Views: 3468 | Replies: 17

[Repost] ISMG's questions to 17 security vendors

cdyism
Posted 2017-10-25 10:47:55
This post was last edited by cdyism on 2017-11-1 11:20

ISMG put the following questions to 17 antivirus vendors:
    What steps do you take to secure suspicious file samples when they are transmitted from a user's PC to your researchers? For example, are all such communications encrypted?
    Could outside attackers eavesdrop on those communications, and if so, how? What defenses are in place to prevent this?
    Do you ever share copies of these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign?
    For a user, is sharing suspicious files with your researchers optional? If so, do users "opt in" - or must they "opt out"?
    Do you anonymize the source of suspicious files, and if so, how (and at which point in the submission chain)?
    Has your firm engaged in any marketing that suggests that Kaspersky Lab products are not reliable, and does it have any hard evidence - aside from U.S. media reports that cite anonymous sources - to back up these assertions?


Vendor responses
Avira's Response

Avira says it encrypts all communications between endpoints and its back-end systems, including encrypted file transfer to submit suspicious files for real-time analysis. Company spokeswoman Olivia Ciubotariu says all this analysis is done using "dedicated and secured networks for the analysis" because every file sample is presumed to be malicious, and that users can opt out of this analysis. Avira says it has never shared these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign, and that all user data is anonymized.

"We anonymize all personal information before sending them to our database," Ciubotariu says. "The only purpose of Avira Protection Cloud is to protect our customers against widespread threats, and without violating data privacy."


Bitdefender's Response

When users install anti-virus software from Bitdefender, the software asks if they want suspicious files to be sent to the vendor for review, Damase Tricart, global communications director at Bitdefender, tells ISMG. Unless users opt out, "the files are sent via a TLS link, using industry-grade encryption for all of the communication," he says, adding that "there is no known way to decrypt TLS traffic," at least to date.

Any files shared in this manner "are clearly labeled as NDA - do not distribute - in our internal malware zoo," he says. "Bitdefender does not - nor have we ever - shared suspicious files originating from customers with third parties."

All collected information gets anonymized so it cannot be traced back to a user. "Our entire telemetry is heavily anonymized before it is reported to the Bitdefender cloud," Tricart says. "For enterprise customers, the anonymization process is even more thorough, as they have the option to run the Bitdefender products completely segregated from the internet. The business solutions can get their intelligence from an update server deployed on the premises and updates are fed manually by the system administrators on a voluntary basis."

Tricart says privacy remains his business's paramount concern. "As a European Union company with our headquarters in the EU, consumer privacy surpasses any other business decision," he says. "We do not exchange customer information or threat intelligence received from the end users with commercial or government entities."


Emsisoft's Response

Emsisoft says that by default, it does not transfer any suspicious files from a user's system to its cloud-based servers for analysis, but instead only transfers hashes of the file. This process is anonymous and active by default. "Any submissions of hashes are not linked with personal user information at any time, as the systems are separated," says Emsisoft's Holger Keller. "Users can opt out from participating in the Emsisoft Anti-Malware Network, which is our malware information cloud."

Users can, however, manually submit a suspicious file to Emsisoft, which triggers an SSL-only file transfer and creates a service ticket so that the company can respond to the user with its verdict on the file.

"[If] the user's computer is not compromised in the first place - i.e. with manipulated SSL certificate roots - we would consider transfers relatively safe," Keller tells ISMG. "Emsisoft intentionally does not make use of local SSL traffic interception, which seems to be a major security problem for a number of anti-virus vendors these days," he says (see Lenovo Slammed Over Superfish Adware).

File transfers are not anonymous, because Emsisoft needs to respond to the customer, although Keller says a user could provide fake contact details. "We have never shared any suspected malware files with any law enforcement or intelligence agencies," he adds.


F-Secure's Response

F-Secure says it makes heavy use of encryption and anonymization. "All queries regarding file (hashes) or URL reputation made to our 'security cloud' are encrypted," Sean Sullivan, security adviser at F-Secure, tells ISMG. "Files/samples uploaded/submitted to us by our customers are also encrypted. All customer submissions are flagged as confidential in our sample management system. They are only re-categorized if we can see through our partnerships and threat intelligence that the files are in the wild."

Sullivan says F-Secure does not submit files to VirusTotal, although it does share samples with "trusted partners," but only for samples "which are classified as nonconfidential." Information on a suspect file on a PC, meanwhile, pings the company's cloud security gateway, which will respond if the required information is in its cache. If not, a database handling ID gets dispatched and a back-end query made, thus obscuring the origin of the request.

Sullivan says that in general, one must "opt out" of sharing data with F-Secure, but says this is possible with all products, including its free online scanner. He also says the company does not save IP addresses, but discards this information immediately, localizing to the country level, to help analysts trace malware outbreaks and infection counts at a regional level. Before files get submitted, path names get normalized, usernames changed to "username" or the equivalent and file path metadata cleaned.

Some intelligence and analysis does get shared with CERT-FI - the computer emergency response team for Finland - which may disseminate the information to law enforcement agencies, Sullivan says. "To my best knowledge, law enforcement agencies share with us, seeking our analysis, not the other way around," Sullivan says. He adds that any information shared with CERT-FI is anonymized and tends to focus on malware command-and-control information and "analysis of malware targeting specific targets within a country," rather than sample sharing.


Panda's Response

Panda says it makes extensive use of encryption, which should block any attempt to eavesdrop on communications with endpoints. "The information sent is encrypted, and all communications are encrypted (HTTPS)," says Luis Corrons, technical director of PandaLabs, the firm's anti-malware laboratory.

Customers can opt out of sharing malware samples. "It is important to mention that we only send files that are capable of being executed - i.e. we won't send Word, Excel or PDF files," Corrons tells ISMG. "Most of them are PE [portable executable] files and then scripts," including Visual Basic, JavaScript and batch files.

"We only share malware files with other security companies, but that does not include files that have been found at a customer," Corrons says. "We do not have any share agreements with law enforcement or any intelligence agencies."


Kaspersky Lab's Response

A Kaspersky Lab spokeswoman tells ISMG that its Kaspersky Security Network is "an advanced cloud-based system that automatically processes cyber threat-related data received from millions of devices owned by Kaspersky Lab users across the world, who have voluntarily opted to use this system." It says this cloud-based approach is the one typically taken by larger IT security vendors.

"All communications between clients and Kaspersky Lab infrastructure are reliably encrypted," the spokeswoman says. "The company uses strong encryption, including algorithm RSA 2048 handshake and AES 256 data encryption."

The company says it makes extensive use of encryption, digital certificates, segregated storage and strict data access policies. Anonymization is widespread. "Actions to achieve this include deleting account details from transmitted URLs, obtaining hash sums of threats instead of the exact files, obscuring user IP addresses, etc." The company says it regularly reviews these practices to ensure they comply with legal rules and privacy regulations, such as the EU's General Data Protection Regulation.

Users can opt out of at least some types of information sharing. "Depending on the product, users have the option to switch it off (for corporate solutions) or to limit the amount of data sent through the security cloud (for home solutions)," Kaspersky Lab says.

From a privacy standpoint, the security firm says that for any collected information:

    "The information is used in the form of aggregated statistics;
    "Logins and passwords are filtered out from transmitted URLs, even if they are stored in the initial browser request from the user;
    "When we process possible threat data, by default we do not use the suspicious file. Instead we use hash-sum, which is a one-way math function that provides a unique file identifier;
    "Where possible, we obscure IP addresses and device information from the data received;
    "The data is stored on separated servers with strict policies regarding access rights, and all the information transferred between the user and the cloud is securely encrypted."

Kaspersky Lab says it "routinely assists law enforcement agencies and governments by providing technical expertise on malware and cyberattacks," and it may share malware samples gathered by KSN with law enforcement agencies, at their request. "The sharing of samples with law enforcement agencies is dictated by the local laws by which Kaspersky Lab strictly abides," it says. "We don't share user data with any third party; the industrywide exchange is limited to malicious samples and aggregated statistics."


Added 10/27: ESET's Response
ESET says that by default, its products don't send any user files to the cloud for scanning, but instead send hashes of suspect files. "However, if the user decides to send files/items for analysis, this option is also available in our products," a spokesman tells ISMG. "In such cases all of the processed information is encrypted, including metadata."

Users can opt in to sharing suspect files during software installation. Even so, only suspicious files will be submitted, and numerous files types, including documents, "are excluded from submission by default," ESET says. All suspicious files are submitted to ESET anonymously and are not connected to any license information, it says.

The company says it does not share files with VirusTotal, or for that matter law-enforcement agencies or intelligence agencies, but notes that "in the case of a legitimate request we follow standard procedures required by [EU or national] legislation."



No response yet:
  • Avast (Czech Republic)
  • Bullguard (United Kingdom)
  • Malwarebytes (United States)
  • McAfee (United States)
  • Sophos (United Kingdom)
  • Symantec (United States)
  • VIPRE (United States)


Declined to respond:
Trend Micro (Japan)
Webroot (United States)
Microsoft (United States) <- added 10/26!

Meanwhile, Trend Micro (Japan) declined to field the questions. So did Webroot (United States), with the company saying that doing so would involve "giving away sensitive and competitive information or commenting on competitors in the space." But Chad Bacher, Webroot's senior vice president of product and technology alliances, lauded market competition. "All endpoint security companies utilize different approaches to keep their customers safe, which benefits consumers by bringing a healthy competition to the market."

Honestly, I didn't fully understand the exact meaning of the paragraph above.

What's with this strikethrough line?
Article source: https://www.bankinfosecurity.com ... y-practices-a-10393

If this infringes any rights, please message me privately and I will take the post down immediately. Many thanks!
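As an added illustration of the client-side data minimization several vendors describe above (Emsisoft and ESET sending a hash instead of the file, F-Secure replacing user names in paths with "username"), here is a constructed example. It is not any vendor's code; the list of per-user root folders is an assumption for the demo.

```python
import hashlib
import re
from pathlib import PurePosixPath, PureWindowsPath

# Directory names whose *next* path component is a per-user folder.
# Assumption for this example; a real client would carry a fuller list
# (roaming profiles, network shares, localized folder names, ...).
_USER_ROOTS_WIN = ("users", "documents and settings")
_USER_ROOTS_POSIX = ("home", "users")          # Linux /home, macOS /Users


def anonymize_path(path: str) -> str:
    """Normalize a local path and replace every user-name component with
    the literal 'username', as F-Secure describes doing before submission."""
    is_windows = "\\" in path or re.match(r"^[A-Za-z]:", path) is not None
    if is_windows:
        parts = list(PureWindowsPath(path).parts)   # also turns '/' into '\\'
        roots, rebuild = _USER_ROOTS_WIN, PureWindowsPath
    else:
        parts = list(PurePosixPath(path).parts)
        roots, rebuild = _USER_ROOTS_POSIX, PurePosixPath
    # Whatever component follows a user-root folder is a user name.
    for i in range(len(parts) - 1):
        if parts[i].lower() in roots:
            parts[i + 1] = "username"
    return str(rebuild(*parts))


def build_submission(local_path: str, data: bytes) -> dict:
    """The minimized record a client can send instead of the file itself:
    a SHA-256 of the content (a one-way identifier, as Kaspersky and Emsisoft
    describe), the anonymized path and the size. No account or IP data."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "path": anonymize_path(local_path),
        "size": len(data),
    }


if __name__ == "__main__":
    # Constructed sample: a fake dropper in a user's temp folder.
    sample_bytes = b"MZ... constructed, not a real executable ..."
    record = build_submission(
        r"C:\Users\alice\AppData\Local\Temp\dropper.exe", sample_bytes)
    print(record)   # the path shows 'username', never 'alice'
```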




fireherman
Posted 2017-10-25 10:58:57
This post was last edited by fireherman on 2017-10-25 18:08



The forum uses the WYSIWYG editor by default; you need to remove the s (strikethrough) tag.

-------------------------------------------------//-------------------------------------------------
e.g. (strikethrough):

    [s]卡饭论坛[/s]


Result:

卡饭论坛
-------------------------------------------------//-------------------------------------------------
e.g. (bold):

    [b]卡饭论坛[/b]


Result:

卡饭论坛
-------------------------------------------------//-------------------------------------------------
e.g. (italic):

    [i]卡饭论坛[/i]


Result:

卡饭论坛
-------------------------------------------------//-------------------------------------------------
e.g. (color code, by name or by hex value):

Both of these give [red]:

    [color=Red]卡饭论坛[/color]

    [color=#ff0000]卡饭论坛[/color]


Result:

卡饭论坛

卡饭论坛
-------------------------------------------------//-------------------------------------------------
When nesting tags, the nesting must be modular, each pair fully contained in the next like Russian nesting dolls; overlapping / cross-nesting is not allowed.

e.g. (color code + bold + underline):

Correct:
    [color=#ff0000]   [b]   [u]   卡饭论坛   [/u]   [/b]   [/color]


Result:

卡饭论坛


Wrong:
    [color=#ff0000]   [b]   [u]   卡饭论坛   [/b]   [/color]   [/u]


-------------------------------------------------//-------------------------------------------------

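The nesting rule in the reply above (each tag closed in the reverse order it was opened) can be checked mechanically, and a renderer should do exactly that before trusting user-supplied markup. This is an added example, not code from fireherman's post or from Discuz: a stack-based checker plus a helper that strips the [s] tags the reply says to remove.

```python
import re

# One BBCode tag: "[b]", "[color=#ff0000]" (opening, optional =value) or "[/b]" (closing).
_TAG_RE = re.compile(r"\[(/?)([A-Za-z]+)(?:=[^\]]*)?\]")


def check_nesting(text: str):
    """Return (True, 'ok') when every tag is closed in reverse order of opening,
    otherwise (False, reason). A stack makes the rule mechanical: the innermost
    open tag must be the next one closed, which rejects cross-nesting."""
    stack = []
    for m in _TAG_RE.finditer(text):
        is_closing, name = m.group(1) == "/", m.group(2).lower()
        if not is_closing:
            stack.append(name)
        elif not stack:
            return False, f"[/{name}] has no matching opening tag"
        elif stack[-1] != name:
            return False, f"[/{name}] closes [{stack[-1]}] first (cross-nesting)"
        else:
            stack.pop()
    if stack:
        return False, "unclosed tag(s): " + ", ".join(f"[{t}]" for t in stack)
    return True, "ok"


def strip_tag(text: str, name: str) -> str:
    """Remove every [name] / [/name] pair but keep the wrapped text,
    which is the fix suggested for an unwanted [s] strikethrough."""
    pattern = re.compile(r"\[/?" + re.escape(name) + r"(?:=[^\]]*)?\]", re.IGNORECASE)
    return pattern.sub("", text)


if __name__ == "__main__":
    # The two nesting examples from the reply above (constructed copies).
    correct = "[color=#ff0000] [b] [u] 卡饭论坛 [/u] [/b] [/color]"
    wrong = "[color=#ff0000] [b] [u] 卡饭论坛 [/b] [/color] [/u]"
    print(check_nesting(correct))   # (True, 'ok')
    print(check_nesting(wrong))     # (False, '[/b] closes [u] first (cross-nesting)')
    print(strip_tag("[s]卡饭论坛[/s]", "s"))   # 卡饭论坛
```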

cdyism
OP | Posted 2017-10-25 11:05:32
fireherman posted on 2017-10-25 10:58
The forum uses the WYSIWYG editor by default; you need to remove the s (strikethrough) tag.

------------------- ...

Done, thanks for the guidance.
B100D1E55
Posted 2017-10-25 12:40:26
This post was last edited by B100D1E55 on 2017-10-25 13:07

The gist of the last paragraph: Trend Micro and Webroot declined to answer. Webroot felt that responding might leak sensitive company information or information useful to competitors, and would unavoidably mean commenting on its peers. But then that Webroot VP went on to stress that a diverse, competitive security industry is a very good thing.
cemiko (this user has been deleted)
Posted 2017-10-25 13:35:24
Among the US vendors that haven't replied yet, I wonder how many are PRISM participants; I bet their replies would be very interesting.
cdyism
OP | Posted 2017-10-25 14:12:18
B100D1E55 posted on 2017-10-25 12:40
The gist of the last paragraph: Trend Micro and Webroot declined to answer. Webroot felt that responding might leak sensitive company information or ...

Thank you for the explanation.
tihs
Posted 2017-10-25 16:39:13
Kaspersky's UDS is probably linked to VT somehow: take a sample that has never been scanned on VT, upload it to VT for a scan, and after a while the local Kaspersky will flag it as UDS. I think that's a good thing, though.
cdyism
OP | Posted 2017-10-25 16:54:50
This post was last edited by cdyism on 2017-10-26 17:07
tihs posted on 2017-10-25 16:39
Kaspersky's UDS is probably linked to VT somehow: take a sample that has never been scanned on VT, upload it to VT for a scan, and after a while the local Kaspersky will flag it as U ...

Edited out.
FUZE
Posted 2017-10-25 21:42:10
B100D1E55 posted on 2017-10-25 12:40
The gist of the last paragraph: Trend Micro and Webroot declined to answer. Webroot felt that responding might leak sensitive company information or ...

No comment (
ccboxes
Posted 2017-10-26 15:48:42
This post was last edited by ccboxes on 2017-10-26 15:50
tihs posted on 2017-10-25 16:39
Kaspersky's UDS is probably linked to VT somehow: take a sample that has never been scanned on VT, upload it to VT for a scan, and after a while the local Kaspersky will flag it as U ...

Some samples get detected by Kaspersky shortly after being uploaded to VT because Kaspersky's automated cloud analysis is among the fastest in the industry: once it receives the sample forwarded by VT, it can finish identifying and classifying it very quickly. It is not Kaspersky looking up VT's verdict.


In practice, almost everything that responds faster than Kaspersky is a machine-learning engine; if Kaspersky followed their detections, its false positives would have gone through the roof long ago.

The magazine's question about VT is actually pointless: VT is one-directional, it forwards every file users upload to every vendor that has joined VT. Why else do you think so many vendors join VT? To collect samples, of course.