MacDefender

Level 12
Verified
By that logic all vendors have the ability to spy and we should assume they all do. We can't verify any claims of what these vendors don't do.

Yeah there's basically two different levels of trust that we're talking about here:

The first, the one I wanted to focus on here, they are just doing what you agreed to in the form of a privacy policy or terms and conditions. In this case, as we have learned in this thread, you often are giving your AV vendor permission to upload a lot of information (potentially personally identifiable) in order to help with their cloud based intelligence.

The second, is what if the vendor is doing something sneaky they're not even telling you about? That's a valid question, and I am sure this happens all the time, where governments compel companies to do certain things, usually for high value targets where respect for the justice system gets thrown out the window. That I don't have any good advice on -- it's technically possible, and if you distrust the company so much that you think they might do that, then of course, as @The Cog in the Machine said, the wise thing to do is don't use their software at all.

But even focusing on the first one, there's some interesting implications, such as:
  1. If Kaspersky wanted to figure out who MacDefender is, they have all the info they need. They have already collected samples of all of my proof of concept demos. They likely collected the paths that include my username and the Visual Studio directory structure that proves that I own the source code. That's tied to a unique ID that identifies me as the paying license holder. This is what likely happened for the NSA state sponsored malware case, and the ability for them to do this is spelled out clearly in their privacy policy.
  2. In the USA, if a company owns this kind of records, they are legally required to respond to legal subpoenas for this information. Think of the times that FitBit data got used in murder trials, or Alexa voice recordings got used in court. Similarly, a court subpoena could easily ask "What URLs did MacDefender visit and what apps did he launch on this night?" if it's relevant to a case. As long as the company has a way of retrieving that data, they cannot easily turn down such a request.
 

blackice

Level 28
Verified
Yeah there's basically two different levels of trust that we're talking about here:

The first, the one I wanted to focus on here, they are just doing what you agreed to in the form of a privacy policy or terms and conditions. In this case, as we have learned in this thread, you often are giving your AV vendor permission to upload a lot of information (potentially personally identifiable) in order to help with their cloud based intelligence.

The second, is what if the vendor is doing something sneaky they're not even telling you about? That's a valid question, and I am sure this happens all the time, where governments compel companies to do certain things, usually for high value targets where respect for the justice system gets thrown out the window. That I don't have any good advice on -- it's technically possible, and if you distrust the company so much that you think they might do that, then of course, as @The Cog in the Machine said, the wise thing to do is don't use their software at all.

But even focusing on the first one, there's some interesting implications, such as:
  1. If Kaspersky wanted to figure out who MacDefender is, they have all the info they need. They have already collected samples of all of my proof of concept demos. They likely collected the paths that include my username and the Visual Studio directory structure that proves that I own the source code. That's tied to a unique ID that identifies me as the paying license holder. This is what likely happened for the NSA state sponsored malware case, and the ability for them to do this is spelled out clearly in their privacy policy.
  2. In the USA, if a company owns this kind of records, they are legally required to respond to legal subpoenas for this information. Think of the times that FitBit data got used in murder trials, or Alexa voice recordings got used in court. Similarly, a court subpoena could easily ask "What URLs did MacDefender visit and what apps did he launch on this night?" if it's relevant to a case. As long as the company has a way of retrieving that data, they cannot easily turn down such a request.
A fair point by both you and @The Cog in the Machine . There are vendors I don't trust, sometimes only a hunch. I wouldn't always argue it's logical but I trust it.
 
Kaspersky actually notified the nsa of the lapse in the security of their agent (by notifying what he had allowed to be uploaded to their cloud scanner), and it fit the democrats, rhinos, and fake news narrative at the time of Russian collusion, so they ran fake news crazy on it. if Kaspersky wanted to spy, they wouldn't have reported what they found.
 

MacDefender

Level 12
Verified
Or that's precisely what they wanted you to think, it would actually be pretty smart.
Haha that's the thing about speculating about motive -- the truth is something we can never know unless we're Kaspersky or the NSA.

