SeriousHoax

Level 32
Verified
Sorry I missed this quote:

I think kudos goes to ESET for actually having a UI for communicating what they are uploading! Norton also has "File Insight" log events that roughly state that it uploaded something because you executed a download, for example, without a ton more detail than that.

Kaspersky's and F-Secure's are both really hush -- I don't see ANY log entries explaining that they are sending things back to the cloud.
Yes this is nice from ESET. Like KSN, ESET's LiveGrid can be used too without agreeing to submit. But LiveGrid is in no way as good as KSN.
Norton is the king of logs. Never seen a product with so many logs about everything it does, which is great even though some logs are not easy to understand.
Hmm right, it would be better if more products provided logs of the files they submit. But some products are even harsher. If I remember correctly, Bitdefender doesn't even have an option to opt out of their cloud submission.
 

MacDefender

Level 12
Verified
I have always considered KSN as a privacy-thing rather than protection. Based on that, I have never enabled/used this function. In what scale does KSN matter?
Here's a real world example. I was testing a home-coded ransomware simulator. I executed the sample in a VM running Kaspersky. System Watcher kicked in after 5 files got encrypted, killed the executable.

Little did I know, it also uploaded at least something about it to KSN.

Next up, on my host machine, when I tried to copy the file to another VM, Kaspersky on my host machine detected a "UDS: MSIL/something" trojan on that executable. 5 minutes ago, it was considered clean. But now, suddenly, it's considered malicious and detected via signatures, all because one VM running Kaspersky became victim of an attack caused by that executable.

This is the value of KSN as a security feature. For zero day circulating threats, it transforms a dynamic (behavior blocker) detection into a static detection for all other users.

In practice, any time you see a signature from Kaspersky that starts with "UDS", that means that someone opting into KSN encountered this, and reported it to the cloud automatically. If everyone stopped contributing, there would be no UDS cloud detections.

That's basically the fundamental value of a crowdsourced cloud like this. I do think it's quite valuable and the future of effective AVs. However, the feature needs to be a lot more transparent and communicative about what it's reporting back to the cloud.
 

Nightwalker

Level 21
Verified
Trusted
Content Creator
I have always considered KSN as a privacy-thing rather than protection. Based on that, I have never enabled/used this function. In what scale does KSN matter?

KSN is Kaspersky cloud, so you are missing reputation info, urgent detections, more advanced emulation tricks (done in the cloud), FP control and much more; KSN is one of the most robust modules (albeit "invisible") of Kaspersky.

If you use Kaspersky you NEED to have KSN enabled, no questions about it.

For me it is all very simple, if you don't trust Kaspersky (and their privacy policy), just use another product.

More info about all this:
 

MacDefender

Level 12
Verified
KSN is Kaspersky cloud, so you are missing reputation info, urgent detections, more advanced emulation tricks (done in the cloud), FP control and much more; KSN is one of the most robust modules (albeit "invisible") of Kaspersky.

If you use Kaspersky you NEED to have KSN enabled, no questions about it.

For me it is all very simple, if you don't trust Kaspersky (and their privacy policy), just use another product.

More info about all this:

This is very true as well. I didn't realize KSN supported this (thank you for the link), but many other advanced antimalware systems like F-Secure's Online Cloud and Cisco ThreatGrid do this.

Basically, the cloud has the option of capturing an executable, then attempting to perform automatic malware analysis on it in a sandbox, and have you wait there for a few seconds for a more detailed verdict. This is a common technique for an enterprise on-premise APT protecting box like those from FireEye/Palo Alto, but some AV software also does this as part of its security cloud.

If you are a "passive" KSN user, you definitely lose out on the malware emulating sandbox analysis. With that said, because of how computationally expensive this is, the cloud doesn't perform this analysis in realtime very often.
 
Hi there!!

Well, I think I might give some extra info I just discovered myself doing some tests...

Let's start and check what happened to me, let's see

Let's sign out of KSN network on my PC:

These were my settings of Application Control --> Maximum restriction doesn't allow writing to C:\

Let's disable KSN rules and see what happens:

I downloaded Audacity onto a USB and plugged it in... A right click on Audacity already shows that the KSN reputation check isn't available:

Trying to execute Audacity will fail

Let's check Application Control and see what happened

Kaspersky set it to maximum restriction... Let's delete it from list and update the Kaspersky history now:

Nothing there now...

Let's turn on the KSN rules back and see what happens:

Voilà!!! Now the Audacity installer works!!!!!

Let's see on Application Control what happened:

This time, the setup was put into trusted mode. You can even see it is trusted on the KSN if you right click on that file:

And remember, I opted out. But let's recheck just in case:

So, well, it looks like Application Control is still able to load KSN rules even though you opt out of the KSN policy (if an Internet connection is available; if not, it will still go to high restricted, as if you opt in to KSN). However, you will lose the ability to check reputation on right click.

I hope this helps clarify a bit, as for me it has given me the whole key about it!!

Cheers!
 

MacDefender

Level 12
Verified
I would uninstall the product if I do not trust or have some doubts about it rather than disabling some components.

I don't distrust the product, I just have certain cases where I don't want the kinds of information they say they're going to collect and I concentrate all of that onto one machine.

I think Kaspersky is being very forthcoming with what they collect and I fully understand why they're taking it.

It's just like how I don't distrust Google enough to throw out all of my Google Assistant devices, but I won't talk about private health / confidential work matters while the mic is on.

They gave me a control and I trust that it works. Same with KSN -- I trust that when I say I turn off KSN, it won't be uploading parts of files, list of processes, etc etc etc.

Hopefully that description makes sense, it's hard to find the words for it. I think I can both trust the program AND decide that certain features are not appropriate for my use cases.
 

blackice

Level 28
Verified
It is good to remember the level of access an AV has to your system. Just recently there was the controversy with anti-cheat software having kernel access. We all have to consider what we allow such low level access on our systems. If an AV company wanted to spy they all could. That’s why I trust Edge, M$ already has access to everything if they want to spy on me. Guess what, I bet my money (literally) that they don’t. Or I wouldn’t run Windows. I’m boring as heck, and if M$ wanted to steal my banking info they have the deep pockets to sue into the ground, and no reason to do so anyway. They nickel and dime ME into the ground anyway. If you trust K installed I’d trust KSN, unless I was a developer (or similar), which I believe is the case with our friend @MacDefender .
 

MacDefender

Level 12
Verified
It is good to remember the level of access an AV has to your system. Just recently there was the controversy with anti-cheat software having kernel access. We all have to consider what we allow such low level access on our systems. If an AV company wanted to spy they all could. That’s why I trust Edge, M$ already has access to everything if they want to spy on me. Guess what, I bet my money (literally) that they don’t. Or I wouldn’t run Windows. I’m boring as heck, and if M$ wanted to steal my banking info they have the deep pockets to sue into the ground, and no reason to do so anyway. They nickel and dime ME into the ground anyway. If you trust K installed I’d trust KSN, unless I was a developer (or similar), which I believe is the case with our friend @MacDefender .

That is correct — I am a software developer and a lot of my sensitive work does involve compiling and running brand new binaries — the kinds of things that KSN might collect. I would be doing myself and my clients a disservice to have that extricated and I totally understand the KSN terms as well as why this kind of uploading benefits their product and my security!

Just as an example, if I found some random free movie watching program, that’s something I distrust. It’s not touching this computer at all. That’s not how I regard Kaspersky or any other security product. I trust particular products like Kaspersky, ESET, Emsisoft, etc to do only things I agreed to let them do. But some products like ESET and in particular Emsisoft do not automatically upload anything to the cloud without me submitting it. Emsisoft says they will ask you for permission before reporting something to the anti-malware network. I would be willing to use that cloud service on this machine.
But at the end of the day I like the protection of Kaspersky, even if I have to run KSN in the passive mode on one of my machines.
 

blackice

Level 28
Verified
That is correct — I am a software developer and a lot of my sensitive work does involve compiling and running brand new binaries — the kinds of things that KSN might collect. I would be doing myself and my clients a disservice to have that extricated and I totally understand the KSN terms as well as why this kind of uploading benefits their product and my security!

Just as an example, if I found some random free movie watching program, that’s something I distrust. It’s not touching this computer at all. That’s not how I regard Kaspersky or any other security product. I trust particular products like Kaspersky, ESET, Emsisoft, etc to do only things I agreed to let them do. But some products like ESET and in particular Emsisoft do not automatically upload anything to the cloud without me submitting it. Emsisoft says they will ask you for permission before reporting something to the anti-malware network. I would be willing to use that cloud service on this machine.
But at the end of the day I like the protection of Kaspersky, even if I have to run KSN in the passive mode on one of my machines.
I would say there are benefits to autouploading for certain users. I don’t feel many MT visitors are in that category.
 

MacDefender

Level 12
Verified
I would say there are benefits to autouploading for certain users. I don’t feel many MT visitors are in that category.

I also fully believe that if something is off by default but opt in, more users will say no.

To the credit of many of these vendors (Kaspersky, Norton, and ESET and probably others too), you are asked at install time if you want to participate actively in their cloud component.
 

The Cog in the Machine

Level 23
Verified
I don't distrust the product, I just have certain cases where I don't want the kinds of information they say they're going to collect and I concentrate all of that onto one machine.

I think Kaspersky is being very forthcoming with what they collect and I fully understand why they're taking it.

It's just like how I don't distrust Google enough to throw out all of my Google Assistant devices, but I won't talk about private health / confidential work matters while the mic is on.

They gave me a control and I trust that it works. Same with KSN -- I trust that when I say I turn off KSN, it won't be uploading parts of files, list of processes, etc etc etc.

Hopefully that description makes sense, it's hard to find the words for it. I think I can both trust the program AND decide that certain features are not appropriate for my use cases.
But will we ever know if disabling KSN will stop Kaspersky from uploading some files and gathering some info? I believe that a capable company like Kaspersky can secure and hide what their software does. For me, while I believe that Kaspersky is not privacy friendly at all, I would use it because it is one of the best when it comes to security. I would not disable KSN even on devices where I store sensitive files; I am using Windows in the first place (which is the worst thing ever from a privacy point of view).
 

blackice

Level 28
Verified
But will we ever know if disabling KSN will stop Kaspersky from uploading some files and gathering some info? I believe that a capable company like Kaspersky can secure and hide what their software does. For me, while I believe that Kaspersky is not privacy friendly at all, I would use it because it is one of the best when it comes to security. I would not disable KSN even on devices where I store sensitive files; I am using Windows in the first place (which is the worst thing ever from a privacy point of view).
By that logic all vendors have the ability to spy and we should assume they all do. We can't verify any claims of what these vendors don't do.
 

MacDefender

Level 12
Verified
But will we ever know if disabling KSN will stop Kaspersky from uploading some files and gathering some info? I believe that a capable company like Kaspersky can secure and hide what their software does. For me, while I believe that Kaspersky is not privacy friendly at all, I would use it because it is one of the best when it comes to security. I would not disable KSN even on devices where I store sensitive files; I am using Windows in the first place (which is the worst thing ever from a privacy point of view).
I think this is hard to hide. There are security researchers much smarter than me looking at all of this software. They can compromise the machine they’re installed on but it’s very hard for them to hide from a firewall appliance or something inspecting the network traffic.

More importantly, if they steal data like that, they would be in violation of a lot of laws in countries where they conduct business, and I don’t personally believe they can afford to do that.

This would be the kind of attack reserved for cases like how the CIA strongarmed Edward Snowden’s email provider. If you aren’t that important to Kaspersky or Russia, in my opinion they will not risk getting caught stealing your data.
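
The claim in the post above, that uploads are hard to hide from a device inspecting network traffic, can be checked from outside the host. The following is an added example, not part of the original thread: it totals bytes per destination from a firewall flow export captured while cloud participation is switched off, and flags vendor destinations whose traffic is upload-shaped. The log columns, the `av-vendor.example` hostnames and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: flow records exported by a firewall outside the
# monitored host while cloud submission is switched off in the AV settings.
# Column names and hostnames are hypothetical placeholders.
FLOW_LOG = """\
ts,src_ip,dst_host,bytes_out,bytes_in
2020-05-02T10:00:01,10.0.0.5,reputation.av-vendor.example,412,380
2020-05-02T10:00:09,10.0.0.5,reputation.av-vendor.example,398,377
2020-05-02T10:01:30,10.0.0.5,updates.av-vendor.example,2100,48000000
2020-05-02T10:02:11,10.0.0.5,submit.av-vendor.example,310000,900
2020-05-02T10:02:40,10.0.0.5,submit.av-vendor.example,275000,850
2020-05-02T10:03:02,10.0.0.5,notav-vendor.example,900000,100
2020-05-02T10:03:15,10.0.0.5,reputation.av-vendor.example,n/a,120
"""


def audit_uploads(log_text, vendor_domain, min_out=100_000, ratio=5.0):
    """Return {dst_host: (bytes_out, bytes_in)} for vendor destinations whose
    aggregate traffic looks like an upload rather than a lookup or update.

    Assumption: hash/reputation lookups are small and roughly symmetric, and
    updates are download-heavy, so large outbound-dominant totals stand out.
    """
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(log_text)):
        host = (row.get("dst_host") or "").lower().rstrip(".")
        # Match the domain itself or a true subdomain, not a lookalike suffix.
        if host != vendor_domain and not host.endswith("." + vendor_domain):
            continue
        try:
            out_b, in_b = int(row["bytes_out"]), int(row["bytes_in"])
        except (TypeError, ValueError):
            continue  # skip malformed records instead of aborting the audit
        totals[host][0] += out_b
        totals[host][1] += in_b
    return {h: (o, i) for h, (o, i) in totals.items()
            if o >= min_out and o > ratio * max(i, 1)}


if __name__ == "__main__":
    for host, (out_b, in_b) in audit_uploads(FLOW_LOG, "av-vendor.example").items():
        print(f"upload-shaped traffic to {host}: {out_b} B out / {in_b} B in")
```

Byte counts only show that something large left the host, not what it was; comparing the same capture with participation switched on gives the baseline to judge against.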