Antivirus software protects computers and devices in many ways. For example, it prevents users from visiting malicious websites, terminates maliciously behaving processes, prevents applications from being exploited, and detects and removes malicious files.
In order to make sure these protection mechanisms are able to stop threats in their tracks, security vendors need access to threat intelligence – information that helps them better understand the current and future threat landscape. Collection and analysis of malicious samples is one form of threat intelligence gathering. At F-Secure, we occasionally collect suspicious samples and metadata associated with them from customer environments, in order to improve our threat intelligence.
To describe the process simply: if our software encounters a suspicious sample on a customer’s system that we’ve never seen before, and the software on its own cannot reach a verdict, that sample may be uploaded to our cloud for further analysis.
This is the way most antivirus software works today. Cloud technology enables better, faster protection because once the security cloud determines that the suspicious file is in fact malicious, it can then instantaneously protect all our other customers as well.
The hot seat
This practice of sending data from host machines back to the vendor has put antivirus software under a bit of scrutiny of late. We as a company have been fielding questions related to how we protect our customers in this process – questions that have arisen in the wake of the current storm around Kaspersky.
To recap, Kaspersky is facing allegations that it collected top secret NSA files from a customer machine and shared them with Russian intelligence agencies. Kaspersky maintains its innocence – they did collect the files as part of normal operations, they contend, but they deleted the files from their systems.
The situation has naturally prompted inquiries about antivirus companies in general. So we’ve taken these questions and posed them to our Chief Research Officer Mikko Hypponen in the very first episode of our brand new podcast, Cyber Security Sauna.
Listen as Mikko explains:
- Why antivirus products send data back to the antivirus vendor
- What sort of data F-Secure antivirus transmits from customer machines
- How we secure files transmitted from our customers to us
- Which third parties we share data with, and why
- Why you should choose your security vendor carefully
- Why it’s important to know your threat model
- Why data is a liability
You’ll also get Mikko’s take on:
- Whether there really are links between Kaspersky and Russian intelligence agencies
- Whether Kaspersky was hacked, infiltrated, or willingly cooperated