[tor-talk] leak through Antivirus Webscanner possible?
Andrew Lewman
andrew at torproject.org
Sun Jan 29 22:28:57 UTC 2012
On Sun, 29 Jan 2012 18:52:07 -0000
proper at tormail.net wrote:
> Nowadays Antivirus software often includes a Webscanner, even free
> ones...
>
> The webscanner scans the tcp stream on the fly and may stop (or
> modify?) it. Perhaps he is sending back - over non anonymous channels
> - for "remote analysis"?
>
> Do you think legit Antivirus software may compromise anonymity? Any
> known examples yet?
I don't have a definitive answer, but here are my proto-thoughts,
likely yes. This answer is based on support calls and tickets. It seems
most anti-virus/anti-malware providers include some software that
intercepts and/or replaces 'localhost'. Their software generally does
one of two things:
1. scans for known malware/virus patterns locally, with this scan
database updated periodically;
2. intercepts and relays the traffic to a 'cloud' somewhere which
records lots of information about the user (ip address, program name,
timestamp, registration or serial number) and stuff all of this into a
database.
Over time, they get to learn a whole lot about your computer
usage and build a fantastic profile of it. I've seen documents,
executables, etc sent to the 'cloud' too, scanned, and returned to the
user. What they do with all of that data is unknown. My first thought
when working with a user and ESET scanner was 'who needs spyware, you
paid for your spying to boot'.
The typical support call is when the user's A-V system prompts them
with 'start-tor-browser.exe' is of unknown safety. do you really want
to run this?' It then repeats that question for tor.exe and
vidalia.exe. It seems when you click on some link for 'unsafe' or
'check the cloud', you go to the vendor's website and by default opt-in
to upload the aforementioned data.
If enough people tell the 'cloud' that the tor-related executables are
safe, it crosses some threshold and all 'cloud subscribers' no longer
get the warnings. However, every time there is a new tor release, the
cycle of approval starts anew.
All of this is gathered from working with users. A fine bit of data
privacy research may be to figure out what A-V companies are collecting
from your computer and storing.
--
Andrew
http://tpo.is/contact
pgp 0x74ED336B
More information about the tor-talk
mailing list