Google is touting its Content-Agnostic Malware Protection feature in its Chrome browser. Could you explain what the feature does and whether it actually makes Chrome users more secure than those of other Web browsers?
Ask the Expert
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
Content-Agnostic Malware Protection (CAMP) is the latest security feature that Google Inc. has added to its Chrome browser. Meant to combat the dynamic nature of modern malware, CAMP for Chrome aims to prevent users from downloading malicious files by evaluating the likelihood that a file is malicious. It's a reputation-based method of detecting potentially malicious code, which Google is hoping will bridge the gap between whitelist and blacklist detection systems.
Blacklisting, a common feature of most antimalware suites, involves a constant battle to keep signature and URL lists up to date, as hackers constantly change hosting domains and mutate their malware binaries until AV software can no longer detect them. Users are exposed during the update interval of blacklists, particularly as there's an abundance of dynamic DNS providers that allow attackers to frequently rotate domains. Whitelisting, where only known and allowed software is allowed to run, is a more secure approach, but it isn't the most practical given the huge number of programs used within an enterprise, all being updated and patched on a regular basis.
CAMP consists of a client component built into Google Chrome and a server component. CAMP uses Google's Safe Browsing API to check downloads against both a local blacklist and whitelist of trusted domains and trusted binary signers. If no match is found, certain information about the binary is sent to the CAMP server, which computes a reputation decision. The download is deemed benign, malicious or unknown; the latter two designations generate a warning about the download and an offer to delete the downloaded file. According to Google, the unknown reputation is apparently a good predictor for malicious downloads.
Although CAMP only contacts the CAMP service for about 30% of binary downloads, sending data to the cloud for analysis can have privacy implications, so only features computed from the binary, not the binary itself, are sent. The use of the client component instead of a remote server for some tasks is a key difference between CAMP and Microsoft's SmartScreen technology. The latter is used in Windows 8 and Internet Explorer to protect the user and system from malicious downloads and links.
CAMP for Chrome is built to target user-initiated downloads, not those installed via browser exploits in drive-by download attacks where malware is installed in the background without the user's knowledge. The logic behind this approach is that automated browser exploits have become more difficult to execute, with attackers currently focusing more of their attention on using social engineering techniques to trick users into downloading malware themselves. As a result, enterprises need other measures beyond CAMP to catch malware that exploits vulnerabilities within the browser or delivers them via malware-infected attachments.
Are Content-Agnostic Malware Protection detection rates better, and has Chrome security passed other Web browsers? It depends very much on which report you read. Google claims that CAMP successfully detects 99% of malware, and states that its combined local-client and server-side protection system gives better results than four leading antivirus products. However, a recent report by NSS Labs says Internet Explorer 10 users are far less likely to suffer malware infections while Web browsing compared to users of Chrome, Safari, Firefox and Opera.
The main conclusion to take away from all these reports is that browser vendors are taking user security very seriously, which can only make Web surfing safer.
This was first published in September 2013