
Author: David Max MA DPhil (2021-10-01)

Remote IP address connections listed using Wireshark, with and without AVG Antivirus Free

Wireshark

Wireshark was used here to build a list of the remote servers being reached by a local machine, with and without AVG Antivirus Free software installed.

Outline of study: a "before and after" experiment

Wireshark is a remarkable packet analyzer utility.[1]

Data transmission between local and remote machines can be investigated in great detail using Wireshark.

The local machine used to run the tests was an old Pentium-D machine running Windows XP, now retired.

AVG Antivirus Free was installed on this machine from around 2015.

Wireshark was set up to monitor data connections between the test machine and remote servers from initial boot (a batch file was placed in the Windows StartUp folder).

At the beginning of the study, AVG Antivirus Free ran on the test machine. AVG was then uninstalled on March 13th, 2021.

The test machine was then run on a few further days, until early May, while Wireshark continued to monitor data transmission.

The test duration with AVG running was 101.6 hours. A further 42.4 hours of Wireshark monitoring were clocked up after AVG was uninstalled.

R scripts for data analysis

Wireshark collected data on communications with each IP address contacted.

Information about the various servers involved was then obtained using the Linux utility whois.

This stage and the subsequent analysis of data transfer to and from each IP address, creation of plots, etc., were automated using R.

(R can be used to run system commands, for example file copying tasks.)

The key step in analysis of the data here uses the R function tapply().
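The following R script is an added illustration of that analysis step, not the original study's script: it takes a constructed per-packet table of the kind exported from Wireshark, labels each packet by direction and by whether the remote organisation (looked up in a constructed stand-in for the whois stage) is Avast, and uses tapply() to total bytes per group before dividing by capture duration. The local address, packet records, organisation lookup and durations are all assumed values.

```r
# Added example (not from the original study): reconstructing the tapply() step.
# Input: a constructed per-packet table like one exported from Wireshark
# (seconds since capture start, source, destination, frame length).
local_ip <- "192.168.1.10"   # assumed address of the monitored test machine

# constructed packet records for both phases of the experiment
pkts <- data.frame(
  phase  = c(rep("installed", 6), rep("uninstalled", 4)),
  time   = c(0.0, 0.5, 1.2, 2.0, 2.8, 3.5, 0.0, 1.0, 1.7, 2.4),
  src    = c(local_ip, "203.0.113.5", local_ip, "198.51.100.9", local_ip, "203.0.113.5",
             local_ip, "198.51.100.9", local_ip, "198.51.100.9"),
  dst    = c("203.0.113.5", local_ip, "198.51.100.9", local_ip, "203.0.113.5", local_ip,
             "198.51.100.9", local_ip, "198.51.100.9", local_ip),
  length = c(120, 1400, 90, 600, 300, 800, 100, 700, 80, 500),
  stringsAsFactors = FALSE
)

# constructed stand-in for the whois stage: remote IP -> owning organisation
org_of <- c("203.0.113.5" = "Avast", "198.51.100.9" = "Other Corp")

# derive direction, remote address and Avast / non-Avast class per packet
pkts$direction <- ifelse(pkts$src == local_ip, "outgoing", "incoming")
pkts$remote    <- ifelse(pkts$src == local_ip, pkts$dst, pkts$src)
pkts$servers   <- ifelse(org_of[pkts$remote] == "Avast",
                         "Avast servers", "non-Avast servers")

# capture duration per phase in seconds (constructed; the study used 365822 and 152580)
duration <- c(installed = 4.0, uninstalled = 3.0)

# the key step: total bytes per (phase, server class, direction) with tapply()
total_bytes <- tapply(pkts$length,
                      list(pkts$phase, pkts$servers, pkts$direction), sum)
total_bytes[is.na(total_bytes)] <- 0   # groups with no traffic count as 0 bytes

# mean bytes/second = bytes / capture duration of that phase
rate <- sweep(total_bytes, 1, duration[dimnames(total_bytes)[[1]]], "/")

# flatten to the same row layout as the results table
summary_table <- as.data.frame.table(round(rate, 1),
                                     responseName = "mean_bytes_per_second")
names(summary_table)[1:3] <- c("AVG", "remote_servers", "data_direction")
print(summary_table)
```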

Results

A detailed table of total bytes transferred to/from servers belonging to different organisations is available.

Plot: Effect of uninstalling AVG Free on data transfer rate (outgoing data)

Overall data transfer rates were lower after AVG Antivirus Free was uninstalled, and the local machine ceased to contact Avast-owned servers.

Plot: Effect of uninstalling AVG Free on data transfer rate (incoming data)

Table of data transmitted and received before and after AVG uninstallation

AVG          remote servers      data direction   bytes      duration (seconds)   mean bytes/second
installed    Avast servers       outgoing         28487712   365822               77.9
installed    non-Avast servers   outgoing         5230757    365822               14.3
installed    Avast servers       incoming         14736127   365822               40.3
installed    non-Avast servers   incoming         44812390   365822               122.5
uninstalled  Avast servers       outgoing         0          152580               0.0
uninstalled  non-Avast servers   outgoing         1768410    152580               11.6
uninstalled  Avast servers       incoming         0          152580               0.0
uninstalled  non-Avast servers   incoming         8057257    152580               52.8

Comments

Background

AVG announced in 2015 that it would supply website visit data to commercial partners, a statement that appears to have unsettled users at the time.[3]

Later AVG came under criticism for being difficult (or perhaps impossible) to remove completely from a machine.

A file overseer.exe was found by some users to have been left behind after uninstalling AVG Free.[2]

Data transfer as revealed by Wireshark in this study

The present study indicates that Avast servers were no longer being contacted by the local machine after AVG was uninstalled.

(However, communication with servers of various other companies, such as Amazon, did continue.)

Subsequent to uninstallation, the file overseer.exe could not be found on the test machine.

It's worth pointing out that AVG scores highly in recent antivirus tests. During the time AVG was running on the local machine, no trouble with malware was encountered. However, that does not prove that some kind of malware had not been present at some time, operating covertly and undetected.

References

[1] https://www.wireshark.org/ (home of Wireshark)

[2] https://www.file.net/process/overseer.exe.html

[3] Beuth, Patrick. "Antivirensoftware benimmt sich künftig wie Spyware". ZEIT ONLINE.