This guide tracks privacy issues with antivirus software and is periodically updated with new information. (First published on February 4, 2019, last updated on July 15, 2019.)
It goes without saying that reliable antivirus software plays a crucial role in IT security. As malware continues to become more sophisticated and prolific (more than 350,000 malware samples are released every single day), home users and business owners alike need to have protection in place to stop these modern digital threats.
However, antivirus products are not immune to privacy problems. While the antivirus industry is ostensibly on the side of good, many antivirus products behave in a way that infringes on users’ privacy. Whether they intercept web traffic, sell browser history data, or allow backdoor access to government agencies, many antivirus products are guilty of jeopardizing the very thing they are designed to protect: your data.
Here are five ways antivirus software may interfere with your privacy.
1. Selling your data to third-party advertisers
To provide you with the protection you need to keep your system safe, your antivirus software needs to know a lot about you. It keeps an eye on the programs you open to ensure you’re not accidentally executing malicious software, and it monitors your web traffic to stop you accessing dodgy websites that might try to steal your login credentials. It might even automatically take suspicious files it finds on your computer and upload them to a database for further analysis. This means your antivirus software could collect and process an awful lot of your personal data if it wanted to.
With great power comes great responsibility.
While some antivirus providers are quite conscientious with their users’ data and only use it when absolutely necessary, others are much less scrupulous.
AVG – A few years ago AVG came under fire when the company announced changes to its privacy policy that would allow it to sell its users’ search and browser history data to third parties (i.e. advertisers) in order to monetize its free antivirus software. Of course, AVG isn’t the only antivirus company to monetize its users’ data.
Avast – Avast’s popular free android app sends personally identifiable information such as your age, gender and other apps installed on your device to third-party advertisers. As an AVG spokesperson explained to Wired, “Many companies do this type of collection every day and do not tell their users.”
From free VPN services to free antivirus, the old adage rings true: if you’re not paying for the service, you’re probably the product.
2. Decrypting encrypted web traffic
Most modern antivirus products include some sort of browser protection that prevents you from accessing known phishing and malware-hosting websites. However, doing so is easier said than done due to the fact that so much data is now transferred via Hypertext Transfer Protocol Secure (HTTPS).
HTTPS is the protocol your web browser uses when communicating with websites. The “S” in HTTPS stands for “secure” and indicates that the data being sent over your connection is encrypted, which protects you against man-in-the-middle attacks and spoofing attempts. Today, 93 percent of all websites opened in Google Chrome are loaded over HTTPS, up from 65 percent in 2015. If you want to know if a website uses HTTPS, simply check the URL or look for a padlock icon in the address bar.
The rapid adoption of HTTPS has helped to make the web a more secure place, but it has also introduced an interesting problem for antivirus companies. Normally when you visit an HTTPS website, your browser checks the website’s SSL certificate to verify its authenticity. If everything checks out, a secure connection is established, your website loads, and you can browse away to your heart’s content, secure in the knowledge that the website is legitimate.
But there’s just one problem. Because the connection is encrypted, there’s ultimately no way for antivirus software to know if the website you are trying to visit is safe or malicious.
Most antivirus products use HTTPS interception to overcome this issue. This involves installing a local proxy server that creates fake SSL certificates. When you visit an HTTPS website, your connection is routed through your antivirus’ proxy server, which creates a new SSL certificate and checks the safety of the site you’re trying to access. If your antivirus software judges the website to be safe, the site loads as normal. If the website is unsafe, the proxy will display a warning in your browser.
By redirecting your data through a proxy, your antivirus is decrypting the data you send on encrypted connections – data that is only meant to be visible to you and the HTTPS website.
There are a few ramifications here:
- Because your antivirus is faking SSL certificates, there’s no way to be 100 percent certain that the website displayed in your browser is the real deal. In late 2017, Google Project Zero researcher Tavis Ormandy discovered a major bug in Kaspersky’s software. In order to decrypt traffic for inspection, Kaspersky was presenting its own security certificates as a trusted authority, despite the fact that the certificates were only protected with a 32-bit key and could be brute forced within seconds. This meant that all 400 million Kaspersky users were critically vulnerable to attack until the company patched the flaw.
- Most antivirus products query the safety of a URL server side, which means the company could potentially track your browsing habits if they wanted to.
- It increases the risk of phishing attacks and man-in-the-middle exploits.
A team of researchers even published a paper on the troubling security implications of HTTPS interception by popular antivirus companies, where they noted:
As a class, interception products [antivirus solutions that intercept HTTPS] drastically reduce connection security. Most concerningly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities. We investigated popular antivirus and corporate proxies, finding that nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates). While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences.
VPN.ac examined the issue as well and discovered that antivirus suites carrying out HTTPS interception also break HTTP Public Key Pinning (HPKP):
HPKP is a technology enabling website operators to “remember” the public keys of SSL certificates in browsers, enforcing the use of specific public keys for specific websites. This reduces the risk of MiTM attacks using rogue/non authorized SSL certificates. But HTTPS scanning and HPKP can’t work together, therefore if a website has HPKP enabled, when you access it the support for HPKP for that site will be disabled in the browser.
VPN.ac found this to be the case with ESET, Kaspersky, and Bitdefender:
Tip: Avoid antivirus software that utilizes HTTPS interception/scanning, or just disable this “feature” within your antivirus.
3. Installing potentially unwanted programs on your computer
Even if your antivirus doesn’t pose a direct threat to your privacy, it may come bundled with software that does. As the name suggests, potentially unwanted programs, or PUPs for short, are applications that you may not want on your computer for various reasons.
While they’re technically not malicious, they usually change the user experience in some way that is undesirable, whether that’s displaying advertisements, switching your default search engine, or hogging system resources.
Many free antivirus products come with PUPs such as browser toolbars, adware, and plugins that you may inadvertently allow to be installed while quickly clicking through the installation process.
