Avira watch - Eckzahn may be right IMHO

Discussion in 'other anti-virus software' started by NaClmind, Apr 10, 2010.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  2. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    i appreciate that ratwing. i should read some of Carvers threads.

    also: paranoia is a highly evolved survival mechanism. don't leave home without it :)

    i really don't want to bash Avira. i don't have to. they flog themselves pretty good. maybe i should reinstall AntiVir and share my firewall logs before trying the node32 demo.

    nite
     
    Last edited: Apr 11, 2010
  3. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    yikes. this should bug just about everyone but the truely blissfull.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @NaClmind

    Kaspersky AntiVirus Version 2010 reviews

    http://www.complaints.com/2010/february/9/Kaspersky_AntiVirus_Version_2010_reviews_227013.htm

    Crikey, what an eye opener :eek:


    @Espresso

    RE - google-analytics log

    Nice catch, and these are just the kind of FACTS we need :thumb: I've put google-analytics in my HOSTS now.

    Yeah "could be" geographical IP data to make sure we get the nearest servers, but who knows ? Other vendors have more suitable ways of closer IP location than using google-analytics, so if we can find out why Avira is doing this, so much the better.
     
  5. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    good reading eh?
     
  6. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Although 212.250.1.7 resolves to the questionably named dns-configuration.service.virginmedia.net , it appears to be an update server.

    Edit: Or maybe not... maybe it's just redirects. Dunno. What's the big deal anyhow? Is the assumption that this dns redirector is less secure than a nameserver with avira in the title?
     
    Last edited: Apr 11, 2010
  7. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    A lot of black helicopters in the air this morning. They come for me............and you.

    But I am smarter because a saw them first.
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Code:
    # dig avira-update.com
    
    ; <<>> DiG 9.6.2 <<>> avira-update.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18329
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;avira-update.com.              IN      A
    
    ;; AUTHORITY SECTION:
    avira-update.com.       263     IN      SOA     ns1.avira-ns.net. domains.avira.com. 2010032900 10800 3600 604800 1800
    
    ;; Query time: 126 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Apr 11 12:08:45 2010
    ;; MSG SIZE  rcvd: 100
    
    Now, personal.avira-update.com is CNAME for personal.avira-cdn.com which is a CNAME for de.personal.avira-update.com. Lets see where it goes:

    Code:
    # nslookup de.personal.avira-update.com. ns1.avira-ns.net
    ;; Warning: Message parser reports malformed message packet.
    ;; Truncated, retrying in TCP mode.
    Server:         ns1.avira-ns.net
    Address:        62.116.163.100#53
    
    Name:   de.personal.avira-update.com
    Address: 62.146.66.178
    Name:   de.personal.avira-update.com
    Address: 62.146.66.179
    Name:   de.personal.avira-update.com
    Address: 62.146.66.180
    Name:   de.personal.avira-update.com
    Address: 62.146.66.181
    Name:   de.personal.avira-update.com
    Address: 62.146.66.182
    Name:   de.personal.avira-update.com
    Address: 62.146.66.183
    Name:   de.personal.avira-update.com
    Address: 62.146.66.184
    Name:   de.personal.avira-update.com
    Address: 62.146.66.185
    Name:   de.personal.avira-update.com
    Address: 80.190.143.226
    Name:   de.personal.avira-update.com
    Address: 80.190.143.227
    Name:   de.personal.avira-update.com
    Address: 80.190.143.228
    Name:   de.personal.avira-update.com
    Address: 80.190.143.229
    Name:   de.personal.avira-update.com
    Address: 80.190.143.230
    Name:   de.personal.avira-update.com
    Address: 80.190.143.231
    Name:   de.personal.avira-update.com
    Address: 80.190.143.232
    Name:   de.personal.avira-update.com
    Address: 80.190.143.233
    Name:   de.personal.avira-update.com
    Address: 80.190.143.234
    Name:   de.personal.avira-update.com
    Address: 80.190.143.235
    Name:   de.personal.avira-update.com
    Address: 62.146.66.186
    Name:   de.personal.avira-update.com
    Address: 62.146.66.187
    Name:   de.personal.avira-update.com
    Address: 80.190.143.236
    Name:   de.personal.avira-update.com
    Address: 80.190.143.237
    Name:   de.personal.avira-update.com
    Address: 80.190.143.238
    Name:   de.personal.avira-update.com
    Address: 80.190.143.239
    Name:   de.personal.avira-update.com
    Address: 80.190.143.240
    Name:   de.personal.avira-update.com
    Address: 80.190.143.241
    Name:   de.personal.avira-update.com
    Address: 80.190.143.242
    Name:   de.personal.avira-update.com
    Address: 80.190.143.243
    Name:   de.personal.avira-update.com
    Address: 62.146.66.188
    Name:   de.personal.avira-update.com
    Address: 62.146.66.189
    
    So, the above is what the Avira free should be downloading updates from. I don't see 212.250.1.7 anywhere.
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    OK - but please make sure that the target of your attention is the right one.

