Re: Turning it off
Ok, so you've made a great big zip file with your source and your binaries of the NSA tools. You've taken them home in a single lump for convenience. As a result this single archive, which probably runs to hundreds of meg if not gigabytes, matches a known signature.
Actually most malware isn't very big. You can have a few hundred samples in a couple of MB. We are not told how many samples were in the zip file so you can have your terrabytes of data, I'll say it was 2 samples and 2 bits of source, totally 100kb, zipped down to 50kb. It's probably somewhere a bit more than my guess but far less than yours. Let's go for 10mb, the upper limit Google will allow for email. That's not really big, but you can fit a ton of text in there. I have a full height 5mb MFM HDD sitting around somewhere, for it's original owner they probably had OS, programs and data on there, and probably paid several $hundred for it as well.
10Mb wouldn't be much. For many people with today's HDD sizes and internet speeds, 100Mb wouldn't be much - I can (when at a mates) download HD movies faster than I can watch them, and we don't notice much. On ADSL 2 people can stream HD movies. 100Mb is nothing by today's standards. Shall we go for a full series? I have a copy of Babylon 5 (all eps, movies and also the Crusades series) that is a little over 50Gb - took a couple of days for that to come down over ADSL.
So you are stating that it's ok for Kaspersky to upload this file to their servers without asking? Does it do this for ALL files that match signatures or just those that match NSA signatures?
If you knew anything about standards for AV you'd know that yes, for any new variant of a known strain, or something that is a heuristic match (Thunderbyte AV did heuristic matching back when 386's were still quite common) but does not match known malware, then yes, it is standard practice for a sample to be sent off to the AV company. If that file is part of a larger archive, then the entire archive is suspect and thus is sent (how can they tell it's not a largely suspect archive unless they look deeper?). You can turn this off, but IME it is the default setting for normal AV software. Kaspy does it, MSSE/WD does it, I think I can safely assume Symantec products do it. In fact I can say with some assurance that Avast, AVG, ESET, Fortinet, Kaspersky Lab, McAfee, Microsoft, Sophos, Symantec, Trend Micro, Vipre, and Webroot all send data up to home base, and some don't allow you to opt out (I do have an issue with doing it without giving you the chance to say no, but I don't have a problem with it being the default - users should be notified of this behaviour during installation I agree).
This is how new threats are detected so outbreaks can (hopefully) be stopped sooner, perhaps so the AV company can be "first" to find it, etc. Without samples of new strains, the AV companies cannot a) work out what they do and b) work on a way to stop/clean/prevent infection. If you stop the AV companies getting samples of new malware you stop the AV companies.
My point was that just because they identify binaries that match signatures, it gives them no right to upload unrelated items. Or upload anything without asking. Makes no difference if it's in an archive or as separate files on the file system
If you don't want them to have that right, don't ask them to run on your system. It's pretty simple that even someone like yourself has at least a slim chance of grasping the concept.
However I do have a dim view of all anti-virus software companies and refuse to use them.
Going off your posts, I have to wonder if "dim" is the operative word? Run an online Windows? You need protection.
Biting the hand that feeds IT
