jberg712
Contributor

Kaspersky Poses National Security Risk from FCC

Hi,

Lately because of the Russia/Ukraine ordeal going on, I've seen a couple of articles indicating Kaspersky  posing a National Security Risk.  This was indicated in an article by PCMag.com.  

I'd like to know what Check Point's response is to this new development since Kaspersky plays a part in the Anti-Malware blade of Endpoint Harmony.

Jonathan

Lzm
Collaborator

Please refer to sk178309

Chris_Atkinson
Employee

Alternatives have been available for some time.

A list of relevant resources has been gathered by a community member here:

https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-Kaspersky-free-client-version-availabl...

jberg712
Contributor

Thanks Chris,

We are aware that the Bitdefender engine has been available for a couple of years or more and would require a request to get.  But what I'm really asking and want to know is: what is Check Point's response to this matter?  Are they going to be discontinuing use of Kaspersky?  Are they highly recommending a change from using the Kaspersky based Endpoint?  

If the situation with Kaspersky is TRULY that serious, I figured I would be getting more notification from the Check Point Harmony team stating because of the state of things, we recommend such and such.

Is there anything like that or has Check Point made any statement?  Because I haven't seen any.  And it's not just Endpoint.  I believe the Anti-Malware engine on the gateways still uses Kaspersky unless the removal was done back in R77/R80 when that was available.

_Val_
Admin

I am not sure what kind of statement you need. As mentioned, we do provide an alternative. Also, we do not use Kaspersky per se, we do use the SDK of it, for static file analysis only, with certain EPS only, as the SK above clearly states.

We did use Kaspersky SDK in GW versions, yet those are out of support for a while now. Please check sk118539 for details.

Every third party product we use goes over security review, and the fact it was used at some point indicates we consider the code running in the products safe. 

If those SKs are not enough for you, or you need a legally binding document (which is not the case in this comment), please reach out to your local office or to TAC and ask for an official statement. 

jberg712
Contributor

Val,

I'm not necessarily looking for a legal document.  I'm looking for something that was similar to the article posted about the Apache Log4j vulnerability.  (sk176865).  It was in the news feed on the support center and spoke in general about the vulnerability since it was a big deal.  It may just be my opinion, but the Russian ordeal is quite a big deal and to have some sort of statement much like the Apache Log4J incident that explains the scenario and what the recommendation to customers is.  I'm essentially asking for it to be on the forefront of notifications since there is some involvement with the Kaspersky product.  I haven't received any security notification from Check Point nor have I seen an article being displayed on the news feed page with information pertaining to this. 

My concern is this, that because I've seen articles on other sites with concerns being posted about Kaspersky and I'm getting notified about, I would hope to see that the security product I use that has some involvement with this product in question would be putting things out on the forefront and notifying customers of the situation at hand.  I would hope also that Check Point would be the first to notify customers or at least give some sort of indication to let everyone know about any developments with the involvement of a product or component in question/concern, and not have to find out from 3rd party sources which seems to be the case.

I could be wrong and I apologize if I am, or there could be a technical issue with my subscriptions, but I do subscribe to get notifications of security issues/incidents from Check Point.  I have yet to hear, receive, or see anything on the Kaspersky ordeal without digging into Check Mates... does that make sense?

_Val_
Admin

I understand the urgency, please allow me to answer some of your concerns.

We do investigate all vulnerabilities, once announced, especially those relevant to our products, one way or another. Log4j impact is huge, it is a critical CVE with lots of implications. Hence we did provide an immediate response to that one. There are also other similar cases, for each CVE that may affect our products. 

The issue with Kaspersky is, it does not have any actionable information security researchers can work with. There is intelligence (as in military intelligence) and allegations that some very specific Kaspersky products were used to gather intelligence on foreign governments and individuals. It is important to note, those allegations were made about certain very specific endpoint security products of Kaspersky's own, and they do not mention any third party, Check Point, or otherwise. Such statements may and most probably do have merit, but in all the articles I personally viewed over the last two years, those statements were made without a body of proof.

