back to article Google Chrome vows to carpet bomb meddling Windows antivirus tools

By mid-2018 Google Chrome will no longer allow outside applications – cough, cough, antivirus packages – to run code within the browser on Windows. This is according to a post today on the Chromium blog that laid out the July release of Chrome 68 for Windows as the target for new rules that will block all third-party apps from …

  1. Anonymous Coward
    Anonymous Coward

    My AV runs out of process on any changes to the file system. Yeah, it's a pain getting prompted all the time but a) I'm a control freak engineer, and b) I'd rather not have the browser (it's not Chrome) crash due to buggy code. What I'm worried about is accessability software. Hopefully screenreaders and such will be extension based. But given the oft dated nature of accessability software, this probably isn't going to be pretty.

    1. Anonymous Bullard

      AT is fine...

      "Microsoft-signed code, accessibility software, and IME software will not be affected."

  2. hitmouse

    Clicking the [X] in the top-right of the Chrome window will almost always generate a "Chrome closed unexpectedly" error when it is next run. So Google's ability to assess code issues is marginal at best.

    1. lglethal Silver badge
      Trollface

      For Google it IS an error. They expect you to NEVER close Chrome. I mean how else are they going to advertise to you?

    2. riking

      @hitmouse

      It sounds like you're one of the victims that Chrome is trying to protect with this change - Chrome crashing when you try to close it is not normal, and it's probably because of injected code.

      1. hitmouse

        Re: @hitmouse

        It's normal enough in that it happened on every computer I used, cutting across multiple Windows versions, from the very first time that Chrome is installed and run.

  3. Mark 85
    Black Helicopters

    So we have to trust Google? I'm guessing that they will, at some point, also shut down various ad blockers also since they "know what's best for us".

    1. Destroy All Monsters Silver badge
      Trollface

      WFS edition

      I will actually be happy if the Chrome browser immediately nukes code trying to run outside of the UEFI boot sequence.

      The Windows Final Solution will have been attained.

    2. Dan 55 Silver badge

      They already do pull them from the Play Store.

    3. Tree

      Trust??

      A better reason Gurgle products will stay away from my box. No Chrome for this boy.

  4. Sureo

    All that crashing, reloading and notifications, will make for a great user experience. Glad I use firefox.

    1. AMBxx Silver badge

      Latest release of FireFox is good enough to start tempting people to return from Chrome. It's more stable and faster than the mess that old FireFox was becoming.

      1. find users who cut cat tail

        The latest release of Firefox was the final nail in the coffin (currently trying Palemoon). If you want Chrome, but worse, there is no reason to use Firefox. Just use Chrome and wait -- Google is working on the ’worse‘ bit.

        1. Adrian 4

          I've been using palemoon for a while, but it's getting increasingly difficult. It shows up bugs in gmail and slack (I hear you .. no loss ..) making slack unusable and gmail lose data.

        2. Updraft102

          I'd suggest Waterfox.

          A lot of Firefox addons don't work in Pale Moon, including a significant number of the legacy addons as well as all of the Webextensions-based addons. PM is based on a much older FF build (pre-Australis), without e10s or any of the performance boosts Mozilla has made to Firefox in the last few releases leading up to FF 57. Not having Australis is a good thing (to many of us, at least), but it would be nice to have e10s and the other optimizations.

          Waterfox has the controversial Australis UI, but it also continues to support Classic Theme Restorer, so Australis is easily eliminated. Waterfox supports more Firefox addons than Pale Moon or the current Firefox (as did Firefox 56 too). It's essentially FF 56 ESR, if there was such a thing, with a few changes (pocket removed, telemetry removed, NPAPI plugins and unsigned themes still work if you want them to, stuff like that).

          I tested FF 57 and WF 56 on the same PC (i5-2500k desktop) with the same settings, with my full complement of addons. WF 56 had 23 addons enabled, while FF 57 only had about 8, since that was all of them that still worked or had Mozilla-suggested replacements at that moment. Even with three times the addons, nearly all of them of the supposedly performance-robbing legacy variety, WF 56 only scored 8.5% slower than FF 57 on the Speedometer 1.0 browser benchmark (Speedometer is the one Mozilla itself uses to tout how fast Quantum is supposed to be). I got essentially identical results in Windows 8.1 and Linux Mint 18.2.