For example, free versions of Avast and Comodo try to install their own Chromium-based web browsers, which you may or may not want on your computer. Meanwhile, AVG AntiVirus Free automatically installs SafePrice, a browser extension that claims to be able to help you find the best prices while shopping online. Unfortunately, it can also read and change all your data on the websites you visit.
A few years back Emsisoft found that most free antivirus suites were bundled with PUPs. Here were the culprits:
- Comodo AV Free
- Avast Free
- Panda AV Free
- AdAware Free
- Avira Free
- ZoneAlarm Free Antivirus + Firewall
- AVG Free
PUPs aren’t inherently malicious, but they can seriously encroach on your privacy. Some PUPs will track your search history or browser behavior and sell the data to third parties, while others may compromise your system’s security, affect system performance, and hinder productivity. Keep unwanted applications off of your computer by carefully reading installation options during the setup process and only install the software and features that you need.
4. Cooperating with governments
It’s theoretically possible that antivirus software could be leveraged to help government agencies collect information on users. Most security software has very high access privileges and can see everything that’s stored on a computer, which is necessary in order for the software to keep the system to safe. It’s easy to see how this power could be used by nefarious parties to spy on individuals, businesses, and governments.
Kaspersky Lab, a Russia-based cybersecurity company whose products account for about 5.5 percent of antivirus software products worldwide, was embroiled in a major privacy scandal a couple of years ago. According to the Washington Post, Kaspersky software used a tool that was primarily for protecting users’ computers, but also could be manipulated to collect information not related to malware. Kaspersky is the only major antivirus company that routes its data through Russian Internet service providers, which are subject to Russia’s surveillance system.
In September 2017, the U.S. government banned federal agencies from using Kaspersky Labs software following allegations about cooperation between Kaspersky and Russian intelligence agencies. Shortly after, the FBI began pressuring retailers in the private sector to stop selling Kaspersky products, and the British government issued a warning to government departments about the security risks of using Kaspersky software.
Of course, it would be naive to think this issue is limited to Russian software. Similar concerns have been raised recently about Huawei equipment with “hidden backdoors” installed.
“Antivirus is the ultimate back door,” explained Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security, as quoted by The New York Times. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”
5. Undermining security and giving hackers access to private data
Sometimes, security software does the opposite of its desired intent by undermining your security.
One such case occurred with the Royal Bank of Scotland (RBS), which was offering Thor Foresight Enterprise to its business banking customers. In March 2019, Pen Test Partners discovered an “extremely serious” security flaw with the software that left RBS customers vulnerable:
Security Researcher Ken Munro told the BBC: “We were able to gain access to a victim’s computer very easily. Attackers could have had complete control of that person’s emails, internet history and bank details.”
“To do this we had to intercept the user’s internet traffic but that is quite simple to do when you consider the unsecured public wi-fi out there, and it’s often all too easy to compromise home wi-fi set ups.
“Heimdal Thor is security software that runs at a high level of privilege on a user’s machine. It’s essential that it is held to the highest possible standards. We feel they have fallen far short.”
While Heimdal was quick to patch the vulnerability within a few days, it does raise an interesting point. That is when your security software is actually undermining your security.
Choose your antivirus software wisely
In the best case scenario, antivirus companies use your data responsibly to refine their products and provide you with the best malware protection possible.
In the worst case scenario, they sell your data to third-party advertisers, install annoying software on your system, and cooperate with government agencies to spy on your personal information.
So, how do you sort the best from the rest?
- Pay for your antivirus software. Most free antivirus products will be far more liberal with your data than premium software as the company ultimately needs to monetize their services in some way.
- Read the end user license agreement. Know what you’re getting yourself into before you install the product. Take a moment to read the license agreement and/or the company’s privacy policy to find out what the organization intends to do with your data.
- Read installation options: It’s easy to blindly click through “Next” when installing new software. This can result in the installation of browser toolbars, adware, and all sorts of other PUPs, which can encroach on your privacy in various ways.
- Customize privacy settings. Some antivirus software will allow you to customize privacy settings such as usage statistics, browsing behavior, and whether to upload malicious files for analysis. Adjust these settings to maximize your privacy.
- Read AV reports. Some independent analysts release reports on how antivirus companies handle your data. Take the time to read these reports and reviews to get a better understanding of a company’s reputation and how it handles privacy matters.
It’s important to note that this article isn’t a rallying call to abandon all antivirus software in the name of privacy, because there are some good players out there.
Antivirus software is an essential part of modern IT security and plays a critical role in protecting your data against malware, phishing, and a plethora of other digital attacks that pose a real threat to everyday users.
While some antivirus providers are invasive and should be avoided, there are still some companies that strive to protect their users’ privacy. Emsisoft, for example, has earned itself a reputation for providing reliable protection without compromising its users’ privacy. ClamAV is another privacy-friendly option that is completely open source.
So do your homework, weigh up your options carefully and remember that not all antivirus solutions are created equal when it comes to respecting your privacy.
Last updated on July 15, 2019.
Tell me about TotalAV antivirus.
Hi I haven been using “AVG antivirus software 2019 FREE” for about six months i recently uninstall it does than mean they still have or own my personal information? Like my name address password etc. And could they still track people?
Hello, that would be a question for AVG and you could also read their privacy policy.
Sorry I got concerned I was reading on there policy but they were vague in certian areas becuse could services like these still hold on to users even after uninstalling? There privacy policy page stated things like retention and storage also you don’t have to answer immediately im in no rush.
Seems like there is a free tool made by emsisoft named emsisoft emergency kit, since it’s free, do you recommend it for users who can’t pay for the anti-malware product?
It’s just an emergency kit and not their main product.
See what Avast is doing to me, are they not enough to collect my data for a moment when I register and buy the product? even though I have un-checked the Personal Privacy list in the application.
https://images2.imgbox.com/66/e9/RQEi5LM0_o.png
https://images2.imgbox.com/10/9c/jt7bVPsa_o.png
kolmteist – that’s bad news even after having paid, for them not to honor their own app settings that a user elects for ones own privacy on their device.