USA did flag Kaspersky based on the mentioned incidents/claims back in 2018 and also banned it from use in any of the federal offices. At the same time, acting on that concern, we started removing parts of Kaspersky SDK based solutions from our own products.

The last remaining product family with Kaspersky SDK is Harmony, and yet again, we do provide a Kaspersky-free alternative to those customers who do not want or are not allowed by law to use Kaspersky in any form.

I am glad you mentioned Log4j, because unlike that specific vulnerability, our researchers do not have any technical actionable information that would indicate Kaspersky SDK use poses a security threat. I do stress the fact we review all third party code before using it in our products. That includes all parts of our offerings, and we take this very seriously.

For that matter, we are unable to make any actual statement of Kaspersky to be a direct verifiable security threat. We just do not have the proof. But not just us, there are no actual CVEs that would indicate the code we use from them is a threat.

This does not mean Kaspersky SDK is safe. It only means, there is no proof it is not. We did review it, and we did not find any sign of misuse or compromise, but there is always room for a mistake. Because of that, we provide the only information we see 100% accurate, actionable and verifiable.

If you want or need to have Kaspersky-free security products, the mentioned SKs are the information sources you are looking for. We do understand that security concerns should be addressed. Hence, EPS without Kaspersky can be easily provisioned for you through the official channels.

Finally, if you search the community, you will find at least a dozen discussions related to this topic, some of them years old, with the same SKs and reasonings as we mention today.

I hope this makes sense. If you need any additional assistance, let me know. 

jberg712
Contributor

Val,

What you wrote right there, in my opinion, is right on the money.  I would honestly love to see Check Point put that statement in a news article, SK article, email notification, etc. to inform customers based on the recent developments.  And I would point out that a publication like this would be based more on the timing of the situation at hand more than anything else.  

In response to that and your statement, I would base my reasoning on what I'm reading, that it was only just very recent that the Kaspersky free products were offered on the web for download.  Initially it always had to be requested from TAC for the updated version.  Obviously in regards to the recent changes, to have some sort of publication or notification to customers while we are getting wind from other sources more and more about Kaspersky I believe would be appropriate.  Also a recommendation and information about what would happen going forward in light of the ongoing situation I would also believe to be appropriate at this time.  Yes I do know that this was an option back in 2018 and has been available for some time, but I feel like there hasn't been much weight in providing adequate information.  I say that because it was just now that I've been hearing about this and the recent article published in PCMag that I've felt the urge to seek out something more decisive that would need to be done.  In the past when I've inquired about this from TAC, the info I would get was that the Kaspersky based clients would be the better option to stick with.  I was never informed of the 2019 SK article nor did it present itself in any of my previous searches about the DHS compliance.  If there was more weight placed on that for certain organizations/customers OR a bigger recommendation made/push, then I probably wouldn't be writing this post to put more weight on the subject.  Because from some of your comments, it still feels like this is just 'an option' and not a recommendation.  I feel like based off of the circumstances and the timing a full on recommendation would be presented.  If not, then at least the explanation you gave above to be presented to customers on the timing of these developments would suffice.

Thanks,

JB

_Val_
Admin

The explanation I gave is not SK format. Ask your account manager to issue an official statement.

J_B
Collaborator

Hi, I found this statement that Check Point have on their website, so it might be what you're looking for?

Removing Kaspersky Components from Check Point Products - Check Point Software

I've highlighted one of the key points below.

If I do not disable or remove Kaspersky components from my Check Point products, am I at risk?
Check Point continuously and rigorously monitors and tests its entire product suite for vulnerabilities. To that extent, we have not found any evidence to suspect that Kaspersky code, or any other 3rd party code included in it, will compromise our customers’ security.

jberg712
Contributor

Thank you J_B.  This is more what I was looking for.  Even though this is for what happened back in 2017, this is still and even more relevant from the recent developments.  

the_rock
Legend

Good point @jberg712. I read the article, but for anyone interested, it's below:

https://www.pcmag.com/news/fcc-warns-that-kaspersky-poses-national-security-risk

Andy