Protect & Chrome v103 - Highly suspicious persistence

JKingsnorth
Contributor

I have been getting large amounts of notifications regarding "LaunchDaemon created for persistence Highly suspicious persistence created". After doing some digging, it appears that the issue comes up when the newest version of Chrome installs. It also seems like users are blocked from opening Chrome once it's updated.

Is anyone else seeing this? The install appears to be coming from Jamf, as the binary says "/Applications/JamfAppInstallers/com.google.Chrome/finalize"

In Protect, the file is /Library/LaunchDaemons/com.google.Chrome.finalize.plist and the error is "Error: code object is not signed at all (-67062)". So is this an issue originating from Google, or is it a custom installer that Jamf is pushing out?

 

 


matteo_bolognin
New Contributor III

@JKingsnorth would you be able to post a sanitized JSON file of the Alert?

On a broader note, we've seen an influx of Alerts starting yesterday.
On that date, the Google Chrome package deployed via Jamf Pro App Installers was modified to include a new LaunchDaemon called

com.google.Chrome.finalize.plist

Among other things, this new LaunchDaemon will help to better handle the application updates, making sure the app is not running before moving on.

 

Unfortunately, because the name of this new LaunchDaemon starts with com.google, it has been flagged by Protect. If we dig a little deeper into the JSON file of the Alerts that Protect has been firing, we notice these:

"name": "ItemBinary",
"value": "/Applications/JamfAppInstallers/com.google.Chrome/finalize",
"valueType": "Binary"

and

"path": "/Library/LaunchDaemons/com.google.Chrome.finalize.plist",

 

In those specific cases, we can assume those are false positives, as they are triggered by the new Jamf App Installer process.
We've been evaluating this new deployment of App Installers and decided to move forward with renaming the LaunchDaemon so it will not interfere with Jamf Protect detection.

This is the exact issue we are having, but the problem is, even though it is a false positive, it's restricting access to Chrome.

Protect itself wouldn't block Chrome execution.
Maybe Chrome is stuck in an update loop? If there's auto update turned on and App Installers is trying to act?
Silly suggestion, but have you tried to kill the Chrome app & processes?
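
The two alert fields quoted in the reply above can be checked together during triage, instead of dismissing every alert for a com.google-named LaunchDaemon. This is an added example, not code from the thread or from Jamf; the alert layout around the quoted fields, the function names and the sample alerts are constructed assumptions.

```python
# Values quoted in the thread. The rest of the alert layout is NOT known from
# the page, so the walker below is schema-agnostic (an assumption).
EXPECTED_BINARY = "/Applications/JamfAppInstallers/com.google.Chrome/finalize"
EXPECTED_PLIST = "/Library/LaunchDaemons/com.google.Chrome.finalize.plist"

def walk(node):
    """Yield every dict found anywhere inside a decoded JSON alert."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from walk(child)

def triage(alert):
    """Return 'app-installer' only if BOTH quoted fields match exactly."""
    binaries, plists = set(), set()
    for d in walk(alert):
        if d.get("name") == "ItemBinary" and isinstance(d.get("value"), str):
            binaries.add(d["value"])
        if isinstance(d.get("path"), str) and "/LaunchDaemons/" in d["path"]:
            plists.add(d["path"])
    # Any extra or different binary/plist keeps the alert in the queue.
    if binaries == {EXPECTED_BINARY} and plists == {EXPECTED_PLIST}:
        return "app-installer"
    return "investigate"

# Constructed sample alerts (as returned by json.load on an exported alert);
# only the ItemBinary entry and the "path" key come from the thread.
SAMPLE_APP_INSTALLER = {
    "context": [{"name": "ItemBinary", "value": EXPECTED_BINARY,
                 "valueType": "Binary"}],
    "related": {"files": [{"path": EXPECTED_PLIST}]},
}
SAMPLE_OTHER_BINARY = {
    "context": [{"name": "ItemBinary", "value": "/Users/Shared/finalize",
                 "valueType": "Binary"}],
    "related": {"files": [{"path": EXPECTED_PLIST}]},
}

if __name__ == "__main__":
    for name, alert in [("app installer", SAMPLE_APP_INSTALLER),
                        ("other binary", SAMPLE_OTHER_BINARY)]:
        print(name, "->", triage(alert))
```

A path match only narrows triage: the binary in this thread is reported as not signed, so its location says nothing about its contents.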