Data Transmission in Internet Security Products

Speakers: Philipp Kratzer, Peter Stelzhammer

www.av-comparatives.org, November 2014

Source: 2016.eicar.org/files/data_transmission_in_internet...


What we do: Independent Tests of IT Security Software

Our goal:
- independent, detailed, high-quality test results
- free of charge for the end user

http://www.av-comparatives.org


• About Us
– Founded 1999
– Independent Testing Organization
– Leader in Security Software Testing

• People
– 12 in Innsbruck, Austria
– 3 in Chennai, India; 2 in Beijing, China
– More than 30 volunteers worldwide

• Equipment
– More than 600 servers, more than 500 TB of data, located in our datacenters in Innsbruck and Munich
– More than 120 malware and spam honey pots worldwide, also in Japan and in China

• Malware
– We stopped counting at 250 million samples

Independent Tests of Anti-Virus Software


• Academic Partner
– University of Innsbruck – Faculty of Computer Science and Quality Engineering
– Partner of Laura Bassi Centre of Expertise
– University of Hong Kong
– Brandeis University
– Polytech Montreal

• Miscellaneous
– Frequent speaker at security conferences
– Alliances: AMTSO, AVAR, EICAR, IEEE


Malware evolves – so does Anti-Malware

Changing: from file-based distribution to distribution via the Internet

New vectors: websites, spam, but still files

New devices: smartphones, tablets, hybrids


Evolution of Anti-Malware Technologies

Signature detection + Heuristic/Emulation + Behaviour/HIPS... + Cloud/Reputation


Malware Protection Moving to the Cloud. Example: F-Secure File Reputation Service

Real-time Protection Network (reached through a DNS load balancer); the steps of the diagram:

1. Malware attempts to enter the host. Signature-based detection: the signature-based scan reports the file as Unknown.
2. Check the cache for a predefined action. If the file has been executed once earlier, the results are cached (entries in the cache have a lifetime).
3. If Unknown, get the status from the Real-time Protection Network:
• Block Known Bad
• Allow Known Good
• Unknown, continue
4. If Unknown, request the user's approval for program execution and permission for sample submission.
5. DeepGuard behaviour analysis:
• Block Bad Behaviour
• Allow Good Behaviour
• Unknown, continue
A. Report the user's action and submit the sample (if permitted) back to the Real-time Protection Network. If Unknown, automatic binary analysis and update of all data centers.
M. If automation cannot decide, submit to a Malware Analyst.


No Connection – No Protection

Cloud Services: better protection with data sending
– Whitelisting
– Blacklisting
– Reputation Service

Local Protection
– Heuristics
– Behaviour
– Signatures

Best Practice: a combination of cloud and local protection; transmit only as little data as needed.
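A minimal client-side decision chain, added here to illustrate the cloud-lookup flow on the F-Secure slide together with the best practice above; it is an example written for this page, not F-Secure's or AV-Comparatives' code. The local signature set, the cloud reputation table, the behaviour marker and the verdict names 'bad'/'good'/'unknown' are constructed assumptions; the point is that only a hash goes to the cloud, and the full sample leaves the host only when the file is still unknown and the user has permitted submission.

```python
import hashlib
import time

# Constructed cloud reputation table keyed by SHA-256: only the hash is ever sent.
CLOUD_REPUTATION = {
    hashlib.sha256(b"constructed known-bad sample").hexdigest(): "bad",
    hashlib.sha256(b"constructed known-good sample").hexdigest(): "good",
}
LOCAL_SIGNATURES = {b"LOCAL-SIG-MARKER"}   # constructed local signature fragments
CACHE_LIFETIME_SEC = 3600                   # cache entries have a lifetime
_cache = {}                                 # sha256 -> (verdict, expiry timestamp)

class Telemetry:
    """Records what would leave the host, so minimal transmission can be checked."""
    def __init__(self):
        self.hashes_sent = []
        self.samples_uploaded = []

def local_signature_scan(data):
    return "bad" if any(sig in data for sig in LOCAL_SIGNATURES) else "unknown"

def cloud_lookup(digest, telemetry):
    telemetry.hashes_sent.append(digest)    # hash lookup, never the file itself
    return CLOUD_REPUTATION.get(digest, "unknown")

def behaviour_analysis(data):
    # Stand-in for DeepGuard-style behaviour analysis, keyed on a constructed marker.
    return "bad" if b"BEHAVIOUR-BAD" in data else "unknown"

def decide(data, telemetry, user_permits_upload=False, now=None):
    """Return 'bad' (block), 'good' (allow) or 'unknown' for a file about to execute."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(data).hexdigest()
    verdict = local_signature_scan(data)                  # step 1: local signatures
    if verdict == "unknown":
        cached = _cache.get(digest)                        # step 2: cache with lifetime
        if cached and cached[1] > now:
            return cached[0]
        verdict = cloud_lookup(digest, telemetry)          # step 3: hash -> reputation
    if verdict == "unknown":
        verdict = behaviour_analysis(data)                 # step 5: behaviour verdict
    if verdict == "unknown" and user_permits_upload:
        telemetry.samples_uploaded.append(digest)          # steps 4/A: upload only if permitted
    _cache[digest] = (verdict, now + CACHE_LIFETIME_SEC)
    return verdict
```

Re-running a cached file within its lifetime answers from the cache without a new cloud request; once the entry expires the hash is looked up again.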


What can be done?

Tracking
- Browsing behaviour – they know where you go – and when!
- Data transmission of files and hashes (not only PE, also documents like Excel, Word; your personal or business data could be inside)

Cross-Device Tracking by User-ID
- Like Google Analytics, but on the user side

Misuse by Government
- Combination of AV vendor, provider and government
- Dragnet investigation

Qihoo 360: 496 million users for its Internet Security products; 641 million users for its Mobile Antivirus products (as of June 2014)

Now some details by Philipp Kratzer


Data Transmission Test

21 products have been tested with the following methods:

1. Analysing network traffic while performing different actions
- On-Demand Scan
- On-Access Scan
- Scan of unknown binary
- Detection
- Updates
- Browsing the Internet

2. Review of End User License Agreement (EULA)

3. Questionnaire for each manufacturer


Product Information and License

Vendor (by country)             Czech  USA  USA  South Korea  USA  India
License Information & Version   yes    yes  yes  yes          yes  yes
Unique Identifier               yes    yes  yes  yes          no   no
Statistics for product usage    no     yes  yes  no           no   no


Sample of transmitted data

serial=100XXXXXXX
licType=Reg
licExpDays=439
licFeature=64c042de-XXXX-XXXX-XXXX-XXXXXXXXXXXX
licIssuedDate=1390548864
licExpirationDate=1453620864
version=10.0.2208
part.program=2208,2208,0,0
part.setup=2208,2208,0,0
part.vps=336662784,336662784,1,1
part.jrog2=3048,3048,1,1
guid=7e89bf6c-XXXX-XXXX-XXXX-XXXXXXXXXXXX


Example of EULA

“Other details about Your Device, which may include, without limitation, Your Device's operating system, type and carrier (for mobile devices), Your usage of the Vendor Solution (e.g., features used and session length), program files or file extracts (used for malware research and analysis), username of logged-in operating system user, registry keys, language, Software report log(s), running processes, temporary Internet files, Internet search history, applications using ports, and other data pertaining to the contents of Your default folder custom folders, and/or downloaded program files directory.”


Machine Information

Vendor (by country)                         Czech  USA  USA  South Korea  USA  India
OS Version                                  yes    yes  yes  yes          yes  no
Computer name                               yes    yes  yes  no           no   no
Information about third-party applications  yes    yes  yes  no           no   no
Information about hardware                  yes    yes  ND   no           no   no
Information about running processes         no     no   yes  no           no   no
Local IP address                            yes    yes  yes  no           no   no
Event or error logs of the OS               yes    yes  yes  no           no   no
Display resolution                          yes    yes  ND   no           no   no


Sample data transmitted

lan_addr=User-PC
lan_ip=10.1.1.124
dotNet2=2.0.50727.4927,2
dotNet3=3.0.30729.4926,2
dotNet3.5=3.5.30729.4926,1
dotNet4=4.5.51641,0
Silverlight=5.1.20513.0
os=win,6,3,2,9600,0,AMD64
mid=C87AEC9D3400XXXXXXXXXXXXXXXXXXXX
cpu_name=Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz,4
cpu=I9,4;ntel,306e4
ram_mb=4095


Example of EULA

“In order to better understand the usage of updating infrastructure, the software also collects information about all updates to the Vendor software (including automatic updates), including certain information about your computer hardware and software configuration and/or network connection, as well as certain information about the installation and operation of the Vendor software and errors or problems that are encountered.”


Personal Information

Vendor (by country)                                     Czech  USA  USA  South Korea  USA  India
Visited URLs (malicious and non-malicious)              yes    yes  yes  no           yes  yes
Referer (previous page with link to malicious website)  yes    yes  yes  no           no   no
Country / Region of the OS                              yes    yes  yes  no           no   no
Language of the OS                                      yes    yes  yes  no           no   no
Windows Username                                        no     yes  yes  no           no   no


Sample data transmitted (Malware)

"content-length": "68",
"content-type": "application/octet-stream",
"gmid": "1957ade46a35XXXXXXXXXXXXXXXXXXX",
"method": "GET",
"ppath": "c:\\\\program files (x86)\\\\internet explorer\\\\iexplore.exe",
"referer": "http://www.eicar.org/85-0-Download.html",
"status-code": "200",
"url": "http://www.eicar.org/download/eicar.com"


Sample data transmitted (Clean)

"JSVersion": "J1",
"fipr": "33HM4iMLMmK…aqk3C07xGhHMbsCHBXpnMb3",
"prod": "XXXX v1.0.0",
"ql": "XXXX",
"sh": "false",
"url": "http://www.av-comparatives.org/corporate-reviews/",
"vers": "2.13.6.18195",
"zoom": "2"


Sample part of EULA of Product

“From time to time, the Software and Services may collect certain information from the device on which it is installed, which may include: URLs of websites visited as well as search keywords and search results only if the browser toolbar feature is enabled. This information is collected by Vendor for the purpose of evaluating and advising You regarding potential threats and risks that may be associated with a particular Web site before You view it. This information will not be correlated with any personally identifiable information.”


File related information (clean & malicious)

Vendor (by country)                             Czech  USA  USA  South Korea  USA  India
Hashes of files or hashes of parts of files     yes    yes  yes  yes          no   yes
Detection name                                  yes    yes  yes  no           yes  no
Name and path of files                          yes    yes  yes  no           no   no
Suspicious: executable files transmitted        yes    yes  yes  no           yes  yes
Suspicious: non-executable files transmitted    yes    ND   ND   no           yes  no
User can opt out of sending files               yes    yes  no   N/A          yes  yes


Sample data transmitted

threatid="2147519003" sigseq="00000555dc2dddb0"
originalsha1="3395856ce81f2b7382dee72602f798b642f14140" iscloudsignature="0" filename="eicar.com"
filesystem="NTFS" filedevicetype="7" filedevicecharacteristics="393248" size="68"
md5="44d88612fea8a8f36de82e1278abb02f"
sha1="3395856ce81f2b7382dee72602f798b642f14140"
sha256="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
ctph="3:a+JraNvsgzsVqSwHq9:tJuOgzsko"
creationtime="130601911677365297"
lastaccessedtime="130601911677365297"
lastmodifiedtime="130580097081340570"
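As an added example of the first test method (analysing the network traffic) applied to the kind of captured samples shown on the preceding slides, the following Python script parses the three field formats those samples use (key=value lines, "key": "value" lines, and key="value" attributes), groups the field names by the categories of the slides' tables, and lists the fields a tester would flag for privacy first. It is not AV-Comparatives' tooling; the category assignments and the combined sample capture are constructed for this example from values visible on the slides.

```python
import re

# Field names come from the slides' captured samples, grouped by the categories of
# the slides' tables (the grouping itself is an assumption made for this example).
CATEGORIES = {
    "license/product": {"serial", "lictype", "licexpdays", "licfeature", "version", "vers", "prod"},
    "identifier": {"guid", "mid", "gmid"},
    "machine": {"lan_addr", "lan_ip", "os", "cpu", "cpu_name", "ram_mb", "dotnet4", "silverlight"},
    "personal": {"url", "referer", "ppath", "fipr"},
    "file": {"filename", "md5", "sha1", "sha256", "ctph", "originalsha1", "size", "threatid"},
}
HOST_IDENTITY = {"lan_addr", "lan_ip"}   # computer name and local IP are flagged as well

# Constructed capture: lines re-typed from the slides' samples, mixing all three formats.
SAMPLE = """\
serial=100XXXXXXX
guid=7e89bf6c-XXXX-XXXX-XXXX-XXXXXXXXXXXX
lan_addr=User-PC
lan_ip=10.1.1.124
cpu_name=Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz,4
"gmid": "1957ade46a35XXXXXXXXXXXXXXXXXXX",
"url": "http://www.eicar.org/download/eicar.com"
threatid="2147519003" filename="eicar.com" size="68"
md5="44d88612fea8a8f36de82e1278abb02f"
"""

def parse_fields(text):
    """Parse key=value, "key": "value" and key="value" lines into one dict."""
    fields = {}
    for line in filter(None, (ln.strip().rstrip(",") for ln in text.splitlines())):
        if line.startswith('"'):                               # JSON-style line
            pairs = re.findall(r'^"([^"]+)"\s*:\s*"(.*)"$', line)
        elif '="' in line:                                     # XML-attribute style
            pairs = re.findall(r'([\w.\-]+)="([^"]*)"', line)
        else:                                                  # plain key=value
            pairs = [line.partition("=")[::2]]
        for key, value in pairs:
            fields[key.strip()] = value
    return fields

def category_of(key):
    return next((c for c, names in CATEGORIES.items() if key.lower() in names), "other")

def classify(fields):
    """Group transmitted field names by category, as the slides' tables do."""
    report = {}
    for key in fields:
        report.setdefault(category_of(key), []).append(key)
    return report

def privacy_flags(fields):
    # Stable identifiers, URLs and paths, host name and local IP: reviewed first.
    return sorted(k for k in fields if category_of(k) in ("identifier", "personal") or k.lower() in HOST_IDENTITY)
```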


Sample of EULA of Product

“The Non-Personally Identifiable Information Vendor may collect … data concerning potential malware threats to your device and the target of those threats, including file names, cryptographic hash, vendor, size, date stamps, information about your devices checkpoints, which may include path, file and application names, copies of applications that are deemed malicious or infected including information on behavior of such applications, their settings and configurations, such as associated registry keys …”


Summary

- AV software transmits personal and environmental data
- Users have to trust the vendor. But what about the government?
- Users accept transmission by accepting the EULA
- Give up privacy for more protection?


Wishlist

In an ideal world…

• Users should be asked each time before a file is sent to the vendor.
• Users should be informed where the collected information is being sent and how long it will be stored.
• A single, clear privacy statement should be easy to find on the vendor’s website and within the product itself.
• We would like to see vendors providing users with a short, clear explanation of which data is collected.
• It should be possible to opt out of data sending without losing or compromising protection or usability.
• Security products should not include third-party toolbars or other add-ons that collect data separately from the AV vendor. We would find such add-ins especially inappropriate in paid-for products.
• Vendors claim that any data which could personally identify the user is anonymised after collection; we feel that it would be better to anonymise the data before sending.


Discussion

www.av-comparatives.org