Should antivirus vendors block state malware?
The question was raised by security firm F-Secure after the news that documents found in the recently raided headquarters of the Egyptian State Security revealed that its Investigation Department had received offers for a spying software framework and tools from a German company.
It is still unknown if the documents are legitimate, and if they are, whether the offer was accepted by the Egyptian State Security.
Setting that aside for a moment, F-Secure’s Mikko Hypponen poses equally important questions, such as: do the company’s AV solutions detect FinFisher (the software in question)? Would they knowingly add detection for it?
Since they don’t have a sample of the offending software, the answer to the first question is that they don’t know. He admits, though, that it’s perfectly possible that they have already received a sample of FinFisher or some similar tools from their customers, but were unable to distinguish them from “normal” criminal trojans.
The answer to the second question is a resounding “Yes”. “We are in the business of selling protection. We’re selling products to protect our customers from attack programs — regardless of the source of such programs,” explains Hypponen.
“It’s easy to imagine a case where our customer would be innocent of any wrongdoing, but would be suspected for a crime he didn’t commit. In such a situation he would have full expectation of his antivirus protecting him against trojans, even if those trojans would be coming from the government. This would be even more relevant if the customer lives in a totalitarian state. Like some of our customers do.”
So far, he says, they haven’t received a similar request from law enforcement or intelligence agencies around the world, but he says the answer would be negative. To prove that this is not just his personal take on things, he points readers to the F-Secure Corporation’s policy on detecting spying programs developed by various governments.