          Mozilla, clearly, did not need to eliminate the powerful "legacy" addon APIs to get a big speed boost from Firefox. That's the idea they're trying to pitch with their "twice as fast" ad campaign to try to justify removing Firefox's defining feature, but nearly all of that gain was from changes that were made prior to the release of FF Quantum. The powerful addons didn't have to die to make Firefox fast.

          By contrast, Pale Moon (same setup as in the other tests, with and without addons disabled) scored 40% slower than FF 57.

          The actual results were: FF 57, 88.0; WF 56, 81.0; PM 27.6.1, 53.07.

          1. find users who cut cat tail

            Thanks for the info -- BTW that is why I said ‘trying’ Palemoon not ‘switched to for good’. Things that can make me worry about such choice are NPAPI plugins, etc.. But performance? Hardly. It is just a web browser after all. I want it to display web pages, be reasonably secure (again, I can see the problem here) and have a sane GUI. It does not have to run Crysis...

  5. kain preacher

    Chrome will come with it's on AV. Now can we say antitrust.

    https://www.theverge.com/2017/10/16/16482802/google-chrome-windows-extensions-default-reset-anti-virus

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Antitrust??

      How now, brown cow?

  6. Anonymous Coward
    Mushroom

    Meanwhile, Chrome is still silently installing itself alongside compliant 3rd parties, and making itself the default browser.

    Just had this tonight with my parents; for 2 weeks they have been unable to get active elements in emails to work. Went over, found the email program was trying to pass on to a browser and failing and asked the question.

    Yes, Chrome installed itself without permission, so we immediately uninstalled it.

    A lot of smaller AV/AM programs now tag Chrome as a PUP; when will the big boys start biting the hand that feed it???

    1. TheVogon

      "A lot of smaller AV/AM programs now tag Chrome as a PUP"

      Like what? Must switch to one of those!

  7. Anonymous Coward
    Anonymous Coward

    I don't blame them

    What's the first suggestion (after "reboot") you make when something fucks up?

    Disable AV.

    1. lglethal Silver badge
      Go

      Re: I don't blame them

      Really? My first Action is always to run my AV and look for Malware.

      Cant remember the last time I had a f%&k up caused by AV. Sometime back in the 90's i think... but then again I dont use Chrome or Symantec so maybe that makes me less prone to these failures...

      1. Anonymous Coward
        Anonymous Coward

        Re: I don't blame them

        Well, people who are adept don't count, like you.

        Most people use AV that's:

        - Bundled/sold with their computer.

        - Currently on offer at PC World.

        - got every single option ticked

        - or, enforced by their company.

        A common resolution (or at least something to try) is disabling AV.

        1. Anonymous Coward
          Anonymous Coward

          Re: I don't blame them

          Irritatingly some company mandated AV cannot be disabled, modified (need sysadmin to do that), so solution was, to get decent performance on PC, was - a newer, better specced PC!

    2. Anonymous Coward
      Anonymous Coward

      Re: I don't blame them

      What's the first suggestion (after "reboot") you make when something fucks up?

      Disable AV.

      I thought it was turn off Windows Update...

  8. bigtimehustler

    Makes sense

    I don't blame them personally, as a company developing software when the software crashes it is you who gets blamed, not some side loaded code interfering that caused the crash. Why on earth would any company want to allow their software to crash more than it should because corporate IT departments install AV that is shit.

    1. Anonymous Coward
      Anonymous Coward

      @bigtimehustler

      Have to disagree with you on that one.

      Although you're absolutely right that Chrome can easily take the blame for something it didn't initiate itself, it was still Chrome's API model which allowed for it to happen. Surely it should be doable to set up an API which can ensure that if a plugin goes bonkers then it won't take down the rest of the system with it?

      I can't help wonder if this is simply caused by not adding a good API structure and now paying the price for it. And instead of fixing things they'd rather take the easy way out by removing the thing alltogether.

      1. Charles 9

        Re: @bigtimehustler

        Some things can't help but be potentially harmful. It just comes with the territory. Like a gun or a car capable of moving.

