How antivirus vendors handle state-sponsored malware
Last month, an international coalition of civil rights organizations and academic experts asked antivirus software vendors how they handled state-sponsored malware. Some of them already responded and the responses are interesting.
The letter, drafted by Bits of Freedom and signed by organisations such as EDRi, several EDRi-members and security experts such as Bruce Schneier, was sent to various antivirus companies (see below for a complete list). The coalition writes in the letter that these companies have a vital position in providing security and maintaining the trust of internet users engaging in sensitive activities such as electronic banking. Therefore, they were asked to answer four questions:
1) Whether they have ever detected the use of state-sponsored software for the purpose of surveillance;
2) Whether they have ever been approached with a request by a government to not detect such software or, if detected, to not notify the user of their software;
3) Whether they have ever granted such a request;
4) How they would respond to such a request in the future.
Up until this moment, only a handful of the vendors have replied: ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state-sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware, and if they were asked by any government to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.
This also means that several vendors did not respond to the letter before the deadline. The letter was sent to: Agnitum, Ahnlab, Avira operations GmbH & Co. KG, AVG, AVAST software a.s., Bullguard Ltd, Bitdefender SRL, F-Secure Corporation, Kaspersky Lab, McAfee Inc, Norman Shark, Microsoft Corporation, ESET spol. S r.o., Panda Security S.L., Symantec Corporation and Trend Micro Incorporated.