German Government Agency warns about using Kaspersky (bund.de)
186 points by Fake4d on March 15, 2022 | 143 comments


I will go on the record here and one-up them, warning against the use of any antivirus product. SO many vulns and gaping, smoking holes in that kind of software over the years, it's not even funny. Faux-security is what most vendors are peddling.

https://twitter.com/GossiTheDog/status/1427935182200492039 is one of my favourite bugs from recent years. I acknowledge this bug is not specific to an antivirus product (but of course, Fortigate offers that as an optional component for traffic inspection - and I keep wondering what that sub-component's code quality is like 8-)), but anyone who tries WILL find examples for grave problems aplenty.


Yes, basically this. On the one hand, being able to parse every protocol and file format under the sun in search of malware means high complexity and a lot of attack surface. On the other hand, being able to read every file, intercept all network traffic, or peek into any process's memory means pretty much the highest system privilege level. Big attack surface and high privilege level are a bad combination.

And regarding the point that the BSI is trying to make here: a high-privilege process with an auto-update channel back home (as modern software tends to have) is basically an extremely powerful backdoor. That's definitely not something you want to have installed across loads of systems across your country's industry and critical infrastructure.

It's funny that they apparently only realize this now. The same reasoning in the article can be used pretty much regardless of the AV's country of origin.


It's definitely reasonable at this point to just skip using AV. It won't protect users from bad security habits and it tends to make your system performance worse even if it doesn't have vulnerabilities.

I have Windows Defender enabled on my machines since it comes with the OS (and work policy requires it), but I definitely had to exclude most of my work folders to be able to get work done.

It would be nice to have software that specifically blocks ransomware by trying to detect it heuristically, but that would probably not be very effective and the right solution is just to have backups.


> to have backups

With the usual additional notes: unless you include an off-site, an off-line (or at least soft-offline) backup, and your backups get tested regularly enough, you don't have a backup system, you have aspirations & hopes!

----

For your valuable information anyway. For most individuals the core “it would really inconvenience my life if I lost it” data is surprisingly small¹, and the next layer (“losing it would really annoy me”) is only a few tens of Gb². For personal use everything else in the grand scheme of things can be reacquired or won't be massively missed, things are a bit different for businesses of course.

[1] password store, financial details & other officialdom, code & docs for personal projects that might come to something else

[2] meaningful digital photos & such


"With the usual additional notes: unless you include an off-site, an off-line (or at least soft-offline) backup, and your backups get tested regularly enough, you don't have a backup system, you have aspirations & hopes!"

This should be posted in every place where people are involved with IT operations.


It gets posted on HN EVERY SINGLE TIME. Usually the words "have backups" trigger multiple lectures on offsite backups and testing and multiple factors and ...


I'll stop repeating myself when the world gets the damned hint!

(or stops complaining when something is lost because they didn't)


Even if/when the world does get the hint, there will still be https://xkcd.com/1053/ (although most people probably won't find this as exciting)


Don't forget to not roll your own crypto!!!


> your backups get tested regularly enough

And you test the tests and so forth.


It is tests and verifications all the way down!

No matter how careful you are adding automated tests and tests to verify those tests have run OK, and making them fail safe (fail with a warning in this case) where possible, it will always soon get to a point where a manual “have we seen the everything-is-OK message recently?” check or similar is by far more efficient than adding another test to send a warning when the last layer of tests has failed.


First I skipped using antivirus altogether, but now I opted for an intermediate solution using Microsoft's native antivirus, Defender. At least this is fairly guaranteed to be compatible with Windows itself. Regarding the firewall: I don't trust Windows anymore - using an external HW firewall on my router (opnsense).


A new [0] feature in Windows is "protected folders", which denies access to specific folders (user-configurable) by default to applications, and the user needs to actively allow them access. The downside is that it's all or nothing, meaning that a given app either has access to none of those folders or to all of them.

You can do something similar with SELinux and AppArmor, and I think recent versions of macOS also have something similar.

---

[0] new to me, I'm only an occasional Windows user, for gaming, so it may have been there for a long time
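The "protected folders" feature described in this comment is Microsoft Defender's Controlled Folder Access, and it is configurable from PowerShell. The script below is an added example, not from the thread: it starts the feature in audit mode, adds folders, reads the resulting Defender events (ID 1124 for audited accesses, 1123 for blocked ones) to see which programs would be affected, allows one program, and then enforces. The folder and application paths are placeholders.

```powershell
# Added example: manage Controlled Folder Access (the "protected folders" feature)
# with the Defender cmdlets. Run from an elevated PowerShell on Windows 10/11.
# All paths below are placeholders; adjust them to the folders you want covered.

# 1. Start in audit mode: nothing is blocked yet, but every access that *would*
#    be blocked is logged, which is how you discover which apps need allowing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add the folders to protect. Defender already covers the standard user
#    library folders; these are added on top.
$folders = @('D:\Projects\Invoices', 'D:\Family-Photos')   # placeholder paths
Add-MpPreference -ControlledFolderAccessProtectedFolders $folders

# 3. After some normal use, list the events. Event 1124 = audited access
#    (audit mode), 1123 = blocked access (enforce mode). The program that
#    touched the folder is named in the event message.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1124) { 'audit' } else { 'blocked' }
        Message = ($_.Message -split "`n")[0]
    }
} | Format-Table -AutoSize

# 4. Allow the programs that legitimately write to those folders. As the thread
#    notes, an allowed app gets access to *all* protected folders, not just one,
#    so allow as few programs as possible and keep the folder list narrow.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleEditor\editor.exe'  # placeholder

# 5. Switch to enforcement once the audit log is quiet.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the resulting state (EnableControlledFolderAccess is reported numerically).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications | Format-List
```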


Protected folders has existed for a while, but in practical terms it is almost useless, because you can’t create groups of protected folders for different types of applications; thus protecting too many folders will have the consequence that you need to allow almost every application you regularly use.

Therefore protected folders works best if either a) you only use a very limited set of approved applications, which of course is rarely the case if you are skilled enough to know what protected folders are, or b) you only protect one folder with text documents that you only read in Notepad, but if you have that case it is better to put them in encrypted storage.


> specifically blocks ransomware

If microsoft made the "shadow copy"/"previous versions"/"system restore" functionality a core part of the kernel that even someone with admin rights can't mess with (which it almost is already), then that could be used to roll the system back to 5 mins before ransomware infection easily.


Ransomware usually has delayed activation built in, so that it's possible for it to spread or activate simultaneously once it's encrypted a bunch of machines, afaik


Malware writers make sure their malware is undetected by most antivirus software. Antivirus will not save you.


This is the case only for the first few hours. Sure, the new releases are checked against the current AV engines. But there's no magic that will prevent them from being detected in a week. And unless you're being actively targeted or extremely unlucky, that means AV will catch most things for you.


Agree, but doesn’t that mean that heuristic-based AV is useless and only creates annoyance by flagging legit software, when a list of known malware would be good enough if the response time to add to that list is high enough?


Heuristics are often good. The very basic one "has a significant number of users ever seen this file before" is both annoying for development and probably the best possible first line of defence for larger companies.


Most insurers expect you to have an AV installed.


Sometimes even on Linux servers, where the best an AV can do is take CPU and IO so that there's less for the malware.


McAfee is a magical product indeed. Not only does it ensure your Intel CPU is always enjoying the benefits of TurboBoost, but it also provides a faithful emulation of a 5400 RPM drive when using tmpfs. Marvelous technology. (And if you have a kernel-level problem, don't worry - the enterprise support you're paying so much for won't answer your calls, because McAfee taints the kernel).


Regarding Linux servers:

EP 10: MISADVENTURES OF A NATION STATE ACTOR

https://darknetdiaries.com/transcript/10/

NSA: So we’ve figured out here is the internet-facing box. The web server that they’re using was not patched, wasn’t updated, so I was able to actually use the known exploit to gain the right access to that machine. [MUSIC] Once I did that, I put an implant down on that machine because it was pretty safe. It was actually a Linux server and the nice thing about Linux is no antivirus, right? I’m not super concerned. Especially because it’s a web server, I don’t worry about a user seeing the screen and using it and see something weird going on. But anyway, so I get down on that box, sit there for a little bit. Everything looks pretty good. There’s not much to see; it’s a web server and it’s got a website on it, got a database back end to it. Not a whole lot going on.


A Linux virus that Just Works... I don't see it happening. Maybe if your distro officially supports it otherwise there will be missing libraries or incorrect drivers.


It’s also part of Windows hardening standards that are then pulled into compliance frameworks.

My company installs at least 3 antimalware/security management products that cripple, I mean, protect endpoint systems. 2 vendors. None of them are integrated with each other. So files and executables are all scanned 3x. Git runs abysmally slow because of all the processes involved and tiny files.

One of the reasons I run the paperwork gauntlet to run a Mac. Windows is crippled, Linux is banned on endpoints, so Mac it is. I have to run 1 AV, but it doesn’t do a lot. And I love apple kicking everyone out of the kernel over time (except VirtualBox, that’s annoying).

Luckily it’s mostly an application-level concern on Linux. Scanning files and such on file-servers, mail gateways, etc. ultimately protecting windows systems w/ normal user processes not all up in my kernel, and on limited systems. It actually kinda makes sense.

Now, commercial IDS/IPS, I don’t even want to know how those are architected. I haven’t touched an OSS one (Snort) in years.

If I won the lottery, it would be kind of fun to just sit and find horrific exploits in these things.


You must work where I work. Symantec Endpoint Protection (of course set to scan at any access), CarbonBlack, Avecto, etc etc etc. And because the people complain about it they install stuff like Nexthink to diagnose performance issues.

Eventually you end with a system that has so much latency on every I/O operation and over 60 ETW traces running you can't even run or finish a WPR trace.


LOL. Different batch of software.

I think this experience is called “enterprise.”

MS really shot themselves in the foot adding the ability for stuff to insert itself into I/O that easily.


Does Windows Defender not count?


It should count, and this is what I would recommend to use.


And MRT (Malware Removal Tool, catchy) on the Mac.


My favourite part of this tweet is the down-thread reply from the author:

"In fairness MSFT are really good in terms of web facing things, particularly security things." [1]

This, of course, aged like milk the very next month. [2]

[1] https://twitter.com/GossiTheDog/status/1427966653938143233

[2] https://www.paloaltonetworks.com/blog/2021/09/azurescape/


> My favourite part of this tweet is the down-thread reply from the author:

> "In fairness MSFT are really good in terms of web facing things, particularly security things." [1]

> This, of course, aged like milk the very next month. [2]

Being "good at software security" (in modern terms) doesn't imply not having any vulnerabilities ever, or even serious vulnerabilities.


That's bad advice. It's a trade-off. Installing antivirus opens some security holes and closes others. It also adds heuristic analysis. It seems to me that the security world has come to the consensus that AV is better than no AV.


> the security world has come to the consensus

Any links? If you really care about security of your OS, consider security through compartmentalization approach, which actually works. See also: https://qubes-os.org.


Security and convenience are on a spectrum. Often security works against itself by being too inconvenient, leading to human attacks as people work around the security features. If someone wants more security, it doesn't mean that they "really care about security" and want 100% bulletproof coverage. There are grey areas.


I warn about using any kind of snake oil.

Often sold under the marketing terms "antivirus" or "personal firewall" or "cloud cyber security". Known side effects of this treatment are high CPU load, high RAM consumption, drain of battery power. Sometimes they also consume your money or look at your data. So far I would consider other countermeasures, like applying user rights, proper package management and reconsidering your decision to use this random stuff from the internet. If you're forced to use Windows, the one with the least known side effects is Microsoft Security Essentials, but even this has several drawbacks. If you're already using Linux or some kind of BSD you probably already applied these measures accordingly.

PS: This doesn't mean you shouldn't make sane use of software looking expectantly for malware. If you are a server admin hosting a mail server which faces random stuff from the internet, it makes sense to filter out bad stuff. And it won't spin up the fan of your laptop or drain its battery.


"If you're forced to use Windows the one with the least known side effects is Microsoft Security Essentials but even this has several drawbacks."

But permanently disabling it is very, very hard.


> But permanently disabling it is very, very hard.

I installed linux in a new machine just last week


Congratulations, me too.

But that didn't help me with the linux driver issues for my laptop. Nor does linux run adobe animate, or a bunch of other software.


Good work!

The only "correct" approach is telling Adobe that they need to provide native ports of their software, or switching to other software. Regarding laptops, buy business laptops (Lenovo ThinkPad, Dell Developer Edition) or laptops made by vendors with a focus on Linux (Purism, System 76, Tuxedo) and stick with internals from AMD or Intel. So it boils down to knowing things beforehand and giving the right companies your money. It worked somehow: first Intel provided good support, then AMD, Atheros and others followed. On the ugly side we still have ARM, Qualcomm (yep - now Atheros) and of course Nvidia.

Actually the "stickers" with the Windows logo from Microsoft are the proof that the hardware runs well enough with the pre-installed version of Windows. And that the manufacturer has spent 80 $/€ or more for this. Some people also call these stickers "tax labels", nasty people "protection money". Not that I want to encourage the Linux Foundation...


Lenovo gets a lot of love from linux users for their laptops, but they've repeatedly shipped malware infested systems. Sometimes they did it in exchange for money, sometimes they wrote the malware themselves. I wouldn't recommend anyone go near them. I mean, hardware that'll play nice with linux is nice, but we're not lacking for alternatives these days.

If a company who acts as horribly as Lenovo does can still be recommended even in tech circles it makes me wonder what a company would have to do before their reputation suffers for the general public.


They never shipped malware that would resist a fresh install. Nobody should ever use an OEM-provided OS.


> They never shipped malware that would resist a fresh install.

Actually they did. It stored the malware in UEFI so after a format/clean reinstall of your OS you were still vulnerable.

https://www.ghacks.net/2015/08/12/lenovo-once-again-in-hot-w...


Yes. That was bad. The thing is that Lenovo's ThinkPads are still good.

Honestly, we just accept what Apple, Google and Xiaomi are doing every day. Maybe they note it somewhere in the terms, or not. The difference is that we have access to the BIOS and higher expectations of Lenovo. On the other side, "whataboutism" doesn't help :(


Actually it's not. Just add an exclusion for C:/ - it still hogs some memory but the I/O drawbacks are gone. There is probably also a way to let it scan Downloads only but I haven't found it yet. In this configuration it still scans USB drives.


IntelliJ IDEA recommends excluding directories related to the project and IDE from MSE. I think that's a reasonable compromise between performance and security.
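The two approaches in this sub-thread, excluding the whole of C:/ versus excluding only project and IDE directories, are both a few Defender cmdlet calls apart. The script below is an added example, not from the thread or from JetBrains: a small helper that adds scoped exclusions while refusing a drive root (the setting that effectively turns on-access scanning off), then lists what is excluded. The folder paths are placeholders.

```powershell
# Added example: scoped Defender exclusions for a developer workstation, as an
# alternative to excluding a whole drive. Run from an elevated PowerShell.
# Folder paths are placeholders standing in for your own project/IDE directories.

function Add-ScopedDefenderExclusion {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        # Refuse drive roots such as C:\ or C:/ : excluding one turns off
        # on-access scanning for practically everything, the weak setting to avoid.
        if ($p -match '^[A-Za-z]:[\\/]?$') {
            Write-Warning "Refusing to exclude drive root '$p'."
            continue
        }
        # Only exclude folders that actually exist, so a typo cannot silently
        # create a dormant exclusion for a path created later.
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Warning "Skipping '$p': not an existing folder."
            continue
        }
        Add-MpPreference -ExclusionPath $p
    }
}

# Project trees and IDE caches: the kind of folders an IDE vendor suggests excluding.
Add-ScopedDefenderExclusion -Path @(
    "$env:USERPROFILE\source",          # placeholder: where checked-out projects live
    "$env:LOCALAPPDATA\JetBrains"       # placeholder: IDE system/cache directory
)

# Leave the Downloads folder scanned: that is where fresh, untrusted files land.
# Review the resulting exclusion list so nothing broader than intended slipped in.
(Get-MpPreference).ExclusionPath
```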


At the same time, those folders are probably the biggest backdoor into your system if you are a software developer. Software developers are smart enough to not download crap from the internet, but they will gladly run npm install with full user privileges.


They once set up the scanners here to prevent modification of executable files. The linker called by GNU's GCC was...well...surprised. Not a problem if you build the Windows stuff on Linux as well.


Anti virus can be very helpful in corporate environments if set up right and managed by knowledgeable people. Those people are expensive, but they're life savers when John from marketing clicks the "enable editing" button in a spreadsheet he just received from a spoofed email address.

The problem with corporate security is that security vendors often try to shovel as much crap onto your network as possible, rather than set you up with the security system you need. It's not hard to set up a company wide system that shows all green checkmarks and has tons of tray icons running to assure upper management that everyone's computer is now secure, especially with duplicate features and multiple daemons that a talkative sales rep might try to slip in for that sweet commission money. You also need someone competent to look through logs, keep checks on what's going on, and not get fired or demoted if they don't report anything new (because if you're lucky, there's nothing new to report).

For smaller businesses, the best you can do is hope for the best, really. Keep your consumer AV running and try to stick to common security advice, because there's no way you'll be able to get much use out of common business AV products if you don't have someone in your company who knows how to use those tools.

For consumers, Windows defender is often a decent balance. It's pretty good at detecting viruses, doesn't get in your face all the time, and although there's definitely a performance impact, it's low enough that office work shouldn't be affected by it too much. As a dev, I hate how much it gets in the way of many applications (especially those accessing many small files, like compilers), but I realise that this isn't exactly the most common workload for AV.


Will be difficult. Most people are trained in a way that "Antivirus" means "Ass covering successfully applied. I'm no longer responsible!".

The "antivirus" was sold as a solution to the MBA people for thirty years and computer magazines told the consumers the same wrong story. I've seen arguments like "ISO27001 requires us to install an antivirus on those application servers". Suddenly you see "undefined behavior" on the same application server. Guess who gets blamed? Not the responsible people.

When we see weird issues on customers' systems, "Please turn off antivirus" is in a high number of cases the solution; suddenly, defined behavior. The problem with antivirus software is that it is the actual implementation of undefined behavior.

I'm not a network admin! John from marketing should be in an isolated VLAN or something like that? Only access to a departed internal file server? Because it will fail. Maybe there is JavaScript in the next spreadsheet and Microsoft Security Essentials is happy: "JavaScript? Let me see. I want to put my nose inside!": https://docs.microsoft.com/en-us/security-updates/SecurityAd...

Failure will happen in general computing and the systems need to be resilient about that. The other approach is what we see in mission critical systems? Multiple parallel instances if possible, no unchecked updates, no random software, only input through defined interfaces.


Working at a large corporation, I liken our AV deployments and endpoint security to the invisible hand of productivity destruction. I’m not saying these products don’t block malware; I’m not disagreeing with you at all.

It should be stated that, with a high degree of confidence, deploying these measures against your internal employees' personal systems and cloud deployments WILL invariably lead to the destruction of employee output and system performance, when things inevitably do go wrong and whole operating systems are hosed if not obliterated.

Back up your data folks +Your environments +Your passwords.

It can take weeks to get back up to full speed when your system dies to AV or anything else.


When the AV killed the first laptop here I was surprised about how. It turned out that this "special" product sneaks into the hardware disk encryption (which is actually reliable) and rendered it useless. The IT department shrugged and bought the next laptop...


No problem in a company where spreadsheets don't have root access to everything.


Spreadsheets don't have to have access to admin to cause serious issues. Company financials, shared drives, contact lists with hierarchy, email history, password managers, etc. live on restricted user accounts. As usual there's an XKCD for it: https://xkcd.com/1200/


Though actually I installed Kaspersky free edition on an older computer because it was fairly light and well behaved. Has a good reputation for catching things too. But yes, I should really think about removing it now, and I'm sure we all have sympathy for the trusting victims who paid to upgrade their bundled McAfee/Norton/Symantec and were worse off for paying extra....


I agree with the snake oil sentiment, and wanting a tool to monitor connections on a per application basis but being dissatisfied with everything I found, I wrote my own (https://elesiuta.github.io/picosnitch/).

Only then did I discover that creating any sort of tool that is running on the same machine it is supposed to protect, if malware is also on said machine, is basically a fool's errand.

I tried to overcome as many of the pitfalls as I reasonably could, but reached a point now where the best approach is to just document any remaining limitations and some of the other counter measures you can use.


There's a lot of anti-antivirus sentiment in these comments, and while I, too, hate AV and have grown up with it being nothing but snake oil, I wonder if that's still correct in the current era of "zero trust".

I think we've learned that corporate firewalls and VPNs don't really work all that well. In other words, if you can't rely on a safe boundary to the outside world, how do you ensure individual corporate machines are not compromised? What about newer software like Crowdstrike?

What do the big tech companies like Google, Microsoft, Meta, etc do on their employees computers? Do none of them use antivirus?


I feel traditional antivirus software is the very opposite of zero trust. It runs at a very high level of permissions and intercepts almost everything.


https://www.microsoft.com/security/blog/2018/10/26/windows-d... There are of course still some occasional issues, but the scanning is pretty restricted these days.


Kaspersky is indeed FSB controlled, lots of proof of that in the last 10 years, but of course they will not just upload all your data or brick PCs in revenge for sanctions (well, maybe they will if told nuclear war has been started). They will behave according to the agreement, and just let the FSB peek a bit at data they are legitimately getting. Same as Microsoft / Google / Apple / Amazon etc. relationship with multiple US spying agencies.


Google translate: https://www-bsi-bund-de.translate.goog/DE/Service-Navi/Press...

(For the none German speakers)


The DeepL translation (deepl.com) seems to be a bit better:

# BSI warns against the use of Kaspersky antivirus products

The Federal Office for Information Security (BSI) warns against the use of antivirus software from the Russian manufacturer Kaspersky in accordance with §7 of the BSI Act. The BSI recommends replacing applications from Kaspersky's portfolio of antivirus software with alternative products.

Antivirus software, including the associated real-time cloud services, has extensive system permissions and must maintain a permanent, encrypted and unauditable connection to the manufacturer's servers for system-related reasons (at least for updates). Therefore, trust in a manufacturer's reliability and self-protection, as well as its authentic ability to act, is critical to the secure use of such systems. If there are doubts about the manufacturer's reliability, antivirus software poses a particular risk to an IT infrastructure that is to be protected.

The actions of military and/or intelligence forces in Russia, as well as the threats made by the Russian side against the EU, NATO and the Federal Republic of Germany in the course of the current armed conflict, are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer may itself carry out offensive operations, be forced to attack target systems against its will, or itself be spied upon as a victim of a cyber operation without its knowledge, or be misused as a tool for attacks against its own customers.

All users of antivirus software can be affected by such operations. Companies and public authorities with special security interests and operators of critical infrastructures are particularly at risk. They have the option of seeking advice from the BSI or the relevant constitutional protection authorities.

Companies and other organizations should carefully plan and implement the replacement of essential components of their IT security infrastructure. If IT security products and, in particular, antivirus software were to be switched off without preparation, they might be left defenseless against attacks from the Internet. Switching to other products involves temporary losses in convenience, functionality and security. The BSI recommends that an individual evaluation and consideration of the current situation be carried out and, if necessary, that BSI-certified IT security service providers be consulted.

Press contact: Federal Office for Information Security Press Office Tel.: 0228-999582-5777 E-mail: presse@bsi.bund.de Website: www.bsi.bund.de

Twitter: @BSI_Federation #GermanyDigitallySecureBSI


DeepL is an amazing translation service. So much so, that I have seen several people blindly writing into it...exposing all sorts of PII, both theirs and other persons'. I often wonder what happens to it.

And, tbh, being more circumspect, i haven't been bothered enough to try and find out.


same is true for google's. difference here is deepl is german and benefits from GDPR. so, from a comparative pov, I'd stick with deepl.


DeepL is better quality-wise when context matters. The synonym feature with auto rephrasing of the remaining sentence is amazing too.


> (For the none German speakers)

I'm sure there's a few for sure!

/s Thanks for the Translation


It's curious to look on at this situation from Linux. Perhaps I shouldn't be too comfortable but it's really a different world. I suppose that one should take care which distribution one uses as that is also an effective entry point for software from the outside but at least a bit more obvious and open than some AV company.


I'm anxious to see what the Steam Deck, one of the first popular, user accessible Linux computers, will do to the Linux landscape.

For ages now, Linux has been relatively virus free because let's be honest, Linux is either used by just a few nerds (who are often just a tad harder to trick than the tech illiterate) or by servers, for which entirely different classes of malware exists.

With effectively no antivirus protection, either because of a lack of options or because the outdated mantra that "you don't need it" because of some peculiarities that Apple used for years to deny the existence of macOS malware, Linux users are bound to run into viruses sooner rather than later. Hackers that are after Steam accounts will definitely try their hardest to infect Linux desktop users.

My best hope is that the way Linux distributions are woefully incompatible with each other will protect the hardcore Linux users somewhat from the viruses that will inevitably be spread across the "common" Linux environment. I'm sure we'll see Flatpak/Snap viruses down the line, but for a short while, we'll hopefully still have time to see where the Linux landscape is headed.


The biggest benefit to being "virus free" (even though it's not), is the package management. On windows, most software installs, updates, etc., rely on you executing a random .exe file, downloaded from some random page online, while on linux, you trust the team of maintainers (who usually know what they're doing) to keep repositories relatively safe.

The same idea came for apple and google, and their software stores, but google mostly fucked it up by allowing a "flashlight app" to access your contacts and gps location, and apple fucked up by not allowing you to sideload a program at all, even when you know what you're doing and trust the software.


Did apple really fuck up or are they actually succeeding with iOS being the most "safe" mainstream end-user operating system by far. Arguably they fucked up by bungling the Mac App Store so running executables downloaded from the web and software updating itself is still common.


I mean... sometimes you want to install 3rd party, non-appstore software, and not having that possibility is a fuck-up for me (and a reason not to buy apple).


If the users act right and use the package management and Steam, they will be fine. If the users decide to "save money" with warez, cracks and black market software they will suffer. And antivirus software is available for Linux, but only competent administrators use it, where needed.


You don't need warez at all. For example, people might want to run Microsoft Office on the deck if they hook it up to a dock (which Valve will sell later).

You can't run Office on Linux, of course, but there are plenty of scripts you can download to set up a VM and do some remote desktop trickery (I've just recently gotten cassowary running on my laptop for exactly this use case).

It's the small touches like these that are the problem. Linux on the desktop, and especially Arch based Linux as is running on the Deck, eventually needs some kind of shell script to work around some kind of issue or lacking feature that people have come to expect from Windows.

Hell, even the "official" software stores will eventually become polluted because let's be honest, nobody guards Flatpak against malware and promising to make games run faster combined with a YouTube/Tiktok campaign will probably get enough installs to get plenty of hacked Steam accounts.

I've never seen an offering for Linux AV that doesn't require some kind of endpoint server setup. Most Linux viruses attack servers, and those seem to be the target of the Linux AV industry. ClamAV exists, but that's probably all you can say about that, it's not exactly difficult to evade.


The "I want it like Windows" people are an issue. Actually they always were? Old and bad behavior patterns. This hits the responsible people themselves. I feel bad about using plugins from GitHub which aren't packaged by my distribution. And these plugin managers make it too easy :(

Regarding Flatpak (which I wish success) and Steam (which already has a lot of success) I'm feeling more worried. They want to grow and add stuff but actually must be a reliable source.


As a 25 year Mac user, I concur.

I'm just glad that Microsoft eventually decided to bring antivirus in-house, and I don't ever again have to mess with 3rd-party security products for my Windows box


Though some say that Windows Defender is one of the easiest AVs to bypass.

I wonder though if Microsoft Defender ATP and Virtualization-Based Security make it more difficult.


The potential issue I see on Linux is the spread of third party distribution channels, like npm / pip / etc, which also tend to undergo much less scrutiny than official packages.

Sure, if someone gets root on my Linux PC, they could do a lot of damage. But my most important things are parked in my home folder, which any old script running as my user can access without any problem. No need for privilege escalation or other fancy things.

AppArmor and SELinux can probably mitigate this, but I don't think they see particular widespread use in "default deny" mode.


Linux is very secure by default, if you stick to open-source software and install it from the distro package managers. What I worry about is when Linux becomes more popular, and commercial software is ported over, and people start pirating it. The door is wide open when people start typing their root passwords into keygens. I expect the Linux world will have a revelation where they discover the power of AV.


With the fast-moving legal landscape in Russia this seems like a smart move. Given the new laws being added in Russia now, a law coercing Kaspersky to help the Russian government attack customers that the Kremlin sees as enemies does not seem that far-fetched.


This is interesting news, but I think it's more about sanctions/political pressure than an actual threat to general businesses and people.

Once a zero day or backdoor has been used it's burnt forever; nation-state intelligence services need to be incredibly careful about when and where they use them. If one were to be placed in a Kaspersky product and used, that's Kaspersky burnt as a business forever, and with it the ability to use it as a vector for high value targets. They are not going to use a backdoor in a Kaspersky product for a general attack on people and business, at least not at this point. Realistically any high value target in the west isn't using Kaspersky anyway.


> more about sanctions/political pressure than an actual threat

I think this would be one of their hybrid warfare steps (well) before actually going nuclear.


You seem to be assuming a lot of things, like that Kaspersky couldn't deploy certain updates to targeted customers? That malware will leave behind trails of how it got on the computer? That plausible deniability is impossible?

What happens when a definition update "reduces false positives" but actually lets in a Russian cyberweapon that is delivered independently?


I'm reading this as I am giving a class on Stuxnet this morning.

We're doing worms and multi-stage malware. But inevitably the conversation turns to national boundaries, cyberwar, collateral damage (to individuals, hospitals, power plants, companies...). My students want to understand the relations between companies like Microsoft and the NSA, what happened to Siemens from the economic fallout, why the Iranians would be running Windows. Who paid to clean up the tens of millions of infected machines out there? I keep getting questions that begin "But surely...?"

We've been through an unprecedented period of human history in which the internet brought us together. That time is over.

The fact that a Russian company could trade freely in the world such that American companies, only within a decade of the Cold War, would use Kaspersky (which I believe is a good product) is absolutely remarkable.

It's what Richard Buckland called "A miracle of interoperability" that allowed a movie made in Hollywood to be recorded on a DVD manufactured in China to run on a player assembled in India, according to standards designed in the Netherlands and Japan, playing in a home in Australia.

That level of trust and cooperation has to run both ways. It's at least as remarkable as Russians, Chinese and Iranians running Microsoft Windows. The internet delivered on much of its promise to unite the world. But what I've seen in the past 5-10 years is so much effort by everyone to _undo_ that trust. Greed and surveillance capitalism have played as much a part as government intelligence over-reach and economic warmongering. All parties have abused trust and now we are withdrawing into silos again.

From a business perspective, maybe we'll need to reckon with a future more centred around domestic sales and use. Perhaps the "splinternet" is just the beginning of a global divergence at the protocol level.

How can we (proponents of a true INTER-net) avoid this?


> [...] "A miracle of interoperability" that allowed a movie made in Hollywood to be recorded on a DVD manufactured in China to run on a player assembled in India, according to standards designed in the Netherlands and Japan, playing in a home in Australia.

Well, it can be played in Australia only if its DVD region code is 4, and it cannot be played in any other countries you mentioned, which are all in different regions (USA: 1; China: 6; India: 5; the Netherlands and Japan: 2). So there's that. "A miracle of interoperability."

https://en.wikipedia.org/wiki/DVD_region_code


There are people who make things. And people who break things. Each have their time. We are living in an age where the latter have the upper-hand. But it will pass and we will build new monuments on their bones.


Decentralization from meshnets up. The user agent needs to handle the entire electronic presence, establish the identity of its user, and keep watch on its friends like a herd.


I am not an IT professional but a bit confused by how many completely negative views there are here on AV use. I have a NOD32 license and at least twice per month a URL is blocked while browsing, in an unobtrusive way, by the software, which makes sense as it may have contained malicious JS or something. Maybe it would've been caught by uBlock afterwards, or may have been caught by MS Defender as well, but I like the assurance provided. You can argue that I'm browsing in an unsafe manner, but I doubt many of you restrict your browsing to strictly "safe" chunks of the internet.


The point is that the AV does not do much here. The security model should be proper sandboxing within the browser, along with block lists that get used by ublock origin if you wish. A third party program running alongside your browser, inspecting the URLs you visit (possibly then via TLS certificate MITM?), is just a weird way to think about security in my opinion. Not even talking about the potential new attack surface that may be introduced in some way.


The illusion of cybersecurity is finally being questioned.

AV scanning emails has been a phishing scam for decades which benefits the criminals.

Because so many people have worked on so many parts of a computer, be it the hardware or software, who do you trust when you don't trust random strangers in the street and people like to gossip and spread rumours? Is this a classic case of cognitive dissonance, or does it just show that giving money for something makes someone/something instantly trustworthy when their own survival comes before yours?


This ban on Kaspersky in software is similar to the US ban on Chinese Huawei for 5G.

What I am really waiting for is a ban on cloud services like Github. Since Russia is now basically even more rogue than Iran, I bet something like this is in the making: https://techcrunch.com/2019/07/29/github-ban-sanctioned-coun... And its reversal to this day: https://github.blog/2021-01-05-advancing-developer-freedom-g...

Cybercrime is still a thing in Russia.


The same warning obviously applies to all the American AV vendors, given what we have learned in the last few years. And this is not idle speculation and baseless accusations; it's right from the inside, part of the NSA and CIA leaks.

So what is one to do? Where is the free open-source AV the world needs, which has the same number of highly skilled full-time developers and researchers as Kaspersky does?

There really needs to be a global AV effort and software, funded by governments, but open and transparent, and based in a country which does not sit in the shadows of over-reaching spying agencies. But what will it take for this to happen?


What about Telegram?


The client is open source, so it should be quite safe, and the company is not based in Russia. But I think some servers are?

In either case, it is not a medium for secure communication anyway.

I use it more as an open forum software.


>In either case, it is not a medium for secure communication anyway.

The problem is it is running on your machine.


Why would that be a problem? The source is open, there are public builds by F-Droid that are definitely not tampered with. I trust the F-Droid maintainers.


It’s been interesting to note how Kaspersky has been responding to the scrutiny. It’s almost always the same - ”we have been audited a huge amount of times and no-one has ever found anything!”

It’s suspicious because, as someone who is a vendor of risk management, they’re leaving out the gaping-hole fact, which is that software is updateable and oftentimes AV will do so automatically. Potential risk is pretty huge.

Same applies also to the Huawei discourse.


But this applies to any software that has auto-updates. Can we be sure that Microsoft/Google/Apple don't sign backdoor updates for the NSA for specific targets? As far as I know these national security orders are non-public and we don't even know if it's happening.

But Russia used Ukraine in the past as a "playground" for cyber attacks: some mandated tax software's auto-update was hacked and delivered a ransomware trojan without any chance to pay, i.e., pure data destruction.


No, it doesn't. Because not all software companies can be a) under influence of a foreign government potentially hostile towards yours and b) software has varying degrees of replacement difficulty.

Example - building an entire smart city network on top of Huawei network gear. It would be very difficult to rip it out and replace on a whim if China suddenly decided to side with Russia in a war against the West, which is literally a possibility floating in the air right now. End state - you have a hostile actor who has access & control of your critical infrastructure. ¯\_(ツ)_/¯


Assume, just for the sake of argument, that Kaspersky has no back doors and no connections to state organs.

What would you, as Kaspersky CEO, say?


> Same applies also to the Huawei discourse.

How? Huawei routers and switches don't auto-update.


Their whole range of management software does.


How else should they respond? And almost all software today is updateable, and much of it does so automatically by default. What is your argument here exactly?


The point here is - don't build critical functionality via companies that are under the thumb of foreign superpowers.

"But what about USA??" I don't expect Europe as it is now to be on hostile terms with the USA. But the principle would of course apply if that started being true.


We supply servers running some proprietary control software and a school district put Kaspersky on it after receiving it. We mentioned to them that we can't be involved with that product anywhere because of our company's involvement with DFARS, and frankly we are surprised they were able to get away with using it, being a government organization. Still there though, guess they just don't care.


This is interesting news, but submitted content must be in English on HN.

Edit: Take it from dang, not me: https://news.ycombinator.com/item?id=27571809


Language isn't mentioned anywhere in the submission guidelines [0].

[0] https://news.ycombinator.com/newsguidelines.html



Shouldn't it be part of the guidelines then?


Not sure why this comment is downvoted - my post was removed because of this, it is a real limitation (not so smart one).


I feel like browser translation widgets have gotten good enough that if half of HN is reading the article as a translation, they'll still be worlds ahead of the half of HN who doesn't read the article before commenting.


Is there a rule that says that?


Aside from the fact that avoiding Kaspersky in important divisions in the Western world is practical, I wish Kaspersky survives. They are great at detection and analysis and not based in the Western world.


What anti-virus (if any) does one recommend to their 60-year-old parents on a MacBook...?


What do you guys recommend? Windows defender or?


Bitdefender is the most recommended other option. Sophos and F Secure are good too, so is Emsisoft and G Data. Depends on who you want to share your data with and how much you are willing to spend. Emsisoft is the least bloated option, they don't include all the password and vpn nonsense.


I always recommend Kaspersky, as it's one of the best AV suites out there, and because there is still no proof whatsoever that the Russian government is "inside" KAV.


What makes it the best over other options? Windows Defender turned on plus a firewall protects like...everything.


ClamWin is actually lightweight and nicely unintrusive.


And has notoriously bad signatures afaik.


Why are they even using Windows?

The US is not an ally either.


Germany is one of the oldest NATO countries. Of course the US did supposedly intercept the Chancellor's phone calls or emails or something, but it seems like not much ill-will was generated as a result.


Not supposedly, definitely. And I think the fact that they actually did something like this is very concerning and shows two things: they are very deep inside EU computer and network systems, and that they do not truly consider the EU as an ally.


> it seems like not much ill-will was generated as a result

That's because any ill-will at a government level would have been futile and disproportionate. There was public outrage at the wiretapping but largely the general assumption seems to have been that the US intelligence operates freely in Germany. That US intelligence services engage in surveillance against even close allies was an open secret and most likely widely known among German intelligence agencies and possibly the government too.

Historically, Germany post-WW2 existed at the whim of the US, France and the UK. The governments of the occupation forces in the territory of West Germany had special legal rights based on contracts pre-dating and superseding the German constitution. Officially most of those special provisions expired, but there's nothing in the original contracts requiring any successor contracts to be publicly acknowledged, so depending on how much you like tinfoil hats, it's entirely possible that the US still holds a legal wildcard in German law.

And even if the US had no special legal exemptions, what would that ill-will translate to? Germans opposed the invasions of Afghanistan and Iraq but the German government continued to operate as usual, to the point of participating in "peacekeeping" during the military occupation following the regime changes.

Sanctioning the US would be economic suicide. Despite the outrage about human rights abuses, Germany still isn't sanctioning China. Russia got away with various abuses and even political assassinations without actual consequences because Russian gas was an important import. And the US not only dominates large parts of the German economy but also its culture.


So they basically say Russia can spy on you if you're using Kaspersky (but the German government, or its "allies", can't). Then, I guess that using Kaspersky is a wise decision unless you happen to live in Russia or Ukraine. Downloading ;-)


Seeing that the West just killed off payments in the Moscow metro, stopped security patches for Cisco networking equipment, etc. etc., there is a bit of projection going on: we fear that Russia might do to us what we just did to them.

But what is the end result of this? Any "potential enemy of the West" will have to do their own tech, and we will only use our own stuff. Sounds like a bad trade for us; instead of selling all this stuff we have already made for a nice buck, we now insist that everyone makes their own.


It would be a legit thought if Kaspersky (the company and the owner) didn't have direct connections to the FSB.


In the same manner, you can easily connect any of the big US tech companies to the US intelligence services or military.


When I see the evidence. A party in a sauna with hookers was quite a “specific” sort of connection between E. Kaspersky and FSB officers.


[flagged]


No, thanks.

I mean: you didn't mention who else was involved. And I’m not going to deny the evidence - I understand there are not so many “clean” players in this league.


A little bit worried about Jetbrains products as well. I think they have development centers in Russia? Not worried about the company, but rather about some disgruntled employee, for example: "put this USB stick into your computer or otherwise we will prosecute you or your close ones for participating in protests or on some fabricated accusation."


Jetbrains is Czech. They have suspended their sales and R&D activities in Russia and Belarus two weeks ago[1].

Hacker News discussion from when it was announced[2].

[1] https://blog.jetbrains.com/blog/2022/03/11/jetbrains-stateme... [2] https://news.ycombinator.com/item?id=30639572


> Jetbrains is Czech.

Their headquarters is Czech, but many of their developers are or at least were based in Russia.

> They have suspended their sales and R&D activities in Russia and Belarus two weeks ago

"R&D activities" is a funny phrase. Does that mean they've stopped all development in Russia (i.e. there are no longer Russian employees working in Russia with commit access) or not?


Thanks! My bad.


Look at https://blog.jetbrains.com/blog/2022/03/11/jetbrains-stateme..., they are actively moving all their employees out of Russia.


Sorry, but there is no such information. Some employees have moved out of Russia; JB's help to them is not mentioned. I hope I just misunderstood it and JB does help their employees to move out of Russia.


You realize everyone from Intel to Samsung has R&D centers in Moscow, right?


I’m worried about JetBrains too. From what I can tell, only a small portion of their team (including the founders) are located outside Russia. That’s a lot of people left inside Russia to be pressured, manipulated, and abused into compliance.


Jetbrains was already banned at the Department of Defense and many other companies in the wake of previous hacks where they were suspected as the entry point.


Can you expand on this, perhaps with a link to documentation about this?



Thanks!


Insider attacks should be part of every threat model.

