Kaspersky AV injected unique ID allowing sites to track users in incognito mode (heise.de)
552 points by r0nny on Aug 18, 2019 | 155 comments

Interesting. I think it's time to get rid of this junk. I always had a bad feeling about AVs, due to repeated "extra vulnerabilities" they seemed to introduce, while not providing measurable added value compared to Windows Defender.

That Kaspersky is apparently too stupid to fix this leak properly even after it was pointed out, suggests to me that their developers obviously are incompetent and the trust in them doing AV right is approaching zero, if they can't even load a script into a website without leaking like the Iraqi marine.

Android AVs are data hoarding goldminers. The Android ecosystem is replete with AVs with questionable privacy policies. To me, it seems like most utilities on Android (like AVs) solely exist to compromise users' privacy. Some even bundle in free VPNs (and you can straight away guess why it's free).

One of India's largest telecom networks, known for self-enforced censorship via deep packet inspection, has an AV on the Play Store with 10m installs.

Some excerpts from their privacy policy [0]:

> Reliance Jio does not sell or rent any Personal Information.

Followed by:

> Reliance Jio may provide your information or data to its partners, associates, service providers and third parties as necessary or appropriate

> Any personally identifiable information provided by you will not be considered as sensitive if it is freely available and / or accessible in the public domain.

[0] https://www.jio.com/en-in/jio-security-privacy-policy

They don’t sell it or rent it, they give it away! That’s some pro-level weasel wording.

They're saying they sell your information, but not your personal information. And then they say that any information they get isn't personal.

Given that most private info such as SSNs have been leaked to the public domain, that covers quite a lot haha.

Reminds me of the WoT Extension "Data breach": https://www.makeuseof.com/tag/web-trust-data-breach-accident...

Getting rid of AVs is old news. If almost no one in infosec trusts using them then why bother?



Sometimes I get the feeling some are contrarian only for the sake of it. Advocating using windoze without AV is like advocating not using condoms because it doesn't feel good.

Windows with its built-in Windows Defender and your Common Sense 2019 Computer Professional Edition is going to be enough nowadays.

Just to clarify, does Common Sense 2019 Pro come with an ad-blocker for protection against malvertising? I still run into a lot of people who think malvertising isn't a thing. It was worse back when flash adverts were common, but it's still really bad

Install uBlock Origin for them and 99% of the problems are gone.

Unfortunately common sense is not very common

Fortunately, but how will the AV industry survive is the question?

As a rare Windows user (two or three times a year) I never trust a machine without an AV. Maybe things changed, but I see Windows as so unsafe that I would not even log in to regular email with it, let alone make online payments. I simply see that OS as a vulnerability by default.

I don't run Windows myself, but honestly: Remote exploitable Windows vulnerabilities on a default install are somewhat rare nowadays. MS has come a long way here.

I remember the smashing the stack for fun and profit windows days. It was so easy to inject shell code it was laughable. Btw can you still name a file smss.exe, run it, and not end the process with the task manager?

I just tried this on Windows 10 1903 and had no problem ending the process with task manager.

You live in the XP days.

The majority of the Windows haters I come across seem to be the same.


Since you've ignored our request to stop posting flamebait, we've banned this account.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.


I haven't run Windows outside a VM (and only then for FPGA/ASIC programming tools) in the better part of a decade myself and loathe every second of the time I do run it in a VM, yet I still think you are out of line here.

Maybe consider cooling off before posting more?


Perhaps your arguments would be more persuasive if you didn't immediately label anyone who disagrees with you a "fanboi".

Or if there was literally any substance to them besides ranting and whining.

Mate, seriously? Windows itself has come a long way to be considered stable. The real risk is user-space applications, like.. AV's.


Sorry to tell you that you simply have no idea of what you're talking about.

Windows really isn't as bad as its reputation when it comes to security. It goes for windows as it goes for any other OS: Don't install crap you cannot trust. Don't run everything as root (UAC). Think before you give anything elevated rights.

I have seen my share of ridiculous security flaws in ALL OSes. Anyone remember when you could log in on any MySQL server by simply trying enough times? That wasn't Windows specific! (back in 2012!)


But then, I don't trust Microsoft, either.

In Debian, I can be reasonably confident that no information leaves the system without my authorization.

Edit: Just out of curiosity, am I wrong in mistrusting Microsoft, or in trusting Debian?

If you are using Windows, I recommend using defender over any other AV option[0]. Understand, if you are already using Windows, you are already trusting Microsoft. If you don't trust Microsoft you probably shouldn't be using Windows.

[0] There are enterprise solutions that may be better for centralized control in a mixed environment (osx/Linux/windows). Please consult your CISO

I do agree with that.

Except that I do use Windows without trusting Microsoft. I use install disks that I've purchased ~anonymously for cash. And I only run VMs, which hit the Internet via nested VPN chains, and sometimes Tor.

So all the telemetry that Windows collects from the VMs you're running is sent to Microsoft through nested VPNs over Tor?

I don't think Microsoft minds or cares that your Windows VM telemetry gets send to them that way or any other way?

How are your VPNs and Tor helping you with the Microsoft you don't trust?

Microsoft can collect anything it wants from those VMs. Because they contain nothing that I don't want them to know. In particular, they don't contain anything about my meatspace identity.

Sometimes I do need to put data on VMs that I want kept private. For that, I clone a Windows VM, add a virtual disk containing the data, and then start it with no network connectivity. When I'm done, I detach the data disk, and delete the VM.

Are you sure they don't leak any information sufficient to identify you? Let's play this through; 33 bits of information leak your identity (assuming 8 billion humans)

If you set your timezone; that's already leaking 5 bits of information (37 timezones), it lets an observer narrow down your location. The times the VM is active can confirm this (by observing when the VM is more active vs not, your sleep pattern can be derived)

Your language setting can nail down north vs south hemisphere, that leaks another bit of information.

Since you come from a Tor endpoint, we can exclude with high probability old demographics and very young demographics (>65 and <14 years old), those seem to rarely use such tools. That eliminates about 34% of the population, leading to another 8 bits of entropy leaked. The usage pattern of the mouse can be used to confirm (shaky movements could indicate cognitive impairment common among elderly as well as usage habits like only using VMs outside common school times).

We're down to 19 bits; Only 500'000 people share these traits with you.

By profiling which websites you visit and the fact you're using tor, one can take a guess at your gender, likely male. Another bit is gone, 250'000 people left.

Identifying 1 in 250'000 people based on them using a VPN; depending on region between 18 and 30% of people use a VPN atleast once per month (statista), that fact alone leaves you with 13 bits on both ends of the range.

1 in 8000 people.

Are you certain you can hide among 8000 people? Because things like movies being watched or social network usage can further leak entropy and reduce your anonymity set. Your meatspace identity is protected by 13 bits.

And if you visit very specific websites, like LGBT-related content, this can be used to identify you as LGBT, moving you down to 4 bits of entropy. 16 people.
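The bit-counting in the comment above (and the replies that follow about skewed attributes such as hemisphere and gender) comes down to one formula: an attribute shared by a fraction p of the current anonymity set leaks -log2(p) bits, and the set shrinks by the factor p. The following is an added example, not code from the thread; it takes the "8 billion humans" figure from the comment, assumes the attributes are independent (which overstates the leak when they are correlated), and the fractions in PROFILE are illustrative assumptions rather than measured data.

```python
import math
from typing import Iterable, List, Tuple

# Population figure taken from the comment above ("assuming 8 billion humans").
WORLD_POPULATION = 8_000_000_000


def bits_to_identify(population: int = WORLD_POPULATION) -> float:
    """Bits needed to single out one person among `population` (log2 N)."""
    return math.log2(population)


def bits_leaked(fraction_sharing: float) -> float:
    """Information an observed attribute reveals: -log2(p), where p is the fraction
    of the current anonymity set that shares the observed value.
    A 50/50 attribute leaks exactly one bit; a 6:1 skew in your favour leaks far less."""
    if not 0.0 < fraction_sharing <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return -math.log2(fraction_sharing)


def anonymity_set(attributes: Iterable[Tuple[str, float]],
                  population: int = WORLD_POPULATION
                  ) -> Tuple[float, float, List[Tuple[str, float, float]]]:
    """Shrink the anonymity set one attribute at a time.

    `attributes` is a sequence of (label, fraction of people sharing the observed value).
    Independence is assumed (e.g. timezone and language are in reality correlated, so
    adding both over-counts). Returns (people_left, bits_left, ledger) where the ledger
    records (label, bits leaked by that attribute, people left afterwards)."""
    remaining = float(population)
    ledger: List[Tuple[str, float, float]] = []
    for label, p in attributes:
        remaining *= p
        ledger.append((label, bits_leaked(p), remaining))
    bits_left = math.log2(remaining) if remaining >= 1.0 else 0.0
    return remaining, bits_left, ledger


# Illustrative fractions (assumptions, not measured data): the attributes the comment
# above lists, with the population skews the replies point out.
PROFILE = [
    ("timezone, one of 37",           1 / 37),   # uniform over 37 zones: ~5.2 bits
    ("northern hemisphere (~6:1)",    6 / 7),    # a skewed binary attribute: ~0.2 bits
    ("aged 14-65 (excludes ~34%)",    0.66),     # excluding 34% of people: ~0.6 bits
    ("uses a VPN monthly (~25%)",     0.25),     # 1 in 4: 2 bits
]

if __name__ == "__main__":
    print(f"identifying one person among everyone needs {bits_to_identify():.1f} bits")
    people, bits, ledger = anonymity_set(PROFILE)
    for label, leaked, left in ledger:
        print(f"{label:30s} leaks {leaked:4.2f} bits, {left:15,.0f} people left")
    print(f"{bits:.1f} bits of anonymity remain")
```

Running it shows why the replies push back: excluding 34% of the population buys well under one bit, and a binary attribute only costs a full bit when the split is 50/50. To run the same sum for a different threat model, edit PROFILE; correlated attributes should be merged into one entry with their joint fraction.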

I'm not sure about timezones but there live about 6 times as many people on the northern hemisphere than the southern, so that's not one bit of information.

I know (and have known, unfortunately) multiple people over 60 that use Tor. Aha but such people are even rarer and therefore must be even easier to identify ... or are they? :)

In fact I know a handful of kids younger than 14 who have on occasion used Tor as well.

If you already (reasonably) assume the gender is most likely male, then you should know that is also less than one bit of information.

Etc. You need to try a bit harder :)

You know a handful of kids but kids aren't that likely to use tor, selection bias strikes again!

Same for over 60yo.

There are plenty of other ways to whittle away at the bits. I think you're overconfident.

For the most part, I only use Windows VMs when I need Excel for >50MB spreadsheets. Or to test Windows VPN clients.

Your analysis strikes me as implausible. Few adversaries could see all of those parameters. For example, it's typically Tor through a nested VPN chain. So it'd be nontrivial for a local observer to know that I'm using Tor. Or for a remote observer to know that I'm using VPNs.

And seriously, why would I use my meatspace timezone? But actually, I do sometimes, just to be more random. Also, my sleep schedule is highly irregular, as one can tell from my HN posting history.

It turns out that people's irregular sleep patterns are in fact not quite as irregular when you actually measure them. On the other hand, I believe HN posting history just says "X days ago" for posts older than a day, so you can't get fine grained schedules from that (I might have graphed yours, otherwise, just to see).

Right, you'd need to scrape HN real-time to get a detailed posting history.

About sleep schedule. I really don't have one. I work and sleep when I feel like it. And I nap. And I have modafinil and zolpidem available. And coffee.

If you charted my waking and sleeping times long-term, you'd find pretty much a random walk. I can be up as much as 30-40 hours, or as little as ~1 hour. And I can be sleeping for anywhere from ~1 hour to maybe 15 hours or more.

You're more likely to sleep at night than not, that's sufficient to establish your timezone with good accuracy.

Fefe, a German blogger, had this analysis done using his posting history on his blog, allowing readers to not only determine his timezone, but when he was travelling and where.

then, if I were to make a wild guess I'd say you're in Scandinavia or other high latitude place :)

Windows telemetry will know it's Tor. Irregular sleep schedules are usually very regular when looked at over a long time.

OK, Microsoft knows that some persona uses Tor. So what?

Sure, mine is "regular". In the sense of regularly random.

As mentioned, this lets Microsoft single you out as an individual that is using Tor, among other signals. That makes you quite identifiable.

Sure, "identifiable".

But they still have no clue who I am. Which is all that concerns me.

Are you sure? Because the step between "identifiable" and "your personal identity" is short. Recent studies found that social graphs between social networks for the same person almost perfectly match. If you have a social network account (Facebook/Twitter/Netflix/Amazon/etc.) and you also have a social network account in the VM (HN) then someone can match those identities.

But changing the timezone to a different value or providing a few false flags would cripple this line of thinking.

Not meaning to come across as mean, but could you explain your reasoning behind such precautions, and why they seem worth the extra effort to you? It would seem to me that if you just need to occasionally run an exe that you could most likely get it working with WINE.

Once I have a Windows VM that's stable, with the apps that I usually need, the rest of it takes little time. Mainly it's Excel that I need. And I need it to use all available CPU cores. I suppose that might work in Wine, but that seems like an iffy approach.

Why do I take such precautions? Well, I've been an anonymous coward for a couple decades. I've corresponded with many people, and played with many projects. I honestly have no idea who might be after me, or for what. Ideally, nobody, for nothing. But ...

Given that, I take whatever precautions I practically can.

And it's also a hobby. Perhaps like building little ships in glass bottles. But hopefully maybe useful to someone.

That setup doesn’t work with games, too - unless you’re willing to turn off your GPU in the main OS so that it could be used in the other guest.

I don't play games. And even if I did, I'd never pass a physical GPU to a VM. That's almost as iffy as direct access to physical storage.

The reason the Windows Defender is so good these days is https://docs.microsoft.com/en-us/graph/security-concept-over...

The idea is everyone pools their threat data and immunity to new threats can be rapidly disseminated via Azure. The time window any new malware has to exploit Windows 10 anywhere in the world is measured in 10s of minutes now. It’s impressive stuff. The ISG can spread immunity much faster than malware can spread itself.

Of course wearing my cynic's hat, they never bothered to backport it to Windows XP and that's why the NHS was hit with WannaCry. But the other side is that they had plenty of time to upgrade...

How does it help against new threats exactly, if they are not auto-detected in the first place?

Suspicious files - if you fully buy into the solution - are uploaded to Azure and “controlled detonation” in a VM assesses if they’re malware. Then a signature is generated and distributed. It’s super slick. MS are serious about rehabilitating their security reputation.

You are wrong about trusting Linux.

Linux would badly need AV if it was a more popular desktop OS. Right now the user base is just too small to be a valuable target.

A regular Linux distro (without SELinux or some kind of application sandboxing and a hardened setup including NOEXEC home, forbidding ptrace, ...) is very susceptible to compromise.

All it takes is somehow getting the system to execute one unprivileged shell script and your user is permanently hosed.

An attacker can spy on everything, including other applications' memory, unless they prevent it. Browsers are also easily compromised by just injecting an extension that can spy on everything.

Also the lack of dynamic firewalls makes it hard to monitor/prevent unwanted network traffic. (which could often be easily circumvented, though)

Yes, Linux distributions don't have protection against malicious software. If you download a third-party program and run it, it can read everything from your home directory, including cookies and browser history, it can inject itself into the browser process, it can see everything you type.

And if you decided to add third-party apt repository, for example, to use Node.JS or VS Code, you give permanent root access to the owner of repository. Also, some third-party .deb packages (for example, Slack) automatically add their repository and public key to apt sources list upon installation.

For example, there is a third-party repository, that allows installing multiple versions of PHP in Debian. This repository replaces cryptographic libraries provided by Debian with its own ones (you can see those packages here: https://packages.sury.org/php/pool/main/o/openssl/ )

Also, in Linux an unprivileged program, run under the "nobody" account, can read all unique hardware identifiers like MAC address, HDD serial number etc.
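The two apt points in the comment above (a third-party repository gets permanent root, and one such repository ships its own openssl packages in place of Debian's) are both checkable from the command line: `apt-cache policy <pkg>` shows which origin the installed version actually came from. The following is an added example, not code from the thread or from any project mentioned in it. It parses one-line-style apt sources and `apt-cache policy` output; the "official" host list is an assumption to adjust for local mirrors, and both sample texts are constructed for the example, with illustrative version numbers.

```python
import re
import sys
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts treated as official Debian origins (assumption: add your local mirror here).
OFFICIAL_HOSTS = ("debian.org",)


def is_official(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


# One-line apt source: "deb [options] URL SUITE [COMPONENTS...]"
SOURCE_RE = re.compile(
    r"^\s*(?P<type>deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(?P<url>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$")


def third_party_sources(sources_text: str) -> List[Dict[str, str]]:
    """Entries from sources.list (or a sources.list.d file) whose origin is not Debian's.
    Each one is a publisher with effective root on the box via package maintainer scripts."""
    found = []
    for line in sources_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SOURCE_RE.match(line)
        if m and not is_official(m.group("url")):
            found.append(m.groupdict())
    return found


# `apt-cache policy` version table: "*** VERSION PRIO" lines followed by indented
# "PRIO ORIGIN suite arch Packages" lines; the installed version is marked with ***.
ORIGIN_RE = re.compile(r"^\s+(?P<prio>-?\d+)\s+(?P<origin>\S+)(?:\s+(?P<rest>.*))?$")
VERSION_RE = re.compile(r"^\s*(?P<installed>\*\*\*\s+)?(?P<version>\S+)\s+(?P<prio>-?\d+)\s*$")


def installed_origins(policy_text: str) -> Dict[str, object]:
    """Map every version in the table to its repository origins (the local dpkg status
    database is dropped) and report which origins serve the installed version."""
    installed: Optional[str] = None
    current: Optional[str] = None
    origins: Dict[str, List[str]] = {}
    in_table = False
    for line in policy_text.splitlines():
        if not in_table:
            in_table = line.strip() == "Version table:"
            continue
        m = ORIGIN_RE.match(line)
        if m and m.group("origin").startswith(("/", "http", "ftp", "file", "cdrom")):
            if current is not None and m.group("origin") != "/var/lib/dpkg/status":
                origins.setdefault(current, []).append(m.group("origin"))
            continue
        m = VERSION_RE.match(line)
        if m:
            current = m.group("version")
            origins.setdefault(current, [])
            if m.group("installed"):
                installed = current
    return {"installed": installed,
            "origins": origins.get(installed, []) if installed else [],
            "all": origins}


def replaced_by_third_party(policy_text: str) -> bool:
    """True when the installed version is served only by non-Debian repositories, i.e. a
    third-party repo has overridden the distribution's own package (the openssl case above)."""
    urls = installed_origins(policy_text)["origins"]
    return bool(urls) and not any(is_official(u) for u in urls)


# Constructed samples (not real captures); version strings are illustrative.
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian buster main contrib
deb http://security.debian.org/debian-security buster/updates main
# deb-src http://deb.debian.org/debian buster main
deb [signed-by=/usr/share/keyrings/sury.gpg] https://packages.sury.org/php/ buster main
"""

SAMPLE_POLICY = """\
libssl1.1:
  Installed: 1.1.1d-0+deb10u3
  Candidate: 1.1.1d-0+deb10u3
  Version table:
 *** 1.1.1d-0+deb10u3 500
        500 https://packages.sury.org/php buster/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u2 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
"""

if __name__ == "__main__":
    # Usage: apt-cache policy libssl1.1 | python3 aptcheck.py   (falls back to the sample)
    policy = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for src in third_party_sources(SAMPLE_SOURCES):
        print(f"third-party source: {src['url']} {src['suite']} {src['comps']}")
    info = installed_origins(policy)
    print(f"installed {info['installed']} from {info['origins'] or ['(local only)']}")
    print("replaced by third-party repo:", replaced_by_third_party(policy))
```

Feeding real output in (`apt-cache policy libssl1.1 | python3 aptcheck.py`) answers the question the comment raises: whether a distribution library on your machine now comes from someone else's repository. Point `third_party_sources` at `/etc/apt/sources.list` and each file in `/etc/apt/sources.list.d/` to enumerate who can push you packages; the deb822 `.sources` format is not handled here.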

Thanks. I do appreciate that there are vulnerabilities.

So I work only in VMs. I do nothing on host machines except to run VMs, and keep the OS up to date. And I compartmentalize rigorously. Minimally in different VMs. When it matters more, in different host machines. And when it really matters, in different host machines on different LANs. Only text files cross important security boundaries. And machines that my ~anonymous personas use never see anything about my meatspace identity.

This is, of course, just a hobby.

I think for the purposes of antivirus software, trust issues can be set aside here. Windows Defender ideally has the upper edge for choosing an antimalware solution for Windows in that it's baked in directly to the OS and therefore has more control and ability to prevent malicious activity than a third-party solution. You might not have to trust Microsoft due to privacy concerns, but for something like antivirus software that protects their operating system, intentionally making Windows Defender inferior software just isn't within their best interests.

Windows Defender is a superior AV solution for the same reason first party map solutions are superior to third party.

When part of your core functionality is dependent on coverage and total install count, you're never going to beat someone who leverages control of a lower part of the stack.

How can one "set aside" privacy issues?

Wasn't the argument you're responding to that Defender is the superior solution so that you don't have to trust other vendors than Microsoft, of which the trust point is moot if you've already chosen to run Windows?

My point is that using Debian is the superior solution, from a privacy perspective. But yes, I do agree that Defender is the best option, if you must use Windows.

Certain companies pay Microsoft ridiculous amounts for enterprise software; you can probably trust MS not to do anything that would piss off those companies, simply because they act in their own self-interest. Beyond that, not really.

Debian and OpenBSD are probably as close as it gets to having an actually secure system, and if I had to pick an OS for a very critical application, it would definitely be one of those. But really, honestly, any of Debian, Ubuntu, Fedora, Alpine, Arch, Gentoo, Slackware; FreeBSD, OpenBSD, NetBSD, DragonFlyBSD are probably more than sufficient for any practical need you might have for privacy and security.

[1] (Debian had a weak PRNG for ~2 years in ~2006-2008) teaches us every distribution or OS vendor can make huge mistakes, with very simple actions (ie. the systems are complicated).

(I'm not saying you should not trust Debian though.)

I do wonder if a stateful OS such as NixOS can help mitigate the threat of malware easier (sans exfiltration of data, for that we'd need capability-based security, or something like pledge). If it'd be user-friendly, like Time Machine, that is.

[1] https://www.schneier.com/blog/archives/2008/05/random_number...

Is that so? Chromium browser, distributed in Debian repositories, sends a signal to Google (with cookies) every time you open new tab if you use Google as default search engine (you can easily verify this by opening a new tab, running developer tools and refreshing the tab. The URL is https://www.google.ru/_/chrome/newtab?ie=UTF-8 and it has headers preventing caching).

No sane person would use Chrome/Chromium and Google, and expect privacy.

> In Debian, I can be reasonably confident that no information leaves the system without my authorization.

Only if you are not running a webbrowser

> Edit: Just out of curiosity, am I wrong in mistrusting Microsoft, or in trusting Debian?

Only fools trust Microsoft (or Google, or Facebook). I slightly hoped they were turning in the right direction in Win 2000 and XP and even 7. But Vista and the rest showed their true nature. About Debian I have mixed feelings. On one hand they are a very respectable distribution, on the other hand - systemd.

> Only if you are not running a webbrowser

Touché. I am not hard-core enough to browse in terminal. I don't use Chrome/Chromium though.

I actually rather like systemd. Most of the time, at least. But yes, I know the controversy. So do you like Devuan?

Have you personally audited every line of every piece of code in your Debian install? The usual retort is “many eyes”. How “many eyes” were on the OpenSSL vulnerability that was in many open source distributions for a year and a half.

> or in trusting Debian?

From a security POV Desktop Linux is an utter disaster.

For attackers it's like going back a decade in time.

Please explain.

Security from what? By default, there are no services listening. And what malware runs on Linux?

>By default, there are no services listening.

Desktop linux, not "the Linux kernel". The kernel isn't amazing, but on the desktop side you regularly see downright absurd stuff like this https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit...

and less surprising bugs like this https://donncha.is/2016/12/compromising-ubuntu-desktop/

The quality of software outside of some widely deployed server software tends to be quite poor, exploit mitigations are not being implemented.

>And what malware runs on Linux?

Far too many to list. You can easily find hundreds of public examples. This terrible wikipedia page provides a decent starting point with a list of names to google https://en.wikipedia.org/wiki/Linux_malware

> you regularly see downright absurd stuff like this

That's a bug which only occurs on five year old distributions and which was fixed years before any exploit was ever found. Honestly if that's being brought up as a bad example Linux is looking pretty good compared to other operating systems.

> That's a bug which only occurs on five year old distributions and which was fixed years before any exploit was ever found

I don't think we're reading the same post unless you got confused by the part where he discusses the exploit not the bug.

> Honestly if that's being brought up as a bad example Linux is looking pretty good compared to other operating systems.

Compared to what? FreeBSD? Certainly not any modern desktop OS.

MSFT is investing heavily in exploit mitigations while Linux distros are probably still struggling with ASLR. https://www.blackhat.com/docs/us-16/materials/us-16-Weston-W...

Yeah. The first article he linked to specifically called out Windows for doing fonts in kernel-space, to put that gstreamer vulnerability in context.

An attacker can trivially phish the sudo password and execute arbitrary commands every time you open the terminal.

shellrc and profile as well as almost all core unix tools allow running arbitrary code.

You can even bend the paths of bashrc and friends so the user can't trivially inspect them without dropping to root first (at which point, arbitrary code can trivially obtain root access too)

ls -l ~/.bashrc and by design.
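The persistence hooks the two comments above describe (an alias or function that shadows sudo in a startup file, BASH_ENV/ENV/PROMPT_COMMAND pointed somewhere the user will not look, a staging file sourced from /tmp or /dev/shm) and the `ls -l ~/.bashrc` ownership check are easy to audit from an unprivileged shell. The following is an added example, not code from the thread. The startup-file list, the set of commands worth watching and the staging directories are assumptions to tune; the sample .bashrc is constructed for the example.

```python
import os
import re
import stat
from pathlib import Path
from typing import Dict, List, Optional

# Shell startup files a dropper typically appends to (assumed list; extend for fish etc.).
STARTUP_FILES = [".bashrc", ".bash_profile", ".bash_login", ".profile",
                 ".bash_aliases", ".zshrc", ".zprofile"]

# Commands whose redefinition in a startup file is the classic password-capture hook.
SENSITIVE_COMMANDS = {"sudo", "su", "ssh", "passwd", "gpg", "doas"}

# Variables that redirect or extend what runs on every shell start or prompt.
HOOK_VARIABLES = {"BASH_ENV", "ENV", "PROMPT_COMMAND", "LD_PRELOAD"}

# Staging directories malware commonly sources from (assumed list).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

ALIAS_RE = re.compile(r"^\s*alias\s+(?P<name>[\w.-]+)=")
FUNC_RE = re.compile(r"^\s*(?:function\s+)?(?P<name>[\w.-]+)\s*\(\s*\)")
FUNC_KW_RE = re.compile(r"^\s*function\s+(?P<name>[\w.-]+)\b")
VAR_RE = re.compile(r"^\s*(?:export\s+)?(?P<name>[A-Z_][A-Z0-9_]*)=")
SOURCE_RE = re.compile(r"^\s*(?:source|\.)\s+(?P<name>\S+)")


def scan_text(text: str, origin: str = "<text>") -> List[Dict[str, str]]:
    """Flag lines in shell startup text that look like credential-phishing or persistence hooks."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        hit: Optional[Dict[str, str]] = None
        # 1. alias/function that shadows a command the user types a password into
        for kind, regex in (("alias", ALIAS_RE), ("function", FUNC_RE), ("function", FUNC_KW_RE)):
            m = regex.match(line)
            if m and m.group("name") in SENSITIVE_COMMANDS:
                hit = {"kind": kind, "name": m.group("name")}
                break
        # 2. variables that bend which file the shell executes at startup or each prompt
        if hit is None:
            m = VAR_RE.match(line)
            if m and m.group("name") in HOOK_VARIABLES:
                hit = {"kind": "variable", "name": m.group("name")}
        # 3. sourcing a file out of a world-writable staging directory
        if hit is None:
            m = SOURCE_RE.match(line)
            if m and m.group("name").startswith(SUSPICIOUS_DIRS):
                hit = {"kind": "source", "name": m.group("name")}
        if hit:
            hit.update({"file": origin, "line": str(lineno), "text": line.strip()})
            findings.append(hit)
    return findings


def permission_issue(path: Path) -> Optional[str]:
    """The `ls -l ~/.bashrc` check: owned by you, and not group- or world-writable."""
    st = path.stat()
    if st.st_uid != os.getuid():
        return f"{path} is owned by uid {st.st_uid}, not {os.getuid()}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path} is group/world writable ({stat.filemode(st.st_mode)})"
    return None


def scan_home(home: Path = Path.home()) -> List[Dict[str, str]]:
    """Run both checks over every startup file present in `home`."""
    findings: List[Dict[str, str]] = []
    for name in STARTUP_FILES:
        path = home / name
        if not path.is_file():
            continue
        issue = permission_issue(path)
        if issue:
            findings.append({"kind": "permissions", "name": name, "file": str(path),
                             "line": "0", "text": issue})
        findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample, not a real capture: two benign lines and four planted hooks.
SAMPLE_BASHRC = """\
# benign
alias ll='ls -alF'
export PATH="$HOME/bin:$PATH"
# planted
alias sudo='/tmp/.cache/sudo'
ssh() { /dev/shm/.s "$@"; }
export PROMPT_COMMAND='(/dev/shm/.beacon &) 2>/dev/null'
. /dev/shm/.profile
"""

if __name__ == "__main__":
    # Audit the real home directory; if it is clean, show the detector on the sample.
    for f in scan_home() or scan_text(SAMPLE_BASHRC, "SAMPLE_BASHRC"):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['name']}: {f['text']}")
```

This is string matching, so anything obfuscated (`eval "$(base64 -d ...)"`, a hook living in a file that /etc/profile sources, `alias` built from variables) slips past it; it catches the lazy, common case. Because the check runs as the same user whose shell may already be hooked, run it from a fresh shell started with `bash --noprofile --norc` or, as the comment says, from root, where the user's startup files are not executed.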

The last paragraph of the article was particularly astounding on this point, in that it explains how to disable the script injection rather than purge all Kaspersky software from the computer. That seems to contradict everything that preceded it.

I know how to uninstall software. I probably wouldn't know where to disable a particular feature or that I could disable it at all.

I guess I don't understand why anyone would want to leave it installed after that magnitude of trust violation (silent privacy-destroying MITM of HTTPS traffic by default).

Why do you? Edit: Or maybe I'm misinterpreting?

Not everyone is able to choose what software is installed on the machine they use. Especially for AV, that may be enforced by the company one works for.

What company is using Kaspersky? Aren't they on US security blacklists?

This may be surprising, but there's people outside the US.

In fact more than 95% of people are not presently in the US.

It would be surprising if 95% of businesses outside of the US use Kaspersky. It would be surprising for any large company using them.

Most installs are from individual people in and outside of the US.

Their fix is apparently to not leak machine-unique UUIDs but UUIDs unique to the version of the AV. Thanks Kaspersky for leaking whether the user's AV is vulnerable to exploits!

That's not really a big deal. The attackers can just be indiscriminate and hit a good number of vulnerable instances. And it's already pretty standard for clients to send used agent versions.

Well, it is, because you can now deploy much more targeted payloads, which means you can hit even more instances with a little bit of extra work, comparatively.

Honest question: what is AV even for these days? I have had some form of AV on all of my Windows machines since the 90's. I don't think I have seen a detection in at least ten years.

Every single company I worked for installed AV on our work computers, which was a huge resource hog and made the highest-specced MacBook Pros feel like cheap netbook.

I suspect it is mandated by some sort of compliance requirement, and the IT departments are just ticking a box. Maybe that's how this industry is still alive.

PCI DSS Requirement 5 demands AV. Many financial industry standards, and auditors that verify the same, will demand an AV installation.

The AV needs to be up to date, pervasive, and with central reporting. Here is where simply having Windows Defender installed falls flat -- when it finds some malware on Betty's computer, you can't be sure what the scope was until you investigate yet standalone Windows Defender won't give you that information. So you need the enterprise version with the reporting console, alerts, etc.

AV is a nuisance for most of us, and I've gone sans it for many years, but it's critical in most workplaces because there are a lot of people who will happily run that program, etc, and you can't catch everything at the edge.

ISO 27001.

It doesn't mandate it explicitly, but your auditor may get fussy if you can't answer questions about the relevant controls with a clear answer.

If you have an IT department, they will insist on AV software just to cover their ass. No one there wants to be the one explaining to a clueless boss that they didn't use AV software or something bad happened.

I don't mind having an antivirus on Windows but I despise having real-time file scanning when I have a computer with spinning rust. Node Package Manager install or yarn install creates thousands of tiny files and my understanding is that these "antivirus" software try to scan each file at the same time as npm wants to create them or in earlier days even as subversion was trying to do something.

I imagine things are different for people on PCIe NVMe SSD but Windows (or any modern OS I guess with any antivirus) is not so good if we are on spinning rust.

I think if we insist on real-time file scanning, the least we can do is provide at least a decent SATA SSD like the Samsung 860 EVO and adequate RAM to avoid thrashing.

I was using a spinny disk for a few weeks and I upgraded back to SSD the other day. The difference is incredible. Browser used to take 10 seconds to start, now it's instant. The only good thing is, I got so frustrated waiting constantly that I optimized my software to minimize IO (eg disabled browser history) so now it's even faster.

I will blow your mind when I tell you to use a RAM disk for the fastest run times wink wink

If you use a Samsung SATA SSD, just enable RAPID mode in the Samsung Magician program. The difference with and without is huge.

(Enabling RAPID mode basically creates an invisible RAM disk and uses it under the hood.)

is this different than just allocating swap space on the SSD?

Very different. The RAPID mode is basically a RAM disk under the hood -- it does its best to cache often-accessed files and temporarily prioritise loading big files on demand (which is the use-case of games, they often have huge files with textures and sound).

Gotta say, it works amazingly well. I am getting almost PCI/NVMe speeds on my SATA III SSD.

> The RAPID mode is basically a RAM disk under the hood -- it does its best to cache often-accessed files and temporarily prioritise loading big files on demand (which is the use-case of games, they often have huge files with textures and sound).

Sorry if this is obvious but does that mean we will have a better experience with a total of 32GB RAM than say 8GB? I have not worked with RAM disk before...

Windows Defender does the same thing by default. First step setting up my workstation for C++ dev is always specifically excluding my source code directories and msvc.exe and friends. Sometimes takes me a few days to notice all the ancillary processes that will trigger the file scanning and whitelist them. Otherwise it eats a whole logical core every time I kick off a compile.

Reading sibling comments I have an idea for a startup.

Make an AV, that does not really do anything, but can be used by thoughtful companies to "tick the box". Sell licenses and then do only the minimum required for compliance.

It could be described that it uses Windows Defender service to provide the basis of AV solution.

An AV that alarmed on unpatched vulnerabilities might be better. Attackers will resignature their code to evade everything on VT, then spam the world to hit whoever hasn't patched.

For ransomware anyway. If they're targeting you specifically they'll find out what you're running and customize against it.

A vulnerability scanner would be welcome. I would even run something like that on my linux machines.

As far as I'm aware, there are no governmental regulatory requirements to use AV software. All such requirements are generated by individual organizations, for example this one by NC State: https://policies.ncsu.edu/regulation/reg-08-00-10/

Nobody told NC State to require anti-virus, and the same company that created the requirements isn't going to accept some "minimal" solution to check their own box. Instead they will maintain a list of approved software, and your solution won't be on it.

If nothing else, herd immunity.

That said, I don't know if there's any compelling reason to use something beyond what the OS vendor already provides.

Agree with you, on Windows. But when you go into Linux and Mac territory, there really isn't any OS Vendor specific security solution that does what many people need.

AV is still super important to have for people who don't understand that downloading a fake flash player to watch the newest game of thrones episode isn't the best idea. And there's a lot of those people out there.

Ironically those are the same people who will install 2 or 3 different virus scanners simultaneously ("just in case") thereby making their PC as unusable as it would be with even the worst virus.

Apple does actually have malware protection built in to macOS. It's not nearly as extensive as something like Windows Defender and is pretty much invisible to the user, but it does exist.

Herd immunity is a decent argument. Still, it is hard to evaluate the effectiveness of the solutions out there.

Do we even need A/V for Windows? I think Microsoft Defender along with "proper digital hygiene" obviates the need for dedicated A/V solutions.

They use McAfee where I work, and have done for more than 10 years - it's an absolutely horrible resource hog, and keeps my laptop's fans permanently whining like it's about to explode. Things got better after the switch from mechanical disks to solid state, but the 12 or so processes it has permanently running (yes, really) still use more CPU combined than anything else. And it's never found a virus, as we catch everything at the email server, and I know what not to open in any case.

I'm not sure why anyone would use any other than Defender TBH. I wonder if perhaps it's licensed separately for enterprises?

The only annoying thing about it is that it periodically notifies me that "It has not found any threats". I guess even computer programs feel lonely at times.

It can be turned off. But I kinda understand why they do that. Every other antivirus constantly shows various "licence is ending", "some component is outdated" messages.

Anti-virus here means anti-privacy. What shocks me most is that this is in the paid versions as well.

I run Linux and have ClamAV installed for some compliance thingy, yet I have never run it (the compliance thingy tells me to have AV installed, not to actually run it). I can totally recommend some up-to-date Linux distro in case you want to steer clear of "viruses (etc)".

I used to run ClamAV for a few years, both on Linux and macOS. The only thing it ever detected were Windows viruses in my spam mailbox. Every time I received a spam email, ClamAV would complain and I'd have to go delete the email that was already not in my inbox.

This is ironically one of the ways using any AV can increase the attack surface of a device, leading to its compromise. I don't know if ClamAV has ever had an issue, but it seems lots of people here have forgotten the zoo of not-that-long-ago Windows Defender exploits that could be triggered by it scanning various files, like in a spam email the user never even looked at but their client downloaded a copy of anyway. The issues are often made worse by the AV processes that get owned already having root privileges.

Why does it shock you? Do you think Kaspersky was selling user info, and not just doing their security scanning work with an unintentionally leaking side effect?

Some years ago I found McAfee Enterprise doing something similar, where it added a unique ID to the user agent string on Firefox. It didn't inject it at runtime though, it actually modified your Firefox profile files to set it.

I presume this wouldn't allow tracking in private browsing mode (I guess Firefox doesn't use the standard user agent), but still not good.

Avast also tracks clickstream data and sells it to Jumpshot.

Jumpshot is Avast.

Just a subsidiary.

Does that somehow make it OK?

That's what some people seem to think about Pocket belonging to Mozilla or Mozilla owning part of Cliqz... it's OK if they have a business relationship that loosely looks like control

Without knowing anything about the specifics here... yes, I can confidently say that transmitting information between two companies with the same owner is "ok" and should be expected.

I think that's splitting hairs, and focusing on the wrong aspect of it. Avast gives clickstream data to a digital marketing company. That company happens to be a subsidiary, so Avast is a digital marketing company. The problem becomes one not of a company sharing your private information with another so it can be monetized, but the initial company monetizing it itself. If you have a problem with your data being used for marketing by your AV vendor, whether it's shared to make it happen is likely of little consequence to you.


And there are other risks to users. Once that data has been collected, others may access it, and use it in far more damaging ways. Users in China or Saudi Arabia, for example, may end up in jail, or worse.

Not certain of specifics of this case but in general absolutely no! As a data controller you collect users' data for a purpose. If you use that data for a separate purpose you need separate consent from users to use their data.

I meant that it's not OK to collect clickstream data. At all. As I recall, Apple got nailed about Safari doing that, and stopped.

Why is the data even being collected?

Oh, didn't know that.

Can anyone tell me how Kaspersky is injecting a script into an HTTPS site?

From the screenshot in the article, there doesn't appear to be a Kaspersky browser extension in use.

I guess it would have to be a MITM of some sort. Either by installing a cert or by getting the TLS keys from the browser, I suppose?

Many antivirus applications install a local certificate authority so they can MITM HTTPS.

From my experience most fail to check the original CA meaning anyone can intercept your traffic...

They should generate that certificate along with private key on your local machine, so it does not allow anyone else to intercept your traffic. Even seemingly harmless applications can do that. For example Blizzard Battle.net Launcher (used for all games) does that.

The issue is that you must check the external connection, i.e. <-2-> in:

  User <-1-> antivirus <-2-> Site

If not, a hostile actor can inject themselves in a way which is completely invisible to the user:

  User <-1-> antivirus <-2-> Hostile <-3-> Site

Actually checking <-2-> is tricky but many antivirus tools don't even try.[1]

[1] https://news.ycombinator.com/item?id=10727431
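To make the <-2-> leg concrete, here is an added Go example (not code from the thread, Kaspersky, or any AV vendor). It stands up a loopback TLS "site" with a self-signed certificate for the constructed name site.example, which plays the "Hostile" party from the diagram, then performs the proxy's outbound handshake twice: once with verification disabled, the way the non-checking AV products behave, and once with normal verification against the system roots. The helper names (selfSignedCert, startFakeSite, checkUpstream) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway certificate for a constructed host name.
// No trusted CA issued it, so it stands in for the "Hostile" party: a
// verifying client must refuse it, a non-verifying one will happily accept it.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startFakeSite serves TLS on loopback with the given certificate and returns
// its address plus a function that shuts the listener down.
func startFakeSite(cert tls.Certificate) (string, func() error, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// A verifying client aborts mid-handshake; that error is expected.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln.Addr().String(), ln.Close, nil
}

// checkUpstream is the proxy's outbound leg (<-2-> in the diagram). With
// verify=false it accepts any certificate, which is the defect the thread
// describes; with verify=true it checks the chain against the system roots
// and the name against ServerName, as any MITM proxy should.
func checkUpstream(addr, host string, verify bool) string {
	cfg := &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: !verify, // the broken setting, kept only to show the contrast
		MinVersion:         tls.VersionTLS12,
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return "accepted"
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return "rejected: unknown authority"
	}
	return "rejected: " + err.Error()
}

func main() {
	cert, err := selfSignedCert("site.example")
	if err != nil {
		panic(err)
	}
	addr, stop, err := startFakeSite(cert)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("no verification:", checkUpstream(addr, "site.example", false))
	fmt.Println("verification   :", checkUpstream(addr, "site.example", true))
}
```

The first call succeeds and the second fails with an unknown-authority error, which is exactly the difference between an interception proxy that merely re-signs whatever it is handed and one that actually validates the site before vouching for it to the browser with its own local CA.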

Well, if antivirus does MITM and does not check website certificate properly, it's seriously broken. I expected that any MITM proxy properly validates server certificate.

This was my immediate thought. Where is the rewrite happening? All the options seem icky.

I think AV vendors used to do browser addons to provide some functionality. But since browser extensions in all popular browsers are now effectively neutered versions of their former selves, they are probably resorting to stuff like this. It can be hard to even get a browser addon installed as a third party program without resorting to hacks (thanks to browsers having taken measures after the toolbar hell).

Windows AV software is notoriously "icky". Microsoft had been making an effort to push AV vendors towards more "official" means of real-time hooking, but many still use DLL injection, kernel hooking etc.

Why would they use a unique id unless they're intending to track or deliver unique JS payloads to each user?

Edit: Especially frightening given allegations of FSB ties that other users pointed out https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations...

I thought the only people that used AV programs were old people that were getting scammed?

There's lots of 'Do we need Kaspersky' type questions in here already. The more pertinent question is whether AV is actually effective, or if stronger countermeasures like application whitelisting are needed?


You would need a document whitelist since many programs can be hijacked using buffer overflow attacks or outright support execution of arbitrary scripts.

I'll also point out that defending against buffer overflows which are considered vulnerabilities is a far saner boundary than a blacklist of files which grows infinitely.

Or we could, you know, just stop using Microsoft Office and Adobe products which are a huge, if not the biggest culprit of that kind of crazy behaviour.

I don't fully understand why everyone gets upset over browser leaks when in private mode - most websites interested in tracking private sessions will just associate private and non-private sessions by IP address.

If you're paranoid enough to use a VPN for 'private' traffic, you should probably be running such sessions in a VM using something like the tails live CD.

For sure.

But using Tails in VMs isn't recommended. Better is using Whonix, because it isolates the Tor client and userland in separate VMs. It also has a LiveCD mode. And for added security, you can run it in Qubes.

Funny that you namedrop like three security products but fail to evaluate which hypervisor should be used, which is probably the most important part of a secure environment if unauthorized code execution fits in your threat model.

Sorry. Whonix, by default for non-expert users, runs in VirtualBox. You can also use KVM. And Qubes basically uses Xen.

My threat model is mainly about preventing potential adversaries from learning my ISP-assigned IP address. I don't care all that much if a VM, or even a host machine, gets pwned. My stuff is well enough compartmentalized that I'd at most lose some work. But not my privacy.

Indeed. Private sessions do not make you untrackable, the only difference is nothing is saved from the session. But many people misunderstand what private/incognito mode does.


A good time to remind people that the U.S. government is not a fan of Kaspersky products.

AV, always reminding you you’re under attack since 1986.

If I click the above article link, then come back to this thread, will I find a unique id used to track me planted somewhere amongst my cookies?


Kaspersky is not affiliated with FSB.

Russian cyber-security company claiming they're not affiliated with Kremlin in any way. What could go wrong given right now they're preparing for the next big war?


Agree with the first half of your sentence. Did you vote for NSA tracking?