      2. Anonymous Coward
        Anonymous Coward

        Re: @bigtimehustler

        According to the article, they've already got an API for it.

        It's the AV that hooks into the process via (potentially) undocumented methods that's the problem. By preventing this, it's not just the shitty AV they're protecting against, it's also rogue processes.

        Microsoft and AT are allowed, everything else goes through the plug-in API.

  9. cb7

    Chrome meddling

    Pot calling the kettle...

    I use Chrome to manage my Android phone contacts while on my Windows PC. Especially given neither MS nor Google are interested in allowing MS-Outlook to sync to the Android phone book.

    Anyhow, Windows Chrome insists on opening gmail every time I click an email address in Google contacts even though the system default email client and mailto: protocol handler is set to MS-Outlook.

    Anyone know how I can fix it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Chrome meddling

      Anyhow, Windows Chrome insists on opening gmail every time I click an email address in Google contacts even though the system default email client and mailto: protocol handler is set to MS-Outlook.

      Anyone know how I can fix it?

      It would be nice if you could explain a bit more what you meant. I guess what you meant is

      -you wanted to manage android contacts with MS-Office Outlook

      -you use web gmail on Chrome for windows

      -you set Chrome system email client to MS-Office Outlook

      -clicking on Google contacts didn't open MS-Office Outlook

      -it somehow worked before

      If that's the case, here are your options:

      1) Try resetting the system settings back to default and try again

      2) Uninstalling and reinstalling chrome

      3) Try another browser like firefox

      4) Build your own chromium with the fix

      5) Put gmail inside MS Outlook (seriously this feels like the solution)

      6) Highlight and copy the email instead of clicking on the mailto link

      7) Export all your contact to a list and use that list instead

      8) Install outlook app on the android phone, get outlook mail, give app permission to contacts and try syncing the contacts

      1. Tree

        Re: Chrome meddling

        Do not use outlook, because it is BLOATware. Use Eudora.

    2. Anonymous Coward
      Anonymous Coward

      Re: Chrome meddling

      "Anyone know how I can fix it?"

      Switching to MS Edge worked for me.

    3. Japhy Ryder

      Re: Chrome meddling

      I'd suggest you give these steps a try to set your mailto link to see if they help:

      1. Open Gmail in Chrome and click the Protocol Handler icon in your browser's address bar.

      2. When prompted to "Allow Gmail to open all email links?", select "Deny" or "Ignore" and click "Done." Then you're done! Skip steps 3-5.

      3. If you were unable to see the Protocol Handler icon overlapping-diamonds, click the Chrome menu icon chrome-menu-1 in the top right corner of your browser, and choose "Settings."

      4. Click the "Show Advanced Settings" link at the bottom of the screen. Then click the "Content Settings" button under the "Privacy" header.

      5. In the pop-up window, scroll down to the "Handlers" section and click the "Manage Handlers" button. Then select Gmail from the mailto dropdown, click "Done," and, well, you're done!

      Adapted from: https://productforums.google.com/forum/#!topic/chrome/oxPLcXhbt9w

  10. guybrush45

    Joke!!

    And this why "Chrome" will never be my default browser....Moron are missing the point by a mile!!

  11. Mephistro
    Trollface

    "Microsoft-signed code [...] will not be affected."

    Why???

    1. Paul J Turner

      Re: "Microsoft-signed code [...] will not be affected."

      Because Microsoft don't make an Ad' Blocker.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Microsoft-signed code [...] will not be affected."

        "Because Microsoft don't make an Ad' Blocker."

        And because the add ins in question are for things like Skype that would mean people would ditch Chrome and switch to Edge if they stopped working!.

  12. John Savard

    Confusing

    If my web browser stops my antivirus program from protecting me from malicious web sites or infected web sites... I think I will use another web browser. This may not really be what is happening here, but I think that many computer users will understand it that way - and Chrome's market share as a browser would be expected to plummet.

    Not that a lot of people read tech news, and Chrome is very popular. But they seem to be taking an awful chance here, as web sites that get hacked and inject viruses are such a major problem these days.