–
CANCELLATION AND REFUND POLICY FOR AVAST, AVG, CCLEANER AND HMA! SOLUTIONS:
We offer a 30 day money-back guarantee on subscriptions for certain Avast, AVG, CCleaner (including Defraggler, Recuva and Speccy) and HideMyAss! Solutions that end users purchase directly from us through our online retail stores or through Google Play. If your purchase qualifies, and you follow all the instructions in this Cancellation and Refund Policy within 30 days of the date of purchase, we will terminate your subscription and refund 100% of the price you paid for the then current Subscription Term.
.
We also allow you to cancel your subscription and request a refund (prorated for the unexpired or unused portion of the Subscription Term) if we provide notice to you that we are amending the End User License Agreement we entered into with you in respect of such subscription and/or Solution (the EULA), and you object to such amendment within 30 days of the date of such notice.
.
1. End users purchase directly from us through our online retail stores or through Google Play.
2. We also allow you to cancel your subscription and request a refund (prorated for the unexpired or unused portion of the Subscription Term) if we provide notice to you that we are amending the End User License Agreement we entered into with you in respect of such subscription and/or Solution (the EULA), and you object to such amendment.
– 1 and 2 only give the window of 30 days of the specific dates.
https://www.avast.com/cancellation-refund-policy
–
I would seek a refund from Avast ‘citing’ what you have said here.
If they don’t agree, take it on the chin and look for another A/V soon.
Fallback to a restore point before installing Avast or do what’s necessary to rid the device completely of it…
*Run any one A/V you’d consider through their trial offered first.
– Try reaching out to Emsisoft and see if they would work with you in some special way, discount a % to leave Avast asap, tell you of their next major sale event – etc…
**Making contacts is important – refund and/or deal, otherwise how would you know for sure?
Thanks for the info.
Greetings : )
I recently installed Linux and am giving it a go based on one of your other articles. That being said, is AV necessary for Linux? if so can you recommend one? Not sure if I’ll go back to Windows, but with all the talk of AV companies collecting data, would Windows defender be good enough with safe surfing habits and being conscious of whats being run on ones PC? I used to use bitdefender av free with Windows but probably wont going forward
Hi Xavier, although Emsisoft does not offer anything for Linux, you can check out ClamAV.
A lot of AV providers have been rolling out their own VPN’s really.
Here is a suggestion for the big VPN players How about including AV service along with their packages that are privacy friendly?
Imagine Express VPN doing this. You would be very happy and much more likely to become or stay a customer.
Hi Matt,
That’s a terrible ideal and you must josh yes – for VPN’s or A/V to do so in a combo… Keep them separate by all means : ) for privacy.
Are you just seeing if people are paying attention here?
You’ve must of missed the part above in the article about A/V’s not being immune to users privacy problems.
Besides an A/V’s infringing on users’ privacy, they can be a backdoor to your device data for an whoever entity that leverages them.
I hope this is never realized and people don’t support it, as it will lead to more of a continual erosion of online user privacy.
What about intel chipsets with backdoors , computace and much more phishy patents u even dont know ..
guys, please…
Yes, this topic is a large one.
Concerning Android, most Android antivirus apps definitely collect data. I believe Emsisoft only works for Windows. I used Avast but collects way too many data and I send it away. I now temporarily use Kaspersky for now but I don’t think there’s an Android antivirus out there that doesn’t spy you. Any suggestions?
Hi BeeBee, Emsisoft does indeed have a Mobile Security product, you’ll need to buy it in combo as the Anti-Malware Home & Mobile.
I don’t see any other way to purchase it separately. You can test run it for 30 days also before you decide.
–
“Emsisoft Privacy Policy” > Transparency Report
We are publishing this Transparency Report quarterly on whether we have received governmental requests to disclose information about our customers, whether we have modified any parts of our software for the purpose of collecting information about our customers or for the purpose of bypassing detection of malicious software.
“We believe it is important to let our users know in cases we are required to disclose information with governments.”
We can confirm that:
• Emsisoft has never modified its software for the purpose of collecting data due to political pressure.
• Emsisoft has never modified its software to prevent detection of any malicious software due to political pressure.
• Emsisoft has never terminated a customer or taken down content due to political pressure.
https://support.emsisoft.com/topic/29954-transparency-report/?tab=comments#comment-187683
– – Emsisoft confirms or asserts this as “political pressure” but when they started out with the wordage or terminology as “governmental request” and even saying “governments.” That indeed loses some weight of meaning as I see it – as governmental request or as “governments” should be meant as world wide requests. Where as their saying political pressure, I take it as only of it’s local jurisdiction in which they operate from. Then if Emsisoft really plans on keeping it’s Transparency Report updated quarterly why have this only shown in their PP section…
–
I’m a little put off by the AV industry as my research into it leads me only to hope for better standards from AV companies in 2019 going forward…
– Knowing now – that some AV products are established as simply offering the design of an interface, adding a mini-updater, throwing in a couple of Windows functions to simulate continuous protection, sticking an icon in the system tray, wrapping it all up in an installer to sell.
Within this AV model type there’s no need in a reason for them to look for new malware – all they need to do is monitor the flow from other public online multi-engine scanners like VirusTotal. There’s no need for them to analyze anything either – they simply set a multi-scanner to “detect” files that other AV vendors have already detected. Detected files by using an MD5 are to make sure there are no false positives. All these ‘would be AV products’ like these are nothing to use or even to having developing their own engine.
–
Before you buy into any AV vendors product note these important facts that AV-Comparatives offers. Then note that “certification” from the AV testing firms are most likely to be different overall.
“there are more products out there than most of the users even known/heard about. We have strictly limited the number of listed vendors, all of whom should fulfill certain requirements. These include keeping the product and the company website up to date, being included in VirusTotal, being integrated in Windows Security Center, participating in independent third-party tests, and avoiding deceptive practices.”
