Mozilla and Opera remove Avast extensions from their add-on stores (palant.de)
305 points by robin_reala on Dec 4, 2019 | 94 comments


Avast even does some browser trickery to then be able to inspect TLS/SSL packets. Not sure how I noticed that on a Windows machine, but the owner was glad to uninstall it. As said in other comments, the built-in Windows 10 Defender AV is the least evil software to have enabled for a somewhat protected endpoint.

The situation is desperate for AV publishers, they treat customers like sheep, the parallel with the mafia isn't too far-fetched to make.

It sort of reminds me of 20 years back, when it was a common discussion how AV publishers first deployed a number of viruses to create a market.

The war for a decent form of cyber security and privacy is being lost. It's getting worse every year. More money (billions) is poured into it. To no avail.

I think we've got to seriously set the example and reject closed source solutions altogether, stay away from centralized providers, question everything we consume. The crowd will eventually follow.


I was forced to install this by my company on my Mac. Avast breaks SSL/TLS certification, and in a browser with Avast, every website is reported as having an Avast cert. They basically MITM all browser traffic.


I see your Avast and raise you McAfee protection on everything. Thankfully we were able to remove it. It was literally destroying the machine (do anything it considers a risky process and it would crank the CPU to 99% and start to melt the thing) and rendering it unusable.


This shenanigan can be disabled btw. It's just on by default.

Quite concerning a company forcing you to install this on an OS that has so little need for AV altogether.


I see this all the time on corporate desktops, but on your own hardware? I’d point blank refuse. I’d rather just not use it for work.



Jumpshot (https://www.jumpshot.com/) is created, owned and operated by Avast (same people sitting in the same offices using the same data/servers). 100% of the data used for the analytics is provided by that browser plugin. Nothing is anonymized. They (Jumpshot) have unique user/hardware id, URL, referrer, IP, all browser information and others so they can create their reports. I'm surprised that it surprises anyone after the years of them doing that. They (Avast) are not a nice company.


Yes, according to the Avast privacy policy the data is "anonymized or pseudonymized." As I already speculated in https://palant.de/2019/10/28/avast-online-security-and-avast..., they likely went for pseudonymization in this particular case - meaning that they simply left the data as it is. The unique user ID being sent there is technically a pseudonym, meaning that it isn't directly tied to your identity. That this "clickstream data" is easily deanonymized - so far there is no indication that Avast cared.


It's not tied to your identity, but if you go frequently to some social sites with the same user id in the URL (LinkedIn and others) it's possible to match that HW id to a real name. Also when you buy a coupon or goods which are tied to you just by a unique ID, the data science team could see that in the clickstream and if they were evil enough they could just use that (holiday coupon for example) for themselves. Or private photos shared by unique ID in the URL. Basically they (employees) could see everything from the navigation bar and try to find out who it belongs to.

Source: Jumpshot/Avast employees

Funny example: They (developers) could see a man from Alaska (IP based) looking for info about yeti and then going to buy a rifle in the same session.


Yes, there is research about finding out the name behind pseudonymized browsing history data - they had success rates in the area of 90%, despite having far less detailed data than what Avast is collecting.


Avast already sold Jumpshot.


No. They've sold just 35%. Still using the same offices and data as they have been for years and will for many more years.


Since I'm currently looking through Avast investor reports: no, Avast didn't sell Jumpshot. In fact, Jumpshot is one of their biggest growth areas. So they closed a strategic partnership with Ascential who should help Jumpshot's business grow even further. In return, Ascential was given the right to buy 35% of Jumpshot. The remaining 65% stay with Avast and Avast is continuing to supply them with data.


And they are still hiring (Czech only) https://www.jobs.cz/prace/?company%5B%5D=1702000731 (data detective is quite funny) if anyone wants to look into the private data about your neighbor for example.


Not aware of that, but a friend's friend works at Jumpshot, they still have access to the Avast data.


I don't even understand why people use antivirus software. Sure, if you're on an ancient version of your OS, like Windows XP, then it might serve some purpose, but assuming modern versions of these operating systems, antivirus software does more harm than good.

Worried about browser extensions?

Another problem is that popular antivirus software are also installing their own root certificate so they can MITM secure HTTPS connections.

For example Bitdefender is able to inspect and modify your Google search result without installing a browser extension. And this is a common practice. See for example:

https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-...


> I don't even understand why people use antivirus software.

I don't understand how you can be even the littlest bit technically literate and not know several answers to this question.

1) legitimate software you normally use gets compromised. See ccleaner

2) in the IoT era, there are multiple ingress and lateral move pivot points in networks, like smart tvs

3) aside from malware, there are lots of PUPs that get bundled and eventually end up on computers

4) phishing is still a thing. Legitimate email accounts get compromised (database breaches, eg) and _people you know_ can send you viruses that look barely out of the ordinary. It happened to my users today

Even if you have gateway/hardware antivirus, defense in depth is still a thing. Don't ever tell people not to have anti-virus, that's terrible advice.


If you are computer savvy, you understand the danger of opening "free_netflix.exe" from an ad you clicked, but the majority of people do not. There are still good 3rd party antivirus that stay out of the way, as an example I have been running Panda Antivirus (free edition) for a few years and often forget it's installed until I pop in an infected USB or try to open a questionable exe (such as a game mod patcher). If you have lots of click-happy family members, 3rd party antivirus is a must. Just stay away from the big names (Norton, Kaspersky, Avast, AVG, McAfee, etc). I used to run NOD32 but it started becoming a memory hog in ~2015.


> If you have lots of click-happy family members, 3rd party antivirus is a must.

I HAD lots of click-happy family members, but as soon as I stopped fixing their computers and just formatting them, they stopped being so click happy.


I'd lie suggesting that a Linux Desktop is more secure than a Windows Desktop, but my solution with my father's just been installing a Linux distro and helping him there instead, considering there's no market to make consumer viruses for Linux.

I've recently started looking at "Neverware CloudReady" (ChromeOS for regular machines), I think that'd be the perfect OS for my father, considering almost everything he does is done through the browser, but he still has a few applications that need local execution. (And they seem to support the Crostini Linux app beta thingy that Google is working so hard on for ChromeOS).


While people can avoid a lot of problems with a little common sense, infections don't just come from click happy users. Malware in ads can infect users just for browsing to a site and popular sites like CNN and yahoo have infected users in the past that way. I've managed to convince most of my family and friends to install ad-blockers but some of them still don't. I've tried to encourage the more tech savvy among them to disable javascript by default as well, but most have not.


You can have your cake and eat it by installing an ad blocker. Win-win.


Modern antivirus software, to me, feels like a virus. Norton and McAfee are especially guilty of this. They install browser toolbars, do search engine hijacking, constant nagging. They became the software they were supposed to protect us against. I finally convinced my dad not to renew his Norton subscription.


Take a look at the other articles from the same author where he investigated some popular anti-virus products. In particular Kaspersky is/was a mess:

- https://palant.de/2019/08/19/kaspersky-in-the-middle-what-co...

- https://palant.de/2019/11/25/kaspersky-the-art-of-keeping-yo...

- https://palant.de/2019/11/26/internal-kaspersky-api-exposed-...

- https://palant.de/2019/11/27/assorted-kaspersky-vulnerabilit...

McAfee:

- https://palant.de/2019/12/02/rendering-mcafee-web-protection...

And I expect that he will publish more articles in the future.

If you want to use anti-virus I would stick to their on-access scanning and stay away from their web protection...


More very entertaining evidence of how terrible most antivirus products are can be found by reading many of the Project Zero bug reports by taviso. https://bugs.chromium.org/p/project-zero/issues/list?q=owner... There are a lot of them!


I would like to have a low power ARM box just for scanning files, like PiHole but for AV, but I think it would be limited only to ClamAV; does any other AV support Linux on ARM (not Android)?


Could you try qemu-i386 (or ExaGear with patching licensing... as it's dead) with https://github.com/taviso/loadlibrary (see the Windows Defender section)?

Yeah it's hacky, but might work well for your usecase.


Thank you, but both of those projects look dead; I'll check them out.


Windows Defender is a performant alternative to all the junk antivirus companies put out. At this point it's fairly well documented that having a third-party antivirus product running on your Windows device often exposes you to security issues, even if the antivirus doesn't spy on you.

https://www.zdnet.com/article/ex-top-mozilla-dev-to-windows-...


"Windows Defender is a performant alternative ..."

No it's not really [1]. You can check by yourself running `npm install` of any medium sized project or if you are a gamer, launch Steam with/out Defender.

Even IntelliJ warns you about Defender performance impact in the IDE.

[1] https://www.av-comparatives.org/tests/performance-test-octob...


I've got Symantec Endpoint Protection on my work laptop; using WSL and doing an npm install causes the laptop to blue screen every time.

The BSOD error indicates it's Symantec.

My solution is that it seems to be because it's creating so many files so quickly, so I made a power profile that sets the max cpu frequency as 5%, it takes longer but doesn't break the computer.

In comparison Windows Defender is slow but works. Haha.


I have the same problem. Makes WSL completely unusable for all practical purposes. Might try your mitigation, but it feels a bit like cutting off a leg to get out of a bear trap.


I can confirm that McAfee and Trend Micro do the same thing. McAfee even goes so far as to lock files in your AppData and Tmp folders until it's finished checking them. This causes havoc with a lot of apps and makes certain ones completely unusable.


Agreed, I have seen several workloads getting stalled by a single core being occupied by defender. They should make it async. If the file is not going to be executed, just written to disk, then there's no reason to stall the writing thread.


How does Defender compare against other antivirus options? Perhaps it's the least bad? Obviously running more software will have a performance hit over not running software. Especially when it almost requires constantly inspecting the system.


For me the main advantage of Windows Defender is the business model. It's in Microsoft's best interest to keep Windows virus-free as much as possible. It's in commercial anti-virus vendors' interest to keep machines as virus ridden as possible.


From a performance impact standpoint, based on just one test suite, it is the worst on the market. https://www.av-comparatives.org/tests/performance-test-octob... (and I linked to the same article in your parent's comment...)

Avira and Bitdefender manage to rank in the top tier of performance impact and protection every time I check. Both offer free products, and Bitdefender Free is considerably less annoying, in my past experiences. Free antivirus is actually one of the places where market competition forced a bunch of them to clean up their acts and offer a good non-invasive product. Avira still has ads, but if you wanted one product on your PC and one on a home server, it might make sense to use two vendors' products. https://www.bitdefender.com/solutions/free.html https://www.avira.com/en/free-antivirus-windows

For one off system scans, besides the two mentioned above; ESET, F-Secure, Kaspersky, Panda (and Emsisoft which has Avira and Bitdefender built in) all offer great spot check products. ADWCleaner is indispensable.

It's interesting that "anti-virus" has now become the free component in suites. You pay for things like VPN, password management, and home network security. Kaspersky goes a step further and offers VPN and password management in a free tier. https://usa.kaspersky.com/free-antivirus


Pretty hard to get people to pay for services Microsoft provides for free


The reason I no longer use Bitdefender is because they forced MITM HTTPS in the browser. It wasn't optional in the free product and I don't know if it is in the paid one. Has that changed?


My understanding was that web attack prevention could be disabled, but then the program icon showed you as "unprotected." It wasn't so much forced MITM as misleading representation of your current state. If the user doesn't want web protection, don't keep scolding them for it.


AFAIK free version didn't allow any granularity to disable web protection.


Not so much the Steam users, but I would hope that developers would have enough knowledge to add their project and build directories to the anti-virus on-scan exclusions.

As with any security, it's a balance against convenience/speed.


If you're on your company-provided system you probably don't have the ability to change any anti-virus settings. Corporate IT admins rarely trust us to not just turn it off because it's annoying.


Windows Defender doesn't seem to do very well in AV tests

https://www.youtube.com/watch?v=sE-xdb9hTqY

Avast! did much better

https://www.youtube.com/watch?v=km4aKjA2T_c


"Avast! did much better"

You mean the company discussed in the article?


Yes. Their AV suite outperforms Microsoft's.


Haven't had to install an anti-virus or deal with a virus in like forever. Windows 10 kept nagging me about scanning, and often doesn't find much. I may not know what new tricks malware and viruses are using right now.


"often doesn't find much"!?


They also will often install their own trusted root certificate and then MITM all HTTP/HTTPS connections. Often, this MITM will significantly reduce the cryptographic security of the connection over the public internet [1].

[1] https://jhalderm.com/pub/papers/interception-ndss17.pdf
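
The comments above describe AV products installing their own root certificate, so that every site appears to carry the product's cert. A defender's check for that symptom, as an added example that is not part of the thread: compare the certificate issuers seen on a machine with issuers recorded from a clean vantage point. All host names, CA names and the AV issuer are constructed, and `compare_to_baseline` with its thresholds is an illustrative assumption, not any vendor's or project's code.

```python
"""Added example: spot a local TLS-intercepting root from certificate issuers."""
import socket
import ssl
from collections import Counter


def issuer_name(peercert):
    """Flatten the 'issuer' field of an ssl getpeercert() dict to 'O / CN'."""
    fields = {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}
    parts = (fields.get("organizationName"), fields.get("commonName"))
    return " / ".join(p for p in parts if p)


def fetch_peercert(host, port=443, timeout=5.0):
    """Live helper (needs network): the leaf certificate as this machine sees it.

    Verification uses whatever roots Python's default context trusts here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def compare_to_baseline(observed, baseline):
    """Compare issuers seen locally with issuers recorded from a clean vantage point.

    Both arguments map host -> getpeercert()-style dict.
    """
    changed, untouched = {}, []
    for host, clean_cert in baseline.items():
        if host not in observed:
            continue
        seen = issuer_name(observed[host])
        if seen == issuer_name(clean_cert):
            untouched.append(host)
        else:
            changed[host] = seen
    suspect = None
    if changed:
        issuer, hits = Counter(changed.values()).most_common(1)[0]
        # One issuer replacing several *different* public CAs is the interception
        # signature; a single changed host more likely means the site switched CA.
        replaced = {issuer_name(baseline[h]) for h, i in changed.items() if i == issuer}
        if hits >= 2 and len(replaced) >= 2:
            suspect = issuer
    return {"changed": sorted(changed), "untouched": sorted(untouched),
            "suspect_issuer": suspect}


def make_cert(org, cn):
    """Build a getpeercert()-shaped dict (constructed sample data)."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),))}


# Constructed samples: what a clean network showed, and two later observations.
SAMPLE_BASELINE = {
    "shop.example": make_cert("Public CA One", "One R3"),
    "mail.example": make_cert("Public CA Two", "Two G2"),
    "news.example": make_cert("Public CA Three", "Three E1"),
    "bank.example": make_cert("Public CA One", "One R3"),
}
AV_ROOT = make_cert("Hypothetical AV Vendor", "Web Shield Root")
# Three hosts re-signed by one local root; one host left alone (partial coverage).
SAMPLE_INTERCEPTED = {**SAMPLE_BASELINE, "shop.example": AV_ROOT,
                      "mail.example": AV_ROOT, "news.example": AV_ROOT}
# A benign change: one site moved to a different public CA.
SAMPLE_CA_SWITCH = {**SAMPLE_BASELINE,
                    "news.example": make_cert("Public CA Two", "Two G2")}

if __name__ == "__main__":
    print(compare_to_baseline(SAMPLE_INTERCEPTED, SAMPLE_BASELINE))
    print(compare_to_baseline(SAMPLE_CA_SWITCH, SAMPLE_BASELINE))
```

For a live run, build `observed` with `fetch_peercert` on the machine under test and `baseline` from a machine or network known to be free of interception.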


“Modern”? Antiviruses have been doing all those things you listed for the past 15 years, these tactics are as old as the hills.

I can’t remember a point when antivirus software didn’t do all that and just did the one job you wanted it to do. Since my school years I’ve always had to switch all that crap off.


I never understood why this was a problem MS never felt they needed to address in the OS itself (architecturally). At this point, AV software should be obsolete. But, here we are.


They do and have done it for many years. But it’s hard (impossible) to stop a user from (being tricked into) downloading some random crap and insisting on running it despite warnings about untrusted executables and warnings about the executable asking for administrator permissions.


The problem is a lot of legit programs cause the same terrifying popups in windows to the point where they become more of an annoyance than something you actually pay attention to.


The problem is that the same legit programs are doing things like using administrator permissions when they don’t need them and not signing their code, so the structural “protect users from themselves” features can’t kick in.

Fundamentally power users want freedom over guard rails and casual users need those guard rails present (though in my experience there are plenty of power users who think they’re security savvy), so there’s not a one size fits all solution. At the moment I think Windows 10 S mode is a promising approach to give both groups what they want, which is also the kind of architectural solution you asked about.


I have long said that Microsoft could make a big difference just by having Office check on startup for administrator privileges, and refuse to start if found. Nobody with administrator rights needs to run Office. You should have a second non-administrator login for that type of thing.


Also, Microsoft has been bundling AV as an OS feature for a while now. A lot of damage was done by the US anti-trust judgment declaring AV to not be an OS feature, and for Microsoft needing to wait for that judgment to expire to bundle the feature (which is why it was a separate download for Windows XP, and why so many people still don't realize Windows 10 has AV built-in and 3rd Party options are unnecessary at best [and can be scams at worst]).


I think Microsoft's engineers would love to, and do wherever possible. But Windows' #1 selling point is backwards-compatibility. It's possible that there are types of security hardening that simply can't be done without breaking large swathes of legacy business software.


An apparent incompatibility between the mandated antivirus and Windows Subsystem for Linux means that I can't run WSL on my work machine. Something to do with the on-write virus scanning means running rsync in WSL will reliably BSOD the machine.


Windows 10 has pretty good anti-virus built in.


Yes, it is called Windows Defender, as above.


The above message was actually posted after. They were probably written at the same time. Please take into account that comments on Hacker News are ordered by votes, not published dates.


> Modern antivirus software, to me, feels like a virus.

Malware can be loosely defined as any software which tries to modify the system to inject capabilities not previously present. With that definition, antivirus is malware that tries to prevent other malware from doing what it did.


> any software which tries to modify the system to inject capabilities not previously present

Isn't that just software?


No; ordinary software doesn't modify the operating system. To see the distinction, narrow it down for a second to "modify the system to inject capabilities not previously present into system calls".


Malware is not defined by what it does, but whether or not its actions conform to user intent and approval.


That's true, but AV tends to use the same sketchy and unreliable techniques to hook itself in that malware uses. Having benevolent intent doesn't make the software less buggy or less harmful.

(I used to lead Mozilla's efforts to extricate buggy third-party AV code from Firefox's processes)


> Malware can be loosely defined as any software which tries to modify the system to inject capabilities not previously present.

Very loosely.


I would say that AV could be generously described as snake-oil pretty much since its inception. It has always caused more trouble than it ever prevented and was only capable of catching common low-effort malware, and even then only if said malware wasn't a "product" of some ad company that had a relationship with the AV vendor. Meanwhile it caused issues for legitimate software, slowed things down, and sometimes just acted as a new attack vector.


Norton is sad, because isn't their security team excellent at reporting vulnerabilities?


The modern products sold under the Norton brand are a slur on the name of Peter Norton, a real dude who made some excellent software products and wrote some important books back in the day.

https://www.technologizer.com/2014/06/05/where-have-you-gone...

I guess there's a lesson here: if you sell your name, eventually it will be used for something that will tarnish it.


How did we end up here? Antimalware companies turning into spyware ones? And how is this even legal? Just the fact that they add privacy policy makes it legal?


Everybody (except, unfortunately for the moment, our government it seems) has realized just how valuable personal data is. That's turning not only antimalware companies into spyware companies but also search engines, TV manufacturers, etc... I don't think it's really going to change much until we as consumers really start to push back.

Sadly, I don't see that happening anytime soon because anytime I mention it to non-technical family and friends the reply I get back is a near unanimous shrug and some mumbling about their not having anything to hide. Of course, inevitably this evolves into them complaining incredulously about their phone listening to them "because so and so talked about such and such product the other day and I NEVER talk about that but when I got home all I saw were ads for that product and how dare they?!" My forehead hurts from frustratedly banging it against the wall.


What does a virus do? Makes your computer run slow, spies on you, and asks you for money

What do most antiviruses do? Makes your computer run slow, spies on you, and asks you for money


What's with all of these unethical antivirus companies infringing privacy for a profit? Surely they're becoming exactly what they're trying to combat..


It's possible that they're trying to reach new markets. The environment nowadays is much safer than it was 10 years ago. Java applets are dead, Flash is dying, and adblocks are common. Outside of few specific security holes, Javascript sandbox is working well and protecting users from drive-by attacks.

USB/CDs are not as common as in the past, so people don't spread viruses from one machine to another. P2P networks and torrents are also less popular because of the wide availability of legal content at low prices.


SimilarWeb have similar extensions doing essentially the same thing. This stuff has been going on for well over 5 years but Google has done nothing about it.


Professional courtesy.


Is something SimilarWeb doesn’t have. I know.


Avast went from the best (free) AV solution to joining the scum AV that is malware.


Free cheese is always a part of a mouse trap.


I wonder why many people are scared of websites doing something they don't want them to do, but nobody is scared of extensions.

Extensions have much bigger permissions than websites. I never used any extension in my browser. I think it is already enough that each website knows what I do on it, what I click etc. I don't need some third party to know what I do on all websites.


Many years ago, I remember that Avast was one of the antivirus software recommended over Norton/McAfee/etc. Seems like all the idealistic and "good" tech/software eventually goes bad. Is it money that ultimately corrupts? From Google to Avast, they all seem to go from saints to sinners. Maybe I was just naive back then and they weren't saints to begin with.


Didn't a bunch of Mozilla execs leave for Avast? Ironic, if so.

(Looks like they went to AVG, which got acquired by Avast?)


At this point I think the only options are using the built in OS security for personal use, and endpoint protection like fieldeffect.com or crowdstrike.com for businesses.


Farewell!!! How is this stuff even possible?


Seeing so much talk on various AVs being bad, how does Bitdefender stack up in vileness?


I had an incident at a client recently where their employees' (macOS) machines would have issues connecting to services on Localhost. The client's request would arrive to the server just fine, but the client would immediately get a connection reset ("empty reply from server" in curl) without getting the response from the server. Eventually we tracked it down to a BitDefender update.


Why does GDPR law not apply to them?


It does, but people rarely take the time to report illegal behavior that they encounter online.


Mozilla's mission is to build a better internet. In my opinion, they should totally use legal measures to do that. I would take part in crowdfunding it.


Check out https://noyb.eu/support/

>https://noyb.eu/privacy-kickstarter-first-100k-for-noyb/ Mozilla supported them with €10,000 when they were starting out.


This is great. There's some interesting info about progress of ongoing projects in the projects section:

When relying on consent as a legal basis to process personal data, companies need to comply with the stringent requirements contained in the GDPR. In May 2018, noyb filed four complaints; in France against Google, in Austria against Facebook, in Belgium against Instagram and in Germany against Whatsapp. The reason was that these major companies adopted a “take it or leave it” approach, forcing their users to consent to both their privacy policies and terms in full in order to keep using their services.

In January 2019, following our complaint the French supervisory authority (CNIL) imposed a 50 million euro fine on Google over the company’s invalid consent mechanisms. The sanction was appealed and a hearing date before the French Conseil d’Etat is yet to be set. All three other complaints (Facebook, Instagram and WhatsApp) triggered the European cooperation mechanism and are still being investigated today. We are carefully monitoring the cooperation between the Irish DPC and its counterparts and are hoping to hear back from our latest submissions in the near future.


I've reported dozens of violations to the ICO (UK) and have yet to see any investigations, let alone fines being applied.


Since GDPR enforcement is done on a national level, the effectiveness of reporting offenders varies quite a lot depending on where you are from.



