Didn't quite know where to post it, but just to get the helping hand out. If anyone else has problems with Avast reporting BV:Crossrider-B [PUP] on files like CrossriderAPI.js, monitor.js, events.js etc... being found when opening Google Chrome on macOS, then at least for my case, there was the culprit in the /private/var/tmp folder, the file was referenced from
~/Library/Application Support/Google/Chrome/External Extensions/bknocbldidknmbnfgofcmkjdohancana.json
{
"external_crx": "/private/var/tmp/photozoom.crx",
"external_version": "1.26.22"
}
Which in turn was written into
~/Library/Application Support/Google/Chrome/Profile 1/Secure Settings
{
"protection": {
"macs": {
"extensions": {
"settings": {
"bknocbldidknmbnfgofcmkjdohancana": "4C805531E47980DBC7CE0E878D425CD7D9E2EEA98BDC585E5A2843D26F899503"
}
}
}
}
"extensions": {
"settings": {
"bknocbldidknmbnfgofcmkjdohancana": {
"active_permissions": {
"api": ["contextMenus", "cookies", "notifications", "proxy", "storage", "tabs", "unlimitedStorage", "webNavigation", "webRequest", "webRequestBlocking"],
"explicit_host": ["http://*/*", "https://*/*"],
"manifest_permissions": [],
"scriptable_host": ["http://*/*", "https://*/*"]
},
"commands": {},
"content_settings": [],
"creation_flags": 1,
"events": [],
"extension_can_script_all_urls": true,
"from_bookmark": false,
"from_webstore": false,
"incognito_content_settings": [],
"incognito_preferences": {},
"initial_keybindings_set": true,
"install_time": "13091882323313056",
"location": 2,
"manifest": {
"background": {
"page": "background.html"
},
"content_scripts": [{
"all_frames": true,
"js": ["js/312f101f5066b6f1ef0bb7faff696773.js", "js/lib/a8704f994c151db1c1640244c9fb7679.js", "js/lib/54d05a9a405c8a537efa33aa04977775.js", "js/lib/114ee707ad4e3c272bd0d6187527f3c7.js", "js/lib/dde536c20dd8b25085f3607a8256a94f.js", "js/api/d0d5d35797aa340e6993119a0d70d808.js", "js/api/2045e0266af452bc84cebe0e0c456aba.js", "js/api/pageAction.js", "js/lib/installer.js", "js/lib/app_api.js"],
"matches": ["http://*/*", "https://*/*"],
"run_at": "document_start"
}],
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
"description": "Images Zoom Extension",
"icons": {
"128": "icons/icon128.png",
"16": "icons/icon16.png",
"48": "icons/icon48.png"
},
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUtrVjxeg6ueYU9gLhAY017tvCxUHO6kpWoHdA2FlbQn+xpmE7xS66i8037guqVaXGtGU0/0IzM+9hfaNL4leTXJYn1mFnB31is9OwRKGQ/u2Ip2zZ5kXIgvb8zPHrkyE/HWUYqJyAX/a6fWEDVFTwMuMEntWUQMpuUJo5NYaAdwIDAQAB",
"manifest_version": 2,
"name": "Photozoom V9.0",
"permissions": ["http://*/*", "https://*/*", "tabs", "cookies", "notifications", "contextMenus", "webNavigation", "webRequest", "webRequestBlocking", "unlimitedStorage", "storage", "proxy"],
"update_url": "https://w9u6a2p6.ssl.hwcdn.net/plugin/chrome/update/60792.xml",
"version": "1.26.97",
"web_accessible_resources": ["Settings.json"]
},
"path": "bknocbldidknmbnfgofcmkjdohancana/1.26.97_0",
"preferences": {},
"regular_only_preferences": {},
"state": 2,
"was_installed_by_default": false,
"was_installed_by_oem": false
}
}
}
}
Reported the photozoom.crx (which is RAR-archived chrome package if anyone is interested) to Avast, not giving it here
The way I tracked the culprit down was
Quit Google Chrome
then in terminal
sudo opensnoop
then open Google Chrome
and after the Avast has detected the error CTRL+C the trace -> happy hunting
First thing is to get rid of the file and ofcourse the settings fields, that refer to it
Finding the references to the extension was doable with
cd ~/Library/Application Support/Google
grep -lr "photozoom" *
Hope it helps someone