MacDefender

NOTE: This is not meant to be a political/conspiracy-related thread. I'd prefer to just focus on the cloud telemetry / automatic sample submission aspect.

Using Kaspersky for about a week now has gotten me to take a closer look at the whole NSA controversy. In terms of what factually happened, it seems like the verifiable part of the story is:
  1. An NSA worker plugged in a thumb drive containing state-sponsored malware
  2. Kaspersky scanned and detected the malware
  3. An automated cloud submission process reported that back (or collected the entire sample?)
  4. This helped Kaspersky identify the source (the NSA), but the NSA accuses Kaspersky of exfiltration through this process.
In general, this is basically how every cloud-based AV works. You are contributing to the cloud intelligence every time you encounter a new executable/file, and the cloud reserves the right to collect either the entire binary or just metadata about it as you encounter such files. In fact, for some, like the F-Secure or Avira cloud, the privacy policy states that they may collect the entire executable as part of cloud / sandbox scanning.

So this got me to look at Kaspersky's privacy policy, and here's the section I could find:
B. RECEIVED INFORMATION

In order to help detect new and evasive information security threats and their sources, identify potential intrusion threats, and act promptly to improve the level of protection of the information stored and processed by the User on the computer, the User agrees to automatically submit the following information:
1. Information about the version of the operating system (OS) installed on the computer and the OS service packs installed: OS bit version, kernel objects, drivers, services, Microsoft Internet Explorer add-ons, printing system add-ons, Windows Explorer add-ons, objects downloaded, Active Setup elements, control panel applets, entries in the hosts file and the system registry, network name of the computer (local and domain names), regional settings of the OS (time zone, default keyboard layout, interface language), UAC settings, OS firewall settings, OS parental control settings, data and settings of operating system services.
2. Information about all installed applications: the name and version of the installed application, the versions of installed updates, the name of the publisher, the date of installation and the full path to the installation folder on the computer.
3. Information about the installed software of the Rightholder and status of anti-virus protection of the computer: software version, information about the files of loaded modules, their names, sizes, paths to them, checksums (MD5, SHA2-256, SHA1), publisher, signature and integrity, IDs of processes into which modules have been loaded, the module loading sequence, versions of anti-virus databases used and the time of their most recent update, statistics on updates and connections to Rightholder’s services, unique ID of software installation on the computer and unique ID of the computer, information about the software operating mode.
4. Information about the wireless network connection of the computer used: wireless network name, checksums (MD5 and SHA256) of the MAC address of the access point, attribute of the computer being powered by a battery or power grid, attribute of DNS availability, type of computer, information about the type and level of security of the wireless network; unique IDs consisting of the unique ID of the computer, unique ID of software installation on the computer, name of the wireless network, and MAC address of the access point; information about wireless networks available for connection: network name, MAC address of the access point, information about network security and signal quality level; attribute of a VPN connection being used, category of wireless network configured in software, DHCP settings, checksum (SHA256) of the IP address (IPv4 or IPv6) of the computer, domain name and checksum (SHA256) of the path from the URL address of the Internet access service; parameters of WPS access points: checksums of the name and serial number of the device, name and number of the device model, name of the device manufacturer; local time of the start and end of computer connection to the wireless network, mode of control of device connections to the home wireless network, list of available wireless network access points and their parameters.
5. Information about activity on the User’s computer: information about processes running in the system (system process ID (PID), process name, account under which the process was started, the application or command that started the process, the full path to process files and the command string used to launch the process, indicator signifying that the process file is on the autorun list, a description of the product to which the process belongs (product name and publisher information), information about digital certificates used and information needed to verify their authenticity, or information to the effect that the file does not have a digital signature), URL addresses of the websites visited and time of visits, response from the DNS server and duration of response buffering, IP addresses (IPv4 or IPv6) of the DNS server or domain of the website, domain name, method of domain name discovery, attribute signifying that the domain name is listed, name of the file of the process accessing the website, size and checksums (MD5 and SHA256) of the file, path to the file and path template code, result of verification of the file’s digital signature, User Agent string, duration of storage of this information prior to transmission to KSN, search queries, parameters of HTTP queries, protocol processing error type, time that has elapsed since the last user activity on the computer, as well as information about modules loaded into processes: their names, sizes, types, checksums (MD5, SHA2-256, SHA1), and paths to them.
6. Information about all scanned objects and operations: name of the object scanned, scan date and time, names and sizes of files scanned and paths to them, date and time of file creation, name of the packer (if the file was packed), data of the PE header of the file, version of the compiler, number, size and data of file sections, file entropy, ID of file type and format, URL and IP addresses from which the object was downloaded, ID of the download protocol and number of the connection port, checksums (MD5, SHA2-256, SHA1) of the process that downloaded the object, checksums of the object (MD5, SHA2-256, SHA1), type and value of the additional checksum of the object, information about the digital signature (certificate) of the object (date and time signed, name of the certificate holder, serial number of the certificate and checksum calculation algorithm, information about the public key of the certificate: checksum (SHA2-256) of the public key, ID of the certificate database, name of the certificate issuer, result of certificate verification), ID of the software task that performed verification, date and time of verification, result of completed verification, and decisions of the user and product following verification, information about changes of the trust group.
7. If a threat or vulnerability is detected, information about the object scanned is supplemented with information about the ID, version, and type of the anti-virus database record, threat name per the Rightholder’s classification, checksums (MD5, SHA2-256, SHA1) of the file of the application that requested access to the URL where detection occurred, the IP address (IPv4 or IPv6) of the threat detected, ID of the type of traffic in which detection occurred, ID of vulnerability and its danger class, URL address of the page where detection occurred, number of the script on the page, ID of the threat, type and status of detection, interim results of object analysis, attribute signifying that the object is a container, and the level of process integrity.
8. Network attack information: IP address of the attacking computer and number of the port on the user’s computer targeted by the network attack, ID of the attack protocol, name and type of attack.
9. URL and IP addresses of the page where malicious or suspicious content was detected, name, size, and checksum of the file that requested access to this URL, ID and weight of the rule that returned the scan verdict, and attack target.
10. Information about links blocked by the Parental Control and Web Policy Management components: reason for the block, version of the Parental Control and Web Policy Management components, URL and IP address of the blocked link.
11. Information about operation of the URL Advisor component: user decisions on whether domains are safe or malicious based on scan results, checksums (MD5) of the URL and Referrer of the domain scanned, ID of the URL Advisor component.
12. Results of email scanning by the Anti-Spam component: version of the Anti-Spam component, IDs of triggered scan rules and their weight, IP address of the sender, most probable IP address of the spam source, email status after scanning.
13. Information about operation of the Safe Money component: attribute of its operating mode, information about changes made by the user to the list of websites protected by the component: URL address and Referrer (if any) of the website, attribute signifying that the website has been edited, edited, or removed, mode of component startup for this website, context of changes made to the list of websites; information about the browser used to visit the website: URL address and Referrer of the website, name and version of the browser, type of browser startup, duration of launch and attribute of launch success, information about the level of its protection and type of message about the level of protection, name and version of the browser from which the browser currently in use was launched.
14. Information about operation of the Trusted Applications Mode component: ID of the version of its settings, attribute of its operating mode, result of file status verification and source of the trusted status, aggregated data on the number of trusted, untrusted, and unknown objects.
15. Aggregated data on the results of scanning using local and cloud KSN databases during the scan period: number of unique unknown objects, number of unique trusted objects, number of unique untrusted objects, total number of “unknown object” verdicts, total number of “trusted object” verdicts, total number of “untrusted object” verdicts, number of objects found to be trusted based on certificate verification results, number of objects found to be trusted based on the trusted URL address, number of objects found to be trusted based on the logic of trust inheritance from a trusted process, number of unknown objects for which a trusted or untrusted verdict has not been issued, number of objects that the user marked as trusted. Version of the local KSN database on the computer at the time of transmission of statistics and ID of the database management setting of software, information about successful/failed requests to KSN (connections and transactions) and the time spent on transactions, duration of the KSN connection session, volume of data sent and received, start and end times of the operation to gather information to be relayed to KSN, and the total number of requests to KSN that have failed for some reason with the reason indicated.
16. Information about operation of the Private Browsing component: Referrer from the HTTP tracking request, name of the service or organization providing tracking services, category of the tracking service per the Rightholder’s classification, ID and version of the browser that opened the URL.
17. If a potentially malicious object has been detected, the transmission includes information about process memory data, elements of the hierarchy of system objects (ObjectManager), UEFI BIOS memory data, names of registry keys and their values.
18. Information about system log events: event time, name of the log where the event has been detected, type and category of event, name of the event source and event description.
19. Information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file of the process that opened the port, path to the process file and its digital signature, local and remote IP addresses, numbers of the local and remote connection ports, connection status, port opening time.
20. Information about the running file: its checksum, format, number of times the file was run, version of the statistics package, software details: build number, IDs of the application and its version.
21. Information about the completed rollback of malware activity: information about the file whose activity is rolled back (file name, full path to the file, file size and checksums (MD5, SHA2-256, SHA1)), information about successful and failed attempts to remove, rename, or copy files and restore registry values (names of registry keys and their values), information about system files modified by malware before and after the rollback, name of the detected threat per the Rightholder’s classification, ID of anti-virus databases and ID of the record in anti-virus databases based on which the verdict was returned.
22. Information about the use of VPN connection: IP address of the VPN server to which the connection is established, unique ID of software installation on the computer.

If software had been unloaded, the data listed under items 5, 6, 7 are not transmitted but may be stored in a limited-size storage on the User’s computer. Such data cannot be restored after software is removed. After software has loaded, such data will be relayed to Kaspersky Lab for the purposes mentioned above.

Objects that can be exploited by intruders to harm the User’s computer can be also sent to Kaspersky Lab to be examined additionally:
• Files or their parts.
• Name, size, and version of the file being sent, its description and checksums (MD5, SHA2-256, SHA1), file path, ID of the format, name of the publisher, name of the product to which the file belongs.
• Certificate validity start and end dates and times if the file being sent has a digital signature, date and time when the certificate was signed, name of the certificate publisher, information about the certificate holder, impression and public key of the certificate and algorithms used to calculate them, certificate serial number.
• Information about the date and time of creation and modification of the file, an attribute signifying whether or not the date and time of file signature is used in signature verification, the result of integrity verification of the file.
• Objects detected at malicious links.
Such objects may be temporarily stored on the User’s computer until they are transmitted.

In addition, for purposes of preventing and investigating incidents, the transmission may also include executable and non-executable trusted files, segments of random access memory, boot sectors of the operating system, and application activity reports containing:
• Information about processes and services that have been started: checksums (MD5, SHA2-256, SHA1) of the process or service file, file name and size, file path, names of and paths to files accessed by the process, names and values of registry keys accessed by the process, segments of random access memory, URL and IP addresses accessed by the process or from which the file that was run originated.
• The name of the account under which the process is running, the name of the computer on which it has been started, headers of process windows, ID of anti-virus databases, name of the threat detected per the Rightholder’s classification, unique ID of the license, expiration date and type of license, version of the operating system (OS) and service packs installed on the computer, and local time.

To improve product performance, the User agrees to submit the following information to Kaspersky Lab:
• Information about the Rightholder’s software installed on the computer: date and time of installation, software name and version, versions of installed updates, information about the license installed (its ID and type), unique ID of software installation on the computer and unique ID of the computer, interface localization, date and time set on the computer at the time of data transmission to KSN, ID of software rebranding.
• Information about the versions of the operating system (OS) and service packs installed on the computer, current OS localization language and the localization language selected during OS installation, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, OS architecture, parameters of the OS operating mode, information on whether or not the Device Guard mode is enabled.
• Information about software installed on the computer: software name and the name of its vendors, information about registry keys and their values, information about files of components of installed software (checksums (MD5, SHA2-256, SHA1) of the file, file name, path to the file on the computer, size, version, and digital signature), type of application involved in the detection.
• Information about hardware installed on the computer: information about RAM size, processor (CPU) brand and number of cores, brand of hard drives (HDD), type, name, model, and version of firmware, parameters of integrated and plug-in devices.
• If a threat is detected, the attribute signifying that the object is a container and the level of process integrity are transmitted.
• Information about the use of the product’s user interface: information about open interface windows (IDs and names of windows and control elements used) and navigation between windows, data describing the reason for window opening, time and type of user interaction with the interface, information about changes made to product settings and parameters (name of the setting or parameter, their old and new values).
• Information about errors encountered by product components: error type and time, ID of the product component and task that returned the error.
• Information about the scanning of secure connections: certificate used in establishing the connection and its checksums (MD5, SHA2-256, SHA1), DNS and IP address (IPv4 or IPv6) of the network resource, number of the remote port, name and version of the application being run that established the secure connection, and the path to this application, code of the error encountered while scanning the secure connection (if an error has been returned).
• Information about incompatible third-party software found during product installation: time and method of detection of incompatible software, its name and type, localization of the product being installed, date of release of the component responsible for detection of incompatible third-party software, information about the decision made by the user on the third-party software detected.
• Information about the quality of updates of the installed product and anti-virus databases: IP address (IPv4 or IPv6) of the update source used, type of the update task, ID of the previous and current software update, number and total size of files downloaded during the update process, average update file download rate, average speed of network transactions during the update process, status of completion of the update task, type of error that may have occurred during the update process, ID of the product component that runs the update, value of the TARGET filter of the update task; date of creation of index files of the installed and downloaded updates, date and time of the installed and downloaded updates.
• Information about the resources used by product components during object scans: actual and average duration of scanning by different product components, total, minimum and maximum scan times, network traffic interception, number of scan requests, ID of the scan operation, start and end times of the launch of the service process and interface of the Kaspersky Lab product, duration of gathering of data on third-party software, number of events during this time.
• Information about interactions between the product and My Kaspersky services: ID and name of the service domain to which the request has been sent, number of requests and successful/failed connections to each service, number of responses from each service, number of request errors and timeouts, start and end times of the process of gathering data on the number of requests and connections.
• Information about the process attacking the product self-defense component: name and size of the process file, its checksums (MD5, SHA2-256, SHA1), full path to the file and path template code, dates and times of creation and compilation of the process file, attribute of an executable file, attributes of the process file, information about the certificate with which the process file is signed, code of the account under which the process was launched, IDs of operations performed to access the process, type of resource with which the operation is performed (process, file, registry object, window search using the FindWindow feature), name of the resource with which the operation is performed, operation success or failure, reputation of the process file and its certificate according to KSN.
• ID of the software process being attacked.
• ID of the event that crashed the software or application installed on the computer.
• Information about software operation on the computer: information about processor (CPU) usage, data on memory usage (Private Bytes, Non-Paged Pool, Paged Pool), number of active protocols and number of waiting threads, duration of software operation until the error occurred.
• Information about the system at the time when the BSOD occurred: name and version of the driver that caused the BSOD, code of bug check and its parameters, driver failure stack, ID of the type of detected memory segment created during the failure, attribute of OS session duration of more than 10 minutes prior to the BSOD or unexpected power off, unique ID of the OS memory segment, date and time of the BSOD, reports of software drivers from the memory segment (error code, module name, name of the file with source code and the string in which the error occurred), full number of the OS kernel build, name, localization, and version of the application in which the failure was detected, number of error and its description from the system log of the application for which the failure was detected, information about an exception error in the application, address of the application failure in the format of a module offset, name and version of the application module in which the failure occurred, attribute of application failure in the software plugin, failure stack, duration of application operation prior to the failure, method of detection of the software failure (driver intercepts, traffic processing, or number of waiting threads), name of the process that initiated traffic interception or exchange that resulted in the software failure.
• Name of the root index file of databases, its date and time, secondary index files and their date and time for certain categories of updates, names of certain files from updatable categories and their checksums for databases already downloaded and those being downloaded.
• Information about the NativeImage file: type, name, checksums (MD5, SHA2-256, SHA1) of the file, full path to the file on the computer, file path template code, ID of the version of the file module, checksum (SHA256) of the digital signature of the build from which the file being scanned was created, and ID of the method of determination of the build, IDs of file integrity check results.
• Information about operation of the Private Browsing component: URL addresses added by the user to the list of exclusions or removed from it, attribute signifying that an URL address has been added to or removed from the list of exclusions, ID of component configuration.
• Information about the System Watcher component: full number of the component version, build number, ID of the current component event that took longer to process than the time limit set, event processing duration, total number of such events, name and checksums (MD5, SHA2-256, SHA1) of the file of the process that initiated the current event, name and code of the directory containing the file on the computer, maximum permissible event processing time, code of the event that caused an event queue overflow and the total number of such events, name of the file, directory, and code of the drive directory containing the file of the process that initiated the current event that caused an event queue overflow, checksums (MD5, SHA2-256, SHA1) of this file, ID of the event whose processing was interrupted due to timeout, ID of the interception filter and type of interception event, size of the event queue of the component at the time of transmission of statistics, difference between the first and current events in the queue at the time of transmission of statistics, probability of transmission of statistics, ID of preparation of statistics, type of scan task from which the product received the date of installation of the detected application, path, date, and time of installation and most recent use of the detected application, status of the detected application, date and time of the OS launch, date and time of received event of a controlled action in the OS, date and time of the product installation, date and time of System Watcher launch, the number of reinitializations of antivirus databases after their update, date and time of the last reinitialization of antivirus databases after their update, delay time of processing an event of an action in the OS by the subsystem of permanent event storage, delay time of processing an event of an action in the OS by the subsystem of proactive protection, delay time of processing an event of an action in the OS by the subsystem of behavioral analysis, the number of queued synchronous events of performed actions in the OS, the number of processed events of performed actions in the OS, the number of processed synchronous events of performed actions in the OS, the number of delayed events of the current type of performed actions in the OS, summarized delay time of all the events of the current type of performed actions in the OS, summarized delay time of all the events of performed actions in the OS.
• Upon detection of changes to a monitored system setting, the product submits the ID of the category of the modified setting, the ID of the type of setting change, and the name of the browser to which the setting belongs.
• Information about operation of the Installation Assistant component: name of the setup file of third-party software, checksums (MD5, SHA2-256, SHA1) of the setup file, its size, type, and full path to the file, path template code, additional information about the template file (file description and version, name and version of software installed by the file, name of software publisher, internal file name, original file name, copyright notice, language of software localization, attribute of availability of a digital signature, name of the entity or organization that signed the file), date and time of the most recent update of anti-virus databases installed on the computer, name of the category of the setup file per the Rightholder’s classification, ID, version and type of the anti-virus database record used, attribute of detection of the setup file in debugging mode, type and version of the template of the user interface of the setup file, its checksums (MD5, SHA2-256, SHA1), information about the use of the user interface of the setup file: ID of user activity involving an interface element, name, location and text of the interface element, attribute of the presence of command line parameters during the launch of the setup file, ID of the component scenario under which the statistics are transmitted, full version of the component.
• If the product detects an URL address that is used by an installer to download content that may contain advertising or proposals to install additional application, the transmission includes the detected URL address (domain name from the URL address if accessed via a secure protocol), the name of the URL address category per the Rightholder’s classification, the Referrer and IP address (IPv4 or IPv6) of the detected URL address.
• Information about the failed last OS reboot: number of failed reboots.
• Information about updates of installed applications: IDs of the application being updated and its updates, IDs of the localization language of the application and its updates, application version before the update, URL address used to download the update setup file, ID of the setup file download error (if any), attribute signifying a violation of the integrity of the update setup file, ID of user action when the list of exclusions is used, type of application being updated, names of process files preventing the installation of the update, ID of the update result, parameters of the command line for launching the setup file of the update, attribute of successful update installation.
• Information about operation of the PC Cleaner component: version of the database with information about installed applications and their updates, name and version of the scanned application, registry folder associated with the given application, folder into which the application was installed, string with the application removal command, language of application localization, ID of the application scan result, attribute of application installation only for the current user, attribute of application scanning in debugging mode, ID of user action when the list of exclusions is used, types of applications recommended for removal and applications being removed, names of process files preventing the removal, ID of the result of removal, attribute of successful removal, information about the suite to which the detected software belongs: ID, version, name, developer, language ID, type of the primary application in the suite, source of information about the date of its installation, date and time of installation and most recent use of the primary application in the suite, as well as the installation path and level of protection provided.
• Information about the use of Virtual Private Network (VPN) functionality: duration of the VPN session, information about the geographic location of the VPN server, volume of outbound and inbound traffic, ID of the VPN session launch scenario and type of launch, ID of user action upon the launch of the VPN session, type of the event that terminated the VPN session, type of processing of wireless network information, wireless network name, checksum (MD5) of the MAC address of the access point, information about wireless network type and security, checksums (SHA256) received using the unique ID of software installation on the computer, wireless network name and MAC address of the access point, attribute of availability of a VPN session launch scenario for the wireless network and the URL address, domain segment of the URL address for which the VPN session launch scenario was activated, value of the setting allowing the display of notifications about connections to an unsecured wireless network, the type of VPN session launch, ID of user action upon the VPN session launch.
• Information about the use of adaptive protection scenarios: ID of software or user action upon detection of password input; ID of OS setting that lowers the level of computer protection, ID of software or user action upon detection of this OS setting, type of subject that changes the OS setting, type of scan task during which the OS setting was detected, result of the scan task; checksum (SHA256) obtained using the unique ID of software installation on the computer and the ID of statistics, as well as the ID of attributes signifying that the computer is being used by a child.
• Information about any software notification: type and ID of the notification, the notification checksum (MD5) obtained using the computer ID and the ID of statistics being sent, the type of user activity indicating an active use of the computer, as well as the description of the application that is active at the time of user activity.
• Device information: MAC address, type, number of characters in the name, the name of the vendor, method of detecting the device in a Wi-Fi network; version of the engine to detect the device in a Wi-Fi network; type, vendor, name and OS of the device detected in a Wi-Fi network, and other technical information.
• Information about the use of application during suspension of anti-virus protection: name and checksum (MD5) of the executable file of the application, file path and file path template code, information about the reason for and duration of suspension of anti-virus protection.
• Information about hard drive parameters: ID of the S.M.A.R.T. parameter, data of S.M.A.R.T. attributes, model, serial number, name and version of firmware, size, status, operating time and temperature of the hard drive.
• Information about detection of incompatible driver environment: processor architecture, OS kernel version, full OS version with extended options and kernel version, extended CPU information, name of the incompatible driver, driver integrity options, operational state of drivers, full version of drivers, hypervisor support status.

By participating in the KSN program, you agree to submit the following information for the purposes listed above:
• Unique ID of software installation on the computer.
• Full version of installed software.
• ID of software type.
• Unique ID of the computer on which software is installed.

Namely, with regards to binary submissions:
17. If a potentially malicious object has been detected, the transmission includes information about process memory data, elements of the hierarchy of system objects (ObjectManager), UEFI BIOS memory data, names of registry keys and their values.
• Files or their parts.
• Name, size, and version of the file being sent, its description and checksums (MD5, SHA2-256, SHA1), file path, ID of the format, name of the publisher, name of the product to which the file belongs.
• Objects detected at malicious links.

Long story short, there's very permissive language being used here that basically says that if Kaspersky detects a suspected attack, they are willing to upload many files that they think are related to the attack.

What's interesting to me is that most cloud services have a clause where they basically say they only upload executables (WinPE executables, DLLs, etc.) and not documents/scripts. Kaspersky does not. Kaspersky's policy also has a lot of language regarding unique identifiers -- they don't usually send things like serial numbers or MAC addresses, but they do mention they send hashes of such information and use it. This is very different from a lot of other cloud providers, who anonymize this sort of information.

Overall I think this makes their cloud a lot more powerful in terms of being able to analyze zero day samples on customer machines, but it's worth remembering, as a general reminder, ALL cloud AVs perform this kind of automatic sample submission. They usually have a way to turn it off, but sometimes that comes at the expense of no longer being able to use the cloud database anymore (e.g. you have to participate to get the benefits). Kaspersky's KSN policy is very transparent in terms of spelling out what they are doing, but what they are spelling out is rather broad. The kinds of things they are collecting (exact paths of files, samples of files, hash of your MAC address, name of your wifi network, list of all installed applications and their exact versions) can be used to form a very specific fingerprint that de-anonymizes the user, which can be easily part of the explanation for how a cloud sample submission was enough for Kaspersky to tie one person's file on a thumb drive to the organization that it came from.


I'm curious what thoughts and experiences we have about the Kaspersky cloud or any other cloud in terms of what gets automatically submitted, etc.

MacDefender

Level 12
Verified
Just to follow up, I'd like to contrast this with the F-Secure Cloud Privacy Policy, which is slightly more explicit about the privacy implications. The whole document is here, but I'll quote some segments: Security Cloud privacy policy | F-Secure

F‑Secure automation is built to break F‑Secure's capability to link uploaded security data back to the user. Hence, we consider data in the Security Cloud as anonymized.

In some cases, these engines may encounter suspicious files that require deeper analysis within F‑Secure Security Cloud. This use case is limited to executables. Files uploaded in this fashion are processed by automation, which may perform structural and/or behavioral analysis. Files passing through our automated analysis systems are subject to strict controls.
In this document, metadata refers to information such as file size, file name, file path, observed behaviors, or name of the detection. Executables in this document means applications and interpreted content such as Flash, Silverlight, document macros, and scripts.

By design, F‑Secure's protection services do not send any user-generated content, such as document files, to Security Cloud. Such files are already filtered out by the client software. Document files and other user-generated content file types may contain executable payloads (metadata). Cyberattacks often utilize scripts in document files and therefore it is important to extract the executable content from document files and perform cloud analysis for such metadata.

  • Send data incrementally. Security Cloud only collects more detailed data when it cannot deduce the nature of the suspicious behavior. At the first stage, Security Cloud only does a reputation query for an object. If this is insufficient, Security Cloud submits metadata about the object. If that is still insufficient, the object itself may be uploaded to Security Cloud for in-depth analysis.
  • Store only high-level IP information. The customer's full IP address is never stored. Some of our cloud analysis mechanisms collect metadata derivable from IP addresses connecting with that service, such as country and city-level geo-mapping information.

MacDefender

Level 12
Verified
It was a big scandal. Was it actually true? Who knows... but it's hard to trust Russians. Eugene Kaspersky has ties to the KGB.
Anyway, for the normal user it shouldn't matter.

It was, and I don't really care to speculate on whether the scandal itself is true or not. What I'm highlighting here is what you are giving Kaspersky permission to do by joining KSN, spelled out by their legal document. It is quite broad.

Personally, for the ways I use my Windows machines, I'm okay with it. But I don't think the average person that installs Kaspersky is explicitly aware of how much information the application is allowed to collect about your computer and your activities, especially if it sets off KSW or the signature engine.

EDIT: I am in no way singling out Kaspersky. F-Secure is the product I'm most familiar with from a privacy policy standpoint, this was just a point of comparison. I have no doubt that many other cloud AVs have similar data collection to Kaspersky.

DSD27

Level 5
It was, and I don't really care to speculate on whether the scandal itself is true or not. What I'm highlighting here is what you are giving Kaspersky permission to do by joining KSN, spelled out by their legal document. It is quite broad.

Personally, for the ways I use my Windows machines, I'm okay with it. But I don't think the average person that installs Kaspersky is explicitly aware of how much information the application is allowed to collect about your computer and your activities, especially if it sets off KSW or the signature engine.
Does it get much more information than other AVs?

MacDefender

Level 12
Verified
Does it get much more information than other AVs?

In my opinion it does -- compare the big quote block from my original post to my second post, which is F-Secure's cloud collection policy. Kaspersky is collecting much more fine-grained information about your machine as well as what exactly malware is doing on your machine (e.g. if ransomware rollback happens, the full name of each file rolled back is sent to the cloud).

SeriousHoax

Level 32
Verified
In short, Kaspersky literally uploads everything, every bit of info 😯
I haven't read ESET's privacy policy, maybe you can have a look? But the thing I like about ESET's auto submission is that, in settings, there's an option to log all the suspicious files that get submitted to ESET, and this also notifies you when it submits something to them. This way, I know exactly when and what files are submitted to them. Submission of documents is disabled by default but can be enabled if someone wants to. There's another option which submits anonymized statistical information, but this can be disabled too.
I don't know what else they collect, but I like this flexibility a lot and it is better than most security solutions out there.

Paul.R

Level 17
Verified

MacDefender

Level 12
Verified
In short, Kaspersky literally uploads everything, every bit of info 😯
I haven't read ESET's privacy policy, maybe you can have a look? But the thing I like about ESET's auto submission is that, in settings, there's an option to log all the suspicious files that get submitted to ESET, and this also notifies you when it submits something to them. This way, I know exactly when and what files are submitted to them. Submission of documents is disabled by default but can be enabled if someone wants to. There's another option which submits anonymized statistical information, but this can be disabled too.
I don't know what else they collect, but I like this flexibility a lot and it is better than most security solutions out there.


• Suspicious samples and metadata from the wild as part of ESET LiveGrid® Feedback System which enables ESET to react immediately to needs of our end users and keep us responsive to the latest threats providing. We are dependent on You sending us
  o infiltrations such as potential samples of viruses and other malicious programs and suspicious; problematic, potentially unwanted or potentially unsafe objects such as executable files, email messages reported by You as spam or flagged by our product;
  o information about devices in local network such as type, vendor, model and/or name of device;
  o information concerning the use of internet such as IP address and geographic information, IP packets, URLs and ethernet frames;
  o crash dump files and information contained.

Location data, screenshots, data about the configuration of your computer and data recorded by your computer's camera may be collected for Protection against misuse of Data function with retention period 3 months. The account on myESET needs to be created, through which the function activates data collection in the event of computer theft. Collected data are stored on our servers or on the servers of our service providers.
Ummmmmm I hope I'm misunderstanding what "data recorded by your computer's camera" means?


LiveGrid is unique-ish in that you can participate/benefit WITHOUT submitting, per the developers:
Regarding the LiveGrid feedback system, it sends suspicious files to ESET where suspicious undetected files are replicated and a detection may be created automatically if a file turns out to be malicious. As a result, a brand new malware potentially running on your computer may be recognized and cleaned automatically within a couple of minutes. Note that sensitive files, such as Office documents, are excluded from submission by default. In environments with a strict policy not allowing to submit files, you can disable the LiveGrid feedback system while still keeping the reputation system enabled and thus benefit from what LiveGrid brings.

Overall, ESET collects less identifiable information than Kaspersky in terms of what they spell out, but it's still more than F-Secure does, for example.

EDIT: Additional LiveGrid info:

These samples will also be sent to ESET in case the detection engine did not detect them. For example, samples which nearly missed the detection, or one of the ESET Internet Security protection modules consider these samples as suspicious or have an unclear behavior.

• Executables – Includes files like .exe, .dll, .sys.
• Archives – Includes filetypes like .zip, .rar, .7z, .arch, .arj, .bzip, .gzip, .ace, .arc, .cab.
• Scripts – Includes filetypes like .bat, .cmd, .hta, .js, .vbs, .ps1.
• Other – Includes filetypes like .jar, .reg, .msi, .sfw, .lnk.
• Possible Spam emails – This will allow sending possible spam parts or whole possible spam emails with attachment to ESET for further analysis. Enabling this option improves Global detection of spam including improvements to future spam detection for you.
• Documents – Include Microsoft Office or PDF documents with or without active content.

ACCDB, ACCDT, DOC, DOC_OLD, DOC_XML, DOCM, DOCX, DWFX, EPS, IWORK_NUMBERS, IWORK_PAGES, MDB, MPP, ODB, ODF, ODG, ODP, ODS, ODT, OLE2, OLE2_ENCRYPTED, OLE2_MACRO, OLE2_PROTECTED, ONE, ONEPKG, PDF, PPT, PPT_XML, PPTM, PPTX, PS, PSD, RTF, SYLK, THMX, VSD, VSD_XML, WPC, WPS, XLS, XLS_XML, XLSB, XLSM, XLSX, XPS

You are given 3 selections:

• All infected samples – All detected objects by Detection engine (including potentially unwanted applications when enabled in the scanner settings).
• All samples except documents – All detected objects except Documents (see below).
• Do not submit – Detected objects will not be sent to ESET.

Note that "Except documents" still includes archives (zip and RAR files)....
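As an added illustration (my own sketch, not code from any vendor or from an earlier post), here is the staged disclosure described in the F-Secure bullets (reputation query, then metadata, then the object itself) combined with the three ESET-style submission selections quoted above, so you can check for yourself that "all except documents" still uploads a .zip. The FakeCloud back end, the sample paths and the file contents are constructed for the demo and stand in for no real service.

```python
import hashlib
import os

# Submission categories as the quoted ESET documentation groups them (extension
# sets abbreviated to those the page lists).
CATEGORIES = {
    "executable": {".exe", ".dll", ".sys"},
    "archive": {".zip", ".rar", ".7z", ".cab", ".arj", ".ace", ".arc"},
    "script": {".bat", ".cmd", ".hta", ".js", ".vbs", ".ps1"},
    "other": {".jar", ".reg", ".msi", ".lnk"},
    "document": {".doc", ".docx", ".docm", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"},
}

def classify(path):
    """Map a file path to a submission category, or 'unknown'."""
    ext = os.path.splitext(path)[1].lower()
    return next((cat for cat, exts in CATEGORIES.items() if ext in exts), "unknown")

def upload_allowed(path, policy):
    """Three selections: 'all', 'all_except_documents', 'none'. Note that the
    middle one still lets archives through."""
    if policy not in ("all", "all_except_documents", "none"):
        raise ValueError("unknown policy: " + policy)
    return policy == "all" or (policy == "all_except_documents"
                               and classify(path) != "document")

class FakeCloud:
    """Constructed stand-in for a vendor back end (not any real service): knows a
    few clean hashes, flags scripts from metadata alone, calls the rest 'malicious'."""
    def __init__(self, known_clean):
        self.known = {hashlib.sha256(d).hexdigest(): "clean" for d in known_clean}
    def reputation(self, digest):
        return self.known.get(digest)
    def metadata_verdict(self, meta):
        return "suspicious" if meta["category"] == "script" else None
    def analyze(self, data):
        return "malicious"

class StagedClient:
    """Escalates disclosure one stage at a time (hash, then metadata, then the
    object itself) and logs each stage so the user can see what left the box."""
    def __init__(self, cloud, policy):
        self.cloud, self.policy, self.log = cloud, policy, []
    def check(self, path, data):
        self.log.append(("reputation", path))   # stage 1: SHA-256 only
        verdict = self.cloud.reputation(hashlib.sha256(data).hexdigest())
        if verdict is None:
            self.log.append(("metadata", path))  # stage 2: name, size, category
            meta = {"name": os.path.basename(path), "size": len(data), "category": classify(path)}
            verdict = self.cloud.metadata_verdict(meta)
        if verdict is None and upload_allowed(path, self.policy):
            self.log.append(("upload", path))    # stage 3: the whole object
            verdict = self.cloud.analyze(data)
        return verdict or "unknown"
```

With the "all_except_documents" selection a .docx never reaches stage 3, while a .zip wrapping the same content does; inspect `client.log` to see exactly which stage each file reached.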

MacDefender

Level 12
Verified
For me the CheckPoint privacy policy is like reading a book, so many pages...


I'm kind of curious, but ZoneAlarm seems to use the Kaspersky SDK (I saw UDS detections from it on VirusTotal). I clicked through their encyclopedia but didn't see whether or not they also contribute to the Kaspersky Security Network.

Tutman

Level 8
Verified
Namely, with regards to binary submissions:


Long story short, there's very permissive language being used here that basically say that if Kaspersky detects a suspected attack, they are willing to upload many files that they think are related to the attack.
I don't have KSN turned on for that reason and just being paranoid in general I guess! I don't like file submissions unless it doesn't know what it is or I can't opt out of it. One reason I don't like a lot of AV software.

DJ Panda

Level 29
Verified
I don't trust Russians really at all, but Kaspersky has been a reputable company for a long time despite its geographical location. Honestly the NSA can go * off. It's kinda funny that they got triggered messing with a malware THEY created. I feel no sympathy for them. "Security" association my butt..