Antivirus Software Blocks Viruses, but Could It Also Be Exposing Your Systems to Intrusion?
Antivirus software has become such a necessity in the modern era of cyber threats that more than 89% [1] of desktop users rely upon it and 80% [2] of laptop users have it installed as well. This comes as no surprise, given that the sophistication of malware continues to evolve at an alarming rate, with 350,000+ [3] new malware samples being released every day.
In our opinion, those statistics leave out one crucial piece of information. Many antivirus products behave in a way that infringes upon their users' privacy, and in some cases that infringement can put a user and their organization at real risk. Following are three antivirus activities that can create significant risk:
- Intercepting web traffic
- Selling browser history data
- Allowing backdoor access to unwanted programs
Much, if not all, of this activity can take place without any clear notification. To stay clear of the FTC's truth-in-advertising rules, vendors usually do disclose these practices to customers, but the disclosure may be buried in a Terms of Service that few business leaders or their users ever read.
At Carmichael Consulting Solutions, we are dismayed that any reputable, responsible organization would take such an approach. In doing so, these vendors jeopardize the very thing their products are designed to protect: their clients' data.
Following is a drill-down on these questionable antivirus activities.
- Decrypting encrypted web traffic
To scan the web traffic that carries much of today's malware, and to block malicious sites, these products must read the contents of connections that would otherwise be protected end to end by HTTPS (Hypertext Transfer Protocol Secure).
Every mainstream browser verifies the authenticity of a site's TLS/SSL certificate before completing an HTTPS connection, and everything sent over that connection is then encrypted between the browser and the site. Because of that encryption, antivirus software on the machine cannot see whether the pages and downloads inside the connection are safe or malicious. To get around this restriction, most antivirus products that offer HTTPS scanning install their own root certificate into the operating system's (and sometimes the browser's) trust store and run a local "proxy". For every HTTPS site the user visits, the proxy mints a look-alike certificate for that site, signed by the installed root; the browser accepts it because it trusts that root, and the connection is silently routed through the antivirus proxy instead of directly to the site.
The proxy then decrypts the traffic, inspects it, and re-encrypts it toward the real site. This means the proxy, not the browser, is now the component that validates the site's real certificate and negotiates the cipher suite, and its checks are not necessarily as strict as the browser's would have been. And even where a vendor guards its root certificate carefully, that root has never passed the audit and vetting process that public certificate authorities must pass to be included in browser trust stores. Should the root or the proxy's private key on the machine be compromised, whoever holds it can impersonate every HTTPS site to that user.
- Breaking HTTP Public Key Pinning
Another problem is that HTTPS scanning breaks what is known as HTTP Public Key Pinning (HPKP). HPKP lets a website operator tell the browser which public keys may appear in that site's certificate chain; the browser remembers ("pins") them and refuses later connections to that site that present a different key, which blunts attacks that rely on a fraudulently issued certificate. HTTPS scanning cannot coexist with this, because the certificate the antivirus proxy mints is necessarily signed by a key other than the one the site pinned. Browsers resolved the conflict by skipping pin validation whenever a certificate chain ends in a locally installed root rather than a public one, so on a computer running scanning antivirus the pins for that site are silently not enforced, with no notice to the user. (HPKP has since been removed from the major browsers, in Chrome 72 and Firefox 72, but the exemption for locally installed roots is still how browsers treat intercepting proxies.)
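The mechanism described in the two sections above, as an added, self-contained example rather than anything from the original article or from any antivirus vendor: it generates a pretend public root and a pretend "antivirus" root in-process, issues a genuine and a proxy-minted certificate for the same host name, and shows (a) the minted certificate fails validation until the antivirus root is added to the trust store, and (b) an HPKP-style pin on the genuine key is simply not checked for a chain that ends in that locally installed root. The CA names, the host "example.com" and the pinCheck rule are assumptions that model browser behaviour; no real keys or certificates are involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Host is the site both the pretend public CA and the pretend proxy issue for (constructed example).
const Host = "example.com"

// template builds a CA or a server certificate template for name.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil, returning the new cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainsTo reports whether leaf is valid for host against exactly the given trust anchors.
func chainsTo(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is the HPKP pin format: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinCheck models (assumption: simplified) the browser rule that made HPKP and HTTPS scanning
// incompatible: a chain ending in a locally installed root is exempt, so the pin is never compared.
func pinCheck(leaf *x509.Certificate, host, pin string, localRoots *x509.CertPool) (enforced, ok bool) {
	if chainsTo(leaf, host, localRoots) {
		return false, true
	}
	return true, spkiPin(leaf) == pin
}

type Outcome struct {
	GenuineOK        bool // genuine site cert against the public root only
	MintedOK         bool // proxy-minted cert against the public root only
	MintedOKWithAV   bool // proxy-minted cert once the antivirus root is installed
	PinEnforcedAV    bool // is the pin even checked for the minted chain?
	PinMatchesMinted bool // would the minted key satisfy the pin if it were checked?
}

// Run plays out the interception scenario and returns what each check decided.
func Run() Outcome {
	publicRoot, publicKey := issue(template("Genuine Public Root CA", 1, true), nil, nil)
	genuine, _ := issue(template(Host, 2, false), publicRoot, publicKey)
	avRoot, avKey := issue(template("Antivirus Interception Root", 3, true), nil, nil)
	minted, _ := issue(template(Host, 4, false), avRoot, avKey) // what the local proxy mints per site

	trust := x509.NewCertPool()
	trust.AddCert(publicRoot)
	local := x509.NewCertPool()
	local.AddCert(avRoot)

	var out Outcome
	out.GenuineOK = chainsTo(genuine, Host, trust)
	out.MintedOK = chainsTo(minted, Host, trust)
	trust.AddCert(avRoot) // what the antivirus installer does: drop its root into the trust store
	out.MintedOKWithAV = chainsTo(minted, Host, trust)
	pin := spkiPin(genuine) // the key the site would have pinned
	out.PinEnforcedAV, _ = pinCheck(minted, Host, pin, local)
	out.PinMatchesMinted = spkiPin(minted) == pin
	return out
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Running it prints an Outcome in which only GenuineOK and MintedOKWithAV are true: the browser's own check would reject the proxy's certificate, the installed root is the sole reason it is accepted, and the pin that should have caught the key substitution is never consulted.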
- Selling Data to Third Parties
As one might expect, antivirus firms must collect and process a diverse array of company and personnel information for the software to perform its tasks, from monitoring web traffic to analyzing and blocking suspicious files. The product generally uploads that information to the vendor's servers, where the analysis is performed.
Over time, antivirus software can therefore collect, process and store a significant amount of personal data. Some antivirus firms use their users' data only when it is strictly necessary for protection. Others may sell this information to third parties to generate extra revenue unless the client organization has told them it wishes to opt out of this practice.
- Bypassing User Permission for Questionable Activities
Finally, and perhaps most disconcertingly, some antivirus programs act almost like malware themselves, installing "bundled" software without company or user permission. These programs are called PUPs (potentially unwanted programs). While they are not classified as malicious, they can change system settings without the user's consent, such as switching the user's default search engine to that of a company with which the antivirus vendor has a partnership.
[1] https://dataprot.net/ (a news/review aggregation site, not a competitor that sells antivirus)
[3] https://www.av-test.org/en/statistics/malware/ (likewise independent: an IT security testing institute)