Forum Discussion

cwestgor
New Contributor
4 months ago

Chrome/Edge Extensions triggering EDR blocks for command line execution

After an extension update a few days ago, the 1Password Chrome and Edge extensions keep triggering my company's Fortinet EDR. It is being listed as a malicious "generic.commandline.default" script execution. Every time I change webpages it is triggered. Currently, the only fix so far is to uninstall the 1Password extension from both Edge and Chrome. I have tried removing the extension and reinstalling it.

It is trying to execute the following, according to the EDR report (I removed my username). It is also showing as an invalid signature.

cmd.exe /d /s /c ""C:\Users\USERNAME\AppData\Local\1Password\app\8\1Password-BrowserSupport.exe" chrome-extension://dppgmdbiimibapkepcbdbmkaabgiofem/ --parent-window=0" < \\.\pipe\chrome.nativeMessaging.in.251c39119f136db6 > \\.\pipe\chrome.nativeMessaging.out.251c39119f136db6

 

2 Replies

  • Hello cwestgor! 👋

    I'm sorry that you're running into an issue with 1Password and your security solution. I see that you're already discussing the situation with our support team over email; please continue the conversation there if you're still seeing issues.

    -Dave