Kaspersky in the Middle – what could possibly go wrong? (palant.de)
110 points by robin_reala 29 days ago | 40 comments

Which other AntiVirus vendors do this? How can you opt-out and is there a point to installing anti-virus software to begin with?

If you use Windows, use Windows Defender. It doesn't MitM your connections and has comparable detection rates for 0days and common malware to all other modern AVs. Microsoft has put a lot of work into making Defender as secure as possible (you can even run it inside a VM so any exploit of Defender is just trapped inside a Hyper-V VM instead of your system).

There is no point in installing any other AV vendor; they all suck, their software sucks, they ask way more than it's worth (nothing) and they frequently break security measures of software all over the ecosystem (some AVs still disable ASLR/KASLR to make injecting their DLL into all processes easier).

Also, Microsoft has an incentive to eliminate viruses and malware completely - to make their OS safer. Third party AV companies rely on continuing threats to stay in business. I'm not saying AV companies hold back or help malware out, I'm saying Microsoft has good reason to throw huge resources at the problem as a whole.

...and to build on your comment: Incentive to not slow down the performance of the OS while protecting it.

That was what caught my eye about MS's antivirus offerings from the start. I was really impressed how well it ran without me ever noticing.

I got a new laptop from work recently and I didn't spend a great deal of time looking it over as I was busy and ... of course I hit some random performance problems as McAfee was abusing my machine while I was trying to work. Endlessly installing antivirus programs is getting pretty old.

I had to help some regular computer user to clean their computer; one of the user's requests was to "fix" their McAfee, meaning, to update the subscription and solve other "security threats" (not viruses) that McAfee reported. After seeing how indecent this antivirus is, how it uses real intimidation, and is very intrusive with constant pop-ups, we settled on not continuing the subscription and getting rid of it altogether.

I was dealing with MySQL running on a Windows server box with McAfee Active Response running (MarService.exe). It has a feature for tracking files created/deleted, which is accomplished by hashing all new files, saving them to its own local DB, and presumably pushing them to the management server async. The app running on MySQL frequently creates many new tables and fills them as part of SOP, so the disk was constantly hammered by both MySQL and McAfee...

Windows Defender is the worst-performing antivirus on the market so that logic flies out the window.

Can you undergird this claim? (serious question, no flaming)

I disagree that this incentive differs for Windows Defender vs other AVs.

All AV software has the desire to not negatively impact performance because if it's horribly slow people will uninstall it / quit paying for it.

The parent comment is pointing out that companies which primarily produce AV products benefit from the continued existence and fear of malware (to a degree at least). This is different for MS, as the eradication of Windows viruses will help Windows, which should be large enough a benefit to override any perverse incentives Windows Defender would otherwise have.

I know what you're trying to say is "also, Windows Defender isn't as slow", which happens to be true, but I think that's simply an emergent effect of other factors, such as AV companies feeling the need to "do more" to add value (whereas Windows Defender is funded by MS, so it has less incentive to "stand out").

> Third party AV companies rely on continuing threats to stay in business.

I'm pretty neutral on this topic, but doesn't this point by extension mean they have a more direct interest in discovering security flaws and publishing them rather than burying them under the rug if they haven't been seen in the wild?

I think they share the same incentives in the sense that discovering, patching and reporting flaws is the mission statement.

Where they differ, I think, is the end goal. Non-MS AV need an ecosystem where there is still active threats to make revenue. MS actively doesn't want any threats, because they would realize more profits through their OS being marketable as virus-free.

I'm not saying Non-MS AV is out there introducing threats. But, they are incentivized to play whack-a-mole with bandaid fixes (keeping the ecosystem in check but alive) whereas MS is incentivized to go after root problems (kill the virus ecosystem, profit from OS).

What would you suggest for Mac and Linux? A lot of enterprise contracts and security certifications require "anti-virus installed and up-to-date".

What's the best way of meeting that checkbox for Mac and Linux laptops?

Install ClamAV but don't run the daemon?

I've had something similar happen, VirtualBox has measures to try to detect if it's been hijacked, by malicious software or AV (although the distinction could be argued).

Windows Defender is on every machine, so what would be the point of writing a virus that is detected by it? The same for Kaspersky. These programs are easy to test against and well-known. They are designed to work against old viruses that have already been detected and analyzed.

It's better to use lesser known antivirus products with good heuristic detection. I will not mention names but there are a number of products out there, including ones that block every executable not on a whitelist.

You can't just wave your hand and say that some lesser known "no names mentioned" product is better than Defender because you want it to be. If you have evidence that some AV product is out-performing Defender, it's extremely selfish and negligent to keep that information to yourself.

I'd much rather trust MS with Defender over some lesser known AV product which likely doesn't have billions of dollars, unfathomably large samples/datasets, and extensive experience with APTs.

As pointed out, no one really has a better incentive to detect and eliminate viruses than MS does in an effort to make their OS virus free.

Fair enough, but I did give a concrete reason why I believe some "no name mentioned" products may be better than Defender and other common antivirus products.

They will not only detect existing viruses. AV software has used heuristics to detect viruses for decades, and more recently ML is being used. Microsoft has really been investing in Defender and Defender ATP recently and there have been several Twitter and blog posts about the successes their ML approach is yielding, including for new viruses.

A lesser known anti-virus will also be from a smaller vendor with fewer resources to get 0day malware into their signature databases or maintain a good heuristic detection. A lesser-known AV with a good signature DB and heuristic engine is a unicorn.

I disagree with the point you made about 0days and detection rates. Defender has fewer false positives, but almost never catches the files that actually matter, like important 0days or anti-emulation and anti-unpack files. They are pretty slow with crafting generic detections.

While I understand that data from well known tests may support your point, as an employee for 2+ years at a security vendor I can say with certainty that Defender falls way behind when it comes to fast generic detections and response time. I quite frequently find myself copying malicious files to my work laptop with Defender activated and the detection rate is pretty poor as shown by the actual number of files that got copied. Not even mentioning how it quietly scans my files and activates itself even though I singlehandedly shut it down a minute ago.

So presumably you have a product in mind which did catch all of these things, and are willing to point people in the proper direction?

What I can say from a more or less objective standpoint, the best vendors according to a response-time metric are Eset, Kaspersky and Bitdefender. Each of them has its own weaknesses and I do not know what the performance impact is for using them alongside Defender.

Interesting, thanks for answering. Is this objective standpoint of yours from 3rd-party studies of response-time metrics, or anecdotal data from yourself?

Also, how substantial are these differences? Is it worth (in your opinion) being MitM'd by Kaspersky to realize the supposed benefits?

The data is empirical, based on comparative results of some files I've managed to get my hands on over the years. I can't argue on MitM, because I haven't worked with traffic and traffic analysis, but when it comes to malicious executables and exploits, it's definitely worth the MitM inconvenience.

Ironically speaking, privacy concerned users are mostly IT-versed, who can evade most malware effects by just being attentive and cautious, while my mother, for example, doesn't care about MitM'ing her traffic, while I do care about her visiting some shady sites while watching her beloved internet series.

Bottom line, if you are well versed, you probably can limit yourself to the default Windows Defender, but when it comes to successful unreleased exploits or a computer/user that is likely to download/run unknown executables, some high-end vendor might be faster than other researchers.

Some time ago I tried Bitdefender on Windows and it immediately MitMed itself so that it could append green check marks after every search result on Google to signal me that that site is 'safe'.

There was no browser extension from Bitdefender involved and it applied to all installed browsers. Maybe browsers and Microsoft should actively fight this??
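The interception described in the comment above works because the AV installs its own root CA into the system trust store and mints a certificate for each site on the fly, so every browser accepts the forged chain. As an added example that is not part of this thread, the Go program below builds two constructed roots (a stand-in public CA and a stand-in AV interception root), issues a certificate for the constructed host bank.example from each, and shows what a client can still detect: the forged chain fails verification while the interception root is absent from the store, and once that root is installed the chain verifies but the SHA-256 of the chain's root no longer matches the one pinned for the host. All CA names and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// template builds a CA or server certificate template (all names constructed).
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a P-256 key and signs tmpl with parent (nil parent means
// self-signed). An interception proxy does the leaf case on the fly per host.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // cannot fail with a working system RNG
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // the templates above are fixed and valid
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fingerprint is the SHA-256 of the DER certificate, the value a client pins.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ChainRoot validates leaf for host against the trust store and returns the
// fingerprint of the root the accepted chain ends at.
func ChainRoot(leaf *x509.Certificate, host string, roots *x509.CertPool) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	return Fingerprint(chain[len(chain)-1]), nil
}

// Scenario checks a genuine chain and a proxy-issued chain for one host: the
// genuine chain ends at the pinned root; the forged chain is rejected while the
// interception root is absent; once that root is installed the forged chain
// verifies, and the mismatch against the pin is the only signal left.
func Scenario() (genuineOK, untrustedRejected, trustedButNotPinned bool) {
	const host = "bank.example" // constructed hostname
	publicCA, publicKey := makeCert(template("Constructed Public Root", 1, true), nil, nil)
	localCA, localKey := makeCert(template("Constructed AV Interception Root", 2, true), nil, nil)
	genuine, _ := makeCert(template(host, 10, false), publicCA, publicKey)
	forged, _ := makeCert(template(host, 11, false), localCA, localKey)
	pinned := Fingerprint(publicCA) // the root this host is known to chain to

	store := x509.NewCertPool()
	store.AddCert(publicCA)
	root, err := ChainRoot(genuine, host, store)
	genuineOK = err == nil && root == pinned
	_, err = ChainRoot(forged, host, store)
	untrustedRejected = err != nil
	store.AddCert(localCA) // what the AV installer does to the system store
	root, err = ChainRoot(forged, host, store)
	trustedButNotPinned = err == nil && root != pinned
	return genuineOK, untrustedRejected, trustedButNotPinned
}

func main() {
	fmt.Println(Scenario())
}
```

The point of the third case is that ordinary chain validation is silent once the interception root is in the store; a client that wants to notice the proxy has to compare the root it actually chained to against what it expects for that host (or against the roots it sees from other machines), which is the kind of check browsers could do and the comment asks for.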

There is also AdGuard for Windows/Mac/Android which does this in order to block ads without the involvement of a browser extension. While this sounds like a bad alternative to uBlock Origin, it could be a necessary workaround in the future if Google succeeds with their Manifest V3 'conspiracy' against ad blockers. On Android it is also a better alternative to DNS/hosts based ad blockers because it won't leave blank ad placeholders in Chrome.

To answer the last, at this point, you install (or have preinstalled) AV to comply with enterprise IT policies.

Or be protected from bank fraud. Not that the AV will stop it, but having no AV gives the banks a reason to reject the claim. At least with DB in Germany. But they accept Windows Defender!

German banks and technology are terrible! They're now using an app for authentication that you can only get from Google's Play Store or Apple's App Store.

Germany, the country of data protection, and yet their banks force you to use Google/Apple.

Oh sure, I can use terminals or pay money for a hardware device whose manufacturer has an exclusive contract with the bank, but this is absurd considering all they'd have to do is provide a channel for getting the APK straight from their own servers instead of through Google.

...or at least give me an SHA256 of the APK, so I can really be sure that when I use a 3rd party app to download it, I'm not getting a Trojan or something.

True. I guess they have to go through Apple's app store anyway, but they could offer the APK on their website.

On the other hand, I can set up a recurring payment, for free, from one account to a different account, at a different bank. In the US, my bank sends a check. Per snail-mail.

(Also: photoTAN is great. Could please all banks do that if they need an app anyway?)

> but having no AV gives the banks a reason to reject the claim

a good reason to only do banking on an iPad/iPhone...

A few years back ESET MitM traffic (this can be disabled, but was the default), I'm not sure what the situation is now as I since switched to Defender precisely because of the MitM "feature."

I'm using ESET Nod32 and it's still on by default but it can be easily deactivated in the settings panel.

Unfortunately, Defender is still the worst in system performance impact [1] and I can't bear it, especially when you do `npm ci` or the like. Or if you are into gaming, launch Steam with/without Defender enabled and you see a 10-20 second launch time difference.

I don't understand why Microsoft doesn't focus on that. They reached a good detection rate but the slowdown induced by Defender still makes other AVs worth it (same good detection rate but with less performance impact).

[1] https://www.av-comparatives.org/tests/performance-test-april...

Most AntiVirus vendors have something that resembles this in some portion of their solution. It is often found in the web-protection side, which can easily be disabled if necessary.

I know Avast hijacks https traffic.

Yeah. And it even shows a popup stating "Your browsing is insecure, update to Avast Premium" or something like that. Funny thing is, it happens (the popup) way more often when in internet banking or on porn sites. Kinda creepy.

The diagram doesn't show a data link from the AV software to the AV vendor headquarters. Is that correct?

Yes, the data is being messed with locally. The article is about a well-intended security downgrade.

That's an unrelated issue and linked from the article.
