Chrome On Demand Updater Blocked by NVT ERP

Status
Not open for further replies.

AtlBo

Anyone have any idea what might cause this? Here is the block information:

Hash: 7C80696A40AF823F7EF092AFBC69C485
Program: C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe
Publisher: Google Inc.
Parent: [944]C:\Windows\system32\svchost.exe
Command Line: "C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe" -Embedding

Blocked due to Invalid or revoked certificate? All of this looks normal to me, but check this out:

Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'ChromeSetup.exe'

This part at the top:

Analyzed on May 13th 2017 13:44:13 (CEST) running the Kernelmode monitor and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by VxStream Sandbox v6.50 © Payload Security

Reading on, it makes 8 internet connections. What? Did Google get their certificate revoked for Chrome?
 
Last edited:

SHvFl

This seems fake. GoogleUpdateOnDemand (same version) is signed by Google Inc with a SHA-1 and SHA-256 certificate. From the hybrid analysis you linked, the file you have has random certificates that are even expired.
 

AtlBo

I uploaded to VirusTotal and the file is clean and using the same hash. I clicked on Chrome and got the immediate block. I guess the hubbub on that site spooked me a little bit, so I thought I would ask if I should be worried. I'll run for a while, and I assume Chrome has other ways to update, so maybe it will update anyway and fix the certificate issue if there is one.
 

SHvFl

> I checked VirusTotal and the file is clean by the same hash. I clicked on Chrome and got the immediate block. I guess the hubbub on that site spooked me a little bit, so I thought I would ask if I should be worried. I'll run for a while, and I assume Chrome has other ways to update, so maybe it will update anyway and fix the certificate issue if there is one.

When you right-click the file, does it have the Google certificate or those the hybrid site mentions? If it has anything other than Google, you are infected.

Hash of the file is: sha256: AC8E6446D24CCF9115C46F719E2684F88234994720D470A2D122E5653D4A663A

[image: 9e4uwqx.png]
 
  • Like
Reactions: _CyberGhosT_
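The confusion in this thread came from comparing hashes of different algorithms (an MD5 from the NVT ERP log against a SHA-256 on the sandbox page) and in different letter cases. The following is an added example, not code from the thread or from NVT ERP, that does the triage the posters did by hand: it computes the local file's MD5, SHA-1 and SHA-256, identifies which algorithm a copied digest belongs to by its length, and compares case-insensitively. The file contents and digests used in the usage line are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional

# Hex digest lengths used to tell apart the algorithms that appear in the thread:
# the ERP log showed an MD5 (32 hex chars), the sandbox and VirusTotal showed SHA-256 (64).
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_CHARS = set("0123456789abcdefABCDEF")


def identify_algorithm(hex_digest: str) -> Optional[str]:
    """Guess the hash algorithm from a copied hex digest; None if it is not a known digest."""
    digest = hex_digest.strip()
    if not digest or any(c not in HEX_CHARS for c in digest):
        return None
    return DIGEST_ALGORITHMS.get(len(digest))


def compute_digests(data: bytes) -> Dict[str, str]:
    """Compute all three digests of the file contents as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_ALGORITHMS.values()}


def compare_reported(data: bytes, reported: List[str]) -> Dict[str, str]:
    """For each digest copied from a log or report, say whether it matches the local file.

    Returns a mapping from the reported string to 'match', 'mismatch' or 'unknown-algorithm'.
    Each reported value is only ever compared against the local digest of the same
    algorithm, so an MD5 and a SHA-256 are never mistaken for each other, and the
    comparison ignores letter case because tools print hex differently.
    """
    local = compute_digests(data)
    verdicts: Dict[str, str] = {}
    for value in reported:
        algo = identify_algorithm(value)
        if algo is None:
            verdicts[value] = "unknown-algorithm"
        elif local[algo] == value.strip().lower():
            verdicts[value] = "match"
        else:
            verdicts[value] = "mismatch"
    return verdicts


def triage_file(path: str, reported: List[str]) -> Dict[str, str]:
    """Read a file from disk and compare it against digests copied from reports."""
    with open(path, "rb") as handle:
        return compare_reported(handle.read(), reported)


if __name__ == "__main__":
    # Constructed sample: a fake file body and the two digests quoted in the thread.
    sample = b"constructed sample file body, not the real updater"
    quoted = [
        "7C80696A40AF823F7EF092AFBC69C485",  # MD5 from the ERP block message
        "AC8E6446D24CCF9115C46F719E2684F88234994720D470A2D122E5653D4A663A",  # SHA-256 from VirusTotal
    ]
    for value, verdict in compare_reported(sample, quoted).items():
        print(f"{verdict:18} {value}")
```

Run against a real file with `triage_file(path, [digests...])`; a single "match" on any algorithm means the reports describe the same bytes, while "unknown-algorithm" flags a value that cannot be compared at all rather than silently treating it as a mismatch.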

AtlBo

Yes, here is the SHA256 from VirusTotal: ac8e6446d24ccf9115c46f719e2684f88234994720d470a2d122e5653d4a663a

Here is the signature:

[image: Signature.png]


All the details are correct too.

[image: Sig 2.png]
 
Last edited:

AtlBo

This file is not the same one at the link. I see that now. That site report was what spooked me, and I only had the MD5 hash from NVT ERP to work with. I haven't worked with hashes much. From now on I'll first head to VirusTotal and start comparing hashes. Still not sure why ERP flagged it, though...
 

SHvFl

Yeah. Hash is the same as mine, so it's safe. No clue why you don't have a SHA-1 and SHA-256 signed file, but maybe you don't use Windows 10 like me.

BUT are you sure that is the file and not something with the same name? Did you check the NVT log to be sure of the blocked file path? Makes no sense that NVT would block it for a revoked certificate.

If it's not an NVT bug, something is wrong, dude.
 

AtlBo

> BUT are you sure that is the file and not something with the same name? Did you check the NVT log to be sure of the blocked file path? Makes no sense that NVT would block it for a revoked certificate.

I did, @SHvFl. The info in the first post is from the NVT log here:

[image: Sig 3.png]


Then here is the certificate. @darko999 thanks for pointing out that I can click on the details button for more. Think I had done it before but forgot about it:

[image: Sig 4.png]


I am on W7 Pro 64.

One mistake I made was Googling the MD5 hash of the file for info. I think the link was the third page I looked at, and I saw the SHA and sort of assumed it was the same file even though it was the SHA256 hash there. The info on the page spooked me for sure. Don't want that file. Anyway, I had started to go to VirusTotal but thought I would run it by you guys first to see if there was something about this file sometimes, like with some certificates I have run across for the internet or whatever.

Looks like the file is clean, so I have no idea why NVT blocked it as a bad sig. I guess if it happens again I will look into it more. I know NVT will block it if the hash is wrong, so.
 
Last edited:
  • Like
Reactions: SHvFl and darko999

shmu26

Edit the command line by replacing "1.3.33.5" with *.
NVT ERP is not "smart" about reading command lines. If it doesn't match exactly, it will be blocked.
That's why you need to use lots of asterisks...
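To make the exact-match point concrete, here is an added example (not NVT ERP's own matching engine, whose internals the thread does not describe) that models an allow rule as a literal string in which only `*` is a wildcard. It shows why the rule copied from the block message stops matching as soon as the updater's versioned directory changes, why the rule with the version replaced by `*` keeps working, and why a rule that is all asterisks is too broad. The command lines are constructed from the path in the first post; the `1.3.33.7` version and the lookalike path are hypothetical.

```python
import re
from typing import Iterable, Optional, Pattern

# Constructed samples based on the path NVT ERP logged in the first post.
BLOCKED_CMDLINE = (
    '"C:\\Program Files (x86)\\Google\\Update\\1.3.33.5\\GoogleUpdateOnDemand.exe" -Embedding'
)
# Hypothetical: the same updater after Google ships a newer version directory.
NEWER_CMDLINE = (
    '"C:\\Program Files (x86)\\Google\\Update\\1.3.33.7\\GoogleUpdateOnDemand.exe" -Embedding'
)
# Hypothetical: a binary with the same file name dropped somewhere user-writable.
LOOKALIKE_CMDLINE = '"C:\\Users\\Public\\GoogleUpdateOnDemand.exe" -Embedding'

# Rule exactly as copied from the block message: literal version number.
EXACT_RULE = BLOCKED_CMDLINE
# Rule with only the version directory wildcarded, as suggested in the thread.
VERSIONED_RULE = (
    '"C:\\Program Files (x86)\\Google\\Update\\*\\GoogleUpdateOnDemand.exe" -Embedding'
)
# Rule that wildcards everything but the file name: too broad to be safe.
OVERBROAD_RULE = "*GoogleUpdateOnDemand.exe*"


def rule_to_regex(rule: str) -> Pattern:
    """Compile a rule: every character is literal except '*', which matches any run of characters."""
    literal_parts = [re.escape(part) for part in rule.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


def rule_matches(rule: str, cmdline: str) -> bool:
    """True when the whole command line is covered by the rule (no partial matches)."""
    return rule_to_regex(rule).fullmatch(cmdline) is not None


def first_matching_rule(rules: Iterable[str], cmdline: str) -> Optional[str]:
    """Return the first rule that allows the command line, or None when it would be blocked."""
    for rule in rules:
        if rule_matches(rule, cmdline):
            return rule
    return None


if __name__ == "__main__":
    for name, cmdline in [("blocked", BLOCKED_CMDLINE), ("newer", NEWER_CMDLINE), ("lookalike", LOOKALIKE_CMDLINE)]:
        for rule_name, rule in [("exact", EXACT_RULE), ("versioned", VERSIONED_RULE), ("overbroad", OVERBROAD_RULE)]:
            print(f"{name:10} {rule_name:10} {'allow' if rule_matches(rule, cmdline) else 'block'}")
```

The versioned rule is the one to keep: it survives updater version bumps while still pinning the directory under Program Files, whereas the overbroad rule would also allow the lookalike path, which is exactly the case the other posters were checking for.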
 

AtlBo

> Edit the command line by replacing "1.3.33.5" with *.
> NVT ERP is not "smart" about reading command lines. If it doesn't match exactly, it will be blocked.
> That's why you need to use lots of asterisks...

Thanks @shmu26. I got the asterisks part. I think Google is running something funny with Chrome. When I started it a second time, maybe 30 minutes after the block, a new command line appeared, which was super long and looked to me like Google is testing some kind of on demand optimization with video acceleration. I've seen many cmd lines working w/PF and NVT, but not yet seen one like this. I have no idea why the googleupdateondemand.exe file was blocked, especially being blocked by hash. It's almost like it was replaced and then replaced again. Anyway, it didn't run when it was blocked. The command line alert I got I let run once.

Here is the command line:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1208 --primordial-pipe-token=991CBE1CDDA913425D1356A06E1F3D08 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=false,disallowFetchForDocWrittenScriptsInMainFrameOnSlowConnections=false --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --service-request-channel-token=991CBE1CDDA913425D1356A06E1F3D08 --renderer-client-id=81 --mojo-platform-channel-handle=9480 /prefetch:1

Anyone have an idea what this is? I allowed it quite reluctantly. Not interested in whitelisting this one. Maybe someone who knows Chrome and command line can interpret.
 
  • Like
Reactions: SHvFl

AtlBo

Went back over the log. Turns out this is a recurring script. Again, no idea why the alert... this time for a whitelisted vendor command line. The sig one was a straight block and no options. This was a normal alert. Why now, considering this command line has run many times before and also it's trusted? I'm not too worried about this, but it is weird.

The part that interests me is the FetchForDocWrittenScripts. OK, so disable is set to false. Sounds like that is looking for scripts in docs, but idk. Again, this has run many times before.
 

AtlBo

Yes. I put it in there for the updates to work silently, actually. Now that I think about it, that may have been partly because of the length of the scripts that were running and then because I didn't want to have to hassle with the updates of Google.

EDIT: Just realized what this is like. It's almost like NVT reset its settings with Google Chrome. First the straight block and then a new prompt for a command line that has run unimpeded many times. This can't be the case, considering Google is trusted and in the list. It just looks that way almost.
 
Last edited:
  • Like
Reactions: SHvFl

shmu26

> Yes. I put it in there for the updates to work silently, actually. Now that I think about it, that may have been partly because of the length of the scripts that were running and then because I didn't want to have to hassle with the updates of Google.
>
> EDIT: Just realized what this is like. It's almost like NVT reset its settings with Google Chrome. First the straight block and then a new prompt for a command line that has run unimpeded many times. This can't be the case, considering Google is trusted and in the list. It just looks that way almost.
Maybe make a post on the thread on the other site?
 
  • Like
Reactions: AtlBo and SHvFl

shmu26

> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1208 --primordial-pipe-token=991CBE1CDDA913425D1356A06E1F3D08 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=false,disallowFetchForDocWrittenScriptsInMainFrameOnSlowConnections=false --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --service-request-channel-token=991CBE1CDDA913425D1356A06E1F3D08 --renderer-client-id=81 --mojo-platform-channel-handle=9480 /prefetch:1
The only thing I can think of is that this command line is too long for ERP to deal with.
You probably thought of that already. I think I am only telling you things you already know...
 
  • Like
Reactions: AtlBo and SHvFl

SHvFl

File seems fine from the MD5 I can see in the image you posted, because it's the same as mine. It's probably an NVT issue. Remember NVT is old software that hasn't been updated for a while.
 

AtlBo

Yep, thanks. Not too worried. 99% sure it's some stupid little thing.
 
  • Like
Reactions: shmu26 and SHvFl