
How Antivirus Companies Handle State-Sponsored Malware - hatchan
https://www.schneier.com/blog/archives/2013/12/how_antivirus_c.html
======
CaptainZapp
I remember the BMG Sony rootkit scandal vividly
(http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)

Most of all I remember that the only company not willing to sit tight was
F-Secure. They contacted BMG Sony and were about to go public when Mark
Russinovich publicized this atrocity. At least that's how I recall it.

It's since then that I have zero faith in security software vendors.

------
salient
NSA doesn't need to ask anti-virus companies to ignore certain malware, as
long as Microsoft is handing them lists of _fresh_ Windows vulnerabilities
months before they even begin working on fixing them.

http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html

Until that policy changes at Microsoft, at least 90 percent of PC users
will never be truly safe.

~~~
eliteraspberrie
That program is MAPP (Microsoft Active Protections Program). [1] All
governments (except Iran, Syria, etc.) are part of it, as well as hundreds of
private companies internationally. Of course, vulnerabilities are routinely
leaked. [2] Other programs include the SSI (Shared Source Initiative) [3] by
which governments get access to the Windows source code, and the GSP
(Government Security Program) [3] which helps governments find vulnerabilities
in said source code.

Not to mention COFEE [4] -- I wonder how many antivirus products detect that,
especially since its source code was leaked...

[1] http://technet.microsoft.com/en-us/security/dn467918

[2] http://www.zdnet.com/blog/security/microsoft-kicks-chinese-company-out-of-vulnerability-sharing-program/11853

[3] https://www.microsoft.com/en-us/sharedsource/default.aspx

[4] https://wikileaks.org/wiki/Microsoft_COFEE_(Computer_Online_Forensics_Evidence_Extractor)_tool_and_documentation,_Sep_2009

------
pilom
There are now some companies which provide non-signature-based anti-virus
detection to potentially detect zero-day malware. Most of them work by
spinning up a VM, running or opening the file to be checked, and verifying any
changes to the system. Check out http://www.fireeye.com/ (funded by the CIA's
startup incubator In-Q-Tel), http://www.fidelissecurity.com/ (from General
Dynamics), and Northrop Grumman is releasing one soon too.

Not sure if I'd trust these companies more or less than the signature based
companies.
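The behaviour-based check pilom describes, reduced to its core idea as an added example (not code from the thread or from any vendor named in it): snapshot the file system, run the sample, snapshot again, and report what changed. The sample program here is a constructed, harmless one; a real sandbox does this inside an isolated VM and also watches the registry, processes and network.

```python
"""Toy behavioural analysis: diff a directory before and after running a
sample. Constructed example; only the file system is observed."""
import hashlib
import os
import subprocess
import sys
import tempfile


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Classify paths as created, deleted or modified between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def observe(sample_source, timeout=10):
    """Run a Python sample in a scratch directory and return the change set.
    Assumption: the sample is Python source executed with the current interpreter."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed pre-existing file so that modifications can be observed.
        with open(os.path.join(workdir, "hosts.txt"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        before = snapshot(workdir)
        subprocess.run([sys.executable, "-c", sample_source], cwd=workdir,
                       timeout=timeout, capture_output=True, check=False)
        after = snapshot(workdir)
        return diff_snapshots(before, after)


# Constructed, harmless sample: drops a new file and appends to an existing one.
SAMPLE = "open('dropper.bin', 'wb').write(b'x'); open('hosts.txt', 'a').write('evil')"

if __name__ == "__main__":
    print(observe(SAMPLE))
```

Flagging behaviour rather than a known hash is what lets such a system notice malware no signature has been written for; it is also why a result like "created dropper.bin, modified hosts.txt" still needs an analyst to decide whether that is malicious.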

~~~
seefriek
I deployed FireEye over a year ago, and can confirm it's very good at spotting
malware that most AV vendors don't. I can't, however, confirm it doesn't have
back doors so that three-letter agencies can tell it not to detect something
they don't want it to.

------
homersapien
I bet that if you had asked AT&T and the like - before they got caught - if
they gave the NSA warrant-less access to U.S. citizens' communications, they
would have also said "no."

------
eliteraspberrie
I doubt the NSA needs to co-opt antivirus companies, they are already
worthless. Besides, Kaspersky for one is lying. His company works closely with
the FSB:

 _We have very good relations with both the FSB cybersecurity department and
the Moscow police department. They know us. They know us as people who support
them when they need it._

[http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/](http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/)

(edit:) and the FBI:

 _Even the USA: we periodically consult for the FBI._

[http://www.rusrep.ru/2008/32/interview_kasperskiy](http://www.rusrep.ru/2008/32/interview_kasperskiy)

------
hawkharris
I enjoyed the article, but explicitly asking anti-virus companies if they have
complied with such a government request seems silly.

It's like asking a politician, "Have you ever been unfaithful to your wife?"

"What's that? No? Okay, well you heard the man. Time to move on."

~~~
Nimi
Agreed. This sounds like a debate that could be settled by testing different
antivirus products (and their old versions) against state-sponsored malware.

~~~
privong
I'm not sure that's a good test; any publicly known example of state-sponsored
malware is almost certainly in current antivirus software. Since they're publicly
known, there's no advantage to continuing to be sneaky about it — it would
certainly tip people off that the companies were under the thumb of a
government. And testing older versions probably won't help, because you can't
prove that the company knew about them before the rest of us did.

------
r0h1n
Isn't the more telling part the cos. that haven't responded till now? Notably
US ones Symantec and McAfee.

------
hackula1
I always assumed they handled it through Accounts Receivable.

------
diminish
>>ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro confirmed the
detection of state sponsored malware, e.g. R2D2 and FinFisher; they have never
received a request to not detect malware. And if they were asked by any
government to do so in the future, they said they would not comply.

Glad to hear we're safe.

------
enkephalin
>> _My reasoning is that antivirus is a very international industry, and while
a government might get its own companies to play along, it would not be able
to influence international companies._

This sounds more like an assumption than reasoning. Given all we know to date
about the operations of the NSA and the CIA (they collaborate closely at
times), we should not be so hasty in dismissing such an important topic.

>> _Understanding that the companies could certainly lie, this is the response
so far: no one has admitted to doing so._

Well... they wouldn't, would they.