But what's clear is that Kaspersky's explanation is plausible -- if you opt into KSN, you are giving Kaspersky consent to upload to KSN anything they deem suspicious. And that doesn't even have to mean it shows you that it detected anything during a scan. in the NSA case, it was an executable and a high interest strain of malware. So one might otherwise ask "Hey Kaspersky, of the billions of things that get uploaded to KSN, why did you look at that particular one with such scrutiny?", but I think the fact that it was a high value malware variant at the time is probably a sufficient explanation there.

It's hard to accuse a program of malice when it was literally doing exactly what you agreed to let it do. And we all agree that KSN is one of the most powerful, most effective cloud systems out there.
 
Hi there!!

Well, I think I might give some extra info I just discovered myself doing some tests...

Let's start and check what happened to me, let's see

Let's sign out of KSN network on my PC:

View attachment 238497

These were my settings of Application Control --> Maximum restriction doesn't allow to write C:\

View attachment 238496

View attachment 238514

Let's disable KSN rules and see what happens:

View attachment 238505

I downloaded Audacity on an USB and plug it... Right click on Audacity already shows that KSN reputation check isn't available:

View attachment 238506

Trying to execute Audacity will fail

View attachment 238503

Let's check Application Control and see what happened

View attachment 238507

Kaspersky set it to maximum restriction... Let's delete it from list and update the Kaspersky history now:

View attachment 238508
View attachment 238509

Nothing there now...

Let's turn on the KSN rules back and see what happens:

View attachment 238510

Voilà!!! Now the Audacity installer works!!!!!

Let's see on Application Control what happened:

View attachment 238511

This time, the setup was put into trusted mode. You can even see it is trusted on the KSN if right click on that file:

View attachment 238512

And remember, I opted out. But let's recheck just in case:

View attachment 238513


So, well, looks like Application Control is still able to load KSN rules although u opt-out KSN policy (if Internet connection is available, if not, it will still go to high restricted, as if u opt in KSN). However, u will lose abilty to check reputation on right click.

I hope this helps clarify a bit, as for me it has given me the whole key about it!!

Cheers!
Hey there!
It would be nice if some of you guys could try this as well and report if in your case it is behaving the same!
@MacDefender for example, since u are the OP, or maybe you @oldschool, @harlan4096 or anyone using Kaspersky haha Does in your case opting out KSN have same effect as described?
I tried with 3 exes and all behaved same, but would be nice to confirm if some of u guys e experiencing same!
Cheers!
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
This is normal behaviour, since one of the already mentioned in this thread features of KSN is whitelisting, if You disable Trust digitally signed applications and ALSO STOP KSN WHITELISTING RULES... You are stopping any criteria to Application Control categorizes the application to install, so it is moved to restricted group :)
 
This is normal behaviour, since one of the already mentioned in this thread features of KSN is whitelisting, if You disable Trust digitally signed applications and ALSO STOP KSN WHITELISTING RULES... You are stopping any criteria to Application Control categorizes the application to install, so it is moved to restricted group :)
Yes of course. But I thought that opting out KSN would make it unable to load the KSN rules, and looks like that it still load them although you opt out the KSN.
I thought that opting out would make App Control like untucked KSN rules or as no Internet available, but looks like it works same as if u opt in KSN if you have Internet ofc.
Cheers!
PS: I have always the trust digitally signed apps unchecked, then I rely on KSN only
 

fabiobr

Level 10
Verified
  1. This helped Kaspersky identify the source (the NSA), but the NSA accuses Kaspersky of exfiltration through this process.
Being the devil lawyer here, but NSA doesn't accuse only this, it accuses Kaspersky from stealing confidential documents beyond malware. Kaspersky, on a huge post in their blog SecureList, explains everything and says that the cloud system, by "mistake", sent everything in the folder and Eugene said to delete them (confidential docs) after a security analyst warned him. They said it was multiple detections on the folder, so the engine sent everything.

