41

I'm a complete noob when it comes to these subjects. But here goes...

Let's say someone is using a VPN, TOR, or some other tool to enhance their privacy. As I understand it, you are discouraged from using plugins, various apps, and other things as it may compromise your privacy. Does this extend to anti-virus/virus protection as well? If someone such as a hacker or the NSA didn't want to try to crack through your VPN or anything to get your info, could they target your anti-virus/virus protection to get to your info?

If not, then is it safe to use anti-virus/virus protection if you are concerned with your privacy and also use VPN/TOR?

Lancadin
  • 509
  • 4
  • 7
  • 9
    If you are going for a VPN/TOR privacy-paranoid system design then you could run it all without anti-virus in a virtual machine, and then often restart it to a known good configuration. This gives an alternative way to get rid of worms or malware, but it wouldn't alert you as it happens like anti-virus programs do. – daniel Apr 24 '17 at 09:16
  • https://en.wikipedia.org/wiki/Shut_Up_and_Dance_(Black_Mirror) – paj28 Apr 24 '17 at 10:18
  • I cannot find the source anymore, but some weeks ago I read about a research paper on abusing anti-virus software. They implanted virus signatures into e-mail and HTTP(?) headers, which resulted in the anti-virus software identifying log files and e-mail archive files on the user's computer as malware and deleting them, which could be used to cover up other malware activity or just annoy users. – Dubu Apr 24 '17 at 10:36
  • 8
    @Dubu: you are probably referring to [Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks](https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf). – Steffen Ullrich Apr 24 '17 at 11:03
  • 2
    Any software can be malicious. ANY software. Your OS, your browser, your firewall, your antivirus. And even non-malicious software can be exploited by other, malicious software. Unless all your software is open-source (few people stick to this fully) and bug-free (it's not), and you're an incredible programmer (maybe) who's inspected and verified all of it (you haven't), you'll never know till it's too late. We all accept some level of risk, though. – Matthew Read Apr 25 '17 at 14:25
  • 2
    It was the antivirus companies that discovered some zero day viruses set up by governments so we can feel at least a little safer that not every antivirus company collaborates with governments. I recommend watching 'zero days' documentary about this subject. – papakias Apr 25 '17 at 15:16
  • Most certainly, yes. Google and other big players have publicly criticized a lot of antivirus/security providers for intercepting ssl, for example. It's a huge security breach - potentially. And ironically. http://www.zdnet.com/article/project-zero-calls-out-kaspersky-av-for-ssl-interception-practices/ – cbll Apr 25 '17 at 15:43

3 Answers

66

Any software you install on your system can compromise the system and thus affect security and privacy. This can be done either willingly or because of bugs in the software. And this is doubly true for software which runs with elevated privileges, like Antivirus programs usually do.

And while Antivirus might like to protect you, they often have critical bugs which might make your system actually less secure. For more information read High-severity bugs in 25 Symantec/Norton products imperils millions from 2016, Critical flaw in ESET products shows why spy groups are interested in antivirus programs from 2015, Google bod exposes Sophos Antivirus' gaping holes from 2012 or Google researcher blasts Trend Micro for massive Antivirus security hole from 2016, just to name a few.

Apart from that, many Antivirus inspect HTTPS connections since encrypted connections are also used to transfer malware. And sometimes they implement this inspection in a wrong way and thus make man-in-the-middle attacks possible which were not possible before. Read The Security Impact of HTTPS Interception for more details.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 21
    And corporate logging of AV will also inform your corporate IT of scan results if it matters to you. – Andrew Russell Apr 24 '17 at 05:59
  • 14
    It's not just bugs in AV that are a direct hazard. They also regularly throw monkey wrenches in browser developers' attempts to improve their baseline security levels. Recent "wins" from the AV industry have included delaying Flash sandboxing in Chrome by over a year and preventing Firefox from using ASLR by injecting plugins that won't work with it enabled. https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/ – Dan Is Fiddling By Firelight Apr 24 '17 at 15:12
  • Quite true. Any software at all could possibly spy on you, even the operating system. It's a matter of how much you trust the software and whether the software can make you more vulnerable to malware. – Kevin Peter Apr 25 '17 at 17:02
  • Today's news: "An antivirus service used by tens of thousands of businesses and millions of home users shut down an untold number of computers around the world Monday after it mistakenly identified core parts of Microsoft Windows as threats, the company confirmed." Link to article: http://www.nbcnews.com/tech/tech-news/popular-antivirus-program-mistakenly-ids-windows-threat-creating-chaos-n750521 – SDsolar Apr 25 '17 at 17:45
4

Anti-virus and other security programs can certainly spy on you. Depending on what you consider spying, even reputable software sends diagnostic information to its manufacturer and doesn't always notify you of this.

There are also several malicious security tools in existence (see here). These might include nasty surprises like key loggers, back doors and such to compromise your security. It might sound a bit paranoid, but the attacker could even watch your screen and webcam while you use VPN/TOR. It is not uncommon for bogus anti-virus software to be able to disable reputable anti-virus products.

There is an ongoing discussion about the security of anti-virus software in general. I'd summarize the different arguments this way:

  • There is no financial sense to spy (too much) on customers. There is too great a risk for an information leak by a distraught former employee or subcontractor.
  • The company might be persuaded (or infiltrated) by a government agency. Information gathering can be 'piggybacked' to large transfers like virus definition updates.

The hackers (or some agency) could indeed target the anti-virus software's vulnerable features. Essentially every non-trivial program is vulnerable in some aspect, and your security is still only as strong as its weakest link. For example, the attacker could gain access to functionality designed to track a stolen computer (essentially a back door that you've authorized). Whatever they do then is usually not in any way visible to the user of the computer.

1

Several antivirus packages also install some kind of web filter by default. While these are conservatively set and rarely interfere with a user's actions, some of them will query an online database of suspect URLs. Even if the query traffic is encrypted and/or hashed, anyone gaining access to it could get a detailed list of URLs visited.

rackandboneman
  • 975
  • 4
  • 9
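As an added illustration of the last point (this is constructed example code, not part of the original answer or of any AV product): an observer who obtains the hashed lookup traffic recovers the visited URLs by hashing a list of candidate URLs, because URLs are an enumerable input space; sending only a short hash prefix (a scheme assumed here for contrast, modelled loosely on prefix-based reputation lookups) leaves each entry ambiguous among many candidates. The URLs and the candidate dictionary are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample: URLs a user visited; the AV web filter sends a hash of each
# to its reputation service, and an observer captures only those hashes.
VISITED = [
    "https://example.org/health/diagnosis",
    "https://example.net/forum/thread/42",
    "https://example.com/login",
]

def url_hash(url: str, prefix_bytes: int = 32) -> bytes:
    """SHA-256 of the URL, truncated to prefix_bytes (32 = the full digest)."""
    return hashlib.sha256(url.encode("utf-8")).digest()[:prefix_bytes]

def query_log(visited, prefix_bytes: int = 32):
    """What the observer sees in the captured lookup traffic: hashes, no plaintext."""
    return [url_hash(u, prefix_bytes) for u in visited]

def recover(observed, candidates, prefix_bytes: int = 32):
    """Dictionary matching: hash every candidate URL and look it up in the log.
    Returns {observed_hash: sorted list of candidate URLs that produce that hash}."""
    table = defaultdict(list)
    for url in candidates:
        table[url_hash(url, prefix_bytes)].append(url)
    return {h: sorted(table.get(h, [])) for h in observed}

def candidates(n: int = 5000):
    """Constructed candidate dictionary: many plausible URLs plus the real ones."""
    return [f"https://example.com/page/{i}" for i in range(n)] + VISITED

def demo():
    cands = candidates()
    # Full hashes: each observed entry matches exactly one candidate, so the
    # browsing history is recovered verbatim despite the "hashing".
    full = recover(query_log(VISITED), cands)
    recovered = {m[0] for m in full.values() if len(m) == 1}
    # 8-bit prefixes: each entry matches many candidates (about n/256), so the
    # observer learns only a bucket the visited URL falls into.
    short = recover(query_log(VISITED, 1), cands, 1)
    ambiguity = {h: len(m) for h, m in short.items()}
    return recovered, ambiguity

if __name__ == "__main__":
    rec, amb = demo()
    print("recovered from full hashes:", sorted(rec))
    print("candidates per 8-bit prefix:", sorted(amb.values()))
```

Real prefix schemes use longer prefixes than the single byte used here for visibility, so the bucket is correspondingly smaller and the privacy gain against a good candidate list is limited.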