Avira watch - Eckzahn may be right IMHO

Discussion in 'other anti-virus software' started by NaClmind, Apr 10, 2010.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  2. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    I appreciate that, ratwing. I should read some of Carver's threads.

    Also: paranoia is a highly evolved survival mechanism. Don't leave home without it :)

    I really don't want to bash Avira. I don't have to. They flog themselves pretty good. Maybe I should reinstall AntiVir and share my firewall logs before trying the NOD32 demo.

    nite
     
    Last edited: Apr 11, 2010
  3. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    Yikes. This should bug just about everyone but the truly blissful.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @NaClmind

    Kaspersky AntiVirus Version 2010 reviews

    http://www.complaints.com/2010/february/9/Kaspersky_AntiVirus_Version_2010_reviews_227013.htm

    Crikey, what an eye-opener :eek:


    @Espresso

    RE - google-analytics log

    Nice catch, and these are just the kind of FACTS we need :thumb: I've put google-analytics in my HOSTS now.

    Yeah, "could be" geographical IP data to make sure we get the nearest servers, but who knows? Other vendors have more suitable ways of closer IP location than using google-analytics, so if we can find out why Avira is doing this, so much the better.
     
  5. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    Good reading, eh?
     
  6. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Although 212.250.1.7 resolves to the questionably named dns-configuration.service.virginmedia.net, it appears to be an update server.

    Edit: Or maybe not... maybe it's just redirects. Dunno. What's the big deal anyhow? Is the assumption that this dns redirector is less secure than a nameserver with avira in the title?
     
    Last edited: Apr 11, 2010
  7. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    A lot of black helicopters in the air this morning. They come for me............and you.

    But I am smarter because I saw them first.
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Code:
    # dig avira-update.com
    
    ; <<>> DiG 9.6.2 <<>> avira-update.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18329
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;avira-update.com.              IN      A
    
    ;; AUTHORITY SECTION:
    avira-update.com.       263     IN      SOA     ns1.avira-ns.net. domains.avira.com. 2010032900 10800 3600 604800 1800
    
    ;; Query time: 126 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Apr 11 12:08:45 2010
    ;; MSG SIZE  rcvd: 100
    
    Now, personal.avira-update.com is a CNAME for personal.avira-cdn.com, which is a CNAME for de.personal.avira-update.com. Let's see where it goes:

    Code:
    # nslookup de.personal.avira-update.com. ns1.avira-ns.net
    ;; Warning: Message parser reports malformed message packet.
    ;; Truncated, retrying in TCP mode.
    Server:         ns1.avira-ns.net
    Address:        62.116.163.100#53
    
    Name:   de.personal.avira-update.com
    Address: 62.146.66.178
    Name:   de.personal.avira-update.com
    Address: 62.146.66.179
    Name:   de.personal.avira-update.com
    Address: 62.146.66.180
    Name:   de.personal.avira-update.com
    Address: 62.146.66.181
    Name:   de.personal.avira-update.com
    Address: 62.146.66.182
    Name:   de.personal.avira-update.com
    Address: 62.146.66.183
    Name:   de.personal.avira-update.com
    Address: 62.146.66.184
    Name:   de.personal.avira-update.com
    Address: 62.146.66.185
    Name:   de.personal.avira-update.com
    Address: 80.190.143.226
    Name:   de.personal.avira-update.com
    Address: 80.190.143.227
    Name:   de.personal.avira-update.com
    Address: 80.190.143.228
    Name:   de.personal.avira-update.com
    Address: 80.190.143.229
    Name:   de.personal.avira-update.com
    Address: 80.190.143.230
    Name:   de.personal.avira-update.com
    Address: 80.190.143.231
    Name:   de.personal.avira-update.com
    Address: 80.190.143.232
    Name:   de.personal.avira-update.com
    Address: 80.190.143.233
    Name:   de.personal.avira-update.com
    Address: 80.190.143.234
    Name:   de.personal.avira-update.com
    Address: 80.190.143.235
    Name:   de.personal.avira-update.com
    Address: 62.146.66.186
    Name:   de.personal.avira-update.com
    Address: 62.146.66.187
    Name:   de.personal.avira-update.com
    Address: 80.190.143.236
    Name:   de.personal.avira-update.com
    Address: 80.190.143.237
    Name:   de.personal.avira-update.com
    Address: 80.190.143.238
    Name:   de.personal.avira-update.com
    Address: 80.190.143.239
    Name:   de.personal.avira-update.com
    Address: 80.190.143.240
    Name:   de.personal.avira-update.com
    Address: 80.190.143.241
    Name:   de.personal.avira-update.com
    Address: 80.190.143.242
    Name:   de.personal.avira-update.com
    Address: 80.190.143.243
    Name:   de.personal.avira-update.com
    Address: 62.146.66.188
    Name:   de.personal.avira-update.com
    Address: 62.146.66.189
    
    So, the above is what Avira Free should be downloading updates from. I don't see 212.250.1.7 anywhere.
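    The check above, as an added example that is not part of the post: follow the CNAME chain from personal.avira-update.com to its A records and test whether an address seen in a firewall log is one of them. The zone data is a constructed, offline copy of the dig/nslookup output quoted above, so no network lookups are made; the function names are the example's own.

```python
"""Follow a CNAME chain offline and check whether an observed IP belongs to the update hosts.

The ZONE table is constructed from the dig/nslookup output in the post; it is not live DNS data.
"""
from ipaddress import ip_address

# Constructed record set: name -> ("CNAME", target) or ("A", [addresses])
ZONE = {
    "personal.avira-update.com.": ("CNAME", "personal.avira-cdn.com."),
    "personal.avira-cdn.com.": ("CNAME", "de.personal.avira-update.com."),
    "de.personal.avira-update.com.": (
        "A",
        [f"62.146.66.{i}" for i in range(178, 190)]      # .178 - .189, as listed in the post
        + [f"80.190.143.{i}" for i in range(226, 244)],  # .226 - .243, as listed in the post
    ),
}


def resolve_a(name, zone, max_hops=8):
    """Return (chain_of_names, sorted_addresses), following CNAMEs until an A record set.

    Raises LookupError for a name with no record and RuntimeError on a CNAME loop
    or a chain longer than max_hops, both of which a resolver must refuse to follow.
    """
    chain = [name]
    seen = {name}
    while True:
        if name not in zone:
            raise LookupError(f"no record for {name}")
        rtype, data = zone[name]
        if rtype == "A":
            return chain, sorted(data, key=ip_address)
        # CNAME: hop to the target, guarding against loops and runaway chains
        if data in seen or len(chain) >= max_hops:
            raise RuntimeError(f"CNAME loop or chain too long at {data}")
        seen.add(data)
        chain.append(data)
        name = data


def is_known_update_host(ip, name, zone):
    """True if ip is among the addresses the update hostname finally resolves to."""
    _, addrs = resolve_a(name, zone)
    return ip_address(ip) in {ip_address(a) for a in addrs}


if __name__ == "__main__":
    chain, addrs = resolve_a("personal.avira-update.com.", ZONE)
    print(" -> ".join(chain))
    print(len(addrs), "update addresses")
    # 212.250.1.7 is the address a poster saw in firewall logs; it is not in the set
    print("212.250.1.7 known:", is_known_update_host("212.250.1.7", "personal.avira-update.com.", ZONE))
```

    A snapshot like this only says what the name resolved to at one point in time; CDN address sets change, so a negative result is a reason to look further, not proof of anything by itself.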
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    OK - but please make sure that the target of your attention is the right one.

    This thread is directed at Avira. Your comments then broadened out to security vendors as a group.

    Now, from current events, it's clear that a number of unethical groups out there try to separate you from your hard-won money by playing on your fears regarding malware. These are genuinely fraudulent efforts. They don't have ulterior motives. Their motive is clear and it's theft.

    As for the references that you provided,

    1. http://www.gnu.org/philosophy/can-you-trust.html - Stallman comments regarding "trusted computing" and, more generically, the use of proprietary software (versus open source).

    2. http://www.computerworlduk.com/management/security/standards-law/news/index.cfm?newsId=19203 - commentary regarding cloud computing, privacy, and unpatched vulnerabilities.

    3. http://www.pcpro.co.uk/news/securit...r-admits-customers-still-dont-trust-the-cloud - Trust and cloud computing. Obviously, move your data outside of your possession and you lose a measure of control regarding its possible use and dissemination.

    4. http://www.eweekeurope.co.uk/news/dont-trust-cloud-says-government-security-adviser-6061 - Another example of cloud computing and how sloppiness that you're not directly responsible for can compromise your confidential data.

    5. http://www.v3.co.uk/vnunet/news/2191749/avg-kaspersky-fail-virus - Report on the failure of some AV products to make VB100 certification on a 2007 round of tests.

    6. http://www.v3.co.uk/v3/news/2258822/rsa-2010-encryption-anti-virus - Comment regarding potential shortcomings of classical (i.e. blacklist) AV technology as well as vulnerabilities of encrypted network-based communications to certain types of attack.

    7. http://remove-malware.com/antimalwa...ernet-security-2010-and-rogue-antivirus-fail/ - Example of NIS 2010 falling victim to a rogue malware application.

    8. http://www.complaints.com/2010/february/9/Kaspersky_AntiVirus_Version_2010_reviews_227013.htm - Something of a rant regarding a "safe list" of providers maintained by KL.

    9. http://www.itworld.com/security/100320/security-industry-faces-attacks-it-cannot-stop - Commentary regarding inability of AV products to deal with a specific exploit. Seems there is some question of the test methodology employed from the AV vendor side.

    10. http://lastwatchdog.com/antivirus-suites-fail/ - somewhat general comment regarding AV blacklist technology and zero-day malware.

    These references cover a wide and divergent group of topics.

    The Stallman reference is the only one that is conceivably focused on the question of the generic intentions of a vendor/provider, but even here the focus largely devolves to the philosophical question of open source vs. proprietary code bases. Cogent arguments can actually be made on either side of that argument.

    The issues regarding "cloud computing" are less related to possible intentions than to sloppiness. My own opinion of cloud-based security offerings is that most don't fundamentally change the playing field. There's somewhat of a change in the distribution of information in both directions, but this is really only a change in the distribution mechanism, not the end result. That doesn't mean it's not useful - there is a potential benefit in getting an earlier view of emergent threats. However, there's a cost to that benefit in that users provide a vendor a constant stream of information. As far as I know, vendors strive to eliminate any user-connected data, but it's a potential issue from the privacy angle.

    With respect to cloud platforms for data retention, it's once again a good-bad scenario. The good - the cloud provides instant access from any networked device. The bad - that level of access is not always a good idea. A measure of control is lost and you rely on the diligence of others. For some things that's fine, but not for others.

    I'd hope that everyone on this site has a good appreciation of some of the fundamental issues of blacklist technology employed by the majority of AV products. Their efficacy is time dependent. That's a reality. In an environment in which communications are slow and malware does not evolve, that's not much of an issue. However, instantaneous networked communication coupled with mutating threats yields a fundamental mismatch. My own view is that unless one restricts downloads to validated and curated sites, blacklist technology remains a needed tool. However, it's a tool with limitations that need to be appreciated.

    Overall, none of these examples address the insinuations that were painted so broadly above.

    If you're going to make a specific accusation, and this thread is specifically about Avira, you should back it up with facts, not fluff. If you want to pursue a more general philosophical discussion, that's fine as well and is actually what your references suggest; just try to appreciate the difference.

    Blue
     
  10. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    If I look in Process Hacker, I've got AVWebgrd.exe connecting out to eBay, Google, and random IP addresses.
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... that's the web proxy IIRC, so... doesn't it go anywhere you are browsing ATM?
     
  12. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Can anyone elaborate on the China issue mentioned on the Avira forum and Wilders?
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    If I close FF, which is my default browser and the only browser that gets used, it still connects out. If I had actually gone to eBay when it was connecting out, that would be great, I wouldn't have an issue with that, but I was never on eBay when it connected out to eBay.
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... FF is not the only thing that uses port 80 to connect out on your computer. So, you need to make sure absolutely nothing else is connecting out via HTTP.
     
  15. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    430
    So Avira (Free) is spyware too? Selling our personal data to Google etc. :shifty:
     
  16. pasha101

    pasha101 Registered Member

    Joined:
    Nov 28, 2009
    Posts:
    34
    Have any of these accusations been proven? Or is this more about a few people speculating about what is going on? Either way is good by me, just curious. I have no dog in this fight; I used Avira for the last several years but recently switched due to other issues I had with ver. 10 on my computer.
     
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    From my vantage point (as a simple observer, I don't use the product now and haven't in the past either), nothing has been proven and it's idle/unsupported speculation using arguably disconnected and/or misunderstood bits of isolated information thus far.

    Blue
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, the avnotify.* Google issue is easily confirmed, as shown here, plus even with very simple tools like KPF 2.1.5 or whatever that tracks connections.

    For the resolver, I'd bet their bundled junky resolver is behind most of the "does not update" issues out there, which flood the Avira forum since their latest release.

    Wrt the webshield, I did not try and have no intention of installing this thing somewhere to confirm. As I noted, you need a firewall that blocks all outbound HTTP traffic except for the traffic originated by Avira stuff to confirm.
     
  19. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    Field day for Avira haters, especially users of other inferior products who regularly get their behinds kicked by Avira ;), quite understandable :). If this is truly an issue, Secunia, av-comparatives and others would be on it; so far all I see here is unsubstantiated claims and nothing more. People keep talking about update issues. Out here I have Avira free on two machines, one with a slow 1 Mbps connection, one with a horrid 144 kbps wireless connection, and I have yet to face any update issues.
     
  20. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    Chinese hacker 'systems' are monitoring just about all communications on the web. It's at least doubled traffic load on all major server nets. I'll try and find a good SEO comment link for you. To paraphrase several sources: China is a repressive nation & rogue outfits of all kinds want what we have. They need to 'get in' on the action but their gov is clamping down so the spy-bots and vulnerability scanners are rampant. Subversion tactics are the norm. The google lock-down is causing a lot of people, private and official, to hire the services of hackers to do what we take for granted on the internet. The search engines are full of this stuff now. Not hard to get good info. ;)
     
  21. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Well, I could say that there is a "movement" against Avira lately. None of my business really, but I believe both sides are wrong here.

    The anti-Avira "movement" may be right or wrong, but the fact is that there seems to be research behind it and somehow accurate and methodical hits.

    On the other side, Avira did not manage to sufficiently protect its operations and produce good answers.

    The sure thing is that all this will pass soon and really there is no fear when there is a valid product that somehow stands there and "erases" some bad tactics, misunderstandings or bad decisions.
     
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I'll use the search engines later. :p

    So, have 'the Chinese' hacked Avira in some way?
     
  23. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Did they respond already? Gotta be good to hear from them...
    At least the complaints are there, in their own forum too.
     
  24. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Nah... Well, a moderator responded with a bunch of absolutely meaningless replies - screenshots here and here. One more "explanation" wrt the registry key here. Wrt the Google traffic... complete silence, at least I haven't managed to find anything on their forums.
     
  25. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    432
    I don't see any point in your posts anymore. You have started a thread about Avira, but till now we haven't seen anything about that (from you).

    I must say that I'm curious about AVs (and other security software) and where they send data (let's say whether using a Chinese AV is safe or not, and whether it sends something home that it shouldn't).
    But again, you spoke about one specific AV and not generally.

    Aren't they all doing that? :ninja: :eek:

    http://www.pcworld.com/article/191312/tech_secrets_21_things_they_dont_want_you_to_know.html


    Now, just relax. :D
     