They said too that, since Kaspersky was one of the first companies detecting NSA malware, their proactive modules were set to detect this kind of malware and it did it. Most of them were PDM and HEUR.

Edit: If anyone is interested, they explain a little how detection works too Investigation Report for the September 2014 Equation malware detection incident in the US

Equation Group: NSA Malware, Kaspersky and Symantec (US!!) were one of the first companies publicizing this malware group and connecting it to NSA.
 
Last edited:

fabiobr

Level 10
Verified
You are being ingenuous if you think that Kaspersky proactive modules didn't send malware actions to the cloud, if System Watcher is triggered the module might send every data change made by malware and rollbacks info to Kaspersky servers. The first person infected is basically a virtual sandbox to them.

You really believe that such a good module doesn't need data to be powerful? And they would create a module that doesn't feedback and couldn't help their own detection? Kaspersky can rollback because get data of the system, of course, storage locally but the question is if this data is sent.
 

fabiobr

Level 10
Verified
I read much stuff, so it would be if you do a full scan it upload all things to KSN. One guy on kaspersky forum complained that it uploaded 1 GB stuff to K ..... I don't know how much they can see from the things it uploaded (like documents, pictures... etc)
Yes, that's why after a scan finished log says "X files exclude by the cloud check" or something like that.
 

fabiobr

Level 10
Verified
In a short, Kaspersky literally uploads everything, every info 😯
I haven't read ESET's privacy policy, maybe you can have a look? But the thing I like about ESET's auto submission is, in settings, there's option to log all the suspicious files that's gets submitted to ESET and this also notifies you when it submits something to them. This way, I know exactly when and what files are submitted to them. Submission of documents are disabled by default but can be enabled if someone wants to. There's another option which submits anonymized statistical information but this can be disabled too.
I don't know what else they collect but I like this flexibility a lot and is better than most security solutions out there.
I like this ESET approach, when I use ESET software always enable this notification of submission files.
 

fabiobr

Level 10
Verified
F-Secure is like because they have Mikko :)

Also


Also this

link-bloqueado.png

🤔
 

SeriousHoax

Level 32
Verified
There were few other reasons why USA suspected Kaspersky. I was discussing this with someone and he pointed this out to me. This is a quote from the Washington post article:
https://www.washingtonpost.com/worl...8ce774-aa95-11e7-850e-2bdd1236be5d_story.html
Kaspersky is also the only major anti-virus firm whose data is routed through Russian Internet service providers subject to Russian surveillance. That surveillance system is known as the SORM, or the System of Operative-Investigative Measures.
The company said that customer data flowing through Kaspersky's Russian servers is encrypted and that the firm does not decrypt it for the government.
Andrei Soldatov, a Russian surveillance expert and author of "The Red Web," said, "I would be very, very skeptical" of the claim that the government cannot read the firm's data. As an entity that deals with encrypted information, Kaspersky must obtain a license from the FSB, the country's powerful security service, he noted, which "means your company is completely transparent" to the FSB.

Here's one more quote from the NYT article
Kaspersky Lab did not discover the Israeli intrusion into its systems until mid-2015, when a Kaspersky engineer testing a new detection tool noticed unusual activity in the company’s network. The company investigated and detailed its findings in June 2015 in a public report.

Here's from Kaspersky report so Israeli hacker did actually monitor what Kaspersky does.
In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.

But again, Kaspersky's ties to FSB was still just a speculation without any solid proof so far. Kaspersky since moved a many of their services from Russia to Switzerland. But software development is still done on Russia. Anyway, personally I've no problem with using Kaspersky.
 

Devilboss94

Level 1
Hi, I have been a user of Kas for many years, this shows that I trust them and I personally consider it one of the most transparent companies together with Eset.
Doubting them only for that 2017 incident with Nsa is wrong in my opinion when there is no evidence and in addition to this Kas has immediately proved active in posting many user data servers from Russia to Switzerland.
I am very paranoid about privacy, I always disable all telemetry and sending files, but on Kas I have only disabled data for marketing purposes.