– “In recent years, the AV software market started to consolidate, so there are considerably fewer vendors than in past – several companies stopped their business, got acquired by other AV vendors or license now a third-party engine in their product instead of developing their own engine.”
https://www.av-comparatives.org/list-of-consumer-av-vendors-pc/
https://www.av-comparatives.org/tests/real-world-protection-test-february-june-2018/
https://www.av-comparatives.org/tests/android-test-2018-200-apps/
The AV industry puts me off too. I agree with everything you wrote. I ‘ll check with Emsisoft again. No idea they had a mobile app. Thank you again. You and Sven are treasures.
Yes, Emsisoft use a “badged” version of Bitdefender’s attempt at an antivirus application, but that is seriously handicapped by the [bogus!] ‘security’ for which Android is famous. Malware which is incorporated in an Android application can be addressed by uninstalling the compromised application, but Android provides more support for malware than for the Android user, or “userland” applications, antivirus and other security applications included.
Google Removes Vital Privacy Feature From Android, Claiming Its Release Was Accidental
eff.org/ deeplinks/ 2013/12/google-removes-vital-privacy-features-android-shortly-after-adding-them
Google Axed Android’s App Ops
blog.malwarebytes.org/ mobile-2/2013/12/google-axed-androids-app-ops
.
I think Android finally introduced a version of App Ops with version 7, but it is necessary to install the application, and then hunt for the “permissions” listing. Unfortunately, many consumers would not know of this feature. Not quite sufficient to meet standard security requirements.
Bitdefender will provide “web protection” for HTTP/HTTPS traffic between Google Chrome and the Internet, but not for HTTP/HTTPS traffic between the Android device and the Internet! Something to do with Android’s sandboxing I suppose, plus application developers tending to be unfit for purpose.
Android features used maliciously – Malwarebytes Labs | Malwarebytes Labs
blog.malwarebytes.com/ cybercrime/2014/07/android-features-used-maliciously/
.
It seems that Android will support “web protection” for HTTP/HTTPS traffic between the Android device and the Internet, but most security application developers seem not to have worked that one out yet?
As I have yet to get anything better than a consumer-grade cellphone, I am using NetGuard No-root Firewall Pro which allows installing a user’s choice of blocklist. There is at least one other open source VPN, but NetGuard uses Android’s VPN mode only to filter HTTP/HTTPS traffic. No VPN tunnel to a remote server unless the developer’s proprietary modification is accepted.
Hello John,
Not quite sure of the post except to tell all Android users they had got something only to loose it. Man, that was a privacy feature preventing a collection in sensitive data of location or address book back in Android 4.3 Jelly Bean. It was since removed by Google as labeled to an accident (experimental purpose). That feature was removed in a following Android 4.4.2 KitKat update.
This link – https://www.eff.org/deeplinks/2013/12/google-removes-vital-privacy-features-android-shortly-after-adding-them
–
Though, Google removed Android’s App Ops feature, users on the earlier Android version were able to get around it by advanced methods (not stock) –
https://www.eff.org/deeplinks/2013/11/awesome-privacy-features-android-43
https://www.xda-developers.com/protecting-your-privacy-app-ops-privacy-guard-and-xprivacy/
–
Still in Android 6.0 Marshmallow introduced – App permissions as now granted individually at run-time, not all-or-nothing at install time as in Android Lollipop 5.x and below.
Which continues in it’s OS versions still today though vary by the OS version as I understand. https://en.wikipedia.org/wiki/Android_version_history#Android_6.0_Marshmallow_(API_23)
https://support.google.com/googleplay/answer/6270602?hl=en-GB
https://developer.android.com/training/permissions/usage-notes
Here’s how it works in 6.x, 7.x, 8.x
https://www.howtogeek.com/355257/can-you-control-specific-permissions-on-android/
–
The biggest trouble with Android as I see it is in the OS version update problem of device manufacturers on older hardware of users,
*Hopefully, all new devices released with Project Treble on Android Oreo upwards, allow bypassing much of the testing that currently was required by manufacturers, chipmakers, and carriers. https://www.digitaltrends.com/mobile/android-distribution-news/
– Of course, that’s still no incentive for device manufacturers to update devices to newer Android OS versions after they’re released (especially cheaper ones). Updating an older Android OS version that’s been replaced by a newer device model, especially when they’d rather encourage you to buy their newest model on the latest Android OS anyway.
–
Although, Emsisoft NOVEMBER 7, 2016 blog article looks to offer more in that mobile version 3.0
https://blog.emsisoft.com/en/24341/emsisoft-mobile-security-3-0-malware-protection-and-more-for-your-android/
than the offered of 3.0.9 released as of January 7, 2019.
https://www.emsisoft.com/en/software/mobilesecurity/
https://play.google.com/store/apps/details?id=com.emsisoft.security&hl=en_US
Nonetheless it (3.0) mentions it partnered with mobile segment leader Bitdefender to bring you the best mobile protection available incorporated as Emsisoft Mobile Security. Goes on to mention the partnership gives you the best of both worlds; the best mobile protection on the market bundled with our award winning Emsisoft Anti-Malware.
– NOT indicating nor a distinction that both are of the mobile versions platform or yet to only a meaning overall in the Anti-Malware Home & Mobile combo…
https://www.emsisoft.com/en/company/about/
https://en.everybodywiki.com/Emsisoft
Needs translated-
https://de.wikipedia.org/wiki/Emsisoft_Anti-Malware
That’s why A/V vendors put me off of my full trust.
Why would you even need an AV for Android? It’s utterly useless…
You can always pay and use AdGuard for Android if you’d want to tackle these kind of below things on rooted and unrooted devices – it’s not an antivirus/malware app.
“AdGuard for Android provides you with reliable and manageable protection. AdGuard removes all the annoying ads from web pages and applications, blocks loading of dangerous websites from all browsers, and does not allow anyone to track your activities on the Internet. AdGuard stands out against it’s counterparts, as it can work either in HTTP proxy or VPN mode,” blocking throughout the whole Android system.
