Better and worse AVs for privacy ?

Privacy pretty much defined as what data/information the vendor collects and what it does with that information.

To keep it simple, let's assume you don't use the cloud option.

Personally, my focus is on the suites, not standalone AVs.

A few years ago I studied this issue myself, but as I stated that was a few years ago.

Obviously there is a difference between written policy and practice.

I remember McAfee being on of the worst, selling and redistributing anonymous and not so anonymous data to third parties.
I suspect that Symantec isn't that great either, given the fact that it's a major US company and it relies to a great extent on reputation scores.

This isn't intended to be an A vs. B thread, just systemic or anecdotal information/reports.

Some examples of AVs/suites of interest are Eset, Kaspersky, Bitdefender, GDATA, Avira.
Avira isn't what it used to be ...
I've wondered about the privacy implications of Kaspersky, and that has nothing to do with me being anti-Russian, which I'm not.
Since I'm in the EU I suspect that American AVs are more risky for various reasons, but perhaps these days the European AVs may be equally bad.

Privacy has many aspects, like data (what data?) being sent to state actors, data being shared with a few companies the vendor coorporates with, vendors that sell or share the data with many parties (McAfee?).

Once you buy an AV/suite online from the vendor you're probably waiving any privacy you had.

Personally I don't need an AV for daily use, but there are situations in which use of an AV is useful or warranted.

Thoughts ?

 

Picking a specific AV would be pretty difficult I think. Picking specific technologies however, that enables a bit more discussion. Whether you register a freebie AV or a paid one, you might as well count on personal data being kept and shared to partners. Email addresses, general personal data, it's all going to go out to someone else. Web-scanning modules are going to have to know what sites you visit and so on to work properly, and I'd have very high doubts that that data stays local, especially when a link/page is flagged. Cloud AVs open up a lot more possibility of data being sent elsewhere. Even if the data is "randomized", there is still enough there to eventually start building general profiles if someone really wanted to.

I'm 99.99% sure that the days of avoiding 3rd parties and promises of not collecting, selling and using user data for marketing and cash flow are over.

 

What can/will you accept WRT information being sent off the machine? Someone that has investigated the subject before will have a fair to hopefully good idea of the types of information that may be sent, how they may be sent, etc. They, too, as user/admin would know the context in which the machine will be used. What are the MUST NOTs and SHOULD NOTs?

It is almost always the case that privacy policies, TOS, etc documents don't fully answer the questions that a knowledgeable privacy oriented person would have. Plus, it is essentially impossible to verify how the information is really handled at any one moment in time let alone all moments in time. Such policies may change, and may change in ways that have retroactive consequences. Etc. If your requirements are such that you will be exposing information to them, you need to figure out some way to weigh their representations and factor that into your decision making process. Others may provide some information which serves as input, but ultimately no one can tell you how to do this. It is a highly subjective call. If, on the other hand, your requirements are such that you know you won't allow cloud features, metrics features, etc to phone home information then you really don't have to worry about how the company handles that type of information.

 

Mman79,

You raise a few good points.

Discussing technologies is a good starting point. However, you can't fully separate technology and product/vendor.
For example, the HIPS in KIS (Kaspersky Internet Security) works in a certain way. If I recall correctly, some degree of customization is possible. Even assuming that no particular vendors/certificates are trusted, it analyses the (new) program in question. How does it do that, and what data are sent to Kaspersky ? I have used KIS, but I don't remember the particulars.

The same goes for web-scanning modules.

Back to products/vendors. There is a huge variation.

It is difficult to impossible to get a full and accurate picture.
But perhaps something could be said about the various products/vendors.
Some are blatantly bad (McAfee), some possibly more benign (Eset (?), Kaspersky (?), older versions of Avira.

I agree that it's hard to impossible to get complete, precise and reliable information about a certain product.

Nevertheless, perhaps some members have some insight or experience ?
Up to a point, it is possible to analyze what data an 'AV' sends home.
But that's beyond my capabilites. (Wireshark ?)

Knowledge about business associations and practices is another issue.

I agree, when is 'anonymous' data truly anonymous ?

'I'm 99.99% sure that the days of avoiding 3rd parties and promises of not collecting, selling and using user data for marketing and cash flow are over.'

That's true for most products, although I suspect that Kaspersky shares/sells very little of any data it gathers.

TheWindBringeth,

What is WRT information ?

I mostly agree with what you state in your second paragraph.
I would not use cloud features, avoid metrics (?) information to the extent it's possible, the same goes for phone home information to the extent it is possible and feasible.

'If, on the other hand, your requirements are such that you know you won't allow cloud features, metrics features, etc to phone home information then you really don't have to worry about how the company handles that type of information.'

Is it truly possible to disable that functionality ? Some 'phone home' activity seems unavoidable.

