The creation of viruses goes way back in computer history, but the commercial explosion of virus remediating software began in earnest in 1987. Several virus removal programs were released in that year, including McAfee Company’s VirusScan software, and Ross Greenberg’s Flushot Plus. Viruses have proliferated and grown in complexity since then, and in the 1990s an industry sprung up to counter this trend.
In this post we’re going to address commercial AntiVirus software aimed at the consumer market in terms of efficacy, security and privacy. Businesses have different needs, have different networks to protect and use different sorts of endpoint security solutions.
Antivirus software has long been considered dangerous on security grounds, because it requires a high level of privilege to monitor all system files, and to take action to isolate suspicious files or code in execution. This level of trust means the user must give complete control to the antivirus software and hope it does not abuse its unique and powerful position on the system.
Antivirus programs have long had a dubious reputation for security problems. Some of the less reputable vendors have long been suspected of creating viruses to bolster their sales, and there is always the risk that an antivirus program will introduce critical new security issues. This is due to a combination of factors: they run in kernel (privileged) mode, they can be counted on to react aggressively to certain inputs, and they are a prime attack target. Conventional vulnerabilities have been found in a long list of vendors’ products over the years; it seems inevitable.
A famous example of an antivirus program being compromised was the attack on Norton Antivirus programs discovered in 2012, affecting all enterprise and most consumer products. They had been compromised back in 2006 but not discovered until Google found it six years later. According to the parent company, Symantec, “An attacker could potentially run arbitrary code by sending a specially crafted file to a user.”
Google’s Project Zero researchers in 2016 found 25 high-severity bugs in Norton security products. In recent years those same researchers found similar vulnerabilities in many of the antivirus products on the market, including Kaspersky, Trend Micro, McAfee, and Comodo.
So why is antivirus software a privacy concern? Aside from the obvious fact that if malicious code runs on your machine, it can find and steal things like files and passwords, there are some troubling privacy issues with antivirus software.
One privacy issue involves protecting you from malicious URLs. How to flag the millions of constantly changing known dangerous URLs? Antivirus vendors accomplish this by sending each URL you interact with to a central server where it can be checked against a database of bad URLs. The downside to this approach is that the antivirus vendor can easily keep track of every site you visit!
Many URLs these days use HTTPS, which means an encrypted communications channel is created between your computer and the server, and all data sent back and forth is not viewable to anyone else. Antivirus programs, however, must intercept the request and decrypt it in order to check the safety of that URL.
They do this by using a proxy that interacts with your web browser using a certificate from the antivirus vendor instead of from the target website – which has serious consequences that go well beyond simply eavesdropping on your interactions with websites. According to a 2017 study done by academics and people who work at Google, Cloudflare, and Mozilla, these antivirus solutions that proxy your secure connections “drastically reduce your connection security.”
This drastic reduction in connection security arises from the fact that the antivirus software is now in charge of checking the safety and validity of server certificates and in charge of encryption protocol negotiation. Browser vendors put a lot of effort into getting this right, and many Antivirus vendors do not have comparable resources or motivation.
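The settings an interception proxy takes over from the browser are exactly the ones below. This is an added illustration, not code from any antivirus product: a deliberately weak TLS client configuration next to a hardened one, with a small audit function that reports which of the three guarantees (chain validation, hostname matching, minimum protocol version) a given context actually enforces.

```python
import ssl

# Added example. The "weak" settings are constructed to illustrate the
# failure modes described in the text; they are not taken from any vendor.


def weak_client_context() -> ssl.SSLContext:
    """A client that trusts any certificate, any hostname and any TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # no chain validation at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # downgrade possible
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What a browser-grade client enforces: roots, chain check, hostname, TLS >= 1.2."""
    ctx = ssl.create_default_context()            # system roots + CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # set explicitly for older Python versions
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means all three checks are in place."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the requested hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

Whichever component terminates TLS on the user's behalf (browser or proxy) must pass this audit; a proxy that fails any check leaves every site the user visits exposed to that weakness.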
The way most vendors identify dangerous files is similar. They keep massive databases of known bad files spotted in the wild, and use these to diagnose troublesome programs. This is commonly done by uploading and comparing a hash (cryptographic fingerprint) of the file to the fingerprints of all the known bad files. Sometimes the entire files are uploaded for analysis if they are suspicious.
That’s problematic because executable code can exist in some of your “data files” like spreadsheets and word processor files. Your private documents will sometimes be uploaded if you are using antivirus software from Avast, Kaspersky, Symantec, Fortinet, and probably also from McAfee, Microsoft, Trend Micro, ESET, Webroot and others.
Many of these products will not allow users to opt out of uploading non-executable files. This caused at least one US national security breach in 2017, when files from a federal contractor were uploaded to Kaspersky Labs. If the files are sent unencrypted then anyone on the network, or between you and the server, can read those documents – that you thought were private.
You might wonder what other information gets uploaded as well, and you would be right to wonder. Antivirus vendors want to optimize for your specific hardware and operating system, and sometimes might need to know details like which Windows service packs you have installed to avoid conflicts. You won’t need to worry about any such conflicts if you use Microsoft’s Defender software, but there have been issues with other vendors’ products.
They also may want to send and check more specific details so they can verify the license key, and avoid supporting pirated copies of their software. About half the companies surveyed by AntiVirus Comparatives sent Windows usernames, along with country and language settings. As if sending all this metadata wasn’t bad enough, many antivirus programs will change the settings for certain things on your machine as well, e.g. browser homepage, default search engines, etc.
One annoying, risky and privacy unfriendly behavior noted in some antivirus software is the installation of third party software on your machine. Many, if not most of the free antivirus programs install various software on your system and change settings. Browser toolbars, web utilities and adware seem to be the favorites but in theory you could be getting any sort of malware or adware too.
Cooperation with governments has long been a concern regarding antivirus software for the privacy and security conscious. These programs operate with the highest privileges in order to be able to inspect and take action in response to any file or process on the system. For that reason they are choice targets for state actors who wish to get persistence on computers.
Kaspersky antivirus software routes its data through servers in Russia, and according to the Washington Post, sometimes uses a technique that “detects computer viruses but can also be employed to identify information and other data not related to malware.”
The FBI has warned major US companies about using Kaspersky software, and the National Intelligence Council concluded that Russian Intelligence had probable access to customer data. The US government and potentially others might want to do the same, because as one former NSA operator explained, “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”
There have long been bad actors in the crowded antivirus industry that have been surveilling customers and collecting and selling their data. Their security benefits are debatable, but they are certainly a losing proposition in terms of privacy. If you intend to install antivirus software on your computer, do your research beforehand and choose carefully.
The best way for individuals to use antivirus software is to use a local scanning program and download signature files to scan with. Whether you choose to do this or not, it’s important to develop lifelong safe computing behaviors. Pay attention to where you go online and watch what you click on. Think twice before any risky activity.
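The hash-comparison approach described earlier does not require uploading anything: the same check can run entirely against a signature file kept on disk, which is the local scanning the paragraph above recommends. The following is an added example (not code from any antivirus product); the signature list and the sample files it scans are constructed inline, and the hashes are not real malware indicators.

```python
import hashlib
import os
import tempfile

# Added example: local hash-based scanning. Files are hashed in chunks and
# compared against a signature file on disk; nothing leaves the machine.

CHUNK = 1 << 20  # 1 MiB reads so large files are never loaded whole


def load_signatures(text: str) -> dict:
    """Parse 'sha256  label' lines (constructed format); '#' starts a comment."""
    sigs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        sigs[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else "unnamed"
    return sigs


def sha256_file(path: str) -> str:
    """Fingerprint one file without reading it into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, sigs: dict) -> list:
    """Return (path, label) for every file whose fingerprint is in the local list."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            label = sigs.get(sha256_file(path))
            if label:
                hits.append((path, label))
    return sorted(hits)


def demo() -> list:
    """Build a throwaway directory of constructed files and scan it."""
    bad = b"constructed sample standing in for a known-bad file\n"
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "docs"))
        with open(os.path.join(tmp, "docs", "report.ods"), "wb") as f:
            f.write(b"harmless spreadsheet bytes\n")       # private document, stays private
        with open(os.path.join(tmp, "docs", "invoice.exe"), "wb") as f:
            f.write(bad)
        sig_text = "# local signature file (constructed)\n" \
                   + hashlib.sha256(bad).hexdigest() + "  Constructed.Sample\n"
        hits = scan_tree(tmp, load_signatures(sig_text))
        return [(os.path.relpath(p, tmp), label) for p, label in hits]
```

Refreshing the signature file is the only network activity this design needs, so the vendor learns nothing about which files, documents or URLs are on the machine.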
Update from 8/16: Ars Technica reports that for four years Kaspersky AV software has been injecting unique identifiers into users’ web traffic, making it possible to ID them even when browsing in private mode or using different browsers.