
Not enough privacy protection in Application Control component, legit software scanning user’s Chrome history.

  • 17 January 2021
  • 8 replies
  • 147 views

Recently, there have been reports about some legit software scanning user’s Chrome history (or any browser installed) and save it to their own SQLite database for query.

I have been an Anti-Virus user for years but due to the event, I decided to upgrade to Internet Security to see if the Application Control could help me fight this kind of breach in my privacy. I tried to put the application in the Low Restricted group, but it did not detect the behavior; in the High Restricted group, the application cannot connect to the Internet, making it unusable.

I also tried to set up custom rules in Application Control, but I find no option to do so.

Here is the Process Monitor log for the said privacy breach behavior from a legit software (with valid certificate and millions of users): * username is censored

20:19:50.9845654    TIM.exe    5036    QuerySecurityFile    C:\Users\_\AppData\Local\Google\Chrome\User Data\Default\History    SUCCESS    Information: Attribute
20:19:50.9853745    TIM.exe    5036    ReadFile    C:\Users\_\AppData\Local\Google\Chrome\User Data\Default\History    SUCCESS    Offset: 0, Length: 1,048,576
20:19:50.9864900    TIM.exe    5036    ReadFile    C:\Users\_\AppData\Local\Google\Chrome\User Data\Default\History    SUCCESS    Offset: 1,048,576, Length: 1,048,576
...
20:19:51.0030329    TIM.exe    5036    ReadFile    C:\Users\_\AppData\Local\Google\Chrome\User Data\Default\History    SUCCESS    Offset: 25,165,824, Length: 196,608
20:19:51.0034535    TIM.exe    5036    CloseFile    C:\Users\_\AppData\Local\Google\Chrome\User Data\Default\History    SUCCESS    
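
The check this log supports, as an added example that is not part of the original post or of any Kaspersky tooling: it parses Process Monitor rows in the column layout shown above and totals the bytes each process outside an allow-list read from Chrome's History file. The allow-list, the function names and the chrome.exe row are assumptions; the other sample rows are modelled on the log above.

```python
import re
from collections import defaultdict

# Chrome path taken from the log above; the allow-list is an assumption.
WATCHED = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\History$", re.I)
ALLOWED = {"chrome.exe"}
FIELD_SEP = re.compile(r"\t+| {2,}")  # columns split by tabs or runs of spaces
LENGTH = re.compile(r"Length:\s*([\d,]+)")

# Constructed sample: rows modelled on the log above, plus one chrome.exe row.
P = r"C:\Users\_\AppData\Local\Google\Chrome\User Data\Default\History"
SAMPLE = [
    f"20:19:50.9845654    TIM.exe    5036    QuerySecurityFile    {P}    SUCCESS    Information: Attribute",
    f"20:19:50.9853745    TIM.exe    5036    ReadFile    {P}    SUCCESS    Offset: 0, Length: 1,048,576",
    f"20:19:50.9864900    TIM.exe    5036    ReadFile    {P}    SUCCESS    Offset: 1,048,576, Length: 1,048,576",
    "...",
    f"20:19:51.0030329    TIM.exe    5036    ReadFile    {P}    SUCCESS    Offset: 25,165,824, Length: 196,608",
    f"20:19:51.0034535    TIM.exe    5036    CloseFile    {P}    SUCCESS    ",
    f"20:20:02.1000000    chrome.exe    4120    ReadFile    {P}    SUCCESS    Offset: 0, Length: 4,096",
]

def parse_line(line):
    """Split one Process Monitor text row into named fields, or return None."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) < 6 or not parts[2].isdigit():
        return None
    return {"time": parts[0], "proc": parts[1], "pid": int(parts[2]),
            "op": parts[3], "path": parts[4], "result": parts[5],
            "detail": parts[6] if len(parts) > 6 else ""}

def foreign_history_reads(lines, allowed=ALLOWED):
    """Bytes read from a watched history file, per process not in `allowed`."""
    totals = defaultdict(int)
    for ev in filter(None, map(parse_line, lines)):
        if ev["op"] != "ReadFile" or ev["result"] != "SUCCESS":
            continue
        if ev["proc"].lower() in allowed or not WATCHED.search(ev["path"]):
            continue
        m = LENGTH.search(ev["detail"])
        if m:  # sum the Length values to see how much of the file was read
            totals[(ev["proc"], ev["pid"])] += int(m.group(1).replace(",", ""))
    return dict(totals)

if __name__ == "__main__":
    for (proc, pid), nbytes in foreign_history_reads(SAMPLE).items():
        print(f"{proc} (PID {pid}) read {nbytes:,} bytes of Chrome history")
```

Reads of the whole file in 1 MiB chunks by a non-browser process, as in the log above, show up as a single large total per process and PID.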
 



Hi @Elasticrouter , 

Please submit a ticket to technical support via my.kaspersky.com and include traces with reproduction of the Chrome folder scan. How to collect traces:

  • enable traces
  • restart PC
  • reproduce the Chrome folder scan
  • stop traces

Hi @Igor Kurzin,

I have attached my traces with reproduction to a technical request, do I need to provide you with the request ID?

Thanks.


Hi @Elasticrouter , yes, please. Thank you. 


Hi Igor,

Here is the request ID - INC000012350967, thanks.


Hello @Elasticrouter 

Did you set the right application rule for tim.exe? I used Notepad as a target process to check the behavior of Application Control. It is normal.

Regards.


Hi @Elasticrouter , 

Do you have any confirmation that the application “save it to their own SQLite database for query”?


Hello,

I think this question is related to this news in China. It is not using its own SQLite database, just querying URLs.

https://tech.ifeng.com/c/837vdMTxmIq

https://bbs.pediy.com/thread-265359.htm

Hi @Wesly.Zhang

Thank you for your follow-up, as I stated in my post,

“I also tried to set up custom rules in Application Control, but I find no option to do so.”

that’s why my intent is to propose Chrome history to be protected by Kaspersky by default, in Low Restricted group possibly. (Not that I have set up a custom rule but Kaspersky wasn’t doing its job; sorry for the confusion.)

After studying your screenshots, I have found the ‘Add’ button on my settings (as it is only shown after I click on any resources), and will be setting up my own rule going forward.

As for @Igor Kurzin’s SQLite issue, it is like what @Wesly.Zhang said: I saw that in a report that another person posted, and I only tested the file query part using Process Monitor. Sorry for the misleading information.
