AV-Comparatives - Data transmission in Internet security products

Discussion in 'other anti-virus software' started by Petrovic, Apr 29, 2014.

  1. Petrovic

    Petrovic Registered Member

    Joined:
    Mar 14, 2014
    Posts:
    62
    Location:
    Russia
    http://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf

    Management summary
    Many Internet users are concerned about who has access to their personal information and what is done with it. After revelations by Edward Snowden regarding the extent of eavesdropping by the US-American NSA, users have become increasingly aware of privacy issues. Computer security software has legitimate grounds for sending its makers some information about the system it’s running on; in particular, details of malware found on the machine have to be sent to the manufacturer in order to protect the user effectively. However, this does not mean that a program should have carte blanche to send any and all personal information found on a computer to the manufacturer (other than with the specific knowledge and agreement of the system’s owner). This report gives some insight into data-sending by popular security programs.
    Clearly, antivirus manufacturers have to comply with the laws of the countries in which they are established. In the event of e.g. a court order requiring the vendor to provide information about a customer, the company has no choice but to do this. However, this should be the only reason for providing user data to a third party. Some companies do not state that they will only pass on customer information in such circumstances.
    This report was initially requested and commissioned by PCgo and PC Magazin Germany.
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,042
    Interesting. Thank you :thumb:
    A lot of "Not disclosed" from ESET :thumbd: I think that they should disclose this information.
    A user that is installing an AV should have some basic trust in AV vendor. Otherwise it's better not to install their software.
     
  3. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,558
    They list Trend Micro as an American company, but I thought they relocated to Japan.

    Also interesting that none of the Chinese companies were tested.
     
  4. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I am amused by McAfee's "all in" stance, would have been better PR to just "No Comment" everything.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,042
    There are a lot of "red squares" with most USA-based AVs (Fortinet is an exception).
     
  6. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Interesting how Webroot transmits everything, including local IP address. They claim not to transmit any personally identifiable information.
     
  7. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    I am not really surprised about the results. However, I am not really sure about some of AVC's wishes though. For example:
    I agree that people should be able to opt out, and our products do allow you to do exactly that and even ask whether you are okay with it right during installation. However, it is impossible to maintain the same level of protection and usability if users decide against submitting data. That's just a fact and I am sure AVC is fully aware of that. Crystal ball cloud technology hasn't been invented yet, so unless you tell us which file you want information about, you can't possibly expect to get any useful information back. The alternative would be to just store the several hundred gigabytes large cloud database on the user's PC. But I am pretty sure nobody wants that. Not even AVC.
     
    Last edited: Apr 29, 2014
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,045
    Location:
    USA
    I am also concerned about this. When I had learned that Kaspersky and Norton both had vulnerable OpenSSL components in them and fixes were being worked on, I asked about it on the ESET forum. A user posted what they thought was the answer, but my request for a reply from the Staff to verify it went unanswered. I had the feeling it was more of an issue of it being ignored rather than overlooked. The results of this just reinforce that feeling. I hate to judge them harshly, but without answers I am left to make assumptions.

    It's disappointing to see that Fortinet, Symantec, and Vipre were the only USA-based vendors that answered all of the questions.
     
  9. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    75
    "Are visited URLs (malicious and non-malicious URLs) transmitted?"

    Well that's frankly frightening. Every visited URL is sent to the vendor, not just the ones found to have malicious files? Excuse me while I uninstall my anti-virus.
     
  10. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    I think the question AVC posed is misleading/incomplete. Most AVs transmit hashes of URLs, not URLs in plaintext, and then compare the hash against the database. The way the question is asked, you can't draw your own conclusion about what exactly is transmitted: hashes or plain URLs.
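
The hash-based lookup described in the post above, as an added example that is not part of the original thread or any vendor's code. SHA-256, the canonicalization rule, the function names and every `*.example` URL are assumptions made for illustration; the last function shows why an unsalted URL hash still identifies any page the receiving side already knows.

```python
import hashlib
from urllib.parse import urlsplit

def canonicalize(url):
    """Assumed rule: lower-case host, drop scheme, port and fragment, keep path and query."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    query = "?" + parts.query if parts.query else ""
    return host + (parts.path or "/") + query

def url_digest(url):
    """What the client transmits instead of the plaintext URL."""
    return hashlib.sha256(canonicalize(url).encode("utf-8")).hexdigest()

# Constructed sample data; every *.example URL below is made up.
BLOCKLIST = {url_digest(u) for u in (
    "http://malware.example/dropper.exe",
    "http://phish.example/login",
)}
VENDOR_CRAWL_INDEX = (
    "https://news.example/article?id=7",
    "https://shop.example/cart",
)

def cloud_lookup(digest):
    """Vendor side: the verdict is computed from the digest alone."""
    return "malicious" if digest in BLOCKLIST else "unknown"

def vendor_recognises(digest, known_urls=VENDOR_CRAWL_INDEX):
    """Privacy caveat: an unsalted digest maps back to any URL the vendor already knows."""
    table = {url_digest(u): u for u in known_urls}
    return table.get(digest)

if __name__ == "__main__":
    for visited in ("HTTP://Malware.Example/dropper.exe#top",
                    "https://news.example/article?id=7",
                    "https://bank.example/reset?token=CONSTRUCTED-SECRET"):
        d = url_digest(visited)
        print(d[:16], cloud_lookup(d), vendor_recognises(d))
```
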
     
  11. Sherlock_Holmes

    Sherlock_Holmes Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    1,447
    Location:
    Mumbai
    The only AV which doesn't send any personal info is Emsisoft - interesting
     
  12. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Thanks for sharing
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,042
    I wonder how much of this data transmission can be disabled by tweaking AV settings? I disabled Live Grid entirely and hope that this will prevent some data transmission.
     
  14. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    We do submit the name you gave your machine which may be considered personal information. The name is mostly for usability reasons to make it easier for the user to figure out which of his licenses is assigned to which of his devices:

    bJqAtol.png

    Personally I don't see it as a big deal, but if a lot of people disagree, we may be able to change the system so you can assign your own names to those licenses and not use the PC name by default.
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,045
    Location:
    USA
    Since you don't know what they are transmitting now because they did not answer the questions, there is no way to know what disabling Live Grid would change.
     
  16. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hmm yeah ESET is usually quite open about how their software works in discussions. Personally I wouldn't use an AV (or any other product) if I don't trust the developer/company behind it, so I will not disable anything like Live Grid as it's a quite important layer in the product. I'd rather use a fully functional AV than strip it down by disabling features and end up with a less effective solution.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,042
    Here is what they say about Live Grid in their help file:
     
  18. crapbag

    crapbag Registered Member

    Joined:
    Mar 14, 2011
    Posts:
    144
    This is interesting. Webroot sure do collect a lot. I get that AV's need to take proactive measures but do companies really need all this info to protect you? F-Secure pretty much make it a selling point that they won't give anything to anyone unless they come to Finland and steal their gear. I was using Antiy AV for my smartphone until I read in the privacy policy that they would collect personally identifiable information. I also wanted to try Ikarus AV but it says the same on their e-store. This could all be down to translation mind you. Makes you wonder. Thanks for sharing.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Brilliant idea for a report, so a BIG Thanx to AVC for doing it. I don't know why they didn't do a local MITM to decode the uploaded SSL data ? Next time they should, & it "might" be very revealing !

    Any vendor that refuses to disclose whether "Special" updates are delivered to users with specific IDs, should be treated with the Utmost suspicion that they have/do/will collaborate with, you know who !
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,042
    There is not only the question of what they will give to authorities. They can also suffer a security breach, just like any other company. IMO security-wise, companies shouldn't be collecting user information that is not absolutely needed.
     
    Last edited: Apr 30, 2014
  21. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
  22. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    In response to the recent report “Data Transmission by Internet Security Products” published by AV-Comparatives we would like to clarify our approach to user privacy and data collected.

    First of all, we want to set the record straight: we did not answer any question in the AV-Comparatives questionnaire. Obviously we receive some of these questions quite regularly and have responded to queries from many of our customers and partners to clarify any worries they might have. We received the AV-Comparatives questionnaire, however the naïveté with which parts of the bulky document asked for information, part of which is subject to our Non-Disclosure Agreement policy, led us to take a decision not to respond at all rather than cherry-picking which questions to answer. Thus AV-Comparatives did not receive any answers from ESET.

    The AV-Comparatives report based its conclusions mostly on their own interpretation of our EULA and limited analysis of encrypted network traffic. Not surprisingly, this can provide hardly any reasonable data, as the report rightfully confirms, and AV-Comparatives specifies that it takes no responsibility over correctness of the information provided.

    ESET has nothing to hide when it comes to user privacy. We are a vendor with our own proprietary technology and are in full control of the data we collect. We are based out of Slovakia, subject only to Slovak and EU legislation and we are not under pressure from any particular government.

    We operate under strict EU privacy laws. However, we sell worldwide to more than 180 countries, and are obliged to respect the privacy of all of our customers, many of whom are concerned about the collecting of personally identifiable information.

    Pioneering the cloud internet security technology, we started utilizing statistical data and collecting suspicious samples back in 2005, launching ESET ThreatSense.NET® - now called ESET LiveGrid®. The user decides during installation of our products if he/she wants to participate in ESET LiveGrid®. The reason we introduced this feedback system was to get an early warning of fresh heuristically detected threats and new strains of malware, and at the same time to enable us to respond quickly in case of problematic detection which causes false positives. Telemetry collected from our users helps us prioritize and focus in a timely fashion on the most important and significant security issues. The technical data that we collect is anonymized and does not contain any personally identifiable information.
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,042
    @mrtwolman Thank you for clarification!

    Nice to hear :thumb:
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,045
    Location:
    USA
    Good to know and thanks for posting.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Nice report, though it would be more interesting if connection security was also looked at.
    Does it use SSL/TLS for both data transmission and updating? What protocol version and cipher was used? Does it check for revocation? Does it check authenticity of update files? Are they digitally signed?

    Dr. Web for example updates via HTTP, uses CRC32 for hashing o_O, and files are not signed.
     