Add threat type to malware deep scanning events

I missed one reporting field in the malware deep scanning events (the SB threat type). This CL populates that field. This field should also be populated in the dangerous download event, but those events aren't working as expected (see https://crbug.com/1002976), and work adding threat types to the current events would be thrown away. Bug: 1002977 Change-Id: Ife0a449a8b46ad18766516f9c570739606825d5f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1799742Reviewed-by: Roger Tawa <rogerta@chromium.org> Commit-Queue: Daniel Rubery <drubery@chromium.org> Cr-Commit-Position: refs/heads/master@{#696048}

Add threat type to malware deep scanning events
I missed one reporting field in the malware deep scanning events (the SB threat type). This CL populates that field. This field should also be populated in the dangerous download event, but those events aren't working as expected (see https://crbug.com/1002976), and work adding threat types to the current events would be thrown away. Bug: 1002977 Change-Id: Ife0a449a8b46ad18766516f9c570739606825d5f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1799742Reviewed-by: Roger Tawa <rogerta@chromium.org> Commit-Queue: Daniel Rubery <drubery@chromium.org> Cr-Commit-Position: refs/heads/master@{#696048}
f75fce00 · Daniel Rubery · Commit Bot · 0b52fc47 · f75fce00 · f75fce00
Commit f75fce00 authored Sep 12, 2019 by Daniel Rubery Committed by Commit Bot Sep 12, 2019
3 changed files
--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
@@ -51,6 +51,7 @@ const char SafeBrowsingPrivateEventRouter::kKeyClickedThrough[] =
    "clickedThrough";
 const char SafeBrowsingPrivateEventRouter::kKeyTriggeredRules[] =
    "triggeredRules";
+const char SafeBrowsingPrivateEventRouter::kKeyThreatType[] = "threatType";

 const char SafeBrowsingPrivateEventRouter::kKeyPasswordReuseEvent[] =
    "passwordReuseEvent";
@@ -241,7 +242,8 @@ void SafeBrowsingPrivateEventRouter::OnSecurityInterstitialProceeded(
 void SafeBrowsingPrivateEventRouter::OnDangerousDeepScanningResult(
    const GURL& url,
    const std::string& file_name,
-    const std::string& download_digest_sha256) {
+    const std::string& download_digest_sha256,
+    const std::string& threat_type) {
  if (client_) {
    // Create a real-time event dictionary from the arguments and report it.
    base::Value event(base::Value::Type::DICTIONARY);
@@ -249,6 +251,7 @@ void SafeBrowsingPrivateEventRouter::OnDangerousDeepScanningResult(
    event.SetStringKey(kKeyFileName, file_name);
    event.SetStringKey(kKeyDownloadDigestSha256, download_digest_sha256);
    event.SetStringKey(kKeyProfileUserName, GetProfileUserName());
+    event.SetStringKey(kKeyThreatType, threat_type);
    ReportRealtimeEvent(kKeyDangerousDownloadEvent, std::move(event));
  }
 }

--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.h
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.h
@@ -57,6 +57,7 @@ class SafeBrowsingPrivateEventRouter : public KeyedService {
  static const char kKeyNetErrorCode[];
  static const char kKeyClickedThrough[];
  static const char kKeyTriggeredRules[];
+  static const char kKeyThreatType[];

  static const char kKeyPasswordReuseEvent[];
  static const char kKeyPasswordChangedEvent[];
@@ -96,7 +97,8 @@ class SafeBrowsingPrivateEventRouter : public KeyedService {
  // Notifies listeners that deep scanning detected a dangerous download.
  void OnDangerousDeepScanningResult(const GURL& url,
                                     const std::string& file_name,
-                                     const std::string& download_digest_sha256);
+                                     const std::string& download_digest_sha256,
+                                     const std::string& threat_type);

  // Notifies listeners that scanning for sensitive data detected a violation.
  void OnSensitiveDataEvent(

--- a/chrome/browser/safe_browsing/download_protection/check_client_download_request.cc
+++ b/chrome/browser/safe_browsing/download_protection/check_client_download_request.cc
@@ -31,6 +31,7 @@
 #include "components/safe_browsing/common/utils.h"
 #include "components/safe_browsing/features.h"
 #include "components/safe_browsing/proto/csd.pb.h"
+#include "components/safe_browsing/proto/webprotect.pb.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/download_item_utils.h"

@@ -40,6 +41,23 @@ using content::BrowserThread;

 namespace {

+// TODO(drubery): This function would be simpler if the ClientDownloadResponse
+// and MalwareDeepScanningVerdict used the same enum.
+std::string MalwareVerdictToThreatType(
+    MalwareDeepScanningVerdict::Verdict verdict) {
+  switch (verdict) {
+    case MalwareDeepScanningVerdict::CLEAN:
+      return "SAFE";
+    case MalwareDeepScanningVerdict::UWS:
+      return "POTENTIALLY_UNWANTED";
+    case MalwareDeepScanningVerdict::MALWARE:
+      return "DANGEROUS";
+    case MalwareDeepScanningVerdict::VERDICT_UNSPECIFIED:
+    default:
+      return "UNKNOWN";
+  }
+}
+
 void MaybeReportDownloadDeepScanningVerdict(
    Profile* profile,
    const GURL& url,
@@ -64,7 +82,10 @@ void MaybeReportDownloadDeepScanningVerdict(
      response.malware_scan_verdict().verdict() ==
          MalwareDeepScanningVerdict::MALWARE) {
    extensions::SafeBrowsingPrivateEventRouterFactory::GetForProfile(profile)
-        ->OnDangerousDeepScanningResult(url, file_name, download_digest_sha256);
+        ->OnDangerousDeepScanningResult(
+            url, file_name, download_digest_sha256,
+            MalwareVerdictToThreatType(
+                response.malware_scan_verdict().verdict()));
  }

  if (response.dlp_scan_verdict().status() == DlpDeepScanningVerdict::SUCCESS) {