Which AV products work without Internet? And which can be configured to do so?

Discussion in 'other anti-virus software' started by mirimir, Feb 16, 2017.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    There's a quandary for Windows users who want protection against viruses, but also have hardcore concerns about privacy. Given the current threat environment, it's become common for AV software to share user information with providers. That apparently includes URLs, executables, documents, and running processes.[0] At least some of that is arguably essential, and I don't mean to trigger debate.

    But let's say that a user wants AV protection, but also doesn't want to share anything with the provider. Which AV products can be configured for strict local operation? Based on the AV-Comparatives report, it seems that AhnLab V3 Internet Security transmits only file hashes to its servers. While that may be a defect, from the security perspective, it's good from the privacy perspective. And I wonder, can hash transmission be disabled?

    From the AV-Comparatives report, I get that users can opt out of transmitting files to the provider for most of the surveyed products: Avast, AVIRA, Emsisoft, eScan, ESET, Fortinet, F-Secure, G DATA, Kaspersky Lab, Microsoft, Panda, Sophos, Symantec and Vipre. But I wonder whether users can opt out of transmitting anything to the provider. Also, I wonder which of those AV products will work, as basic old-school signature and heuristics scanners, without any Internet connectivity.

    I'm going to ask on support forums. But if you can share likely possibilities, please do.

    I also get that users can't opt out of transmitting files for AVG, Bitdefender, BullGuard, McAfee, Trend Micro and Webroot products. If that's inaccurate, please share.

    0) https://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    The AV-C report referenced is almost 3 years old.

    Most AV products have options that can be set limiting data that can be sent back to the vendor. Today, cloud reputation scanning is a major protection feature. It can be optionally disabled, but doing so greatly increases your risk of malware infection.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, I get that. But I haven't found anything newer. Also, I doubt that data exfiltration has become less prevalent ;)
    Yes, that's the information I seek :) Which ones have which options.
    Yes, I get that. Indeed, Sophos WebIntelligence apparently uploads and redownloads entire web streams![0]

    0) https://community.sophos.com/produc...on/7722/home-version-for-mac-sending-out-data
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Easy solution is outbound firewalling the AV. Windows Firewall Control will do it. Firewall rules can be set manually too; the default is to block unsolicited inbound traffic but allow all outbound traffic, but that can be changed. I don't think most AVs would like that these days because they are continually updating definitions, but they would still work with the loss of the cloud functionality. If that involved communicating with an IP or domain that was stable, an exception could be made. Definitions can be updated manually.

    I don't depend on an AV for security in Windows. Locking down the system and limiting privilege is far more effective. AVs, by necessity, operate at a high privilege level, which means that any exploitable flaws in them would be serious. And I've found most of them to be bloated and intrusive, so I just use Windows Defender/MSE for scanning for well-known malware, and that mostly happens when dealing with someone else's computer or hard drive.
     
  5. NWOAbschaum

    NWOAbschaum Registered Member

    Joined:
    Feb 9, 2014
    Posts:
    222
    Location:
    Germany
    Hm, I think all AVs nowadays need an internet connection. If you are worried about privacy, almost the only vendor left is Emsisoft, where you can opt out of almost anything.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    With ESET you can disable sending of samples and anonymous statistics, and the whole LiveGrid also (online reputation service). The AV still needs to update to work correctly, and it also checks licence information.
     
  7. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Do you necessarily need an AV? Have you thought about using any program like Sandboxie (http://www.sandboxie.com/), SSRP (http://iwrconsultancy.co.uk/ssrp/) etc.? With the correct hardening of Windows (block unsigned elevation, set UAC to max, use SUA, use Chromium (use ungoogled chromium if you don't want Google BS...)) it can be very hard to beat.

    Many people are already suspicious of the efficiency of AV against some types of malware; being without access to the internet makes it even harder for an AV to operate.
     
  8. guest

    guest Guest

    @mirimir don't use AV (because you need database updates or cloud), don't use any licensed software (for obvious reasons).

    So what choices are left to you? Linux with Firejail! :D

    Have a good day :)
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    No AV vendor offers an absolute, complete opt-out for an installed product.

    Your only real option is to use a portable scanner, update it on a system that cannot be connected to you personally in any way, and then run it periodically on your system. Before doing that you would have to create the required block firewall rules for the portable scanner on your system.

    I would assume, since you are hardcore about privacy, that you know not to use a single Microsoft product - especially Windows - and that you've done a complete audit of any OEM hardware\firmware network activity via SYSTEM that can be connected to you personally. Not all network activity is exposed through the filtering platforms; there's stuff going on below the radar.
     
    Last edited: Feb 17, 2017
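
The outbound blocking that MisterB (post 4) and Lockdown (post 9) describe, as an added example that is not part of either post: a PowerShell function using the built-in NetSecurity cmdlets to create one outbound block rule per executable in a scanner's folder. The function name, the rule group name and the `C:\Tools\PortableScanner` path are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Names and paths are hypothetical.

function Block-ScannerOutbound {
    param(
        [Parameter(Mandatory)] [string] $ScannerDir,
        [string] $Group = 'Scanner outbound block (example)',
        [switch] $LogBlocked
    )
    if (-not (Test-Path -LiteralPath $ScannerDir -PathType Container)) {
        throw "Directory not found: $ScannerDir"
    }

    # Drop rules from an earlier run so the set matches what is on disk now
    # (an updated scanner may add or rename executables).
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # A program rule matches one exact path, so create one rule per .exe.
    Get-ChildItem -LiteralPath $ScannerDir -Recurse -File -Filter '*.exe' |
        ForEach-Object {
            New-NetFirewallRule -DisplayName "Block out: $($_.Name)" `
                -Group $Group -Direction Outbound -Action Block `
                -Program $_.FullName -Profile Any | Out-Null
        }

    # Optional: log dropped packets so attempted connections can be reviewed
    # in the firewall log. This is a profile-wide setting.
    if ($LogBlocked) {
        Set-NetFirewallProfile -All -LogBlocked True
    }

    # Return the rules with their program paths for review.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Program = ($_ | Get-NetFirewallApplicationFilter).Program
                Enabled = $_.Enabled
            }
        }
}

# Example call (hypothetical path):
# Block-ScannerOutbound -ScannerDir 'C:\Tools\PortableScanner' -LogBlocked
```

In Windows Firewall a block rule takes precedence over an allow rule, so an exception for a stable update address cannot be layered on top of these rules. It needs the other approach mentioned in post 4: a default-block outbound policy with an allow rule scoped to that address.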
  10. guest

    guest Guest

    Exactly, a privacy paranoid using Windows is a paradox :)
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, I should have said that this is for an article that I'm writing :) I only use Windows VMs for testing stuff.

    @MisterB -- Yes, I'm going to recommend firewalling, in addition to disabling exfiltration.
    @NWOAbschaum & @Minimalist -- Thanks, I'll check out Emsisoft and ESET.
    @ExtremeGamerBR -- This is for an article, and most of the audience probably uses Windows with AV.
    @guest -- Well, I use Linux, and for sure I'll recommend that instead of Windows or OSX with AV.
    @Lockdown -- That's good advice, but probably too much for my audience. But I'll recommend some of it.
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @mirimir - another article for IVPN ?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe so ;)
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I read your stuff there.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Cool :)

    I like writing for them, but I've gone so far off the edge that it's hard to imagine what might be of general interest :rolleyes:

    What would you like to see?
     
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I use IVPN. Not for privacy or anonymity, but for reliable encryption, up-time and speed. Oh sure, I could get that from SecurityKISS or similar, but IVPN secures their servers better than average.

    You might want to write about server security. It's not something users consider at all when selecting a VPN\proxy service. If I can get my dirty little paws on a server via direct or indirect access, it doesn't matter - everybody's encrypted\obfuscated traffic is pwned.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Thanks :) That was one aspect of https://www.ivpn.net/privacy-guides/18-questions-to-ask-your-vpn-service-provider and I had thought of including answers from various providers. But there was just too much ambiguity. Some answers obviously came from clueless support staff. Others clearly came from technical staff. And there's no way for users to verify. We can test their client software for leaks. And we can test for messed-up port forwarding. But it's not workable for IVPN to publish about pentesting competitors' servers ;) So anyway, I'm not sure what else to say about the issue.
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I see your point. What I really meant was to cover it IVPN-centric. You're absolutely right - what can be found for most of the others is apt not to be accurate or simple, outright disinformation. Ask most VPN\proxy services about their server security and you will get the runaround or the deer-in-the-headlights answer.

    If you're working on a comparative analysis it isn't a good topic. I agree. "Smoke-and-Mirrors."
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, I've looked at some EULAs and privacy policies. And it seems impossible to tell which AVs will let users opt out of which sort(s) of exfiltration. So I've decided to install and test several.

    AhnLab was AV-Comparatives' recommendation for privacy freaks,[0] but it's not even included in the 2016 Summary Report.[1] Not so good, then? Emsisoft and ESET have been recommended by @NWOAbschaum and @Minimalist respectively, and they are both top-rated products. That's three, so far.

    But that leaves 12 more that, according to AV-Comparatives, permit opting out of at least some exfiltration: Avast, AVIRA, eScan, Fortinet, F-Secure, G DATA, Kaspersky Lab, Microsoft, Panda, Sophos, Symantec and Vipre.

    And that's too many! I'll include Microsoft, because it's arguably a "default". Plus AVIRA Anti-Virus Pro, Kaspersky Internet Security and ThreatTrack VIPRE, based on AV-Comparatives' 2016 Summary Report.[1] But not Bitdefender Internet Security, because one can apparently not opt out of exfiltration. That makes six total to test.

    Anyone have an argument for two of these: Avast, eScan, Fortinet, F-Secure, G DATA, Panda, Sophos or Symantec?

    0) https://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf
    1) https://www.av-comparatives.org/wp-content/uploads/2017/02/avc_sum_201612_en.pdf
     
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @mirimir

    Ikarus - a basic scanner

    Their privacy and data protection declaration - you have to read carefully because not all items apply to the PC; some apply to Enterprise (cloud) or mobile device.

    I've used Ikarus. You get personal, focused attention via support - something that a user can get from few vendors. Ikarus is about as good as Avira. It's a simple scanner - a lot like Windows Defender with a few additional features.

    https://www.ikarussecurity.com/solu...tection/ikarus-mobilesecurity/privacy-policy/

    https://www.ikarussecurity.com/solu...s-mobilesecurity/data-protection-declaration/
     
  21. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    AV products don't really work without internet nowadays.
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Thanks :) But damn, I have enough to test already :eek: I doubt that I'll add one that AV-Comparatives hasn't rated.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, I appreciate that they can't work as well. But there's a trade-off re security vs privacy. I'm just reporting about it.
     