
[tor-talk] Fwd: Re: leak through Antivirus Webscanner possible?

Disclaimer: I have worked for a well-known AV company as a virus analyst for some time, and quit due to "corporate-ish culture". (BTW they had nearly intelligence-agency-level physical security and procedures, but still managed to use 6-char passwords on a few accounts in practice.)

Do you think legit Antivirus software may compromise anonymity? Any
known examples yet?
I don't have a definitive answer, but here are my proto-thoughts:
likely yes. This answer is based on support calls and tickets. It seems
most anti-virus/anti-malware providers include some software that
intercepts and/or replaces 'localhost'. Their software generally does
one of two things:


True. Specifically, AV software employs various OS hooks to inspect traffic (meaning it is *very* likely it will leak identifying information). Webscanners will be limited, but proxying traffic through them will enable profiling.

While having decent AV software on Windows is generally a good thing, it will interfere with privacy. A Tails live CD, or using WinUSB to create a "live Windows", would most likely be the better option.

Over time, they get to learn a whole lot about your computer
usage and build a fantastic profile of it. I've seen documents,
executables, etc sent to the 'cloud' too, scanned, and returned to the
user. What they do with all of that data is unknown. My first thought
when working with a user and ESET scanner was 'who needs spyware, you
paid for your spying to boot'.

I can confirm that it's a real threat.

The typical support call is when the user's A-V system prompts them
with "'start-tor-browser.exe' is of unknown safety. Do you really want
to run this?"  It then repeats that question for tor.exe and
vidalia.exe.  It seems when you click on some link for 'unsafe' or
'check the cloud', you go to the vendor's website and by default opt-in
to upload the aforementioned data.

If enough people tell the 'cloud' that the tor-related executables are
safe, it crosses some threshold and all 'cloud subscribers' no longer
get the warnings. However, every time there is a new tor release, the
cycle of approval starts anew.

In theory, would Microsoft's code signing program help here? Cost aside, would that benefit users?

tor-talk mailing list
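On the code-signing question at the end of the thread: what a reputation system can key on is the signer's certificate, which stays the same across releases, whereas the file hash changes with every build (which is why the "cycle of approval starts anew" each release). The PowerShell below is an added example, not code from the thread or from the Tor Project; it reports, for the executables the thread mentions, whether they carry a valid Authenticode signature, who signed them, and their SHA-256. The install directory and the relative file paths are assumptions; adjust them to the layout of your own Tor Browser copy.

```powershell
# Added example (not from the original post): show what a cloud-reputation
# or SmartScreen-style check would see for the Tor executables.
param(
    # Assumed install location; change to wherever Tor Browser was extracted.
    [string]$TorDir = "$env:USERPROFILE\Desktop\Tor Browser"
)

# Relative paths are assumptions based on the file names named in the thread.
$relative = @('start-tor-browser.exe', 'App\tor.exe', 'App\vidalia.exe')

foreach ($rel in $relative) {
    $path = Join-Path $TorDir $rel
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "not found: $path"
        continue
    }

    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $path

    # The per-release identifier a hash-based reputation system uses.
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File       = $rel
        Status     = $sig.Status
        # Subject and thumbprint persist across releases if the vendor keeps
        # signing with the same certificate; compare them against a value you
        # obtained out of band, since 'Valid' only means the chain reaches a
        # root your machine trusts, not that the signer is who you expect.
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        SHA256     = $sha256
    }
}
```

Run it from a PowerShell prompt as `.\check-tor-signing.ps1 -TorDir 'D:\Tor Browser'` (the script name is arbitrary). A `NotSigned` status on every file means the code-signing program would indeed be the thing that lets a reputation service recognise a new release as coming from the same publisher; a `Valid` status with an unexpected `Signer` is the case the out-of-band comparison exists for.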