Open a support ticket via my.kaspersky.com, as only KL knows the correct answer. We are just power users helping users here.


I already have had. In short the current ticket state is: "We are now working with our escalation team on your query. Please wait for our reply."


And I just received the totally irrelevant answer from the support :-(

Quote

We have checked that out of the 3 IP addresses, only the first and third belong to Kaspersky. The IP address 180.87.4.128 belongs to a server used for Kaspersky Security Network (KSN) services, and 66.110.49.0 is used for Kaspersky Cloud services.

The IP address 38.113.165.0 belongs to an organisation called ISP PSINet, Inc. You may access the “whois” information by accessing the link below:

https://rdpguard.com/free-whois.aspx?ip=38.113.165.0#

Not only does it not address the question in any way, but the engineer does not know how to use the whois service, jeez.

Edited by zerkms


Also, you can't pretend that Kaspersky reveals information here or even by PM about their cloud technology and how it works :)

Do you ask Microsoft about the huge amount of info that is constantly being sent to their servers by their telemetry? Or even any of the current security applications running today?

You can check a Data Transmission Report (from 2014): https://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf

16 minutes ago, harlan4096 said:

Also, you can't pretend that Kaspersky reveals information here or even by PM about their cloud technology and how it works :)

Do you ask Microsoft about the huge amount of info that is constantly being sent to their servers by their telemetry? Or even any of the current security applications running today?

You can check a Data Transmission Report (from 2014): https://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf

I'm not sure how MS is relevant to my very question, since this is the Kaspersky products support forum. When I have questions to MS or Google - I contact their support correspondingly.

It is okay if nobody knows it here (given the developers don't participate in discussions).

It is not okay if Kaspersky will decide to not answer my question - it would be suspicious. And it already is - they obfuscate traffic, for some reason...

If this is a natural and essential process - there should be totally no problem in revealing what kind of data is being collected and sent. It also should not be a problem to explain why, if it's essential to function, the application DOES NOT warn us if the traffic to those networks is blocked (it also is suspicious).

 

I can totally understand though that not all people share my concerns and don't care that some of their data is being constantly sent from their computers.

Edited by zerkms


Cloud/KSN is a very important part of protection in Kaspersky products, and yes (in order to protect us) suspicious activities and info of our systems is being constantly and automatically sent to KSN servers to be processed. I personally don't mind if KSN protects me as soon as possible against a 0 day attack, ransomware, etc...

Also, in the last years Kaspersky has been modifying the way some of the protection modules work. For example, it often uses cloud signatures, which are not stored in our systems, the Anti-Spam module also uses a cloud system, the product can also be managed (start some remote actions and check the status of modules, license, etc.) via the "My Kaspersky" web service, and so on...

So you can block those Kaspersky remote server IPs/traffic, but probably you will be limiting Kaspersky protection :)


As it was mentioned by me and other people in this thread - it's not KSN: the traffic exists with KSN disabled.

I do not state KSN is useless, I just state that it's not KSN.

You're currently speculating. I can also make a million assumptions about what it MIGHT BE, but it does not make any of us any closer to answering the question for sure.

Please don't take it personally, but if you don't know what exactly that traffic carries - could you please not guess? (it would save all of us a lot of time and won't spoil the thread)

Edited by zerkms


I also mentioned different cloud services, not related directly to KSN... also even if you disable KSN, the product may still detect attacks and malware via UDS (Urgent Detection System) and also some PDM detections (System Watcher -> PDM:Trojan.Win32.Bazon.x) via online rules/signatures...


Also it's best practice to secure traffic with HTTPS, and there is nothing suspicious about it. Also by reading the EULA (http://products.kaspersky-labs.com/english/homeuser/kis2018/for_reg_/eula_en.txt) we can get some clues. Also this support article provides some further information (https://support.kaspersky.com/7270) regarding the subject matter. Apart from that, KL support is your best bet to get this answered.


I tend to agree with what Harlan is saying about KSN, UDS and PDM sending traffic for the purpose of analysis for better security protection, but I think what Zerkms is concerned about is if a user is compromising privacy for improved security.  Such as what files (sensitive or non-sensitive) with malware attached are being sent to Kaspersky Labs for analysis and what privacy protections are in place that will protect sensitive data from being analyzed along with the suspected malware.  

I think this is a complicated question that is probably not going to be answered accurately on a forum or tech support given the recent news.     

 

   

7 hours ago, Whizard said:

Also it's best practice to secure traffic with HTTPS, and there is nothing suspicious about it. Also by reading the EULA (http://products.kaspersky-labs.com/english/homeuser/kis2018/for_reg_/eula_en.txt) we can get some clues. Also this support article provides some further information (https://support.kaspersky.com/7270) regarding the subject matter. Apart from that, KL support is your best bet to get this answered.

Unless their traffic is NOT https, while it still connects to TCP 443 (I mentioned it already a few days ago).

4 hours ago, Allsop said:

I tend to agree with what Harlan is saying about KSN, UDS and PDM sending traffic for the purpose of analysis for better security protection, but I think what Zerkms is concerned about is if a user is compromising privacy for improved security.  Such as what files (sensitive or non-sensitive) with malware attached are being sent to Kaspersky Labs for analysis and what privacy protections are in place that will protect sensitive data from being analyzed along with the suspected malware.  

I think this is a complicated question that is probably not going to be answered accurately on a forum or tech support given the recent news.     

 

   

That's a good summary :-) I expected the opposite though - given the recent news it's in their interest to be as transparent as possible. Otherwise, well, somebody could write an article that the Kaspersky Lab products send something non-stop back to the Kaspersky Lab networks and the support cannot explain what exactly is being sent. And that article would be 100% accurate and correct.

Edited by zerkms

16 hours ago, zerkms said:

Unless their traffic is NOT https, while it still connects to TCP 443 (I mentioned it already a few days ago).

That's a good summary :-) I expected the opposite though - given the recent news it's in their interest to be as transparent as possible. Otherwise, well, somebody could write an article that the Kaspersky Lab products send something non-stop back to the Kaspersky Lab networks and the support cannot explain what exactly is being sent. And that article would be 100% accurate and correct.

Hello,

As you can see, I also agree with your point. KL needs a Main Switch covering all connections to KL servers. If a user switches off this Main Switch, AVP shouldn't create network connections to KL servers (such as loading HIPS rules, KSN, UDS, browser websocket, PDM, etc.) and should work in a local state.

Now the boundary is blurred. This boundary is at the center of the controversy, so I think the discussion will not reach a conclusion, and whether KL will add this switch in the future is also an unknown quantity.

Regards.

3 hours ago, Wesly.Zhang said:

Main Switch

Kaspersky is turning into a cloud-based antivirus with much smaller databases than 2 years ago.

I think protection will be much reduced if Kaspersky cannot connect to its server in real time. (I believe there is cloud-based signature detection, not only a simple MD5 query.)

Such a switch is a good idea, but KL should warn users about the risks and take more transparent actions to regain users' confidence.

14 hours ago, xzz123 said:

Kaspersky is turning into a cloud-based antivirus with much smaller databases than 2 years ago.

I think protection will be much reduced if Kaspersky cannot connect to its server in real time. (I believe there is cloud-based signature detection, not only a simple MD5 query.)

Such a switch is a good idea, but KL should warn users about the risks and take more transparent actions to regain users' confidence.

Hi,

Yeah~ The detection rate will be reduced and false alarms will increase in a local workaround. There are always some people in this world who are going against the times. I also understand what these people think.


As mentioned in my previous replies, it's standard practice to encrypt traffic with TLS/SSL and transmit via HTTPS. You would not want your bank transmitting your PIN in clear text now, would you? Same here. The information transmitted is outlined in the EULA I had linked to. All the other speculation is just spreading fear and deception. FYI, KL recently won a platinum Gartner Customer Choice award (https://eugene.kaspersky.com/2017/10/26/kl-wins-gartner-platinum-award), despite whatever the media news outlets are spreading around.

3 hours ago, Whizard said:

The information transmitted is outlined in the EULA I had linked to. All the other speculation is just spreading fear and deception.

Given it's that simple - it is especially surprising that it takes the support 2 escalations and more than a week to answer it.

And given it is that simple - there has been no answer here yet that exactly answers the original question (there were only guesses and now your reference to the EULA without any further details).

I have an amazing suggestion: let's not spread our assumptions and guesses. If somebody has something to add - please provide some kind of evidence. E.g.: if you refer to the EULA, please quote the part of it that denotes the exact data to be transferred.

I will repeat the question for clarity: the KAV is constantly sending something at a speed of 2KB/s. What data is EXACTLY being sent?

If you don't know for sure - please don't share your guesses or assumptions, don't waste your and our time.

Thanks.

PS: It's cool they were awarded, but it still does not answer the question asked.

Edited by zerkms


As you know KSN  is checking on known and unknown  objects that could harm your system, so if  you don't like it please disable this option. 

 

6 minutes ago, Berny said:

As you know KSN  is checking on known and unknown  objects that could harm your system, so if  you don't like it please disable this option. 

 

It was stated 4 times that IT IS NOT KSN: the traffic is there even with KSN disabled. Any chance everybody that comments here checks all the comments so that we did not need to repeat the same things more than 4 times? (I made it red and bold to make it even more explicit)

And as I suggested in my previous comments: unless you know what you're speaking for sure (say you're a KAV developer) - please refrain from posting assumptions or guesses.

Thank you.

Edited by zerkms


I received another response from the support: they claim it's KSN, even though I have KSN disabled.

It looks like even the support has no clue how KAV operates.

27 minutes ago, zerkms said:

I received another response from the support: they claim it's KSN, even though I have KSN disabled.

It looks like even the support has no clue how KAV operates.

It seems more likely that we customers have no clue how the product works.  It would not surprise me if some part of KSN remains active even when the KSN option is turned off.  We may not like it (and the US federal government certainly does not like it) but the product probably sends data to the KSN server whether KSN is active or not.

Regarding the encrypted data:  If a security package is going to send security-related information across the network, and if there is no way to keep it from doing that, would you rather have it sent in the clear so that anybody can read it?  Having it encrypted at least limits the audience to Kaspersky.

15 minutes ago, pokeefe0001 said:

It seems more likely that we customers have no clue how the product works.  It would not surprise me if some part of KSN remains active even when the KSN option is turned off.  We may not like it (and the US federal government certainly does not like it) but the product probably sends data to the KSN server whether KSN is active or not.

Regarding the encrypted data:  If a security package is going to send security-related information across the network, and if there is no way to keep it from doing that, would you rather have it sent in the clear so that anybody can read it?  Having it encrypted at least limits the audience to Kaspersky.

Yep, but KSN requires a separate explicit grant since it comes with a separate user agreement. It must not send anything unless it's explicitly enabled.

As for encrypted data: it surely must be encrypted. My point was only that it's not https, even though it connects to TCP 443. And that is confusing.

Edited by zerkms


OK, ask Support to escalate your case. We are just power users who will be unable to provide you with more of the information that you currently seek. Of course the protocol is custom and not HTTPS, it simply uses an encrypted port to communicate.

Quote

Thank you for your continued support. My apologies for the late response.

We've just received a reply from our Escalation Team with the following information, stating that the Kaspersky Secure Network works in a way that it collectively collects data from consumers' systems to determine the behaviour of the programs and how they interact, to remain up-to-date and protect other consumers too.

In an instance where you disable Kaspersky Secure Network, the product only downloads the updates from Kaspersky Secure Network. An article relevant to that can be found at the link below, along with the EULA (End User License Agreement) terms and conditions shown while installing our program:

- https://support.kaspersky.com/12741

- https://help.kaspersky.com/KIS/2018/en-US/144976.htm

Furthermore, the Kaspersky sends some information about the program to ensure that the system remains protected. However, if the customer agrees to participate in the KSN, you also agree to provide additional information which is automatically gathered and uploaded to the system. (KSN Statement can be found in the following path: Open Kaspersky Application > Settings - Additional - Additional protection and management tools - KSN statement link)

Another response from the support. And again - their explanation does not align with the observations... I start thinking they don't want to explain what they send from our computers.

KAV sends the same amounts of data regardless whether KSN is enabled or not.

 

Edited by zerkms

18 minutes ago, zerkms said:

Another response from the support. And again - their explanation does not align with the observations... I start thinking they don't want to explain what they send from our computers.

KAV sends the same amounts of data regardless whether KSN is enabled or not.

 

Even on an escalated ticket which should be answered by a person with more expertise they are still lying. Either it is by incompetence or trying to hide something, it's just weird.

I've been meaning to try a deeper analysis of the packets but I just have had a lot of work, I'll post anything I find when I do.


The correct link is https://help.kaspersky.com/KIS/2018/en-US/144978.htm

Quote
Data provision during application operation

Report files can contain personal data obtained during operation of protection components, such as File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, Anti-Spam, and Parental Control.

Report files can contain the following personal data:

  • IP address of the user's device
  • Online browsing history
  • Blocked links
  • Messaging history in social networks
  • Key words specified in Parental Control settings
  • Versions of the browser and operating system
  • Names of cookies and other files and paths to them
  • Email address, sender, message subject, message text, user names, and list of contacts

Report files are stored locally on your computer. Path to report files: %allusersprofile%\Kaspersky Lab\AVP18.0.0\Report\Database.

Reports are stored in the following files:

  • reports.db
  • reports.db-wal
  • reports.db-shm (does not contain any personal data)

Report files are protected against unauthorized access if self-defense is enabled in Kaspersky Internet Security. If self-defense is disabled, report files are not protected.

Edited by Enrico Bj

This topic is now closed to further replies.
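
Added example, not part of the original thread: several posts above disagree over whether the traffic to TCP 443 is HTTPS. One way to check a packet capture is to test whether the first client-to-server bytes of the flow form a TLS record carrying a ClientHello. The sample payloads and the host name `updates.example.test` are constructed for illustration and are not taken from Kaspersky traffic.

```python
import struct

# TLS record content types (RFC 8446, section 5.1)
TLS_TYPES = {20, 21, 22, 23}
MAX_RECORD = 16384 + 2048          # largest ciphertext length TLS 1.2 allows in one record

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: minimal ClientHello with one SNI extension."""
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32)      # client_version, random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed stand-in for a proprietary binary framing sent to port 443.
CUSTOM_SAMPLE = b"\x00\x00\x01\x2c" + bytes(range(16))

def classify(payload: bytes) -> str:
    """Label the first client-to-server bytes of a flow seen on TCP 443."""
    if len(payload) < 5:
        return "too-short"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_TYPES or major != 3 or minor > 4 or not 0 < length <= MAX_RECORD:
        return "not-tls"
    if ctype == 22 and len(payload) > 5 and payload[5] == 1:
        return "tls-client-hello"
    return "tls-record-without-client-hello"

def extract_sni(payload: bytes):
    """Return the server name a ClientHello asks for, or None."""
    if classify(payload) != "tls-client-hello":
        return None
    try:
        p = 5 + 4 + 2 + 32                                   # headers, version, random
        p += 1 + payload[p]                                  # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")     # cipher suites
        p += 1 + payload[p]                                  # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= min(end, len(payload)):
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            if etype == 0:                                   # server_name extension
                nlen = int.from_bytes(payload[p + 7:p + 9], "big")
                return payload[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except IndexError:
        return None
    return None
```

A `not-tls` result only shows that the flow does not open with a TLS handshake; it says nothing about whether the payload is encrypted or what it carries.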
