So, we’ve all been hearing researchers talk about how AV’s can both make us more vulnerable (Joxean Koret: http://www.slideshare.net/akmalhisyam/breaking-av-software-33148796) and how AV’s and their use of clouds to check file samples can potentially be used to compromise us (Gunter Ollmann: http://www.darkreading.com/attacks-breaches/confidential-submission-to-the-antivirus-cloud/d/d-id/1140369?). Free AV’s (ad-based?) might be collecting personal information on us and our Internet usage via the AV clients and selling this to the highest bidders. So, potentially, AV’s are making us more vulnerable AND betraying us to the highest bidder at the same time. Doesn’t sound very trust-building in my ears.
There’s also the aspect of waiting for the AV to update, and while many AV-vendors claim that their AV doesnt impact performance while updating, this simply doesnt always hold true. So the amount of time it takes to update, which depends in part on the amount of data being up/downloaded, is important in this respect. Up/downloads also matter for sample-uploading.
Do we know how AV’s perform these steps? Not in detail, no comparable methods exist. We trust. Trust is hard though, these days, and that’s 1 of the main reasons why I think it’s so awesome that F-Secure have just published this: http://www.f-secure.com/static/doc/labs_global/Public%20Information/IS2014%20Data%20transfer%20declaration.pdf
What does this tell us? Well, the split into 3 ID’s makes it unlikely that F-secure is betraying us to the highest bidder. Combined with the removed IP’s it means that any breach of the AV-vendor’s Systems/DBs will more than likely not yield the attacker a way of compromising my systems. They also show that any transmitted information is transmitted securely. Another PLUS.
There is also bandwidth data, which can be used for comparison/baseline purposes, as soon as more vendors DO THIS.
Congratulatons to F-Secure for a “first” and for doing the right thing.
Claus Cramon Houmann | IT Security Consultant | @ClausHoumann