–
You can completely shut down cellular/WiFi access for any app and just as easily restore it. Bar a particular app or browser from being filtered for whatever reason in one tap.
Apps Management module has its own statistics, so you can see how much traffic each app consumes. Thus, you control which apps transmit data.
*If your device is rooted, or if you only care about blocking ads in WiFi networks, you can switch AdGuard to proxy mode and then let any other app use the VPN function.
–
AdGuard Cares about your privacy !
They value the privacy of your personal data above anything else. With AdGuard, you will be safe from online trackers and analytics systems that lurk on the web trying to steal your sensitive information. You won’t find AdGuard in the Play Store simply because of Google’s very peculiar policy towards ad blockers, that any app able to block ads across the device is not allowed there.
–
https://www.android.com/play-protect/
Sure most PEOPLE will access Google Play and rely on Play Protect. Play Protect certainly has its work cut out for it, but that doesn’t mean the chances of downloading an infected app are completely zero.
So mobile A/V still means something to some people especially if they’ve ever been infected.
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf
“Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources.”
That means infections are possible to a mobile device even from ransomware.
–
Others that try to play it safe, only to download apps from the Play Store, sometimes elsewhere of third-party sources too, while keep their security settings enabled. There are those who like to take a walk on the wild side and not do any those things, and then the rooter crowds.
VirusTotal for an inspection of any apk’s before installing of warning flags observed.
– Especially if not wanting to endow Google with more power over them, their devices and to seeing further into their life.
–
The root crowd most likely has one up on the others I’ve mentioned, they’ve probably installed a custom recovery like (TWRP), and taken periodic manual backup’s of their system.
They just need a recent manual backup to fall back to in cleansing out an infection.
Others can learn from this guide.
https://www.digitaltrends.com/mobile/how-to-remove-malware-from-your-android-phone/
Good luck !
Hello Sven,
thank you for the article. I used no antivirus for a year, but the problem is the online banking. If you don’t use antivirus and the account is compromised then the bank is not in duty. No court will accept the hints on bad antivirus software. So I still using one, ESET which is no longer listed on av-test.org because the company ist not willing to pay for the testing. This shows what normally happens, that only companies listed, if they payed.
This I combined with NordVPN, what you are also recommend, and a pi-hole, which itself uses a free DNS at digitalcourage. Think at the end you have to trust in companies and people…
best regards
Stefan
Hi Falkenhayn,
Interesting things you’ve brought up. Are you referring to a phone or in desktop/laptop use with banks ? In the US banks usually offer phone apps to do banking online.
Would you tell us what country a bank requires the use of installed antivirus with banking accounts ? I’ve never herd of that before – in the security of online banking relying on their users having their own AV installed.
I mean after all if the bank offers online banking it must have it’s own security of it’s site when you interact with it, most likely takes down your IP, besides entering your password – you must answer security questions – right. As this is the case with me and telling the bank I’m on a shared or public computer – for the reason on a VPN.
–
I understand why AV testing labs have to charge AV vendors and I don’t think it’s necessarily true about Eset not willing to pay for the testing. See https://www.av-comparatives.org/vendors/eset/
AV testing is a business with its own economy from AV vendors as it requires investment in infrastructure, office space and salaries. And just like many businesses, there is a correlation between quality and profit. Sometimes companies consciously lower their quality to increase their profits.
This is true of the renowned German test lab AV-TEST.ORG and probably why Eset is not participating with av-test lab any longer because without no warning they have modified their certification process.
You can see one report on this action in a metamorphosis that has taken place with AV-TEST,ORG here-
https://eugene.kaspersky.com/2013/05/09/av-test-certification-devalued/
Eset more than likely opted out to avoid a test result from a lab certification process that has since seriously devalued itself by a
lowered threshold. More so now, that it will rank mostly useless AV vendors taking part in testing where they once knew their level of protection had no chance of getting a certificate before.
Hello Hard Sell,
thanks for your answer. As long nothing happens using online banking, no problem. But if your account is empty after an attack, then you have to proof, if you have done everything to secure your device. Here is a link from Switzerland, but Germany the same. https://www.beobachter.ch/geld/banken/betrug-im-onlinebanking-neu-bis-zu-100000-franken-gedeckthttps://www.beobachter.ch/geld/banken/betrug-im-onlinebanking-neu-bis-zu-100000-franken-gedeckt
If everything was ok, then the bank in this case will pay up to 100.000 CHF, but it is your duty to install an antivirus program. It is not the question which one, but to have one installed and updated. I know, for iOS there is no antivirus, so nobody can expect. But for PCs, MACs and so on.
I am no friend of this testing labors, I prefer tests from other like c’t (www.heise.de). They do this also from time to time, and it seems more practical.
Best regards
Hello Falkenhayn, I’m only trying to help out.
Thanks for replying with a link.
https://www.beobachter.ch/geld/banken/betrug-im-onlinebanking-neu-bis-zu-100000-franken-gedeckt
I’m not totally in an understanding – but, according to the Swiss site (additional links offered) it seems to talk about increasing their citizens adoption rate in online and mobile banking.
While giving them reassurance, “One of the most important reasons for rejecting e-banking is the lack of security from the users’ point of view. This is where the new performance promise of PostFinance comes in. Today, it promises its customers to fully cover financial losses in e-finance and in the PostFinance app, which arise from phishing or malware attacks, up to an amount of 100,000 francs per case.”
https://blog.hslu.ch/retailbanking/2018/08/20/postfinance-bietet-ab-heute-eine-garantie-fuer-schaeden-im-e-banking-an-eine-einschaetzung/
[At the same time, this promise of service also applies to customers which do not use (current) virus protection and / or no firewall. For such customers, the offer seems very generous.]
