
software_reporter_tool

Hi

During the last couple of weeks I have noticed that Sophos Endpoint Protection is identifying Chrome's software_reporter_tool.exe as PUA.

User: HTLINCS\NogBadTheBad
Scan: On-access
Machine: NogBad

File "C:\Users\NogBadTheBad\AppData\Local\Google\Chrome\User Data\SwReporter\32.166.201\software_reporter_tool.exe" of controlled application 'Google Software Reporter Tool' (of type Security tool) has been detected.

On-access scanner has denied access to location "C:\Users\NogBadTheBad\AppData\Local\Google\Chrome\User Data\SwReporter\32.166.201\software_reporter_tool.exe" for user HTLINCS\NogBadTheBad


I can't find out very much about this but assume that because Sophos is blocking access to it, someone here must understand how this works. Is it simply that you don't want two scanners running at once? Or, is there some aspect of the software that is undesirable? The very little information I have been able to glean suggests the tool checks Chrome's plugins etc., and makes sure nothing malicious is running that might affect/compromise Chrome - which, as a dedicated scanner, is a good thing, yes? If not, let me know.

Thanks!



  • Hello Blood,

    The best way to determine if this is a false positive or a real threat is to submit a sample to Sophos Labs so that they can review it.

    You can also check for current threats by visiting this site.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

  • Thanks for responding.

    I was just hoping for an explanation of why the program, which is used as part of Google's Chrome Browser, is being restricted. Information about it is scant.

    I ask because I do not wish to compromise Chrome by restricting a tool that has been specifically designed by Google to check for malicious plugins etc. If Sophos Endpoint Security can provide exactly the same dedicated protection then that's fine, but if it cannot, I will remove the restriction. I want to ensure our endpoints are protected using the most appropriate means.

    I do not consider the file to be infected or malicious - but that is based on the little I have been able to discover. That is why I asked my question.

    I appreciate that sending a sample to Sophos will determine the nature of the file, but surely this must already have been done.

  • Hello Blood,

    Sometimes, if an application gets updated, or its behavior changes, it may trigger as a false positive, thus we require a sample be sent to Sophos Labs to ensure if the app itself has changed, or something has compromised it.

    Per the Threat Center, Google Software Reporter Tool is part of the Application Control list. So you may want to ensure it is not blocked there either.
     
    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

  • Hi, Barb

    Thanks again for replying and for the link.

    This is exactly my problem. I don't know why this application is being blocked. There is no information about it via the link you supplied.

    If this was e.g. a driver update utility that was festooned with ads and undesirable additional content or any software of a similar ilk, I could understand why it has been blocked. However, this is a Google product. I cannot make a decision about it if Sophos does not provide information about why the application has been blocked. As per my first post: because Sophos has blocked it, someone at Sophos must have analysed it and determined it poses some sort of threat, whatever that may be. As a customer, we rely on Sophos to make intelligent decisions about these threats and overall we trust the company to do that. However, this is a situation where a well known company's product has been blocked. Why?

    That's all I wish to know.

    In the past information about threats used to be published. Now we see generic pages detailing a trojan etc. I understand that there are gazillions of threats out there and that it is not Sophos' responsibility to provide a public dictionary detailing these. However, when it comes to a product from a high-profile company, I think that requires a greater degree of responsibility to your customers. A degree of transparency is required if we are to continue to trust what has so far been an excellent product.

    If I upload a sample, what will Sophos report back to me? Will it be the same as the content on the link you provided? Or, will it detail why the product has been classified in this way?

  • Hello Blood,

    "we see generic pages"
    Let me comment on this first, although IMO it doesn't really pertain to your initial question. Nowadays the majority of "malicious items" does not perform the "final act" but is a precursor. What some piece of potential malware does or doesn't do and the next step it takes might depend on various environmental factors; this applies to subsequent stages as well. An exact description would be quite complex, and a description of just one (randomly selected) potential execution path wouldn't actually be informative and thus won't have much practical use. Admittedly unsatisfactory. "A degree of transparency is required if we are to continue to trust" - so a detailed analysis you could nevertheless never verify and reproduce would indeed inspire you with trust?

    To your question:
    "of controlled application 'Google Software Reporter Tool' (of type Security tool)"
    As it says, it's talking about a Controlled Application, not a PUA or even a proper threat. The detection is due to Application Control being enabled and set to block applications of type Security Tool, with likely All added by Sophos in the future on the Block list. As said, this is not a detection of a (potential) threat, not even a PUA, but just a certain application that someone might want to block for whatever reason. It's up to you to permit it in the policy (please note that applications aren't blocked by default).

    Christian
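The distinction Christian draws is exactly what a triage script should make before anyone opens an incident: an Application Control event is a policy decision, not a malware verdict. The following is an added example, not code from the thread or from Sophos; the first sample event is adapted from the message quoted in the original post, the PUA and threat samples are constructed here to show the contrast, and the message wording they use is assumed rather than taken from Sophos documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events: the first is adapted from the thread, the other
# two are invented here purely to contrast the three event classes.
SAMPLE_EVENTS = [
    'File "C:\\Users\\NogBadTheBad\\AppData\\Local\\Google\\Chrome\\User Data'
    '\\SwReporter\\32.166.201\\software_reporter_tool.exe" of controlled '
    "application 'Google Software Reporter Tool' (of type Security tool) "
    'has been detected.',
    'File "C:\\Users\\example\\Downloads\\setup.exe" belongs to adware or PUA '
    "'Generic PUA AB' (constructed example).",
    "Virus/spyware 'Troj/Example-A' has been detected in "
    '"C:\\Temp\\bad.exe" (constructed example).',
]

# Patterns for the three classes of message; assumed wording for PUA/threat.
CONTROLLED_RE = re.compile(
    r"controlled application '(?P<name>[^']+)' \(of type (?P<type>[^)]+)\)")
PUA_RE = re.compile(r"adware or PUA '(?P<name>[^']+)'")
THREAT_RE = re.compile(r"Virus/spyware '(?P<name>[^']+)'")


@dataclass
class Triage:
    category: str            # "application-control", "pua" or "threat"
    name: str                # application or detection name
    app_type: Optional[str]  # Application Control type, if any
    action: str              # suggested handling for the analyst


def triage(event: str) -> Optional[Triage]:
    """Classify one endpoint event message; None if it is not recognised."""
    m = CONTROLLED_RE.search(event)
    if m:  # blocked by policy: check the Application Control block list
        return Triage("application-control", m.group("name"), m.group("type"),
                      "review Application Control policy; not a malware verdict")
    m = PUA_RE.search(event)
    if m:  # potentially unwanted: authorise or clean per PUA policy
        return Triage("pua", m.group("name"), None, "review per PUA policy")
    m = THREAT_RE.search(event)
    if m:  # real detection: treat as an incident
        return Triage("threat", m.group("name"), None, "isolate and investigate")
    return None


def triage_all(events):
    return [triage(e) for e in events]
```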

  • Hi, Christian

    Thanks very much for responding. I obviously did not fully understand what was happening and appreciate you taking the time to explain the procedure.

    I understand that a full technical teardown of each threat is impractical and, for all intents and purposes only useful to technical staff. However, a brief explanation of why a program has been flagged would allow us to make an informed decision whether to allow/block it. I turned to the Sophos forums for an explanation because I could not discover a definitive explanation of what Chrome's SRT application does. As I have said above, because it appears on the block list, it must have been analysed, and that analysis must have led the analyst to conclude that it posed a threat of some sort, however that threat may be defined. Now, as I also said above, if this was a third party utility I could understand why it has been blocked because invariably the reason is obvious (e.g. certain elements of the SysInternals Suite). But, this is a Google product, and is shipped as part of one of the most popular browsers on the planet. To see it being blocked naturally stirs my curiosity. Am I alone in this?

    I find it odd that an element of such popular software is categorised in this way without explanation.

  • Hello Blood,

    "a threat of some sort"
    No threat, not at all. Application Control enables a customer to block specific applications (and in some cases application versions) for whatever reason. Many of these applications are on the list because customers have submitted a request. As you can read in the article, none of these applications or application types are blocked by default. If you submit a request (I have done so once or twice) Sophos doesn't ask for details of your motivation.
    Application Control is just a by-product of AV scanning, perhaps a finger exercise for detection writers, disabled by default, and if you think you have use for it it's up to you to enable it (or just use it for monitoring/assessment). Sophos is impartial here.

    Christian

  • Ah, OK.

    Thanks a lot, Christian, I appreciate the distinction.

  • Update:

    I allowed this to run and understood why a request to block it had been submitted. My PC, a reasonably high-spec'd Dell Precision, suddenly slowed to a crawl. I checked CPU usage and SRT was hogging a lot of it. Back to the block list with it.

    Thanks again to both of you for your patience and helping me understand this properly.