  13. LiarLiarLiar
    Thumb Down

    Most if not all people who have chrome have no idea how it got there

    They did not go looking for it, it got installed by some crappy freeware garbage. The average user has no idea that there are different browsers out there, they just use whatever is the default browser. I hate chrome and its report everything back to google spying.

  14. Anonymous Coward
    Anonymous Coward

    Anti virus software is a relic from last century.

    The browser should be the first line of defence against malicious websites. For virus scanning, it can be done online these days.

    For casual home users, you really don't need always-on monitoring, something constantly running in the background that eats up your resources.

    1. Anonymous Coward
      Anonymous Coward

      Re: Anti virus software is a relic from last century.

      "The browser should be the first line of defence against malicious websites. "

      No, your proxy / DNS filter list should be the first line of defence!

      1. Anonymous Coward
        Anonymous Coward

        Re: Anti virus software is a relic from last century.

        No, your proxy / DNS filter list should be the first line of defence!

        No! Common sense is.

        Oh, wait.. nevermind.

  15. The Original Steve

    Overkill?

    I went off Chrome a couple of years ago. The core project I still love, but I'm really falling out of love with Google for all sorts of reasons (many listed by other commentards).

    Doesn't this seem rather heavy handed? According to the article, this is all about making it less "likely" that 15% of the 2/3rd's of Chrome users on Windows may have a crash.

    "Roughly two-thirds of Windows Chrome users have other applications on their machines that interact with Chrome..."

    "..., users with software that injects code into Windows Chrome are 15 per cent more likely to experience crashes."

    Seems a tad overkill to me.

    1. Anonymous Coward
      Anonymous Coward

      Re: Overkill?

      "Seems a tad overkill to me."

      Edge is faster and more stable than Chrome with lower resource use and less cruft. Google are trying to remain competitive!

  16. steelpillow Silver badge
    Thumb Up

    Good thing too

    APIs and extensions are a much cleaner way to do this sort of thing. Plenty of warning, support for accessibility stuff, all very civilised. Good for Google, I say (and I don't say that very often any more).

  17. Anonymous Coward
    Anonymous Coward

    And this is why I use Opera

    Opera is a browser build upon the Chromium engine and has a lot of its own specific features and quirks. I tried it and immediately took a liking to it. You can clearly notice all the things it provides because of the Chromium engine but even though it may share some resemblances it's definitely not Chrome, and hat shows.

    A lot of things are done in much different ways, and some features (like a build-in VPN) are simply Opera-only features.

    I really don't see Opera disabling or disallowing plugins any time soon because that would surely kill their market. There's a whole extensions website and from what I can tell it's pretty popular.

    So maybe now could be a good time to look around for "Chromium based browsers" as an alternative for Chrome itself.

    1. Not That Andrew

      Re: And this is why I use Opera

      Opera these days is a better Chrome, that is true. What it isn't is a modern version of Opera. The closest thing to that is Vivaldi with the bonus of being a better Chrome than modern Opera.

  18. david 12 Silver badge

    15 per cent more likely to experience crashes

    So if Chrome never crashes, this will make no difference at all.

    On the other hand, this will make a significant difference if Chrome is crashing all the time.

    Are they telling us something about how unstable Chrome is?

    (I've been using Pale Moon. Recent builds of that have been crashing /every day/ on all my various computers and OS)

  19. Hans 1

    This is according to a post today on the Chromium blog that laid out the July release of Chrome 68 for Windows as the target for new rules that will block all third-party apps from injecting scripts into browser sessions.

    I cannot wait for them to do it ... no, I do not use Chrome, but having third parties littering Chome's JavaScript is, of course, F'd up, how could they allow that in the first place. AV or not AV ... of course, I think extensions are treated differently ...

  20. HmmmYes

    Google v. Microsoft.

    My web browsing is beginning to feel like a small, non-aligned south american country during the cold war.

  21. RyokuMas
    Facepalm

    So Google are going to block third party code in Chrome "to cut down on stability issues"... in other words, the usual "we're doing this for your benefit" bullshit we have come to associate with Google.

    ... meantime, you have black-hatters <a href="https://www.theregister.co.uk/2017/11/22/cryptojackers_google_tag_manager_coin_hive/>using Google tag manager to mine crypto-currency</a>.

