the trojan's signature. They just have to put an exception for that file's hash in the database.
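
The mechanism this commenter describes, sketched as an added example (not part of the thread, and not Microsoft's engine or signature): a byte-pattern scanner that flags a benign file by coincidence, and a hash exception that clears it. The pattern, detection name and sample files are constructed; the last sample shows that a hash exception covers only the exact build it was computed from.

```python
import hashlib

# Constructed toy signature: a byte pattern with one wildcard (None = any byte).
# It is NOT the real PWS:Win32/Zbot signature, which the article does not give.
TOY_SIGNATURE = [0x8B, 0x45, None, 0x33, 0xC0, 0xE8]
DETECTION_NAME = "Toy:Win32/Example"  # constructed detection name

def matches(data: bytes, pattern) -> bool:
    """True if the pattern occurs at any offset in data."""
    n = len(pattern)
    return any(
        all(p is None or data[i + j] == p for j, p in enumerate(pattern))
        for i in range(len(data) - n + 1)
    )

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(data: bytes, hash_exceptions=frozenset()) -> str:
    """Verdict for one file; an excepted hash overrides a pattern match."""
    if sha256(data) in hash_exceptions:
        return "clean (hash exception)"
    if matches(data, TOY_SIGNATURE):
        return "detected " + DETECTION_NAME
    return "clean"

# Constructed sample "files" (short byte strings, not real binaries).
CODE_A = bytes([0x8B, 0x45, 0x08, 0x33, 0xC0, 0xE8])  # bytes the signature was cut from
CODE_B = bytes([0x8B, 0x45, 0xFC, 0x33, 0xC0, 0xE8])  # coincidental look-alike
SAMPLES = {
    "trojan":         b"\x90\x90" + CODE_A + b"tail",
    "browser_build1": b"MZ browser 1 " + CODE_B + b"ui",
    "browser_build2": b"MZ browser 2 " + CODE_B + b"ui",
    "other_app":      b"MZ editor " + bytes([0x8B, 0x45, 0x08, 0x90, 0x90, 0x90]),
}

def verdicts(hash_exceptions=frozenset()) -> dict:
    return {name: scan(data, hash_exceptions) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    print("before exception:", verdicts())
    # Except only the exact build that was wrongly flagged.
    fixed = frozenset({sha256(SAMPLES["browser_build1"])})
    print("after exception: ", verdicts(fixed))
```

Because `browser_build2` still matches after the exception, a per-hash entry has to be repeated for every release unless the pattern itself is narrowed.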

bitflusher said,
Only now MSE can measure up with the real guys,

What? How isn't MSE "real" already? I'm amazed some people think MSE isn't up to other AV. They clearly have no clue or are just fanboys.

Considering that Chrome does the same thing that the Trojan does, learn your passwords, fill in forms and self update in the background, it's amazing it wasn't heuristically flagged earlier by

Einlander said,
Considering that Chrome does the same thing that the Trojan does, learn your passwords, fill in forms and self update in the background, it's amazing it wasn't heuristically flagged earlier by

other ac products.

Einlander said,
Considering that Chrome does the same thing that the Trojan does, learn your passwords, fill in forms and self update in the background, it's amazing it wasn't heuristically flagged earlier by

all modern browsers do that...

rajputwarrior said,

all modern browsers do that...


Mine haven't worked in Firefox or Chrome for some time on the entire site, unless I open the edit window in a new tab

Einlander said,
Considering that Chrome does the same thing that the Trojan does, learn your passwords, fill in forms and self update in the background, it's amazing it wasn't heuristically flagged earlier by
I don't think that is how AV detects virus.

garychencool said,
wow, lol Essentials sucks anyways

You're joking, right? Lol, Essentials is the only antivirus software that works effectively these days without being a botnet or spyware.

PlogCF said,

You're joking, right? Lol, Essentials is the only antivirus software that works effectively these days without being a botnet or spyware.

MSE is the worst ever anti-virus app. Came 17 out of 20 in AV-TEST with horrible results. Keep away.

alexalex said,

MSE is the worst ever anti-virus app. Came 17 out of 20 in AV-TEST with horrible results. Keep away.

Hey, go outside and play with your friends instead of making yourself ridiculous by spewing around bull**** on every article that contains "Microsoft".. Friends? Oh wait..

alexalex said,

MSE is the worst ever anti-virus app. Came 17 out of 20 in AV-TEST with horrible results. Keep away.

You clearly have no idea what you're talking about.

excalpius said,

You clearly have no idea what you're talking about.

It's actually true. Well, its placement at least, not it being the worst ever (though it is far behind the pack)

garychencool said,
wow, lol Essentials sucks anyways

I disagree, it is by far one of the better antivirus programs. In fact I have had no problems with it whatsoever, unlike other antivirus software that likes to bog the computer down.

~Johnny said,

It's actually true. Well, its placement at least, not it being the worst ever (though it is far behind the pack)


That's BS.

Yeah, because it's the first time an AV has false positives... oh wait. No, a lot of AVs have deleted even my MMORPG launchers, besides some files.

And I don't see that many articles about how an AV has a false positive. Even when you send it's a false positive, still months and months and sending the same "it's false positive" you still get it's a virus and you have to obviously allow it.

But of course if it's not Microsoft and Google in the same sentence, the article isn't worth it. Yeah, I get it.

Awesome.
Although it shows the weakness of pattern matching and heuristics in all these anti/crap supposed to be solutions. False positives all around, yet infections still happen.

cralias said,
Awesome.
Although it shows the weakness of pattern matching and heuristics in all these anti/crap supposed to be solutions. False positives all around, yet infections still happen.

I'd rather it have a false positive than miss something legit. It's not real hard to reinstall a browser, but it's sometimes a PITA to remove some malware.

Obviously you haven't been around long enough to remember the famous Microsoft's mantra of "DOS ain't done till Lotus won't run".

Nothing changed, except now in the politically correct world of 2011, the mantra from Microsoft is "Oh a million apologies Google, Human error, Don't know how that happened!, We'll fix it right away"

TechDudeGeorge said,
This is something I'd expect from Apple more than Microsoft.

Microsoft just read the report of Chrome passing Firefox by the end-of-year and going after IE. Microsoft probably thought that not many users will re-install Chrome after it has been removed by MSE.

It deleted my Chrome too then defaulted me back to IE with BING as the search engine. Then a picture of Steve Ballmer appeared with a caption that said "Now you got it right son"

daz411 said,
It deleted my Chrome too then defaulted me back to IE with BING as the search engine. Then a picture of Steve Ballmer appeared with a caption that said "Now you got it right son"
Huh... it deleted my Chrome, then defaulted to Firefox with a picture of a lolcat saying "miss u."

daz411 said,
It deleted my Chrome too then defaulted me back to IE with BING as the search engine. Then a picture of Steve Ballmer appeared with a caption that said "Now you got it right son"

Holy **** that had me laughing out loud

daz411 said,
It deleted my Chrome too then defaulted me back to IE with BING as the search engine. Then a picture of Steve Ballmer appeared with a caption that said "Now you got it right son"

Made my night

daz411 said,
It deleted my Chrome too then defaulted me back to IE with BING as the search engine. Then a picture of Steve Ballmer appeared with a caption that said "Now you got it right son"

LMAO!!!

daz411 said,
It deleted my Chrome too then defaulted me back to IE with BING as the search engine. Then a picture of Steve Ballmer appeared with a caption that said "Now you got it right son"

You da man LOL!

daz411 said,
It deleted my Chrome too then defaulted me back to IE with BING as the search engine. Then a picture of Steve Ballmer appeared with a caption that said "Now you got it right son"

LOL.. epic!