 

WRT = With respect to

You could ask the company and/or in product specific forums. You could read up on how the software works and look for signs that there are sufficient controls for that. At the end of the day though, you'd be wise to take it for a spin on a test machine and make longer term observations on whether or not the phoning home (at least those subtypes that you won't tolerate) occurs. Enabling and reviewing log files might help, but you'd also want to look at actual traffic. Are you productive with Wireshark or something similar? It is possible you might see encrypted traffic and not know what is within. Maybe that can be MITMed through certificates with something like Fiddler or Mitmproxy or whatever. Maybe not. Have you ever tried to inspect SSL traffic that way?

Another approach would be to try to zero in on products which you have good reason to believe can be used in an offline context. This would require manual definition updates but that might be OK with you. Then you could try using a software firewall to simply block the AV software from using the network for anything.

You could also look for older less cloudy versions which are still receiving definition updates.

 

How would you feel about something like webroot? Which is ostensibly phoning home the whole time it's running. I'm ambivalent towards this sort of technology. I'd much rather just rely on local signatures, but try to find a product that doesn't phone home in some way...

A lot of the features kind of weird me out. Verifying DNS resoliton, identity protection features, scanning all the search results (all of which can be disabled). Couple this with the fact that it's a cloud protection system, I'm not certain how I feel about this information potentially leaking out, even if it's a security vendor. Then again, browsers do some same things with phishing protection, so who really knows...

 

People need to start differentiating "personal data" with "aggregated statistical data". The difference?

Personal data is when a lets say data stealer malware steals a specific piece of data (game CD KEY's, game login informations, bank login information etc).
The person on the other end is collecting that specific data for exploitation or very bad intentions and they usually review every entry.

Aggregated statistical data is what most AV's do. It's a global mass data collection that is usually of lesser importance but may capture personal data under which profile username captured in a path of a malware detected on desktop already belongs into this zone. The companies have insight on the data but they are interested in other things, mostly trends related to malware, phising, how malware is distributed and what it is doing on user systems.
The main question here is, why would they specifically lookup for usernames captured in file paths? What benefit would that be to them in relation to that specific user?

AV's are also a lot different than lets say social networks. AV's don't give random 3rd party users ability to view the data, however you can exploit Facebook pretty well in order to gather quite a lot of very personal information from a specific user and use that in real life for either good or very bad intentions.

Personally i think that smaller companies are a bit better in this regard as they all know what everyone does and they are more focused on doing their job. Where in massive corporations, often its not even known who does what and they tend to get stupid ideas just for the sake of making themselves even bigger. Just my opinion, though they still need to follow some basic ethics code. It just depends on how much...

 

If this would be so, then why the need to collect such data in the first place (usernames, for instance)?

 

Who says they are doing it intentionally? Maybe this example will explain it to you...

MALWARE DETECTED!
Win32:Evo-Gen [Susp]
C:\Users\RejZoR\Desktop\1.exe

The username is right there in the detected file pathname...

 

I understood this from your first post, but the issue was why would an AV company want to know more than the filename? Even better, I think that it is trivial to remove the sensitive "user" part from the path, if they would really want...

The issue here is the way an application is coded. I'm a programmer, and I know it's tempting to just take the path+filename and just send it to server. But if you really care about privacy when developing an application, then extra steps might be needed when processing that information.

 

It's a statistical data they are gathering. What kind of malware, to what folders it got downloaded and executed, what it does etc... the reason why AV's got such incredible jump in performance compared to few years ago. Both ends evolved but currently security is gaining some ground with cloud systems that are sometimes just too unpredictable for the malware writers.

 

I think a better description would be: it is detailed information they are gathering, from which they are likely generating some statistics. One thing to bear in mind is that full pathnames are probably being sent in queries too. Even before there is a (positive) determination that there is some malware on the machine and even if there is never any malware on the machine.

The query scenario is an interesting one. IF the location of a file WERE important to making decisions about the file, and the pathname would contain a user-created-account named folder such as RejZoR, the RejZoR portion would have to be stripped out/generalized anyway in order for a user-independent comparison to be made. IOW, if 1.exe would be considered malware in part due to it being on the desktop, the query would need to return the same positive answer for both:

C:\Users\RejZoR\Desktop\1.exe
C:\Users\TheWindBringeth\Desktop\1.exe

Fortunately, Microsoft has created special folder IDs to help deal with such user/OS dependent differences. So instead of sending those full pathname strings that reveal an account name which in some cases would be a real name, the software could instead send the string <FOLDERID_Desktop>\1.exe. The cloud database would be using FOLDERID_Desktop too, so things would line up nicely.

We could continue to explore opportunities to cut down on the sending of potentially sensitive information but I suspect such coding discussions may not be what Fly had in mind when creating this thread. I noticed that Avast wasn't explicitly mentioned, so perhaps this is your chance RejZoR. How is Avast 8 better than other cloud-AV software in terms of operating *without* phone-home features or providing options that *reduce* what gets phoned home?

 

Well, i gave the desktop as the most obvious example.

