If you’ve been paying any attention to geopolitical news of late, you might have heard about the storm around Kaspersky. The Russia-based antivirus firm has been responding to allegations that it collected top secret NSA files from a customer machine and shared them with Russian intelligence agencies. For its part, Kaspersky maintains its innocence. They contend that they collected the files as part of normal operations, but then deleted said files from their systems at the direction of the CEO.
The issue has prompted questions about antivirus vendors in general. We’ve received and answered some of these questions ourselves. Why does antivirus collect files from customer machines? What happens to those files and how are they protected?
We asked our own Mikko Hypponen, Chief Research Officer at F-Secure, many of these questions in the first episode of our brand new podcast, Cyber Security Sauna. Be sure to listen as Mikko explains how and why we handle customer data and files, and why it’s important to trust your vendor.
In addition, here are some of the questions we’ve been getting, along with our answers.
This is the way most antivirus software operates today. Components on the customer machine are able to perform a fairly exhaustive structural analysis of malware. However, performing deep analysis of malicious files requires steps like detonating the sample in a controlled sandbox environment. These sorts of things can’t be done on the customer end.
To describe the process simply, if our software encounters a suspicious sample on a customer’s system we’ve never seen before, and if the software on its own cannot reach a verdict about whether the file is malicious or not, that sample may be uploaded to our cloud for further analysis.
Cloud technology enables better, faster protection because once the security cloud determines that a suspicious file is in fact malicious, it can then protect all of our other customers almost instantaneously.
Encryption. We use HTTPS with certificate pinning to protect against man-in-the-middle attacks. And we anonymize everything. So although we have a particular file, we won’t know whose machine it came from. All queries made to our “security cloud” regarding files (by hash) or URL reputation are also encrypted and anonymized.
It depends on the product and the settings used. You can find out more information about what data we collect in our data declaration document (stay tuned for an updated version of this document, in progress). You can also read our privacy principles.
Assuming the customer is using our most modern solutions with the proper settings, that is, getting the full benefit of our security cloud, we get the following:
We do NOT get:
We normalize and anonymize as much data as possible on the client before sending it to our back end.
Files uploaded for analysis are first processed in a cloud-based virtual environment. In most cases, this processing yields a verdict that is relayed back to the client that uploaded the file. At this point, the sample is discarded by our systems. If analysis in the cloud-based virtual environment doesn’t yield a definitive verdict, the sample may be forwarded for further analysis. In these cases, the file will be kept in our backend for a limited time while it is processed. Any files arriving in our backend via this mechanism receive special “confidential” flags that enforce limited access and prevent the sample from being shared with other systems. Once analysis is complete, the sample is discarded.
Only executable file samples are uploaded for further analysis in this way.
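To make the client-side half of this concrete, here is an added example sketching the three checks described above: the anonymized reputation query (hashes and size only, no path or user), the executable-only gate for sample upload, and a leaf-certificate pin check layered on top of normal TLS validation. This is illustrative code written for this page, not F-Secure’s client; the field names, the pin format (hex SHA-256 of the DER leaf certificate) and the constructed sample bytes are assumptions.

```python
"""Client-side pieces of a cloud lookup: anonymized hash query,
executable-only upload gate, and certificate pin check.
Added illustration, not vendor code; field names and pin format are assumptions."""
import hashlib
import socket
import ssl
from typing import Dict, Iterable, Optional

# Magic bytes for the executable formats this toy gate is willing to upload.
_EXECUTABLE_MAGIC = {
    b"MZ": "pe",                   # Windows PE/COFF
    b"\x7fELF": "elf",             # ELF
    b"\xfe\xed\xfa\xce": "macho",  # Mach-O 32-bit, big-endian
    b"\xfe\xed\xfa\xcf": "macho",  # Mach-O 64-bit, big-endian
    b"\xce\xfa\xed\xfe": "macho",  # Mach-O 32-bit, little-endian
    b"\xcf\xfa\xed\xfe": "macho",  # Mach-O 64-bit, little-endian
}


def executable_type(data: bytes) -> Optional[str]:
    """Return a format label if the blob starts like an executable, else None."""
    for magic, label in _EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def build_reputation_query(data: bytes) -> Dict[str, object]:
    """Build the anonymized lookup the client sends: hashes, size and format only.
    Nothing identifying (path, filename, user, hostname) is included."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
        "format": executable_type(data),
    }


def should_upload_sample(data: bytes, verdict: Optional[str]) -> bool:
    """Upload only when the cloud returned no verdict AND the file is an executable."""
    return verdict is None and executable_type(data) is not None


def pin_for(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate (the assumed pin format)."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_leaf_pin(cert_der: bytes, pins: Iterable[str]) -> bool:
    """Accept the leaf only if its fingerprint is in the pinned set.
    Pins may be given upper/lower case or colon-separated."""
    normalized = {p.lower().replace(":", "") for p in pins}
    return pin_for(cert_der) in normalized


def connect_pinned(host: str, pins: Iterable[str], port: int = 443,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection, let the default context validate the chain and
    hostname, then additionally require the leaf to match a pin.
    Hypothetical online usage; not exercised offline."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not verify_leaf_pin(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    # Constructed sample: a PE-like header followed by padding.
    sample = b"MZ\x90\x00" + b"\x00" * 60
    print(build_reputation_query(sample))
    print("upload:", should_upload_sample(sample, None))
```

Pinning the leaf fingerprint, as here, means every certificate rotation requires a client update; pinning the SubjectPublicKeyInfo hash instead survives reissuance under the same key, but needs an ASN.1 parser that the standard library does not provide.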
All customer file submissions are expressly categorized as confidential, meaning we do not share these with anyone. A file is only re-categorized if we find that it’s also out there in the wild – it’s not unique to one customer’s machine.
We do not submit files to VirusTotal. We do share samples with trusted partners, but only samples which are classified as non-confidential. Law enforcement agencies share with us, seeking our analysis, not the other way around. We share some threat intelligence with organizations such as CERT-FI (for example, C&C information or analysis of malware targeting specific targets within a country), which might then be forwarded on to the appropriate law enforcement agency. In summary: info sharing, not sample sharing. Sample requests might occur, but only non-confidential samples are shared.
Installing our product involves “opt in” to some extent. We take care to link our customers to our privacy policies and principles. Our security cloud is something that consumers can opt out of, though this reduces the effectiveness of our products. In summary: opt in to antivirus software, opt out of particular features. We even provide a data collection opt-out option with our free online scanner.
April 25, 2018