    This thread is directed at Avira. Your comments then broadened out to security vendors as a group.

    Now, from current events, it's clear that a number of unethical groups out there try to separate you and you hard won money by playing on your fears regarding malware. These are genuinely fraudulent efforts. They don't have ulterior motives. Their motive is clear and it's theft.

    As for the references that you provided,

    1. http://www.gnu.org/philosophy/can-you-trust.html - Stallman comments regarding "trusted computing" and, more generically, the use of proprietary software (versus open source).

    2. http://www.computerworlduk.com/management/security/standards-law/news/index.cfm?newsId=19203 - commentary regarding cloud computing, privacy, and unpatched vulnerabilities.

    3. http://www.pcpro.co.uk/news/securit...r-admits-customers-still-dont-trust-the-cloud - Trust and cloud computing. Obviously, move your data outside of your possession and you lose a measure of control regarding it's possible use and dissemination.

    4. http://www.eweekeurope.co.uk/news/dont-trust-cloud-says-government-security-adviser-6061 - Another example of cloud computing and how sloppiness that you're not directly responsible for can compromise your confidential data

    5. http://www.v3.co.uk/vnunet/news/2191749/avg-kaspersky-fail-virus - Report on the failure of some AV products to make VB100 certification on a 2007 round of tests.

    6. http://www.v3.co.uk/v3/news/2258822/rsa-2010-encryption-anti-virus - Comment regarding potential shortcomings of classical (i.e. blacklist) AV technology as well as vulnerabilities of encrypted network based communications to certain types of attack

    7. http://remove-malware.com/antimalwa...ernet-security-2010-and-rogue-antivirus-fail/ - Example of NIS 2010 falling victim to a rogue malware application

    8. http://www.complaints.com/2010/february/9/Kaspersky_AntiVirus_Version_2010_reviews_227013.htm - Something of a rant regarding a "safe list" of providers mantained by KL

    9. http://www.itworld.com/security/100320/security-industry-faces-attacks-it-cannot-stop - Commentary regarding inability of AV products to deal with a specific exploit. Seems there is some question of the test methodology employed from the AV vendor side.

    10. http://lastwatchdog.com/antivirus-suites-fail/ - somewhat general comment regarding AV blacklist technology and zero-day malware.

    These references cover a wide and divergent group of topics.

    The Stallman reference is the only one that is conceivably focused on the question of the generic intentions of a vendor/provider, but even here the focus largely devolves to the philosophical question of open source vs. proprietary code bases. Cogent arguments can actually be made on either side of that argument.

    The issues regarding "cloud computing" are less related to possible intentions than sloppiness. My own opinion of cloud based security offerings is that most don't fundamentally change the playing field. There's somewhat of a change in the distribution of information in both directions, but this is really only a change in the distribution mechanism, not the end result. That doesn't mean it's not useful - there is a potential benefit in getting an earlier view of emergent threats. However, but there's a cost to that benefit in that users provide a vendor a constant stream of information. As far as I know, vendors strive to eliminate any user connected data, but it's a potential issue from the privacy angle.

    With respect to cloud platforms for data retention, it's once again a good-bad scenario. The good - the cloud provides instant access from any networked device. The bad - that level of access is not always a good idea. A measure of control is lost and you rely on the diligence of others. For some things that's fine, but not for others.

    I'd hope that everyone on this site has a good appreciation of some of the fundamental issues of blacklist technology employed by the majority of AV products. Their efficacy is time dependent. That's a reality. In an environment in which communications are slow and malware does not evolve that's not much of an issue. However, instantaneous networked communication coupled with mutating threats yield a fundamental mismatch. My own view is that unless one restricts downloads from validated and curated sites, blacklist technology remains a needed tool. However, it's a tool with limitations that need to be appreciated.

    Overall, none of these examples address the insinuations that were painted so broadly above.

