This assessment presents the inherent information security concerns and security ramifications associated with the use of any commercial-off-the-shelf (COTS) antivirus solution in devices with access to a federal network. It also addresses specific risks presented by Kaspersky-branded products, solutions, and services (collectively, “Kaspersky-branded products”).
Many organizations deploy antivirus software solutions to user workstations as a base layer of security to detect and remove the most common threats, including Trojans, malware, worms, and adware. Antivirus solutions have become a default part of cyber hygiene at the workstation level, though security experts recommend that antivirus software be deployed alongside a full security stack to more robustly protect the network, a practice referred to as layered security or “defense-in-depth.”
Antivirus solutions usually employ one or more of three signature detection methods: file scanning, heuristics, and emulation. File scanning leverages full content inspection in order to detect malicious code in files downloaded, emailed, or transferred to the computer. Heuristic scanning monitors all processes and establishes baselines for a workstation’s patterns of behavior in order to detect deviations from those baselines. Emulators use sandboxed virtual machines to test-run suspicious or encrypted executables. Monitoring changes in the sandbox allows the antivirus software to determine whether the suspicious process is safe to execute on the host system or whether it is unsafe and should be deleted or quarantined.
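The following is an added illustration of two of the three methods named above, file scanning (hash and byte-pattern matching over full file content) and heuristic baselining (flagging process behaviour not seen during a known-good period). It is example code written for this page, not code from the assessment or from any vendor's antivirus engine; every detection name, hash, byte pattern and process event in it is constructed for the demonstration, and sandboxed emulation is not shown.

```python
"""Toy antivirus building blocks: content scanning and behavioural baselining.

Added example; all signatures, hashes and process events below are constructed
placeholders, not real malware indicators.
"""
import hashlib
from typing import Dict, List, Tuple

# --- File scanning: full content inspection against a signature database ---

# Constructed "known-bad" file body; its SHA-256 stands in for a vendor hash list.
SAMPLE_BAD_FILE = b"CONSTRUCTED-SAMPLE: this blob stands in for a known-bad binary\n"
KNOWN_BAD_HASHES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_BAD_FILE).hexdigest(): "Sample.Placeholder.A",
}

# Constructed byte signatures, matched anywhere inside the file content.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "Sample.Marker.B": b"evil-marker-42",
    "Sample.Dropper.C": b"\x4d\x5a\x90\x00DROPPER",
}


def scan_bytes(data: bytes) -> List[str]:
    """Return detection names for `data`: exact-hash hits first, then pattern hits."""
    findings: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        findings.append(KNOWN_BAD_HASHES[digest])
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            findings.append(name)
    return findings


# --- Heuristic scanning: baseline per-process behaviour, flag deviations ---

Event = Tuple[str, str]  # (process name, observed action)


def build_baseline(events: List[Event]) -> Dict[Event, int]:
    """Count how often each (process, action) pair occurred in a known-good period."""
    counts: Dict[Event, int] = {}
    for ev in events:
        counts[ev] = counts.get(ev, 0) + 1
    return counts


def heuristic_deviations(baseline: Dict[Event, int], events: List[Event],
                         burst_factor: int = 5) -> List[Tuple[Event, str]]:
    """Flag pairs never seen in the baseline, and pairs occurring far more often
    than they did during baselining (a crude rate-based anomaly check)."""
    window = build_baseline(events)
    flagged: List[Tuple[Event, str]] = []
    for ev, n in window.items():
        if ev not in baseline:
            flagged.append((ev, "never seen during baseline"))
        elif n > burst_factor * baseline[ev]:
            flagged.append((ev, f"{n} occurrences vs baseline {baseline[ev]}"))
    return flagged


# Constructed known-good period: ordinary desktop activity.
BASELINE_EVENTS: List[Event] = (
    [("explorer.exe", "open_file")] * 10
    + [("outlook.exe", "network_connect")] * 5
    + [("winword.exe", "open_file")] * 8
)

# Constructed later window: a document viewer spawns a child process (never seen
# before) and the mail client's connection rate jumps well above its baseline.
SUSPECT_EVENTS: List[Event] = (
    [("winword.exe", "open_file")] * 2
    + [("winword.exe", "spawn_process")]
    + [("outlook.exe", "network_connect")] * 30
)


def detect_deviations() -> List[Tuple[Event, str]]:
    """Run the heuristic check on the constructed sample data."""
    return heuristic_deviations(build_baseline(BASELINE_EVENTS), SUSPECT_EVENTS)


if __name__ == "__main__":
    print("hash hit:   ", scan_bytes(SAMPLE_BAD_FILE))
    print("pattern hit:", scan_bytes(b"quarterly report ... evil-marker-42 ..."))
    print("clean:      ", scan_bytes(b"nothing to see here"))
    for ev, reason in detect_deviations():
        print("heuristic:  ", ev, "->", reason)
```

The two halves show why the text pairs them: content scanning only catches what the signature database already describes, while the baseline check catches behaviour that no signature matches but that the workstation has never exhibited before, at the cost of false positives whenever legitimate usage changes.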
In order to perform these functions and protect the workstation, antivirus software requires the highest level of system privileges, particularly to combat any malicious software that might try to remove the antivirus or interrupt kernel-level system calls as part of its attack kill chain. Each antivirus product operates on an antivirus engine—the core component programmed to search for malicious activity using the methods described above. Multiple antivirus products from different antivirus companies may share the same antivirus engine if an antivirus company does not have the resources to build its own engine.
Based on publicly available information, Kaspersky-branded antivirus software and other Kaspersky-branded products and solutions that contain antivirus functionality appear to present the general antivirus software risks identified above. For example, the default installation of Kaspersky Internet Security scans all encrypted HTTPS connections using the interception technique described above in order to detect malicious activity.
Additionally, Kaspersky customers may participate in the Kaspersky Security Network (KSN). KSN is a cloud-based network to which a wide range of data from customer devices may be transferred for the purpose of additional analysis. A list of such data is available in the KSN Statement, which users must agree to in order to participate. Under the terms of the agreement, the information subject to transfer includes highly sensitive data collected from a user’s device, such as information about the computer’s hardware and software, files downloaded, certain websites visited, running applications, and user account names—essentially the full spectrum of forensic data a device produces. Furthermore, Kaspersky notes in the KSN Statement that it reserves the right to disclose any of the information processed “under confidentiality and licensing agreements with certain third parties which assist [Kaspersky] in developing, operating, and maintaining the Kaspersky Security Network.” These third parties may be trusted partners of Kaspersky, but that does not mean they are subject to the same vetting and rigorous suitability scrutiny as other companies with which the U.S. Government has entrusted its data.