AVG Response
Initial thoughts and response to AVG linkscanner #wa
AVG is doing some interesting things. I think that my own perceptions of what they are up to are biased by my own interest in web analytics - after all, regular users of the software really don't care what their AV is doing.
Useragent filtering
The web analytics platform that I am most used to is Unica Affinium NetInsight, both in the on-premise (and possibly logfile based) and on-demand (hosted, and thus most likely to be JavaScript pagetag based) versions.
Due to the logfile-based nature (at least historically) of NetInsight it has always had the need to filter out Robots/Spiders, monitoring agents and all sorts of other garbage that litters the data. As such it's trivial to segment away or exclude the current AVG useragent, either in your own installation or, with a brief request to the on-demand team, from your hosted install.
Of course, this is already broken - AVG already seem to be altering the useragent string to something that looks completely real, which makes it impossible to block on the useragent alone.
Understanding AVG
The main thing that I would like to know about right now is the sort of environment that AVG presents to JavaScript - what sort of screen resolution, locale, plugin list, cookies etc.
If the above presents a recognisable fingerprint it would then be possible to filter based on these multiple criteria.
Of course, it may be the case that it presents the actual environment of the host, which would make things much harder to work with, although I don't think that this is likely to be the case.
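As an added illustration (my own, not AVG's code and not from the original post), the following Node.js snippet shows the two filters discussed so far side by side: the useragent match from the 'Useragent filtering' section and the multi-criteria fingerprint on the fields a pagetag collects from this section. The sample hits, the scanner token `ExampleLinkScanner`, the environment heuristics and the threshold are all constructed assumptions; nothing here describes what AVG actually sends.

```javascript
// Added example: two ways an analytics pipeline can segment out a link
// scanner's hits. Neither the sample rows nor the heuristics come from AVG;
// the scanner token and environment values below are constructed.

// Fields a JavaScript pagetag typically reports alongside the request.
// All four rows are constructed sample hits, not captured traffic.
const SAMPLE_HITS = [
  // 1: ordinary browser visit
  { ua: 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0',
    screen: '1280x1024', lang: 'en-GB', plugins: 4, cookies: true, referrer: 'http://www.example.com/' },
  // 2: scanner that still names itself in the useragent (constructed token)
  { ua: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ExampleLinkScanner/1.0)',
    screen: '0x0', lang: '', plugins: 0, cookies: false, referrer: '' },
  // 3: scanner behind a real-looking useragent but a bare JS environment
  { ua: 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0',
    screen: '0x0', lang: '', plugins: 0, cookies: false, referrer: '' },
  // 4: scanner that mirrors the host environment: indistinguishable here
  { ua: 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0',
    screen: '1024x768', lang: 'en-US', plugins: 3, cookies: true, referrer: 'http://search.example/?q=x' },
];

// Constructed token; a real deployment would use whatever the scanner
// actually sends, for as long as it keeps sending it.
const SCANNER_UA_PATTERNS = [/ExampleLinkScanner\//i];

function uaLooksLikeScanner(ua) {
  return SCANNER_UA_PATTERNS.some((re) => re.test(ua));
}

// Each check yields one signal. None is decisive on its own (a bookmark
// visit has no referrer; cookies can be disabled), so they are counted.
function environmentSignals(hit) {
  const signals = [];
  if (!/^[1-9]\d{2,3}x[1-9]\d{2,3}$/.test(hit.screen)) signals.push('screen');
  if (!hit.lang) signals.push('lang');
  if (hit.plugins === 0) signals.push('plugins');
  if (!hit.cookies) signals.push('cookies');
  if (!hit.referrer) signals.push('referrer');
  return signals;
}

// Verdict: useragent match first, then the fingerprint threshold.
function classifyHit(hit, threshold = 3) {
  if (uaLooksLikeScanner(hit.ua)) {
    return { verdict: 'scanner', reason: 'user-agent' };
  }
  const signals = environmentSignals(hit);
  if (signals.length >= threshold) {
    return { verdict: 'scanner', reason: 'fingerprint:' + signals.join(',') };
  }
  return { verdict: 'human', reason: 'none' };
}

// Split a batch into the rows to keep and the rows to exclude.
function segmentHits(hits, threshold = 3) {
  const keep = [];
  const exclude = [];
  for (const hit of hits) {
    (classifyHit(hit, threshold).verdict === 'scanner' ? exclude : keep).push(hit);
  }
  return { keep, exclude };
}

const result = segmentHits(SAMPLE_HITS);
console.log(`kept ${result.keep.length}, excluded ${result.exclude.length}`);
```

Rows 2 and 3 are excluded, by useragent and by fingerprint respectively; row 4 passes, which is the point made above: if the scanner presents the host's real environment, nothing in the hit itself gives it away and the segmentation has to fall back on behaviour across hits (timing, paths crawled) rather than any one request.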
How AVG executes
JavaScript pagetags typically create the URL that they are going to request from a complex block of code. I propose (and I stand to be corrected, as AV isn't my thing) that there are four main options for how AVG can function.
- Static analysis of the JavaScript
- Sandboxed execution of JavaScript
- Sandboxed execution of JavaScript that allows the tag to 'fire' to the outside world
- Actual execution of JavaScript
Now - I don't *think* it's doing static analysis, although I have colleagues that know about such things - I'll have a word on Monday.
I hope (for the sake of AVG) that it isn't executing the code for real - that would open up the opportunity for malicious exploitation - although we may be able to exploit it ourselves. :-)
Which leaves some form of sandbox. This should be easy enough to implement as JavaScript runs in one anyway. AVG would just need a separate instance. The real question is what does the sandbox provide for an environment and how is it allowed to interact with the rest of the world - at least we know that it allows extra requests to be made.
References - further reading
http://www.grisoft.com/ww.72
http://www.grisoft.com/ww.faq.num-1066#faq_1066
http://www.grisoft.com/ww.faq.num-1188#faq_1188
Disclaimer
All this is pure speculation, but it almost makes me want to sign-up to see what it does.
All for now. Comments/thoughts via usual channels