
In an attempt to understand the topic further, the following posts were reviewed.

The posts however don't touch on how the antivirus software proxies all traffic.

My understanding is that antivirus software such as those from Symantec, Kaspersky, etc. install root certificates on the operating system and client, e.g. web browser.

It isn't clear how the antivirus software proxies all traffic. It suggests that the antivirus software is hijacking and/or injecting the browser process.

  • If yes, how does it achieve hijacking and/or injecting a browser process? What are the risks?
  • If no, how does it direct all traffic from a browser? I have assumed that it does not change DNS configurations or install proxy configuration files.
Motivated

1 Answer


Based on your question I assume that you understand how SSL interception works in general, i.e. that the SSL intercepting process (the antivirus in this case) essentially replaces the original end-to-end encrypted connection with an encrypted connection from proxy to server and with another connection from client to proxy - where the last one does not use the original server certificate but a certificate created by the proxy and issued by a proxy-specific CA trusted by the client.

The question remains then how the local AV can put its proxy into the path of the traffic. One way would be to explicitly configure the proxy in the browser. A more transparent way on Windows is to use the Windows Filtering Platform (WFP) which is explicitly designed for this kind of traffic interception. To cite from Porting Packet-Processing Drivers and Apps to WFP:

Windows Filtering Platform (WFP) enables TCP/IP packet filtering, inspection, and modification, connection monitoring or authorization, IPsec rules and processing, and RPC filtering ...

In other words: no injection into the client is needed. Instead, WFP defines a supported interface for how application traffic can be intercepted and modified. Given that all traffic between an application and the remote communication peer will ultimately pass through the network stack of the OS, WFP essentially provides supported hooks into this network stack and allows interception and modification without changing the application. These kinds of hooks are also used by libraries like WinDivert, which allow traffic interception and modification from user mode.

The documentation of ESET AV also confirms that they are using WFP. To cite:

Starting with Windows Vista Service Pack 1, Windows 7 and Windows Server 2008, the new Windows Filtering Platform (WFP) architecture is used to check network communication. ...

There are also other ways to do similar things even before WFP was available, for example with NDIS filter drivers. And there are more ways, including injecting a DLL into the application. For some information see Comparison of User Mode and Kernel Mode Applications for Modifying HTTP Traffic.

Steffen Ullrich
  • Thanks. Since the antivirus product is interrogating the available operating system APIs, would these calls be secure, i.e. can these be hijacked? If yes, how? Additionally, how would this compromise the intended traffic monitoring by the antivirus software? – Motivated Nov 03 '18 at 04:31
  • @Motivated: I'm not sure what you mean with *"calls be secure"* or *"hijacked"* in this case. Essentially the API provides a way for applications to intercept and modify traffic. This is not limited to AV but any application with the relevant permissions can use this functionality, including malicious applications. – Steffen Ullrich Nov 03 '18 at 04:56
  • I am assuming the API exposes methods in which applications can call it. If so, would the communication to the API be secure? Can this be intercepted and/or hijacked? When you say permissions, what would these be? – Motivated Nov 03 '18 at 05:02
  • @Motivated: I don't know about the inner details but I assume that the API can be intercepted like other APIs too and that one needs privileged access to insert such filters. Anyway, these questions are already outside of your original question (*"If no, how does it direct all traffic from a browser?"*) so you might better ask these as a new question. – Steffen Ullrich Nov 03 '18 at 05:12
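The interception model the answer starts from (a proxy-specific CA, a leaf certificate the proxy mints for the server's name, and a separate proxy-to-server session) as an added Go example; this is not code from the original post, from WFP, or from any antivirus product. It says nothing about how traffic is steered into the proxy: the client here simply connects to the proxy's loopback address so that the certificate side can run in one process. The CA names, the hostname example.test and the banner line are constructed for the example. It also shows the check a defender gets from the comments above: a client that was never given the proxy's root rejects the forged chain with an unknown-authority error, and a client that does trust it can still see that the leaf's issuer is the proxy CA rather than the site's own CA.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "example.test" // hypothetical server name, constructed for this example

// check aborts on a setup error, which is acceptable for a self-contained demo.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert mints a self-signed CA when parent is nil, otherwise a server leaf for the DNS name subject, signed by parent.
func newCert(subject string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signKey := tmpl, any(key) // self-signed CA unless a parent is given
	if parent != nil {
		tmpl.DNSNames = []string{subject} // leaf: the name the client matches ServerName against
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve starts a loopback TLS listener presenting cert and hands every connection to handler.
func serve(cert tls.Certificate, handler func(net.Conn)) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); handler(c) }(c)
		}
	}()
	return ln
}

// readLine plays the client: verify the chain against roots, then report the leaf's issuer and the first line received.
func readLine(ln net.Listener, roots *x509.CertPool) (issuer, line string, err error) {
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, RootCAs: roots})
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	line, err = bufio.NewReader(conn).ReadString('\n')
	return conn.ConnectionState().PeerCertificates[0].Issuer.CommonName, line, err
}

// RunDemo wires up a genuine server, an intercepting proxy and three client connections and returns what the clients saw.
func RunDemo() (directIssuer, proxiedIssuer, proxiedLine string, untrustedRejected bool) {
	siteCA, proxyCA := newCert("Example Site CA", nil), newCert("AV Proxy Root CA", nil)
	siteLeaf, forgedLeaf := newCert(host, &siteCA), newCert(host, &proxyCA) // same name, different issuer
	pool := func(ca tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.Leaf); return p }
	trustSite, trustProxy := pool(siteCA), pool(proxyCA) // trustProxy models the root the AV installed
	siteLn := serve(siteLeaf, func(c net.Conn) { fmt.Fprintf(c, "hello from %s\n", host) })
	// The interceptor ends the client's TLS with the forged leaf, opens its own verified session to the genuine server, and relays the plaintext it can now inspect.
	proxyLn := serve(forgedLeaf, func(c net.Conn) {
		if _, line, err := readLine(siteLn, trustSite); err == nil {
			fmt.Fprintf(c, "[inspected by proxy] %s", line)
		}
	})
	directIssuer, _, err := readLine(siteLn, trustSite)
	check(err)
	proxiedIssuer, proxiedLine, err = readLine(proxyLn, trustProxy)
	check(err)
	_, _, err = readLine(proxyLn, trustSite) // a client that never trusted the proxy root
	return directIssuer, proxiedIssuer, proxiedLine, errors.As(err, new(x509.UnknownAuthorityError))
}

func main() {
	direct, proxied, line, rejected := RunDemo()
	fmt.Printf("direct issuer %q; via proxy issuer %q, line %q; forged chain rejected without proxy root: %v\n", direct, proxied, line, rejected)
}
```

Run it with `go run`; the issuer difference it prints is the same one a browser's certificate viewer shows on an intercepted connection, which is the quickest way to confirm that an AV proxy is in the path even when, as the answer explains, no process was injected and no proxy setting was changed.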