Running a sniffer on an AV program


Has anyone out there run a sniffer on popular AV programs to determine what
data is actually being sent in file, web, email and other scans? How do we
know it's not password files instead of av protection, for example?

Re: Running a sniffer on an AV program

notdapope presented the following explanation :

Yes, IMO it is not at all likely that nobody has ever checked out the  
traffic between the AV client program and the vendor.


We don't, but we also don't really know if there is a built-in  
trapdoor. Same goes for the OS and to some extent the firmware. You  
can't get away with trust issues that easily. "Well, someone else has  
looked at it so it must be okay" just doesn't wash. You just have to be  
satisfied with the fact that nobody has reported "BOZO Internet  
Security" as spyware yet.

--
Apologies to Bozo



Running a sniffer on an AV program

+ User FidoNet address: 1:3634/12.71
On Thu, 21 Nov 2013, FromTheRafters wrote to All:


 F> notdapope presented the following explanation :

 F> Yes, IMO it is not at all likely that nobody has ever checked out
 F> the  traffic between the AV client program and the vendor.

agreed! :)

IDS/IPS check all traffic... tcpdump can capture all traffic... network span
ports are set up specifically to mirror all traffic for analysis... you can be
sure that someone somewhere is and has looked at traffic from AV software to AV
vendor...


 F> We don't, but we also don't really know if there is a built-in  
 F> trapdoor. Same goes for the OS and to some extent the firmware. You  
 F> can't get away with trust issues that easily. "Well, someone else
 F> has  looked at it so it must be okay" just doesn't wash. You just
 F> have to be  satisfied with the fact that nobody has reported "BOZO
 F> Internet  Security" as spyware yet.

exactly :)

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com


Re: Running a sniffer on an AV program



I'm not sure what you mean by "sent". A-V programs don't typically
send data anywhere, they receive it. Password data could be sent by
almost any program at any time, especially while the computer is idle
and you're not moving the mouse and banging on the keyboard.

But sniffing the wire is too late in the game to be of use. A program
that was interested in stealing your confidential information would be
using encryption to encapsulate it and sniffing can't see into SSL or
other encrypted frames to tell you what's inside. You will have to
peer deep inside the program and disassemble it to know what it's
really doing. I doubt anyone has dedicated the resources to checking
out every A-V product out there. The expense and time would be
enormous and the effort would be invalidated on the very next release
of a new version of the program.
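A passive-capture summary in the spirit of this reply, added here as an example that is not from the thread: it runs over constructed sample packets (not a real capture), attributes bytes to each destination and port, quotes the request line of a plaintext flow, and for flows whose records carry a TLS header reports volume only, which is exactly the limit Geoff describes.

```python
"""Summarise what a wire sniffer can learn from an AV client's traffic:
destinations and byte volumes are visible, TLS payload contents are not."""
from collections import defaultdict

# Constructed sample packets as (dst_ip, dst_port, payload); not a real capture.
# Three TLS records to one host, one plaintext HTTP request to another.
SAMPLE_PACKETS = [
    ("203.0.113.10", 443, bytes.fromhex("160303004a0100004603030102")),  # ClientHello
    ("203.0.113.10", 443, bytes.fromhex("170303002001aabbccdd")),        # app data
    ("203.0.113.10", 443, bytes.fromhex("1703030100") + b"\x00" * 256),  # app data
    ("198.51.100.7", 80,
     b"GET /defs/latest.dat HTTP/1.1\r\nHost: updates.example\r\n\r\n"),
]


def classify_payload(payload):
    """Return 'tls' when the first five bytes look like a TLS record header
    (content type 0x14-0x17, version 0x0301-0x0304), else 'plaintext'.
    Header-only heuristic, which is all a sniffer without keys can do."""
    if (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and 1 <= payload[2] <= 4):
        return "tls"
    return "plaintext"


def summarise_capture(packets):
    """Aggregate per (dst, port): total bytes, traffic kind, and for plaintext
    flows the first request line. TLS flows yield volume only: the sniffer
    can count the bytes but cannot read them."""
    flows = defaultdict(lambda: {"bytes": 0, "kind": None, "sample": None})
    for dst, port, payload in packets:
        flow = flows[(dst, port)]
        flow["bytes"] += len(payload)
        kind = classify_payload(payload)
        if flow["kind"] is None:
            flow["kind"] = kind
        if kind == "plaintext" and flow["sample"] is None:
            flow["sample"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return dict(flows)


if __name__ == "__main__":
    for (dst, port), info in summarise_capture(SAMPLE_PACKETS).items():
        seen = info["sample"] if info["sample"] else "(encrypted, contents unknown)"
        print(f"{dst}:{port} {info['bytes']:>5} bytes {info['kind']:<9} {seen}")
```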

Re: Running a sniffer on an AV program

Geoff submitted this idea :

That may not be the case anymore with the so-called cloud antivirus  
'solutions'.

"Cloud antivirus skeptics argue that this approach to malware  
protection lacks some essential components for security and  
performance. One concern is the potential invasion of privacy because  
of the collected data from your computer. Some products may be a bigger  
threat in this respect than others. Panda assures its users that their  
files never leave their computers, and that only certain executables  
are checked against the cloud data, which excludes files that could  
contain personal information. Before you decide on any cloud antivirus  
product, be sure to find out what data from your computer could become  
part of its collective database."

http://computer.howstuffworks.com/cloud-computing/cloud-antivirus3.htm



Re: Running a sniffer on an AV program

On Fri, 22 Nov 2013 11:09:38 -0500, FromTheRafters


Anyone so paranoid as to question whether his computer is talking to
nefarious endpoints will have no interest in a cloud solution. A cloud
A-V checks "executables" which would seem to preclude "data" but
"metadata" files like .PDF or .XLS files are both data and executable
content and you end up in the same dilemma of trustworthiness of both
the data and the source/repository.

Unplug your computer! It's a trap!

Running a sniffer on an AV program

+ User FidoNet address: 1:3634/12.71
On Fri, 22 Nov 2013, notdapope wrote to All:


 n> Has anyone out there run a sniffer on popular AV programs to  
 n> determine what  data is actually being sent in file, web, email and  
 n> other scans?

what do you mean "being sent"?? AV software sends no data during a scan other
than maybe statistical data (eg: critterX found Y times)... try it... unplug
the wire and turn off the wifi and see what gets sent... no connection means no
transmission ;)

 n> How do we  know it's not password files instead of av protection,  
 n> for example?

you don't... but that also begs the question of why would you use that software
if you can't trust it?

)\/(ark

