UPDATE, 1:40 PM PDT: Microsoft has identified the problem as being caused by a faulty definition file. This text has been added to the relevant page at the company's Malware Protection Center:
Information about incorrect detection of Google Chrome as PWS:Win32/Zbot
On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed. Within a few hours, Microsoft released an update that addresses the issue. Signature versions 1.113.672.0 and higher include this update. Affected customers should manually update Microsoft Security Essentials (MSE) with the latest signatures. After updating the definitions, reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.
To get the latest definitions, simply launch MSE, go to the update tab and click the Update button. The definitions can be updated manually by visiting the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/971606
PWS:Win32/Zbot is a password-stealing trojan that monitors for visits to certain websites. It allows limited backdoor access and control and may terminate certain security-related processes.
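Microsoft's remediation above is a GUI procedure. As an added example that is not part of the original post or of Microsoft's guidance, the following PowerShell script does the same check from a command line, which is what an administrator covering many MSE or Forefront machines would want: it reads the installed definition version, compares it against 1.113.672.0, forces a signature update with MpCmdRun.exe if the installed version is older, and then reports whether chrome.exe is still present so you know whether a reinstall is needed. The registry key it reads and the MpCmdRun.exe locations it tries are assumptions and should be verified against your own installation.

```powershell
# Added example, not from the original article or from Microsoft.
# Checks whether the installed MSE/Forefront definitions are at or above
# 1.113.672.0 (the version Microsoft named as carrying the fix), forces a
# definition update with MpCmdRun.exe if not, and reports whether chrome.exe
# is still on disk. Run from an elevated PowerShell prompt.
#
# Assumptions to verify on your own build:
#  - the current definition version is stored at
#    HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\AVSignatureVersion
#  - MpCmdRun.exe is in one of the candidate install directories below

$RequiredVersion = [version]'1.113.672.0'   # from Microsoft's statement quoted above

function Get-AntimalwareSignatureVersion {
    # Assumed registry location for the MSE 2.x / Forefront client.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    return [version]$props.AVSignatureVersion
}

function Test-SignatureFixed {
    param([version]$Installed, [version]$Required = $RequiredVersion)
    # [version] compares component by component, so 1.113.1000.0 is newer than 1.113.672.0
    # even though a plain string comparison would say otherwise.
    return ($Installed -ge $Required)
}

function Find-MpCmdRun {
    # Assumed candidate locations; the first one that exists is used.
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'),
        (Join-Path $env:ProgramFiles 'Microsoft Security Essentials\MpCmdRun.exe')
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) { return $path }
    }
    throw 'MpCmdRun.exe not found; update definitions from the MSE Update tab instead.'
}

function Update-Signatures {
    $mp = Find-MpCmdRun
    Write-Host "Requesting definition update via $mp"
    & $mp -SignatureUpdate | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun -SignatureUpdate exited with code $LASTEXITCODE"
    }
}

# --- main ---
$before = Get-AntimalwareSignatureVersion
Write-Host "Installed definition version: $before (required: $RequiredVersion)"

if (-not (Test-SignatureFixed -Installed $before)) {
    Update-Signatures
    $after = Get-AntimalwareSignatureVersion
    Write-Host "Definition version after update: $after"
    if (-not (Test-SignatureFixed -Installed $after)) {
        Write-Warning 'Definitions are still below the fixed version; do not reinstall Chrome yet.'
        exit 1
    }
}

# Chrome builds of this era install per user under %LOCALAPPDATA%; a missing
# chrome.exe means the false positive removed it and a reinstall is needed.
$chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
if (Test-Path $chrome) {
    Write-Host "Definitions are current and chrome.exe is present at $chrome"
} else {
    Write-Host 'Definitions are current; chrome.exe is missing, so reinstall Chrome now.'
}
```

The order matters: reinstalling Chrome before the definitions are at 1.113.672.0 or later reproduces the second failure the forum user describes below, where the installer itself is blocked as the same threat. On a Forefront deployment the same comparison can be run across the fleet, since Forefront consumes the same definition files.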
UPDATE 2, 11:15 AM PDT: A Microsoft spokesperson provides the following response via e-mail:
On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers' PCs. We have already fixed the issue - we released an updated signature (1.113.672.0) at 9:57 am PDT - but approximately 3,000 customers were impacted. Affected customers should manually update Microsoft Security Essentials (MSE) with the latest signatures. To do this, simply launch MSE, go to the update tab and click the Update button, and then reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.
The response does not provide any guidance for Forefront customers who have been affected by this issue. I've also asked for clarification on the "approximately 3,000 customers" figure. If a Forefront installation covering hundreds or thousands of users is counted as a single customer, the actual number of affected PCs could be considerably higher.
A support thread on the Google Chrome Help forum includes a growing number of complaints from Chrome users reporting that Microsoft Security Essentials is identifying the program as a password-stealing Trojan and removing it. The first report was time-stamped at 8:02 AM, from a user named chasd harris:
I have been using Chrome on my office PC for over a year. This morning, after I started up the PC, a Windows Security box popped up and said I had a Security Problem that needed to be removed. I clicked the Details button and saw that it was "PWS:Win32/Zbot". I clicked the Remove button and restarted my PC. Now I do not have Chrome. It has been removed or uninstalled. The Chrome.exe file is gone. Was there really a problem, or is this just a way for Microsoft to stick it to Google? If I reinstall Chrome, will it have my bookmarks and other settings? Not sure what to do about this, but I much prefer Chrome to Explorer.
Six minutes later, the same user reported:
I just tried to reinstall Chrome, and Windows Security stopped it. Again citing a "severe" threat, "PWS:Win32/Zbot". What is going on here?
That report was followed by another 20 or so confirmations within a half-hour. At least two respondents reported encountering the same issue with Microsoft's enterprise Forefront security software, which uses the same definition files.
Since that initial report, the thread has accumulated hundreds of additional reports, and after roughly two hours it is up to four pages.
I noted the version numbers for the software and its definitions as reported by one user. On a test system here, running the exact same revisions, I was unable to reproduce these reported symptoms. I was able to download, install, run, uninstall, and reinstall the current stable version of Chrome without a squawk from Microsoft Security Essentials.
It's possible (although unlikely) that these reports are related to a compromised version of either Chrome or Microsoft Security Essentials. It's more likely that the errors are the result of some interaction with a separate program or process.
I've alerted Microsoft to the incident and asked for a comment. I will update this post with details when I hear back.
Update: This certainly isn't the first time a defective antivirus signature has created some havoc among Windows users. Remember the episode from April 2010 involving a McAfee definition that erased a key Windows system file and bricked many thousands of enterprise systems worldwide?
My colleague Ryan Naraine is also on the story.