It's also possible that you get path like this at which point you can't predict sensitive info:

D:\Images\John Doe\naked.jpg.exe

A malware that sneaked into the images folder beyond system folders.

 

There was an earlier thread which may be of interest: https://www.wilderssecurity.com/showthread.php?t=333380

 

Nobody is absurd to require an algorithm that can sanitize all personal data that might be send to the AV's servers. What users like me would like is to send this data only when absolutely needed and for the AV product to connect home as seldom as possible.

 

I'm well aware of such possibilities (https://www.wilderssecurity.com/showpost.php?p=2028617&postcount=92 from just over a year ago). The point was that it is appropriate and arguably essential to review designs for instances where sensitive information could get caught up in a queries/reports and take advantage of opportunities for eliminating that. Your latest example for instance. What is actually important about the above full pathname? Is it the user-created folder names in that path or the "naked" portion of the filename? No, it is the .jpg.exe portion of the filename which in some configurations would cause the user not to see that it has an EXE extension rather than a JPG extension, plus whatever other malware like characteristics that PE file has, plus perhaps the true/false condition that the PE exists in "user defined directory structure" space and thus outside the common locations for PEs. The flip side would be, what if the user just goofed up somehow when naming the file and it actually is just a JPG of "John Doe" naked. It would be Really Good if the client side software tried to check for that condition before submitting the file to the cloud as a suspicious file.

A cloud-AV developer that adopts a "lets collect anything that might possibly be useful for detections and lets also collect anything that might possibly be useful for secondary research purposes" mentality would likely gravitate towards a design that sends but doesn't sanitize full pathnames, full URLs for file downloads, full URLs requested during other web browsing (http and possibly even https), etc, etc... would send all queries/submissions to the cloud with a per-user and/or per-machine GUID... and not only would those GUIDs be linked to any personal information within the data that is sent to the cloud as above, those GUIDs would likely be linked or easily linkable to any personal information submitted when purchasing, creating accounts for online registration, etc. Imagine the possibilities to search and extract information from that database!!!!!!! You could dump download histories and/or web surfing histories which match specific names and other search criteria. You could identify names and other information for those who download (or even upload!) specific things or visit specific sites. So on.

So the possibilities that are created when things aren't (reliably) sanitized can certainly be beyond that which a reasonable person is willing to expose their information to. Some would say NOPE to the sending of any info. Others would want a "send that which is highly unlikely to contain personal info or which can be sanitized with a high degree of probability... and don't send that which can't" type options. Note that this is somewhat different from entirely excluding certain folders from scanning. For example, one might keep all their important data files on J: and not want any pathnames (even filenames) submitted to the cloud but still want basic checks performed such as comparing file hashes to know malware hashes. Those familiar with scoring systems (for antispam purposes or whatever) where various things are assigned weights and the system can still score things even when certain bits of information aren't present) might realize the possibilities here.

 

Well, there are 2 types of submissions...

One which only involves statistical data and not the actual file.

The second one is submission of the actual file which got detected inside for example avast!'s Auto Sandbox or the one involving heuristic detection.
In which case files are checked for the filetype. *.doc, *.xls etc files will be automatically excluded unless it's a macro detection in which case i'm unsure. But they aren't as common these days so it doesn't matter much if they aren't submitted...

 

The cloud queries send... "submit"... information to the cloud as well but may not be called "submissions". What is the first "submission" you speak of? What is the "statistical data"?

 

I think a lot depends on where you reside. While Russian users on this forum might prefer to use Kaspersky, I certainly wouldn't since I have little recourse in case Kaspersky misuses my info. Same reason why I wouldn't use a Chinese or a Romanian product. Also, not living in those locations I dont understand their laws nor do I trust them to uphold those laws especially if corruption is an issue.

 

hi
I am afraid there is no answer to this question...
Yes some AVs should be avoided for privacy concerns, by their design (cloud) or historical reputation.
US based AV are known for their collaboration with security agencies (a popular example with FBI magic lantern (http://en.wikipedia.org/wiki/Magic_Lantern_(software)) ), one popular av is associated with the Scientology, another one is suspected to serve the Kremlin ( https://www.wilderssecurity.com/showthread.php?t=328889 ), the made in China Rising has demonstrated that for growing quickly everything is permitted (https://www.wilderssecurity.com/showthread.php?t=234542 ), and a recent editor is not clear and perhaps not so clean (http://krebsonsecurity.com/2012/11/infamous-hacker-heading-chinese-antivirus-firm/ )...

Personally i still have some respect for Dr Web, who does not participate in AV tests, and has been certified by the FSB after a long process which includes an analysis of the source code (denied by Kaspersky)
http://company.drweb.com/licenses_and_certificates/?lng=en

For those who are a little bit patient, just wait a few month for the release of Davfi, the first European Open Source antivirus
http://www.davfi.fr/index.html

Here s come the technology, and Fly the privacy

Edited links

Rgds