–
From the first link (in my reply) – [Concretely, PostFinance customers new to damage from phishing and malware (malicious computer programs such. As viruses and Trojans) explicitly protected, this is so in the new terms and conditions for e-finance. However, this warranty does not apply to claims that are “due to gross negligence on the part of the customer”. ]
Due diligence remains:
[For example, it would be considered grossly negligent if a customer has repeatedly been the victim of cyberattacks because after the first case he has ignored the recommended precautions, such as installing an antivirus program. Or log in to e-banking in public space and get away from the computer without logging off, explains Möri. The customer has a certain duty of care. In repeat cases, therefore, the promise of service would not always be effective despite the new passage in the fine print.]
–
There seems to be a warranty/service clause given of “gross negligence” after a first cyberattack, with your adhering to the recommended precautions, as then of such to installing an antivirus program as a duty of
your care.
{Maybe something is lost in the translation to english from the link(s).}
–
A specific bank may say otherwise or lest try to understand this in their own favor and not to the customers benefit effectively. I’d check with a banks officer and get something in print to rest assured.
Who knows-
The whole drift of the World Wide online and mobile banking industry sector may come to require antivirus programs on their customers devices someday. That for their deposited insured covered amount to apply, because attackers are advancing, and/or acting more professional…
AT THE present it only seems suggested to an option and not mandatory if never being a victim before.
Thank you
Is it more of a money game than a security stance to protect the purchasers of their Anti-virus/malware any more ?
I’ve read in order to enhance their security product portfolio, well-established companies in the market are focusing on acquiring small-scale vendors.
–
Before, you could simply rely on the anti-virus product without much awareness of its functions and processes, now you need to investigate it.
As everything internet connected is related to the data on your system or your generating using the web.
Antivirus vendors have to be compliant with the General Data Protection Regulation. Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. In general then, a customer is the controller of Customer Data. As in general, the A/V vendor is the processor of Customer Data and the controller of Other Information related to the Customer account.
–
Many antivirus/malware products in the resent past have had serious problems without much public knowledge spread to know. So you’ve paid for their protection but they didn’t live up to it…
–
Some flaws were basic, and should have been caught by the company during it’s code development and review.
In some cases, the flaws only allowed an attacker to bypass the antivirus scanners or undermine the integrity of it’s detection systems.
But others were far more serious, and would allow an attacker to gain remote-code execution on a machine, some even turned the security software into an attack vector for intruders to seize control of a victim’s system.
–
Unpackers and emulators of anti-virus/malware products have been a huge source of vulnerabilities and will continue to be as these Security vendors will often cut corners.
Security software tasked with protecting our critical systems and data shouldn’t also be the biggest vulnerability and liability present in your system.
–
Ormandy has criticized the antivirus industry for years for failing to secure its own software, and for failing to open their code to security professionals to audits for vulnerabilities.
He would know, Ormandy has previously discovered serious flaws in products belonging to a string of high-profile security shops as below-
–
How to Compromise the Enterprise Endpoint June 2016
As Symantec use of the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities. That’s 17 Symantec enterprise products in all, and eight Norton consumer and small-business products.
https://googleprojectzero.blogspot.com/search?q=antivirus
–
McAfee: memory corruption processing relocations May 2016
https://bugs.chromium.org/p/project-zero/issues/detail?id=817&can=1&q=&sort=-id
–
Comodo Antivirus March 2016
https://bugs.chromium.org/p/project-zero/issues/detail?id=769
–
TrendMicro: Multiple HTTP problems with CoreServiceShell.exe March 2016
https://bugs.chromium.org/p/project-zero/issues/detail?id=775
–
Kaspersky: Mo Unpackers, Mo Problems Sept. 2016
https://googleprojectzero.blogspot.com/2015/09/kaspersky-mo-unpackers-mo-problems.html
–
Analysis and Exploitation of an ESET Vulnerability June 2015
https://googleprojectzero.blogspot.com/search?q=antivirus&updated-max=2015-09-22T10:22:00-07:00&max-results=20&start=2&by-date=false
–
Sophail: Applied attacks against Sophos Antivirus
https://lock.cmpxchg8b.com/sophailv2.pdf
–
Other past examples:
https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=&sort=-id
–
Other things you may be interested in-
Exploiting Android devices ecosystem, two major TEE “Trusted Execution Environment” implementations exist – Qualcomm’s QSEE and Trustonic’s Kinibi (formerly <t-base).
https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html
Regarding – “in order to enhance their security product portfolio, well-established companies in the market are focusing on acquiring small-scale vendors.”
ACQUISITIONS:
Bitdefender Buys Network Security Analytics Startup RedSocks
https://www.crn.com/news/security/bitdefender-buys-network-security-analytics-startup-redsocks?itc=refresh
Carbonite To Buy Endpoint Security Stalwart Webroot For $618.5M
https://www.crn.com/news/security/carbonite-to-buy-endpoint-security-stalwart-webroot-for-618-5m?itc=refresh
Palo Alto Networks In Talks To Buy Cybersecurity Startup Demisto: Report
https://www.crn.com/news/security/palo-alto-networks-in-talks-to-buy-cybersecurity-startup-demisto-report?itc=refresh
Palo Alto Networks To Buy Cloud Security Startup RedLock For $173 Million
https://www.crn.com/news/security/palo-alto-networks-to-buy-cloud-security-startup-redlock-for-173-million?itc=refresh
DXC Plans To Acquire Denmark’s EG For Microsoft Dynamics 365 Skills
https://www.crn.com/news/managed-services/dxc-plans-to-acquire-denmark-s-eg-for-microsoft-dynamics-365-skills?itc=refresh
I’m not the best knowing for antivirus. What do you recommend for Anti-Virus Sven? I’m using Free Avast Anti-Virus version.
Hey Jack, as a general rule of thumb I don’t spend much time examining/recommending AV software. But strictly from a privacy perspective, it looks like Emsisoft is among the best available, and I would generally recommend against any free AV solution due to privacy concerns.
Great article,thanks for your articles,i don’t imagine how dangerous it’s internet these days, hope you continue sharing your knowlegde with us.
please can you do a review about this vpn, “vpntunnel” ,it is trustworthy ?
