Please restore (option for) client side virus scanning


#1

I can’t find definitive rationale for the switch to VirusTotal - i.e. cloud delivered virus scanning. Could you elaborate on the change and the expected benefit vs. the previous approach of client side scanning? I think kicking users out to a third party’s privacy and licensing agreement is kinda lazy and sucks…

At the very least can you clarify how to read and verify the new approach with VirusTotal e.g. a screenshot of the virus scanning process with VT clarifying what exactly the interface is communicating?

Thanks!


#2

@gwacct

I believe the old version of GlassWire used the Windows Defender API to scan. The API wasn’t documented very well and people were always asking us questions which we couldn’t really answer due to limited documentation.

Since it didn’t work as well as we’d like we switched over to VirusTotal.

VirusTotal is optional and off by default.

The Privacy Policy for VirusTotal and the Terms of Service are available here:


VirusTotal only checks the files you choose to upload and it can’t see any other data from you. Also, we at GlassWire can’t see your network activity or data, and we can’t see your VirusTotal uploads.

https://www.glasswire.com/privacy/


#3

Thanks for taking time. You said, “Didn’t work as well as we’d like”? I’m not sure what this means…

This is how I think about Glasswire: I like Glasswire because of its simplicity and elegance - it’s a convenience product. Glasswire doesn’t provide new firewall or scanning functionality - instead it gathers existing functionality into a simple and elegant interface for firewall and virus scanning.

By default the 2.xx update turns off Virus Scanning from within the interface…now Glasswire is an elegant firewall frontend (arguably 50% of previous functionality)? Re-enabling virus scanning entails trusting and submitting samples to VT (Glasswire punts and asks me to sift through another privacy policy and terms of service to try and figure out what is being submitted - if it’s private? If VT assigns a unique ID to the submitting PC?). This is neither simple nor elegant…

I tried the new interface. The result was “0/66”. I assume this means 0 of 66 of the scan engines VT uses alerted to the file. Who knows though? Does it mean the file is at the front of a queue of files to be scanned? “0/66” is pretty cryptic.

Glasswire can do better. Please start by communicating changes more clearly. My default preference is client side scanning until convinced otherwise.


#4

@gwacct

Thanks for your feedback. We’ll consider adding more scanning options in the future if we get similar feedback from other GlassWire customers.

To see more details about 0/66 click the “i” button when mousing over it and it shows details.


#5

Uhh, do you actually mean REimplementing client-side virus scanning? Glasswire made the decision to drop support for this feature in 2.xx.

Now “cloud delivered” virus scanning (via Virus Total) is opt in - I imagine because VT’s privacy policy raises legitimate concerns. From Virus Total’s privacy policy, the service appears to utilize LSOs (Super Cookies) when their web interface is used. Does this apply when utilizing VT via Glasswire?


#6

FWIW, I agree with gwacct’s comments and request for alternatives, like the old functionality. I will readily admit I didn’t know much about what the old version’s scanning was really doing, and how, who, or what was doing it - but at least I could understand the results better. This discussion has helped. After mousing around a bit and looking at the analysis results, I got a better idea of what VT is doing, but I remain unsure exactly how it does it, and how to use the results.

With respect to how it does it, exactly what does it “send” to VT? File names and hashes? The whole file? Perhaps with user configuration, data, or information embedded in or with it? Better understanding of exactly what and how Glasswire & VT interact and deal with the applicable software/data/etc., and how VT protects files from mutation or compromise as it reviews them, would be nice to know. Perhaps critical in some circumstances. For example, are exe files, if sent to VT, encrypted during transit? If the file in question is simply analyzed by a resident scanner already on my computer, few of these questions are relevant - unless of course, the scanner does the same thing VT is doing. This certainly suggests to me that some alternatives, including use of scanners already on a user’s machine, might be preferable.

With respect to how to use the results, this question pops up primarily because they leave interpretation up to the user. For example, on one file I scanned, Panda says “generic suspicious”, and 67 other services/scanners/whatever say it is OK. At least they don’t say it is malware. So is it OK? It is up to me, and how much I trust Panda. There don’t seem to be any guidelines on how to make the judgement. And when I ask for a “scan” it sometimes says “queued to analyze”, but never completes - it just goes away and leaves the app as “unscanned”.

So, it appears to me that VT is a good service for experts to use, but leaves a lot of interpretation and learning up to the user, unless the user is already an expert. Which is why a simpler alternative, like your prior approach, might be good to use for more routine checks.

There are a million other questions and comments that could follow from these meager thoughts. I will spare those who have read this far from any more. Suffice it to say I think gwacct has a worthwhile point, and it has led me to ask for more information on what and how Glasswire interfaces with VT and how to use the results, as well as consideration of alternatives.

Thanks to all who might have read this far, for your consideration and/or suggestions.


#7

This is an interesting topic! Here are my two cents worth.

  1. VirusTotal is a very reputable service. It has been run by Google since 2012. I have been using it for quite a long time with Microsoft Sysinternals utilities, Process Explorer and Autoruns. Those allow you to scan via VirusTotal every running process, startup program, service, driver, scheduled task, etc. on your system against 60+ antivirus engines, just by submitting a file hash of the scanned files.

  2. 60+ AV engines is certainly way more powerful than just relying on Windows Defender, or your one AV of choice, trusting them to have the latest up to date signatures for all the malware. Crowd-sourcing at its best! 0/60 means that none of the AV engines detected anything. Sometimes you will see one or 2 hits, but they would usually be false positives, especially with the lesser known AV engines.

In my opinion, your local AV has already scanned the files on your PC, so why not get a second opinion from 60+ of the world’s finest scanning engines? What is there to lose?


#8

I think you crystallized the big issues for me. Is Virus Total slurping data in exchange for virus scanning services? VT’s section on “Information we collect to provide you with the services includes:” gives pause with talk of unique identifiers, local storage, etc…

If I’ve paid for a product - e.g. Glasswire, I don’t expect data to be slurped. The exchange is money for software, not data to be monetized for software.

Glasswire advertises “Privacy & Security Features” on its splash page. Privacy and Security are hard to get right. Glasswire has been sloppy with this decision and this version upgrade. Is GW’s priority my personal privacy & security or are they angling to sell the product and move along?

For me, it’s an uninstall and moving along…


#9

Right, I understand that point of view regarding data collection and respect that.

But we are talking about an OPTIONAL feature in Glasswire, that you can disable with one click.

Implementing a scan in GW with your local antivirus is redundant, because your local AV should have real-time scanning enabled by default. All executables on your local system will have already been scanned on file access, so really no point in scanning again when they access the network. That is not really the job of a firewall anyway, it’s just a second opinion scan in this case.

But anyway, there are probably many users such as myself that consider VirusTotal scanning a bonus feature, but since it can be disabled, it should not be an issue for anyone. Uninstalling it appears to be unnecessary overkill. If you otherwise like the program, just customize to fit your requirements. :grinning:


#10

You are correct, VirusTotal is optional.

Just to be clear, VirusTotal is off by default and must be turned on under the top left GlassWire menu under “settings”. Even if VirusTotal is on it will only use your data if you manually analyze something, or if you turn on the “automatically analyze” feature. The “automatically analyze” feature will only analyze network related apps that access the network.

VirusTotal does not want to use much data because it will waste their own bandwidth, so it almost always uses and checks hashes (a small string of numbers). VirusTotal will very rarely need to upload an entire file, but we put a notice on the settings window that GlassWire will use some data.

On top of this VirusTotal can only be turned on by the admin of the PC and it is locked off by default.

This screenshot below is from someone who has turned VirusTotal on (I did). Please note VirusTotal is off by default with GlassWire and with the settings shown below you have to manually click “analyze” to use the feature at all with one file at a time.
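
The hash-only lookup described in posts #7 and #10, and the "x/y" ratio asked about in posts #3 and #6, shown as an added example that is not part of the thread and is not GlassWire's code. It assumes the public VirusTotal API v3 file-report format; the sample report is constructed, and how the denominator is counted is an assumption.

```python
import hashlib

# Public VirusTotal API v3 file-report endpoint. That GlassWire calls this
# endpoint is an assumption; the thread does not say.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

def sha256_of(path, chunk_size=65536):
    """Hash a file locally. In a hash lookup only this digest is sent."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def lookup_url(path):
    """URL of the lookup: it carries the digest, not the file name or content."""
    return VT_FILE_URL.format(sha256=sha256_of(path))

def summarize(report):
    """Reduce a parsed v3 file report to (flagged, total, flagging_engines).

    Returns None when the service has never seen the hash; only then would a
    client have to upload the whole file to get a verdict.
    """
    if report.get("error", {}).get("code") == "NotFoundError":
        return None
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Assumption: the denominator counts engines that returned a verdict.
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    engines = sorted(name for name, r in attrs["last_analysis_results"].items()
                     if r["category"] in ("malicious", "suspicious"))
    return flagged, total, engines

# Constructed sample report modelled on the case in post #6 (one engine flags).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 0, "suspicious": 1,
                            "undetected": 67, "harmless": 0},
    "last_analysis_results": {
        "Panda": {"category": "suspicious", "result": "generic suspicious"},
        "ExampleAV": {"category": "undetected", "result": None},
    }}}}
UNKNOWN_HASH = {"error": {"code": "NotFoundError", "message": "not found"}}

if __name__ == "__main__":
    flagged, total, engines = summarize(SAMPLE_REPORT)
    print(f"{flagged}/{total} flagged by {engines}")
    print("unknown hash:", summarize(UNKNOWN_HASH))
```

A digest does not expose file contents, but it does tell the service which known file is present on the machine.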