NOTE: This is not meant to be a political/conspiracy related thread. I'd prefer to just focus on the cloud telemetry / automatic sample submission aspect.
Using Kaspersky for about a week now, it's gotten me to take a closer look at the whole NSA controversy. In terms of what factually happened, it seems like the verifiable part of the story is:
- An NSA worker plugged in a thumb drive containing state sponsored malware
- Kaspersky scanned and detected malware
- An automated cloud submission process reported that back (or collected the entire sample?)
- This helped Kaspersky identify the source (the NSA), but the NSA accuses Kaspersky of exfiltration through this process.
In general, this is basically how every cloud based AV works. You are contributing to the cloud intelligence every time you encounter a new executable/file, and the cloud reserves the right to collect either the entire binary or just metadata about it as you encounter such files. In fact, some like the F-Secure or Avira cloud, their privacy policy states that they may collect the entire executable as part of cloud / sandbox scanning.
So this got me to look at Kaspersky's privacy policy, and here's the section I could find:
Namely, with regards to binary submissions:
Long story short, there's very permissive language being used here that basically say that if Kaspersky detects a suspected attack, they are willing to upload many files that they think are related to the attack.
What's interesting to me is that most cloud services have a clause where they basically say they only upload executables (WinPE executables, DLLs, etc.) and not documents/scripts. Kaspersky does not. Kaspersky's policy also has a lot of language regarding unique identifiers -- they don't usually send things like serial numbers or MAC addresses, but they do mention they send hashes of such information and use it. This is very different from a lot of other cloud providers who anonymize this sort of information.
Overall I think this makes their cloud a lot more powerful in terms of being able to analyze zero day samples on customer machines, but it's worth remembering, as a general reminder, ALL cloud AVs perform this kind of automatic sample submission. They usually have a way to turn it off, but sometimes that comes at the expense of no longer being able to use the cloud database anymore (e.g. you have to participate to get the benefits). Kaspersky's KSN policy is very transparent in terms of spelling out what they are doing, but what they are spelling out is rather broad. The kinds of things they are collecting (exact paths of files, samples of files, hash of your MAC address, name of your wifi network, list of all installed applications and their exact versions) can be used to form a very specific fingerprint that de-anonymizes the user, which can be easily part of the explanation for how a cloud sample submission was enough for Kaspersky to tie one person's file on a thumb drive to the organization that it came from.
I'm curious what thoughts and experiences we have about the Kaspersky cloud or any other cloud in terms of what gets automatically submitted, etc.
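The post's point that a "hash of your MAC address" is still identifying, shown as an added example that is not part of the original post: an unkeyed hash of a MAC can be recovered by enumerating the address space under one vendor prefix (OUI), while a keyed hash (HMAC) with a secret held only by the collector can be linked back to the device by the collector but not by a third party. The OUI, MAC and keys below are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values (not from the post): a hypothetical OUI and device.
SAMPLE_OUI = "00:11:22"
SAMPLE_MAC = "00:11:22:33:44:55"
# 64K candidates: same OUI and same first NIC byte (0x33) as the sample.
DEMO_RANGE = range(0x330000, 0x340000)


def mac_from_parts(oui: str, nic: int) -> str:
    """Build a MAC string from a vendor OUI and a 24-bit NIC number."""
    return f"{oui}:{(nic >> 16) & 0xFF:02x}:{(nic >> 8) & 0xFF:02x}:{nic & 0xFF:02x}"


def plain_hash(mac: str) -> str:
    """Unkeyed SHA-256 of the MAC: what 'we only send a hash' usually means."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()


def keyed_hash(mac: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret held by the collector; not enumerable without it."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()


def invert(digest: str, oui: str, nic_range: range, key: Optional[bytes] = None) -> Optional[str]:
    """Recover a MAC from its digest by enumerating NIC numbers under one OUI.

    One OUI spans only 2^24 (~16.7M) addresses, so a plain hash gives no real
    anonymity: the whole space is cheap to enumerate. A keyed hash can only be
    matched by whoever holds the key.
    """
    for nic in nic_range:
        cand = mac_from_parts(oui, nic)
        d = plain_hash(cand) if key is None else keyed_hash(cand, key)
        if hmac.compare_digest(d, digest):
            return cand
    return None


def demo() -> dict:
    """Run the three cases and return what each search recovered."""
    collector_key = os.urandom(32)  # known only to the telemetry backend
    outsider_key = os.urandom(32)   # a third party guessing without the secret
    plain = plain_hash(SAMPLE_MAC)
    keyed = keyed_hash(SAMPLE_MAC, collector_key)
    return {
        "plain_hash_inverted": invert(plain, SAMPLE_OUI, DEMO_RANGE),
        "keyed_hash_with_key": invert(keyed, SAMPLE_OUI, DEMO_RANGE, collector_key),
        "keyed_hash_without_key": invert(keyed, SAMPLE_OUI, DEMO_RANGE, outsider_key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The same reasoning applies to any low-entropy field sent as a bare hash (serial numbers, SSIDs); a per-installation random token, or a keyed hash, is what actually separates linkability by the vendor from recoverability by anyone holding the telemetry.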