[https://vpntunnel.com/]
Thanks for your answer.
Hi Axel, I’ve not looked into it yet, but will hopefully get time for more reviews later in the year.
Hi Taylor, I like your site and clear and detail analysis, followed by clear and impartial suggestion. One thing I am not still clear, if I install a top rated VPN, even after, do I need to install anti-virus for my privacy and protection? Does VPN do any anti-virus job? Would appreciate if you could give your expert opinion on this.
Hi Mike, a VPN fulfills a different purpose from antivirus – see the main VPN guide for more of an explanation. There are some VPNs that block malicious websites – see for example NordVPN with the CyberSec feature or Perfect Privacy with the TrackStop filter, but these still don’t offer the full system-wide protection of an antivirus suite. So to answer your question, a VPN will not replace the need for antivirus.
Off-topic, but information that may interest people:
https://archive.fo/mz3oQ
“The president of FamilyTreeDNA, one of the country’s largest at-home genetic testing companies, has apologized to its users for failing to disclose that it was sharing DNA data with federal investigators working to solve violent crimes.”
It effectively means that they’ve given over their entire database for the US government to comb through until they find what they want.
Question is: How much has the US government retained? Can we honestly think that they only took what they needed & didn’t keep everything they harvested in case they need it for “future reference” to solve crimes?
A slippery slope indeed.
Thanks for the tip, Richard.
I saw this article appear last night and I do agree with the most of it.
The only thing that raised a question was related to Emsisoft and Bitdefender specifically.
I’ll be honest, I’m a pretty satisfied customer of Bitdefender (paid version), so I started digging to see if Emsisoft is any better. Actually, for the most part, I think most top marketed AVs do a good job, but still, I’ll continue, and I think I don’t have to go beyond privacy policies of these 2 AVs. If you read them both, you can see that they are pretty similar. Emsisoft advertises on their company description page advertises the point called “Entirely For You”, and specifically:
“We are loyal to our customers. We don’t track your info, we don’t share your data, and we don’t betray you for a quick profit by using nasty toolbar bundles. We simply offer efficient anti-malware, for your computer and you.”
If you start reading the privacy policy though, you can easily see that it contradicts this point, as it actually does share what they call “Other data” with third party services, and has quite a lot of subprocessors (Bitdefender being one of them)…
Also, that AV data transmission report is dated in 2014, thus 5 years ago, so it’s quite outdated, as it’s says (for example) that Emsisoft does not collect OS and location, and their privacy policy explicitly says that they do…
Hey, with that 2014 report Emsisoft was shown as Austria local, today it’s based in New Zealand.
“Also, that AV data transmission report is dated in 2014, thus 5 years ago” – Makes me wonder why the Anti-Virus Comparative guys hasn’t kept it updated / money changed hands, AV vendors protested, Anti-Virus Comparative changed it’s management team ?
*Even for someone else doing a similar fact finding survey of anti-virus producers on users metadata transmission – I can’t find one…
–
“I’ll be honest, I’m a pretty satisfied customer of Bitdefender (paid version)” – Would that still be the case if you knew BD can get enough of your private info and as “Bitdefender has admitted that it compromised a user.”
The source goes on to say – I didn’t look carefully at Bitdefender Internet Security, because users can’t opt out of uploading “suspicious” files. Of the products that I did research, only AhnLab and Emsisoft assert that they won’t share user information with third parties. Even so, I didn’t find any evidence that any anti-malware provider had compromised its users. Until now, that is.
[ With the help of Bitdefender, an internet security company advising Europol’s European Cybercrime Centre (EC3), Europol provided Dutch authorities with an investigation lead into Hansa in 2016. ]
–
Emsisoft Anti-Malware:
It uploaded nothing during scans, with Anti-Malware Network off or on.
Bottom line, AhnLab and Emsisoft seem to be the best options from a privacy perspective. Both clearly state that they won’t share user information with third parties, without exception.
SOURCE: July 14th, 2017
https://www.ivpn.net/blog/are-anti-malware-products-uploading-your-private-data
–
Emsisoft Privacy Policy – Legally binding version (darker texts), Practical version (gray texts) or the @PARTS REPRESENTED BELOW.
How We Share and Disclose Information:
This section describes how Emsisoft may share and disclose Information. Customers determine their own policies and practices for the sharing and disclosure of Information, and Emsisoft does not control how they or any other third parties choose to share or disclose Information.
@In limited cases we share information with others, but we are not responsible for their data handling practices.
–
Customer’s Instructions:
Emsisoft will solely share and disclose Customer Data in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and in compliance with applicable law and legal process.
@We only share data if you allow us to do so.
–
To Comply with Laws:
If we receive a request for information, we may disclose Other Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.
@We don’t like doing so, but if a court rules that we have to provide specific user data to them, we have to abide.
–
With Consent:
Emsisoft may share Other Information with third parties when we have consent to do so.
@If you specifically allow us to share your data, we may do so.
[That’s the important ones under this ‘Share and Disclose Info’ area]
–
As far as I can see BITDEFENDER association with Emsisoft is as follows.
Subprocessors:
Emsisoft currently uses third party Subprocessors to provide infrastructure services.
Prior to engaging any third party Subprocessor, Emsisoft performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.
Entity Name: Bitdefender SRL
Subprocessing Activities: Service Provider. We send them your name and email address for Emsisoft Mobile Security license activation.
Entity Country: Romania
@Hard_Sell I don’t know what happened to our full discussion (was probably too long and deleted by admin =) ), but I’d still want to get at least this message out there:
Bitdefender did not admit on compromising it’s user, it admitted advising EC3 during Hansa investigation, those are 2 totally separate things.
Hey Sven! So if Emsisoft is the top-shelf AV for Windows… what would be a comparable app for Mac users??? Cheers, George
Hey George, I can’t say for certain with Mac OS as I don’t spend much time looking at AV software, other than this article to examine the privacy aspects.
