Is Your Antivirus Tracking You? You’d Be Surprised At What It Sends

Terry Ganzi

Source: http://www.makeuseof.com/tag/antivirus-tracking-youd-surprised-sends/

Your antivirus software is watching you. A recent study shows that popular antivirus applications like Avast assign your computer a unique identifier and send a list of all web addresses you visit to the manufacturer. If the antivirus finds a suspicious document, it will send the document to the antivirus company. Yes, your antivirus company might have a list of web pages you’ve visited along with your sensitive personal documents!

AV-Comparatives’ Data Transmission Report
We’re getting this information from AV-Comparatives’ Data transmission in Internet security products report, released on May 8, 2014. AV-Comparatives is an antivirus testing and comparison organization.

The study was performed by analyzing antivirus products running in a virtual machine to see what they sent to the antivirus company, reading each antivirus product’s end user license agreement (EULA), and sending a detailed questionnaire to each antivirus company so they could explain what their products do.

The study says “We gave higher weighting to our own measurements and the EULA (as we understand it) than to the replies to our questionnaire.” In other words, some antivirus companies responded with incorrect answers that contradicted what their products actually did!

We encourage you to check the study and consult the table on page 3 for yourself. You’ll be able to see exactly what your current antivirus product does. The study includes antivirus products by AhnLab, Avast, AVG, AVIRA, Bitdefender, BullGuard, Emsisoft, eScan, ESET, Fortinet, F-Secure, G DATA, Kaspersky Lab, McAfee, Microsoft, Panda, Sophos, Symantec, Trend Micro, Vipre, and Webroot.

A Unique Identifier And Web Addresses You Visit
All of the antivirus products in question — aside from products by eScan and Fortinet — assign your system a unique identification number and transmit this number.

Many products also transmit a list of visited URLs, or web addresses — both malicious and non-malicious ones. All of the products aside from AhnLab, Emsisoft, and Vipre transmit these URLs to the company. It’s unclear which types of addresses each product transmits. Some products may only transmit a malicious address you find to the company, while some products may transmit all addresses you visit to the company. Tied to a unique identifier, this means an antivirus company could have access to your browsing history.

Some products also transmit your computer’s name, local IP address, language, running processes, and Windows user name to the antivirus company.

Non-Executable Files, Including Documents
When an antivirus finds a “suspicious” file, it wants to send that file to the antivirus manufacturer so it can be examined for malware. The antivirus company can analyze the file and produce a virus definition to defend against the malware. This doesn’t just apply to executable files. Your antivirus may also send your personal documents to the antivirus company. For example, if you have a business document in Word format and the antivirus thinks the document is suspicious, it may send that document to the antivirus company. This means your antivirus company may be getting its hands on your sensitive documents.

Avast, Fortinet, Kaspersky Lab, Symantec, and Vipre all will transmit documents and other non-executable files. AVG, ESET, McAfee, Microsoft, Sophos, Trend Micro, and Webroot all won’t tell us if they transmit documents. It’s probably best to assume these products transmit documents, too. AVG, McAfee, Trend Micro, and Webroot won’t even allow you to opt out of sending these non-executable files.

Why All the Data Collection?
Antivirus companies want all the data they can get. However, we users don’t have an easy way of knowing and choosing what types of data we share with the antivirus company. The idea that the web pages we visit and our personal documents could be getting sent in the background is scary. We didn’t even think of this and didn’t have the option to make an informed decision. If this data is sent unencrypted, it’s also possible for people on the same local network — or intelligence agencies like the NSA tapping the internet backbone — to capture this information.

According to the study, antivirus companies at least say they aren’t linking this information together to track you:

“Vendors tell us that the data gathered and transmitted by each product does not go to a single collection centre; rather, specific elements are transmitted separately to different isolated end points, without any connection between them. Thus e.g. licence-management data is sent separately from product-usage statistics. They say that as there is no connection between these systems, the data collected by one cannot be linked with the data collected by another. Consequently the privacy of the user should be safeguarded. “

The Most Privacy-Conscious Antiviruses
AhnLab sends the least amount of data according to this test. It won’t send URLs you visit, personal documents, or even executable files and other personal information to the antivirus company. It will transmit information about the antivirus product, a unique identifier for your computer, your operating system version, and hashes of files. A hash will let the antivirus company detect whether the file matches another file they know about, but it won’t actually let them view any of the contents.

Emsisoft also comes out looking good. They send a bit more information when you encounter malicious files — for example, they’ll send suspicious executable files to the antivirus company — but they’ll never send a list of websites you visit or your documents over the Internet.

Both of these products are paid antivirus products. They’re the only antiviruses in the study that don’t send the most sensitive types of data to an antivirus company.

There’s no one free antivirus product that stands out from all the others in offering the best privacy features. Your best bet is consulting the table for more information when choosing an antivirus product. Along with checking antivirus test results, this information can help you make an informed decision.

Image Credit: Cristiano Betta on Flickr

Source: http://www.makeuseof.com/tag/antivirus-tracking-youd-surprised-sends/
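
Added example, not part of the original post or the AV-Comparatives study: a check of the kind the study's virtual-machine measurements imply, run over a constructed proxy capture. It reports values that repeat across a process's requests (a candidate unique identifier), the visited URLs sent alongside them, whether any of it went over plain HTTP, and whether the same identifier reaches more than one endpoint. All hosts, process names and parameter names are invented, and it assumes telemetry carried in query strings.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed capture: (process, request URL) pairs as an intercepting proxy
# in a test VM might export them. Hosts, parameter names and values are made up.
CAPTURE = [
    ("av_service.exe", "http://telemetry.av-vendor.example/report"
                       "?uid=7f3a9c&url=http%3A%2F%2Fbank.example%2Flogin"),
    ("av_service.exe", "http://telemetry.av-vendor.example/report"
                       "?uid=7f3a9c&url=http%3A%2F%2Fnews.example%2Fstory"),
    ("av_service.exe", "https://license.av-vendor.example/check?uid=7f3a9c&ver=9.0"),
    ("updater.exe", "https://updates.other.example/manifest?ver=2.1"),
    ("browser.exe", "http://news.example/story"),
]


def split_request(request_url):
    """Return (scheme, host, decoded query parameters) for one request."""
    parts = urlsplit(request_url)
    return parts.scheme, parts.hostname, parse_qsl(parts.query)


def stable_identifiers(capture, min_requests=2):
    """Map (process, param, value) -> endpoint hosts, for values that repeat."""
    seen = defaultdict(list)
    for process, url in capture:
        _, host, params = split_request(url)
        for name, value in params:
            seen[(process, name, value)].append(host)
    return {k: set(h) for k, h in seen.items() if len(h) >= min_requests}


def audit(capture):
    """For each repeated identifier, list what travels alongside it."""
    findings = []
    for (process, name, value), hosts in sorted(stable_identifiers(capture).items()):
        urls, plaintext = [], False
        for proc, url in capture:
            scheme, _, params = split_request(url)
            if proc != process or (name, value) not in params:
                continue
            plaintext = plaintext or scheme == "http"
            # A parameter whose decoded value is itself a URL is a visited address.
            urls += [v for _, v in params if urlsplit(v).scheme in ("http", "https")]
        findings.append({
            "process": process,
            "identifier": f"{name}={value}",
            "endpoints": sorted(hosts),       # >1 host: records can be joined on the ID
            "visited_urls": urls,
            "sent_in_plaintext": plaintext,   # readable by anyone on the network path
        })
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

An identifier that shows up at more than one endpoint is the thing to compare against the vendors' statement that their collection points are isolated from one another.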
 

omidomi

Where is Trust Port?
What does Trust Port do???
 

Cats-4_Owners-2

Terry, thank you for reminding us to be more aware as this article has changed my view o_O (again). I have flip-flopped back and forth between wanting to be a good sport by "..helping to improve the software through sharing usage data." and "Just saying NO to collecting my data for any reason!" :rolleyes: :D
 

Cowpipe

It's not just antivirus companies which send this kind of sensitive data. I could tell you some pretty chilling stories about data collection, one nearly got me arrested :(

I'll never forget though, seven years ago this month, when Norton antivirus sent my sensitive source-code back to its servers. The code was for an anti-phishing application I was programming. Three days later Norton ran a background scan without my knowledge and the whole source-code folder was deleted without my consent.

I did have a backup but it wasn't recent, and I abandoned the project. Last time I ever used Norton, last time I ever trusted programs sending data back to their own servers.
 
yigido

Woouvv this can't be real :eek:
 

Cowpipe

I don't think it was some kind of conspiracy with Norton (obviously we'll never know for sure though), I think they just grabbed the phishing signatures that I had hard-coded in the software and added them, and then when Norton scanned it picked up the signatures and just deleted the whole folder believing all the files to be related. I don't know, I was seriously angry with them though :(
 
yigido

Thanks for sharing your experience, I am sorry for you..
 

Cowpipe

I was pretty young and naive, my own fault really :p Norton deleted a large part of my virus collection a couple of years ago too. Some very rare samples which were given to me directly by the virus writers got lost, I've never managed to get all of the samples back. Hopefully other people won't make the same mistake, and will change the default settings after they install :)
 

Kate_L

Comodo does the same, almost all AV send unknown files for scanning or they know are there so what you do it is public. In Avira you have "Confirm ... " something like that so you can check what it sends and what it doesn't.

It is funny because I wrote on my status a few days ago that I can't trust any AV and now we are talking about this :D
 

Cowpipe

Every link you take
Every click you make
Every app you break
Every scroll you take
I'll be watching you

Every single day
Every word you say
Every game you play
Every night you stay
I'll be watching you

-AV

Hahaha, brilliant :D And very true ;)
 

Nico@FMA

I knew this already, hence why I wrote it into my guides some time ago.
Most AV brands have a menu or a check box or a section within their EULA & License where they notify you about transmitting data.
However, they call it statistical data and such.
Fact is that documents, system files and other data are being transmitted to, for example, cloud-based AV engines.
It does not take a genius to figure out that this is one VERY rich pool to draw big data from, as even protected files are being analyzed.
So let's say that a company using these kinds of statistical data gathering techniques wants to exploit the data for ads or other reasons, then they have a wealth of info with personal details first hand.
Microsoft does however take it a step further, they can literally tell everything you have done so far with your PC since you installed a Windows OS, they can even see the content of your personal files if they wish so.
Most people do not realize that your Windows OS does connect to a Windows statistics server several times within the hour.
So they pretty much could see in real time what you are up to.
Just install Fiddler or some other program that can monitor outgoing connections and write down the IP addresses and do a trace on them, and you will see that out of the 10 connections your PC makes (even if you do not actually use the Internet yourself at that time) at least 3 will be Windows connections, and they serve only 3 main reasons: Windows Validation, Windows Update, Windows Data Gathering.
Sure there are more reasons but these 3 are the most obvious ones.
Here, take a good read, it's an older blog from 2010 but it has VERY valid info, you will be surprised.
So yes, most third party software will gather info about you, it's really not just AV vendors and Microsoft.
And let me tell you, ALL data is directly identifying you, regardless if claimed otherwise.
Keep in mind your hardware IDs are 1000000% unique so this leads only to ONE PC in the world... yours.
Your phone number does identify you as you are the one answering the phone, it's your name on the subscription and it's your name on the phone bill.
Your IP address is also directly linked to you as the same rules apply here as on the phone number.
On top of that most ISP providers offer Internet, Phone, and TV in one package and you have one router that distributes all that and gathers info. And this very info is also collected by for example Windows OS / Microsoft so if they wish they can even see what movie you did watch using your on demand option in the menu on your TV.
Your power usage and such from various sources in the house is also known, as some of those kitchen machines and everyday devices have an Internet connection, so does your energy grid. For example here at my own house I can set the temperature and lights and such by just using my phone while I am 100 miles away visiting family.

All these things go over the net, and as long as you are running Windows it will capture the data and sniff your network traffic.
So they certainly do not just collect Windows OS data only, even while they advertise differently.
However if you spend some time reading their licenses and such it will actually tell you exactly what I just said.
Now the thing is that Microsoft does not piece together the info to make you identifiable so they basically only take what they need and the rest is being stored for 6 months. However Agencies do have unlimited access to the storage regardless what they claim.
By US law any tech firm needs to give them access if required. So they might not look into your private details in real time but they can at any point in time.

To get back to the AV collection of data, let's take Kaspersky for example:

B. RECEIVED INFORMATION


* Information about your computer hardware and software, including operating system and service packs installed, kernel objects, drivers, services, Internet Explorer extensions, printing extensions, Windows Explorer extensions, downloaded program files, active setup elements, control panel applets, host and registry records, browser types and e-mail clients that are generally not personally identifiable;

[...]

* Information about applications downloaded by the user (URL, attributes, file size, information about process that initiated download); Edit: URL data also means literally every site you have visited, this due to the fact that Windows will download EVERY picture and such from any webpage you see in your browser (and this is being stored into your Internet temp files). So it becomes scannable by KAV and thus collected.

* Information about applications and their modules run by the user (size, attributes, date created, information about PE headers, region, name, location, and compression utilities used);

[...]

* The Kaspersky Security Network service may process and submit whole files, which might be used by criminals to harm your computer and/or their parts, to Kaspersky Lab for additional examination.

The reason I made an edit is to show that things are not just as they are written.
You have to read between the lines and connect the dots.
If you have a little computer knowledge and you know how some processes go then reading a EULA or License suddenly reveals a more complete picture that offers more info than the dull legal text and fancy words they use.

Anyway, long story short, I tried to explain how things really go, as the news topic above does have great info but still does not show how deep it really goes.
But as an IT Professional take my word for it, non-identifiable does NOT exist. No matter how it's being formulated....
But I could be wrong, after all your hardware ID, IP, Phone and such are the same, right? Because we all in this world have the same credit card number, we have the same name, the same date of birth, the same PC, the same habits..... whahaha sarcastic grin.

Cheers
 

marg

Cowpipe... You have to admit at least Norton was doing its job. It seems like it did its job too well though.:eek::D
 

Cowpipe

Haha, that's very true actually! :D It managed to detect some of the samples which were unreleased, would have been great to have Norton detect the samples (so I could categorise them), the problem was that rather than quarantine items by default, it just deleted them.

Unfortunately @marg Norton has a long history of this kind of behaviour, for example when a false detection caused Norton to delete important system files and indeed part of its own files (preventing it from updating). Having said all that, I can't help but admire your interesting take on things! :p
 

Arakasi

Will you be OK without it?
Probably / Most definitely

Would we (every ESET user) be OK if everyone disabled it?
Absolutely, positively, NOT !!

It helps all of us together, catch new threats (zero-days). In a sense, we need each other, to help each other, spread info about these new threats that are popping up daily, and keep prevention up and spread down, and low, especially evil ones that are self-replicating (very rare these days). Or ones that move through mail (example).

https://forum.eset.com/topic/2369-disabling-eset-live-grid/
https://forum.eset.com/topic/2366-a...ion-in-internet-security-products/#entry13504

That goes for the rest of the antivirus companies, that only have this option to assist in a group contributed effort to watch malware.
It's highly likely these companies care more about company growth, business success, the fight against malware, and to help get their product out there, than your documents, movies, pictures, which they probably care nothing about.

The exchange of personally identifiable information is a totally different story, and that is a topic that has already been discussed.
It is not exchanged.

However we do have a discussion going on back at the ESET forums regarding the unencrypted license info transferred back and forth.
We are waiting to hear back from staff.

Good day :)
 