Staying in control of your browser: New detection changes


This week we made some important changes to how we detect browser modifiers and adware. These changes are designed to better protect your browsing experience.

We have already blogged about the changes to the behaviors we detect as adware. I will explain the changes to our browser modifier detections below.

Our objective criteria have all the details about how and why we detect unwanted software.

Unacceptable behaviors

There are two new browser modifier behaviors that we detect:

  1. Bypassing consent dialogs from browsers that ask you if you want to install browser toolbars/extensions/add-ons.
  2. Preventing you from viewing or modifying browser features or settings.

We care about your experience in all the major web browsers and as such we will detect these behaviors in all browsers. The next two sections go into detail about what these rules mean and what some of the abuses we’ve been seeing in the wild look like.

Browser consent dialogs

Most of the leading web browsers have a disabled-by-default model for newly-installed extensions with the goal of keeping you in control. When a new extension is added into Internet Explorer, it is disabled until the next time the browser starts and asks you to make a decision:

IE prompts you to enable a new extension

Figure 1: New extensions are disabled in Internet Explorer

Other major browsers such as Firefox and Chrome have similar models for newly installed extensions. These are great features to keep you in control of your browsers. However, we’ve observed a trend where software developers are side-stepping these dialogs, and this is not acceptable.

Some of the technical methods behind the bypasses we’ve been seeing include Group Policy settings, registry changes, and preferences file modification. For example, using Group Policy settings to sidestep your consent to install an extension is not acceptable – these features are designed only for use by organizations to deploy an extension. The bottom line is that when an extension is installed into the browser, barring a few exception cases (such as Internet Explorer’s ActiveX PreApproved List), the browser consent dialog should be shown. Failure to do so can result in the application being detected as a browser modifier by our security products.
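As an added illustration (not code from MMPC or its products), the Python example below audits a `.reg` export for one of the mechanisms named above: Chrome's `ExtensionInstallForcelist` Group Policy key, which installs extensions without the consent prompt. The sample export, extension IDs, update host and the triage rule are constructed assumptions.

```python
import re

# Chrome's documented policy list for force-installed extensions.
FORCELIST = r"\software\policies\google\chrome\extensioninstallforcelist"
WEBSTORE = "https://clients2.google.com/service/update2/crx"
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
EXT_ID = re.compile(r"^[a-p]{32}$")


def find_forced_extensions(reg_text):
    """Return one finding per force-installed extension in a .reg export."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        v = VALUE.match(line)
        if not (v and key and key.lower().endswith(FORCELIST)):
            continue
        ext_id, _, url = v.group(2).partition(";")
        findings.append({
            "hive": key.split("\\", 1)[0],
            "ext_id": ext_id,
            "valid_id": bool(EXT_ID.match(ext_id)),
            # No URL means the browser falls back to the Web Store.
            "off_store": bool(url) and url != WEBSTORE,
        })
    return findings


def triage(findings, managed):
    """Assumed rule: on an unmanaged PC every forced extension is suspect;
    on a managed PC only off-store update sources are surfaced."""
    if managed:
        return [f for f in findings if f["off_store"]]
    return list(findings)


# Constructed sample export; extension IDs and the update host are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"
"2"="ponmlkjihgfedcbaponmlkjihgfedcba;https://updates.example.test/crx"

[HKEY_CURRENT_USER\Software\Policies\Google\Chrome]
"HomepageLocation"="https://example.test/"
'''
```

On a home PC that is not joined to a domain, any entry this returns deserves a look at which installer wrote it.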

User control over browser settings and features

We’ve seen applications and extensions prevent you from viewing or modifying your browser settings, or change the settings back after you make a modification to them. This is not allowed. One prevalent example is browser extensions that don’t let you disable or remove them. In this case, within the manage add-ons interface of Internet Explorer, you cannot disable or remove the extension as shown below:

An extension with a blocked 'disable' option

Behaviors such as these qualify for detection as a browser modifier by our security products.

We will continue to monitor and reevaluate our criteria to better protect your experience. Meanwhile, you can read more about how and why we detect unwanted software on our objective criteria page.

Geoff McDonald
MMPC


Comments (7)

  1. Meitzi says:

    Finally

  2. adwbust says:

    Does MSE guard monitor addon (plugin, extensions) behavior, specifically on installation? You should note what dropped or installed the addon. Source/origin may be a smart downloader, a site or a redirect. Knowing the origin will help prevent installation in the first place. Source may be from a Google and Bing search result – download sites that use smart downloader (aka softonic, etc) or search results for warez, porn or free watch tv series web site. Google and Bing should sanitize their search results. Source may also be from social media, forum, blog, email or comments platform (ie: disqus) spam.

    MSE should have behavior signature that would generically detect, report and block addons that utilize the various bypass highlighted in this blog entry.

    Thank you and a job well done for keeping up with the landscape MMPC. Hope you continue listening. 🙂

  3. Indianacarnie says:

    Kudos! Much appreciated and long awaited.

  4. wellness says:

    Great….sick of these near-malware programs that track what we do without us knowing they have installed these programs in our browsers.

  5. Rachel Ann Barry - 847-888-7838 says:

    I have malicious/malware on my computer & have run numerous full scans (which take 10 hrs) but it's still there. PLEASE send me a phone # for a customer service rep that can take over my computer to erase this malware & viruses.

  6. JDintheOC says:

    Sounds like a good idea…however it takes away my right of Freedom of Choice. I'm a lot more tech savvy than most, but for those who aren't, it's a good move.

  7. InfoSec Taylor Swift says:

    JDintheOC, please stop working for Conduit. They are a bad company.