
Application Hardening / File Access (Updated Jan 26, 2026)

Protect Chrome Extensions from Tampering

Restrict writes to Chrome extension directories to Chrome itself, blocking malware from installing or modifying extensions to steal credentials.

Idea

Browser extensions have powerful access to web browsing activity, credentials, and user data. Malware frequently attempts to install malicious extensions or modify existing ones to steal credentials, inject ads, or monitor browsing activity.

Chrome stores extensions per profile under ~/Library/Application Support/Google/Chrome/<profile>/Extensions/, where <profile> is Default, Profile 1, Profile 2, and so on. Each profile has its own Extensions/ directory, and malware can target any of them, so a rule that only covers Default/ leaves the others exposed.

This file access rule blocks writes to Chrome extension directories by any process other than Chrome itself and a small set of system processes (Spotlight indexing, XProtect scanning), and can optionally block reads by non-allowed processes as well. This stops malware from:

  • Installing new malicious extensions
  • Modifying existing extensions to add backdoors
  • Exfiltrating extension data or settings
  • Reading extension source code for vulnerability hunting

Whether reads are also blocked is configurable. Blocking reads gives stronger protection (an attacker cannot copy extension data or source out of the profile) but may interfere with legitimate security scanning and backup tools that are not on the allowlist.

Solutions

File Access: Protect Chrome Extensions Directory
Restrict Chrome extension access to Chrome and system processes
Paths:
Policy:
Access Type:
Processes (allowed, identified by Signing ID):
  • Signing ID:
  • Signing ID:
  • Signing ID:
  • Signing ID:
  • Signing ID:
Custom Message:

MITRE ATT&CK

Tags

chrome, extensions, browser, malware

Deployment Notes

This rule always blocks writes to Chrome extension directories by processes that are not on its allowlist; whether reads are blocked too depends on the AllowReadAccess option. The rule config shown allows Chrome and the listed system processes to access extensions and denies everything else.

You can adjust the AllowReadAccess option:

  • Set to true: any process may read extension files; only writes are restricted (less secure, more compatible)
  • Set to false: reads and writes are both blocked except for the allowed processes (more secure, may break security tools, backup agents, or extension linters that are not allowlisted)

The rule covers all Chrome profiles by using the * wildcard in the profile component of the path, so Default, Profile 1, Profile 2, and any other profile directory are all matched without listing them individually.

Consider adding exceptions for:

  • Enterprise management tools that deploy extensions
  • Security scanning tools that analyze extensions
  • Backup software that needs to read extension data

False Positive Guidance

Legitimate software that may need access to Chrome extensions:

  • Enterprise Chrome extension deployment tools
  • Security software that scans extensions for malware
  • Backup and sync software
  • Development tools when building Chrome extensions

If using enterprise Chrome extension management, add the management tool's signing ID to the allowlist.

Testing Instructions

  1. Try to manually copy an extension into a profile directory, for example: cp -r /path/to/extension "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" (should be blocked; quote the destination, since the path contains a space)
  2. Install extension through Chrome Web Store (should work)
  3. Verify existing extensions load properly (should work)
  4. Check that Chrome can update extensions (should work)

Detection Methods

Monitor FAA events for:

  • Unauthorized attempts to write to Extensions/ directories
  • Processes other than Chrome trying to modify extensions
  • Repeated blocks from the same process (may indicate malware)

Legitimate installation triggers:

  • Chrome Web Store installs go through Chrome itself (allowed)
  • Enterprise-pushed extensions should use proper Chrome management (may need exception)
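The following is an added example, not code from the original page or from the product it documents. It models the rule's semantics (the AllowReadAccess toggle from the Deployment Notes and the per-profile wildcard path) and runs the detection checks above over a handful of constructed FAA-style events: denied writes under any profile's Extensions/ directory, repeated denies from one process, and accesses the sensor allowed that the rule as configured should have denied (a sign the rule is in audit mode or the process list is wrong). The event line format, the field names, and every signing ID other than the directory layout are assumptions for illustration; substitute the values from your deployed rule and your telemetry's real schema.

```python
"""Triage FAA-style file access events for the Chrome Extensions/ rule.

Added example: the log line format (pipe-separated key=value fields) and the
signing IDs below are ASSUMPTIONS for illustration, not the product's schema.
"""
import fnmatch
from collections import Counter

# Profile component is a wildcard, so Default, Profile 1, ... are all covered.
EXTENSION_GLOB = "/Users/*/Library/Application Support/Google/Chrome/*/Extensions"

CHROME_SIGNING_ID = "EQHXZ8M8AV:com.google.Chrome"  # assumed Chrome signing ID
ALLOWED_SIGNING_IDS = {
    CHROME_SIGNING_ID,
    "platform:com.apple.mdworker_shared",  # assumed Spotlight indexer
    "platform:com.apple.XProtect",         # assumed XProtect scanner
}


def in_extensions_dir(path: str) -> bool:
    """True if path is inside any user's, any profile's Extensions/ directory.

    Components are matched one at a time so that '*' never spans a '/'.
    """
    parts = path.split("/")
    pattern = EXTENSION_GLOB.split("/")
    if len(parts) < len(pattern):
        return False
    return all(fnmatch.fnmatchcase(p, g) for p, g in zip(parts, pattern))


def decide(signing_id: str, access: str, allow_read_access: bool) -> str:
    """Rule semantics: allowlisted processes always pass; everyone else is
    denied writes, and denied reads too unless AllowReadAccess is true."""
    if signing_id in ALLOWED_SIGNING_IDS:
        return "ALLOW"
    if access.upper() == "READ" and allow_read_access:
        return "ALLOW"
    return "DENY"


def parse_event(line: str) -> dict:
    """Parse one constructed 'k=v|k=v|...' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.rstrip("\n").split("|") if "=" in kv)


def triage(lines, allow_read_access: bool = False, repeat_threshold: int = 3):
    """Return (denied, repeated, mismatches) for events under Extensions/.

    denied     - Counter of DENY events per (process, signing_id)
    repeated   - entries of `denied` with >= repeat_threshold hits: likely
                 malware, or a legitimate tool that needs an allowlist entry
    mismatches - events the sensor ALLOWED that decide() says the rule should
                 have DENIED (rule not enforcing, or process list mismatch)
    """
    denied: Counter = Counter()
    mismatches = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "FILE_ACCESS" or not in_extensions_dir(ev.get("path", "")):
            continue
        key = (ev.get("process", "?"), ev.get("signing_id") or "<unsigned>")
        if ev.get("decision") == "DENY":
            denied[key] += 1
        elif decide(key[1], ev.get("access", ""), allow_read_access) == "DENY":
            mismatches.append(ev)
    repeated = {k: n for k, n in denied.items() if n >= repeat_threshold}
    return denied, repeated, mismatches


# --- constructed sample events (not real telemetry) -------------------------
_BASE = "/Users/alice/Library/Application Support/Google/Chrome"


def _ev(path, process, signing_id, access, decision, pid):
    return (f"action=FILE_ACCESS|path={path}|process={process}|signing_id={signing_id}"
            f"|pid={pid}|access={access}|decision={decision}")


SAMPLE_EVENTS = [
    # Chrome installing from the Web Store: allowed
    _ev(f"{_BASE}/Default/Extensions/aaaabbbb/1.2_0/manifest.json",
        "Google Chrome", CHROME_SIGNING_ID, "WRITE", "ALLOW", 501),
    # Spotlight indexing an extension file: allowlisted read
    _ev(f"{_BASE}/Default/Extensions/aaaabbbb/1.2_0/background.js",
        "mdworker_shared", "platform:com.apple.mdworker_shared", "READ", "ALLOW", 612),
    # Manual cp into a second profile (testing step 1): denied once
    _ev(f"{_BASE}/Profile 1/Extensions/ccccdddd/0.1_0/manifest.json",
        "cp", "platform:com.apple.cp", "WRITE", "DENY", 733),
    # Unsigned helper repeatedly writing into Extensions/: three denies
    *[_ev(f"{_BASE}/Default/Extensions/eeeeffff/3.0_0/{f}", "extupdater", "", "WRITE", "DENY", 801)
      for f in ("manifest.json", "content.js", "bg.js")],
    # Unknown process reading extension data and NOT denied: fine only if AllowReadAccess=true
    _ev(f"{_BASE}/Default/Extensions/aaaabbbb/1.2_0/manifest.json", "stealer", "", "READ", "ALLOW", 910),
    # Unrelated path: ignored
    "action=FILE_ACCESS|path=/Users/alice/Documents/notes.txt|process=vim|signing_id=platform:com.apple.vim|pid=999|access=WRITE|decision=DENY",
]

if __name__ == "__main__":
    denied, repeated, mismatches = triage(SAMPLE_EVENTS, allow_read_access=False)
    for key, n in denied.items():
        print(f"denied x{n}: process={key[0]} signing_id={key[1]}")
    for key, n in repeated.items():
        print(f"REPEATED ({n}): {key[0]} ({key[1]}) - investigate or allowlist")
    for ev in mismatches:
        print(f"NOT ENFORCED: {ev['process']} {ev['access']} allowed on {ev['path']}")
```

Run it once with allow_read_access=False and once with True: the "stealer" read shows up as an enforcement mismatch only under the stricter setting, which is exactly the trade-off the AllowReadAccess option makes. In production, feed the real event stream into triage() and alert on both the repeated-deny and mismatch lists.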

Resources

Related Rules