    Hence the use of the word "bullshit", above. It's so obvious that all Google care about these days is their bottom line that even their cheerleaders on here seem more and more reluctant to defend them - lots of downvotes, sure, but no attempts at a counter-argument (save for the odd AC attempt).

    I can only hope that once the dust settles from the anti-trust cases (which cannot come soon enough), that people, and especially anyone in the IT arena learns from this and we do not get another repeat of what has happened over the past 20 or so years between Google and Microsoft...

    1. ArrZarr Silver badge
      Windows

      GTM is a tag manager. Users write (or paste in) their own code which then runs on the pages.

      The black hats are probably using GTM as it's the easiest to use as many other companies offer similar tag management systems (to be fair, these usually cost money to run as well).

      There is no effective way for Google to police this.

      So yes. They care about their bottom line because they are a company and as a "cheerleader" I will happily explain why this argument fails for the same reason that the various Govt. attempts to force Google, FB et al. to police extremist content and fake news aren't currently possible.

  22. Duncan Macdonald

    Sanity ?

    As NoScript, AdblockPlus, Spybot S&D and a good AV package are requirements for sane browing these days, any browser that does not allow these to run is unfit for use.

    (For bad sites that need crap, I use a VM running a Linux live CD ISO - any downloaded crap is discarded when the VM is shut down.)

    1. Anonymous Coward
      Anonymous Coward

      NoScript

      The new version of NoScript for Firefox 57 is an abortion, only usable by residents of Nerdland. Brilliant programming has replaced one click usage with a dozen inexplicable choices, many of which fail to work. A once great program has become history overnight.

      1. Duncan Macdonald

        Re: NoScript

        Agreed. At the moment I am using an older version of Firefox so that I can have a usable NoScript. A working NoScript and an older Firefox is safer than a new Firefox without a working NoScript

        1. GX5000
          Angel

          Re: NoScript

          Try same with Opera...much more stable and fast.

        2. Updraft102

          Re: NoScript

          "A working NoScript and an older Firefox is safer than a new Firefox without a working NoScript"

          Yes, and a working NoScript and an up-to-date Waterfox is safer than both of them.

          Waterfox 56 still runs all the old addons, and it has all of the security updates from FF 57 backported. It's Firefox if the Mozilla devs hadn't lost the plot, and their minds.

      2. jasper pepper

        Re: NoScript

        I replaced NoScript with No-Script Suite Lite. Not as rich as NoScript but it is easy to understand.

  23. PickledAardvark

    No accessibility software?

    No third party screen enlargers? No text to speech readers and navigators? Unless Google provide these features, a lot of organisations will walk away from Chrome.

  24. Anonymous Coward
    Linux

    Anti-virus?? Random crashes??

    That's a blast from the past!

  25. Aodhhan

    Yet other risky apps still run

    The browser will still run Java, Flash, anything Oracle.

    Thanks Google for being stupid, yet again.

  26. Milo Tsukroff
    Holmes

    Chrome runs 110% of CPU, can't stand the competition

    On my PC's, Chrome tries to take 110% of CPU utilization. Seeing that AV software often takes 50% or more CPU, Chrome can't stand the competition and now wants to freeze them out ... sounds like a p***ing contest to me. Wait ... maybe someday AV software will detect malware called, "Chrome Browser"!

    1. Updraft102

      Re: Chrome runs 110% of CPU, can't stand the competition

      I've seen people write this before, but how can anything take more than 100% of the CPU time?

      1. Not That Andrew

        Re: Chrome runs 110% of CPU, can't stand the competition

        8 cores = 800% maybe? In which case using 50% or 100% isn't that big a deal.

        But seeing as windows doesn't measure CPU usage that way (at least in task manager) probably exaggeration.

  27. Howard Hanek
    Childcatcher

    Only Google 'Meddling' Permitted

    Google, could you turn around? Your arrogant side is meddling with my disposition.

  28. Anonymous Coward
    Anonymous Coward

    ChromeDrones

    Who in his right mind uses MalwareChromeSpy?

    Might as well use a Mac.

    Seriously.

    (The stupid is pushing me to consider retirement)

  29. Rathkennamike

    Another reason not to use Chrome, good, the more reasons they give not to use it the better :-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like