[tor-talk] Fwd: Re: leak through Antivirus Webscanner possible?

regrowth regrowth at tormail.net
Mon Jan 30 01:46:54 UTC 2012


Disclaimer: I have worked for a well-known AV company as a virus analyst 
for some time, and quit due to "corporate-ish culture". (BTW they had 
nearly intelligence-agency-level physical security and procedures, but 
still managed to use 6-char passwords on a few accounts in practice.)

>> Do you think legit Antivirus software may compromise anonymity? Any
>> known examples yet?
> I don't have a definitive answer, but here are my proto-thoughts,
> likely yes. This answer is based on support calls and tickets. It seems
> most anti-virus/anti-malware providers include some software that
> intercepts and/or replaces 'localhost'. Their software generally does
> one of two things:

[snip]

True. Specifically, AV software employs various OS hooks to inspect 
traffic (meaning it is *very* likely it will leak identifying 
information). Webscanners will be limited, but proxying traffic through 
them will enable profiling.

While having decent AV software on Windows is generally a good thing, 
it will interfere with privacy. A Tails live CD or using WinUSB to create 
a "live Windows" would most likely be the better option.

> Over time, they get to learn a whole lot about your computer
> usage and build a fantastic profile of it. I've seen documents,
> executables, etc sent to the 'cloud' too, scanned, and returned to the
> user. What they do with all of that data is unknown. My first thought
> when working with a user and ESET scanner was 'who needs spyware, you
> paid for your spying to boot'.

I can confirm that it's a real threat.

> The typical support call is when the user's A-V system prompts them
> with 'start-tor-browser.exe is of unknown safety. Do you really want
> to run this?'  It then repeats that question for tor.exe and
> vidalia.exe.  It seems when you click on some link for 'unsafe' or
> 'check the cloud', you go to the vendor's website and by default opt-in
> to upload the aforementioned data.
>
> If enough people tell the 'cloud' that the tor-related executables are
> safe, it crosses some threshold and all 'cloud subscribers' no longer
> get the warnings. However, every time there is a new tor release, the
> cycle of approval starts anew.
>

In theory, would Microsoft's code signing program help here? Cost 
aside, would that benefit users?
