Chrome Saying It’s Managed by Your Organization May Indicate Malware

Recently, users have noticed that Google Chrome has started stating that it is “Managed by your organization” when they open the browser’s menu, which is confusing for home users who are not part of any organization. It turns out that with the release of Chrome 73, the browser will now display this message whenever a group policy is configured for the browser.

Google allows administrators to create policies that control how Chrome operates on a computer. These policies are designed to make it easier for admins to manage the Chrome settings for all users in their organization.

Chrome menu showing Managed by your organization

For example, the following Chrome policy, DefaultImagesSetting, will allow us to configure the browser so that it does not load any images when visiting a site.

Example Google Chrome policy

Starting with Chrome 73, when the browser detects a policy configured in the Registry, it will now display the “Managed by your organization” message.

Starting in Chrome 73, when one or more policies are set in Chrome Browser, some users will see a new item on the More menu that indicates that Chrome is being managed. If a user clicks Managed by your organization, they are directed to details about Chrome Browser management.

This explains why the message is being displayed, but it does not explain why so many home users are seeing it.

Chrome policies are not only configured by administrators, but can also be configured by software installed on your computer. Therefore, it is possible a program installed by a non-enterprise user adds a Google Chrome policy, which causes the message to be displayed.

Unfortunately, Chrome policies are also created by malware to force install malicious extensions or perform some other malicious behavior. Therefore, if you see the message, you should always check what policies are being created and make sure they are not being used for malicious purposes.

Some malware configure Chrome policies

As previously stated, malware can use Chrome policies to force install a malicious extension, disable Safe Browsing, or configure other unwanted behavior.

For example, a malware sample that I installed as a test will install a malicious extension by creating a Chrome policy. It does this by configuring the ExtensionInstallForcelist and adding a list of extension IDs and the location they should be installed from.

Chrome policy to force install an extension

Once this policy is created, the next time Chrome is started it will automatically load the extension from the listed location. 

When an extension is installed via a policy, Chrome will indicate this by displaying a “managed” symbol as shown by the blue arrow below. The problem, though, is that since Chrome thinks this extension was installed by your admin, it will not let you disable or remove the extension.

Force Installed Extension

If a malicious extension was installed in this manner, you can use this guide to remove it.

As Chrome policies can be abused, if your browser suddenly starts displaying the “Managed by your organization” message, you should not automatically disregard it. Instead, open the Registry and examine the Chrome policies that were created to make sure they are not being used for unwanted purposes.

How to check what Chrome policies are configured

If Chrome is saying it is “Managed by your organization”, you should go to the chrome://policy page to see what policies are configured on your computer.

On this page, Chrome displays all configured policies. Clicking a policy opens a support page that explains what that policy does.

chrome://policy screen

If you find that the policy is being used for malicious purposes or you do not need it, you can go to the following Registry keys and look for the associated policy.

HKEY_CURRENT_USER\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome

The correct key to go to will depend on the “Applies to” field shown in the above image. If it states “Machine”, you would go to the HKEY_LOCAL_MACHINE key and if it states “Current user”, you would go to the HKEY_CURRENT_USER key.

Once you have found the policy you wish to remove, you can right-click on it and select Delete. Just be sure to delete only the policy you are concerned about and nothing else, as deleting other entries could cause problems with the proper functionality of Chrome or Windows.
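
To review both keys in one pass instead of browsing them by hand, the following PowerShell script lists every Chrome policy value by scope and splits ExtensionInstallForcelist entries into extension ID and install source. It is an added example, not part of the original article; it only reads the Registry, and the variable and column names are chosen here for illustration.

```powershell
# Read-only audit of the two Chrome policy keys named above; nothing is changed.
$roots = [ordered]@{
    'Machine'      = 'HKLM:\Software\Policies\Google\Chrome'
    'Current user' = 'HKCU:\Software\Policies\Google\Chrome'
}

$findings = foreach ($scope in $roots.Keys) {
    $root = $roots[$scope]
    if (-not (Test-Path -LiteralPath $root)) { continue }   # no policies in this scope

    # Scalar policies (e.g. DefaultImagesSetting) are values of the root key.
    # List policies (e.g. ExtensionInstallForcelist) are subkeys whose values
    # are named 1, 2, 3, ... so subkeys are walked as well.
    $rootKey = Get-Item -LiteralPath $root
    $keys    = @($rootKey) + @(Get-ChildItem -LiteralPath $root -Recurse)

    foreach ($key in $keys) {
        $isRoot = ($key.Name -eq $rootKey.Name)
        foreach ($valueName in $key.GetValueNames()) {
            $data   = [string]$key.GetValue($valueName)
            $policy = if ($isRoot) { $valueName } else { $key.PSChildName }
            $row = [ordered]@{
                Scope = $scope; Policy = $policy; Data = $data
                ExtensionId = $null; InstallSource = $null
            }
            if ($policy -eq 'ExtensionInstallForcelist') {
                # Each entry is "<extension id>;<update URL>"; the URL part may be absent.
                $id, $source = $data -split ';', 2
                $row.ExtensionId   = $id
                $row.InstallSource = $source
            }
            [pscustomobject]$row
        }
    }
}

if (-not $findings) {
    'No Chrome policies found under HKLM or HKCU.'
} else {
    $findings | Format-Table Scope, Policy, Data -AutoSize
    # Force-installed extensions deserve a second look: compare each ID with chrome://extensions.
    $findings | Where-Object ExtensionId | Format-List Scope, ExtensionId, InstallSource
}
```

The Scope column uses the same “Machine” and “Current user” labels as the “Applies to” field on chrome://policy, so each row can be matched to the policy shown there.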

If you have any questions regarding this process, please feel free to ask in the comments.

H/T: Techdows.com