    If you're going to make a specific accusation, and this thread is specifically about Avira, you should back it up with facts not fluff. If you want to pursue a more general philosophical discussion, that's fine as well and is actually what your references suggest, just try to appreciate the difference.

    Blue
     
  10. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    If I look in Process Hacker Ive got AVWebgrd.exe connecting out to eBay, Google, and random IP addresses.
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... that's the web proxy IIRC, so... doesn't it go anywhere you are browsing ATM?
     
  12. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Can anyone elaborate on the China issue mentioned on the Avira forum and Wilders ?
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    If I close FF which is my default browser and only browser that gets used it still connects out. If I actually went to eBay when it was connecting out that would be great, I wouldnt have an issue with that, but I was never on eBay when it connected out to eBay.
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... FF is not the only thing that uses port 80 to connect out on your computer. So, you need to make sure absolutely nothing else is connecting out via HTTP.
     
  15. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    430
    So Avira (Free) is spyware too? Selling our personal data to Google etc. :shifty:
     
  16. pasha101

    pasha101 Registered Member

    Joined:
    Nov 28, 2009
    Posts:
    34
    Have any of these accusations been proven? Or is this more about a few people speculating what is going on. Either way is good by me, just curious. I have no dog in this fight, I used Avira for the last several years but recently switched due to other issues I had with ver. 10 on my computer.
     
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    From my vantage point (as a simple observer, I don't use the product now and haven't in the past either), nothing has been proven and it's idle/unsupported speculation using arguably disconnected and/or misunderstood bits of isolated information thus far.

    Blue
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, the avnotify.* Google issue is easily confirmed, as shown here, plus even with very simple tools like KPF 2.1.5 or whatever that tracks connections.

    For the resolver, I'd bet their bundled junky resolver is behind most of the "does not update" issues out there, which flood the Avira forum since their latest release.

    Wrt the webshield, I did not try and have no intention of installing this thing somewhere to confirm. As I noted, you need a firewall that blocks all outbound HTTP traffic except for the traffic originated by Avira stuff to confirm.
     
  19. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    Field day for Avira haters, specially users of other inferior products who regularly get their behinds kicked by Avira ;), quite understandable :), if this is truly an issue, Secunia, av-comparatives and others would be on it, so far all I see here is unsubstantial claims and nothing more. People keep talking about update issues, out here I have Avira free on two machines, one with a slow 1mbps connection, one with an horrid 144kbps wireless connection and am yet to face any update issues.
     
  20. NaClmind

    NaClmind Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    15
    Chinese hacker 'systems' are monitoring just about all communications on the web. It's at least doubled traffic load on all major server nets. I'll try and find a good SEO comment link for you. To paraphrase several sources: China is a repressive nation & rogue outfits of all kinds want what we have. They need to 'get in' on the action but their gov is clamping down so the spy-bots and vulnerability scanners are rampant. Subversion tactics are the norm. The google lock-down is causing a lot of people, private and official, to hire the services of hackers to do what we take for granted on the internet. The search engines are full of this stuff now. Not hard to get good info. ;)
     
  21. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Well, I could say that there is a "movement" against Avira lately. None of my business really, but I believe both sides are wrong here.

    The anti-Avira "movement" may be right or wrong but there is the fact that seems to be a research behind and somehow accurate and methodical hits.

    On the other side Avira did not manage to protect sufficiently its operations and produce good answers.

    The sure thing is that all this will pass soon and really there is no fear when there is a valid product that somehow stands there and "erases" some bad tactics, misunderstandings or bad decisions.
     
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I'll use the search engines later. :p

    So, have 'the Chinese' hacked Avira in some way ?
     
  23. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    did they respond already?...goota be good to hear from them...
    at least the complaints are there.in their own forum too.
     
  24. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Nah... Well, a moderator responded with bunch of absolutely meaningless replies - screenshots here and here. One more "explanation" wrt the registry key here. Wrt the Google traffic... complete silence, at least I haven't managed to find anything on their forums.
     
  25. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    432
    I don't see any point of your posts anymore. You have started a Thread for Avira, but till now we haven't seen anything about that (From You).

    I must say that i'm curious about AV's (and other security software) about where they send data (let's say using an Chinese Av is safe or not, and it does it sends something home that shouldn't)
    But again you spoke about one specific AV and not generally.

    Aren't they all doing that ? :ninja: :eek:

    http://www.pcworld.com/article/191312/tech_secrets_21_things_they_dont_want_you_to_know.html


    Now, just relax. :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.