Appreciate your candid feed back. That said, I’m hopeful, and with any luck, others on this platform can and will recommend something for Mac folk! 🙂
Very good article! Thank you Sven! Thank you also Hard Sell for the useful and informative comment!
I am curious should it be a problem/an issue if a community like EFF (being very recognizable) publicly requests either AV producers to consider an option to start being more transparent in terms of data collection by initially proposing a comprehensive guide and a list of requirement data to be provided? If this request is not efficient, then do you think that it would be a great idea to do the following. Assume EFF start a campaign with the support of the major NGOs and along with the public defenders of transparency and privacy rights, and major IT firms having interest in this campaign, by organizing some kind of League of Endorsed Transparent AV Solutions Providers. This league should simply list all AV products, who comply with the proposed data transparency publication. I could assume that if a AV firm wants to attract privacy respecting clients, then it would opt-for similar League.
It was just a naive idea.
Hi Vector, interesting idea, basically a certification that antivirus software meets basic privacy protections.
Hi Vector,
That’s a mighty nice thing to say about my research, thank you.
I don’t think your ideal is naive, then with the tweak Sven mentions to go from the campaign, or endorsement model to a certification class rating system for all A/V firms.
That class or classes ratings system must include transparency of all user/device sensitive data and metadata collected and transmitted and to defining this data encrypted retention, storage duration in a standard across the board policy.
The part of this rating system should addresses the adequate certification of their SSL/ROOT certificates to properly analyze HTTPS traffic.
–
If this should never come to exist you always have your vote by the almighty $$ to go with the best privacy respecting A/V firm to date – and convince family and friends to do the same. Thanks : )
Hi Sven,
Quite the eye-opener for your readers to know and understand somethings, and very nicely done on your part – Sir.
If I may address a few things by your numbers 1-4 to inherent risk as crucially observant perceptions.
–
# 1
It’s absolutely true that paying for software is in no way a guarantee that your data won’t be collected and/or shared or sold on to others.
Clearly, antivirus manufacturers have to comply with the laws of the countries in which they are established, however, this should be the only reason for providing user data to third parties.
Okay, so it is possible that intelligence/law-enforcement agencies in some countries prohibit vendors (security or otherwise) from revealing any cooperation with them.
– Good programs should not only disclose that sensitive data may be collected and transmitted but, also offer an opt-out option for users.
– Better would be to make those features a requirement of opting-in from the start, as well to defining the products data retention, storage policies (time duration before deletion – if ever) of their customers data obtained.
–
# 2
To guard against phishing and malware-hosting websites – look to an ad blocker like the installed version of AdGuard.
https://adguard.com/en/welcome.html
It’s been advised to just disable the HTTPS scanning feature of your antivirus. This functionality in anti-malware’s contradicts the very idea of TLS/HTTPS point-to-point security and gives the users a false sense of security from many security products.
TCP/IP HTTPS protocol:
Because traffic is encrypted, it’s not normally accessible for security inspections, antivirus products install their own root certificates on computers to be able to analyze HTTPS traffic.
Not only do security software’s reduce the connection security, but also introduce vulnerabilities such as failure to validate certificates properly.
So instead of helping the user stay safe, this opens the gate to vulnerabilities, in a study shown.
https://zakird.com/papers/https_interception.pdf
More:
SSL/TLS/HTTPS: Keeping the public uninformed
https://www.computerworld.com/article/2909512/security0/ssl-tls-https-keeping-the-public-uninformed.html
HPKP: HTTP Public Key Pinning
https://scotthelme.co.uk/hpkp-http-public-key-pinning/
Pinning hopes on pinning
http://www.economist.com/blogs/babbage/2011/09/internet-security-0
–
# 3
Inadvertently installing bundle programs – browser toolbars, adware, and plugins or other (PUPs).
It’s more than an annoyance and disruption of your regular running system.
It’s a privacy issue as they can then show you ads, monetize or sell your search and/or browser data.
– How to Perform A Manual PUP Removal
https://blog.emsisoft.com/en/31451/how-to-perform-manual-pup-removal/
–
# 4
Anti-virus/malware vendor programs, what else has such a free reign to every nook and cranny of your system with an advance system level over everything else.
Others in this lineup are the online scanners of the most popular anti-virus/malware programs where they offer free scans to check out your PC.
– Remember, in either case you’ve agreed to their ‘end user license agreement’ so what data did you just give away and for how long ?
If it was a free online scan – did it plant a bug, ID, tag of some sort to label your system for future tracking ?
Worth reading:
PRISM > The program (scroll down to it)
“Data, both content and metadata, that already have been collected under the PRISM program, may be searched for both US and non-US person identifiers. These kinds of queries became known as ‘back-door searches’ and are conducted by NSA, FBI and CIA. Each of these agencies has slightly different protocols and safeguards to protect searches with a US person identifier.”
“NSA databank, with its years of collected communications, allows analysts to search that database and listen ‘to the calls or read the emails’ of everything that the NSA has stored, or look at the browsing histories or Google search terms that you’ve entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future.”
–
WHERE DOES MALWARE COME FROM ?
Just a thought, if some Anti-virus/malware vendors go to such lengths to package (PUPs), wouldn’t it also make sense that they release ‘malware’ in the wild to sell their products to defeat it ?
– Government agencies in countries around the world have been known to plant cookies and even malware on unsuspecting users in order to record data. Web site operators and search engines use many techniques to try and follow you across the internet.
You must be aware of all of these methods and guard against them as well being informed by the Restore Privacy site.
Vault 7: CIA Hacking Tools Revealed:
https://wikileaks.org/ciav7p1/
“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.”
–
Bottom-line:
If an Anti-virus/malware vendors jurisdiction play a roll and it’s continued concept of users privacy plays an important rule for you.
You can’t do much better than Emsisoft’s security and privacy practices as they’re always trying to get the word out about both how it benefits you.
https://www.emsisoft.com/en/
Thanks for the feedback, as always, Hard Sell.