Since "the installation process is quite complicated so that they can bypass the chrome malware checks" (second paragraph), it probably can bypass blacklisting checks too.
The fact that the blacklist checks can be bypassed is troubling in and of itself; the fact that a security company would knowingly do so is even more troublesome. I just finished removing AVG from my mother's laptop yesterday, it's not very often you get a choice validated so quickly.
As Raymond Chen would say, the code is on the same side of the "airtight hatchway". There's nothing Chrome can do to protect itself against processes at the same privilege level, much less against processes at higher privilege levels. Any blacklist check Chrome does can be nothing more than a speed bump.
That makes sense, thank you for the explanation. That said, I suppose I'm still disappointed that a security vendor would manipulate extension installation to bypass checks on a platform, but I'm not particularly surprised that it's the kind of thing AVG would do.
Also, you probably don't want them to. I've got a huge problem with software that goes out of its way to prevent the user from doing something they explicitly want to do.
How is code supposed to determine user intent? The AVG developers would no doubt say the user intended to install their software and didn't want to have to learn all of the details, just like every other malware / adware vendor claims; the Chrome developers would say that users want to be secure but if you ask, millions of people will be insecure because they made a mistake or were encouraged to believe something was safer than it actually is.
There simply isn't a simple solution to this problem.
> I've got a huge problem with software that goes out of its way to prevent the user from doing something they explicitly want to do.
I guess you have a huge problem with Windows 7 or later or OS X 10.9 or later, which really go out of their way to prevent you from loading unsigned kernel-space device drivers.
Are you saying that it's impossible for Windows apps to provide a level of executable trust for "normal" applications? If Chrome (or any other app) can't protect its cert/trust store from external abuse, why should anyone ever trust any web browser?
