Should You Buy Kaspersky Security Products?

As the war in Ukraine intensifies, both in the physical and cyber arenas, many Western companies are cutting ties with Russia in protest. You can’t watch Netflix in Novgorod, buy Intel chips in Irkutsk, or dine at McDonalds in Moscow. Major credit card providers have suspended operations in Russia, and global banking exchange Swift has cut off Russian banks. Why, then, would anyone consider buying antivirus protection from (as one reader put it) “a goddamn Russian company” like Kaspersky?

Kaspersky's situation continues to worsen, with additional US government agencies, as well as overseas agencies, blacklisting the company. Even bug bounty and report clearinghouse HackerOne has banned Kaspersky. These bans, blacklistings, and censures still don't come with any hard evidence of inappropriate behavior, but their sheer volume begins to add up.

This isn’t the first time Kaspersky has come under fire for its Russian origins. In September of 2019, the Federal Acquisition Regulation Council put forth a policy forbidding federal agencies(Opens in a new window) to purchase Kaspersky products. The policy didn’t come with a list of justifications, and it affected only government entities. Kaspersky remained fully available to you, me, and any other American individuals. Prior to this policy, in 2017, the Department of Homeland Security issued a Binding Operational Directive instructing federal agencies to discontinue all use of Kaspersky(Opens in a new window) products.

Around that time there was an incident, cited by some as evidence of malfeasance by Kaspersky, involving a secret NSA document. An NSA consultant, against protocol, copied the document to his own laptop, which was protected by Kaspersky Anti-Virus. Like most antivirus tools, Kaspersky forwards suspicious files to the cloud for analysis, including this sensitive file. When the company’s researchers realized what they had received, they immediately deleted it. End of story. Neither the NSA nor any other US agency took further action because it’s not against the law to obtain classified data by accident.

Kaspersky has recently taken flak for protecting Russian government websites(Opens in a new window) and sites belonging to assets such as TASS, GazPromBank, and the state-owned TV network. Critics point out that IP addresses for websites such as the Russian military’s mil.ru point to servers owned by Kaspersky. That’s true. Kaspersky’s Business branch offers a service to protect client websites against DDoS attacks and other web-based dangers, and the Russian government is one such client.

It's true that the evidence here doesn’t prove more than a business relationship. The well-known security company CloudFlare offers a similar service, mostly for Western companies. In addition, CloudFlare has declined requests from Ukraine(Opens in a new window) to stop working with Russian companies. It's hard to blame Kaspersky for failing to disengage when CloudFlare won't.

Taking a page from the US government's playbook, Germany's cyber authority has advised citizens and organizations to stop using Kaspersky's products. This advice doesn't come with any evidence of wrongdoing, just a suspicion that Kaspersky might be forced into letting its products become conduits for cyberattacks, a suspicion that Kaspersky vigorously denies(Opens in a new window).

The FCC maintains a "Covered List" of companies "that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons." Kaspersky is among the latest additions to this list, along with a few Chinese telecom carriers. The FCC reports basing this action on the earlier DHS ban on Kaspersky, not on new evidence, but it's always possible these agencies have evidence that they just can't share. Certainly, identifying Kaspersky as a risk to national security is a strong statement.

Government agencies aren't the only ones cutting ties. Kaspersky has long been a big supporter of HackerOne, an international company coordinating vulnerability reports and bug bounties, to the point of co-sponsoring HackerOne events at security conferences. Recently, HackerOne suspended its connection with companies in "regions subject to payment sanctions," including Kaspersky. Kaspersky riposted, pointing out that it's an international company, not a Russian company. Until things settle, if you discover a bug in a Kaspersky product you can report it directly to the company(Opens in a new window).

There’s no doubt that Kaspersky’s founding in 1997 took place in Russia, nor that its co-founder and CEO Eugene (Евгений) Kaspersky is a Russian national. The company maintains a headquarters division in Moscow. But is the modern Kaspersky a “Russian company?”

I asked my Kaspersky contact why American consumers shouldn’t avoid Kaspersky due to its Russian origins. He pointed out that the company is now a fully global entity, not limited to Russia or any country. “Kaspersky is a private, international company with its holding registered in the UK and its data processing infrastructure located in Switzerland. Our local businesses are run by local entities…The company operates in 200 countries and territories and has been in business for 25 years.”

As noted, Russian government agencies are among the company’s clients, but Kaspersky denies any deeper connection. “Kaspersky has no political ties to any government,” stated my contact, “and has customers in the private and public sector all over the world.” He went on to point out “Kaspersky’s global research and analysis team continues to generate research exposing the activity of advanced threat actors, including those related to the conflict in Ukraine.”

Here's a thought. Kaspersky operates in "200 countries and territories." What if the company pulled out of just one country—Russia? There's no changing history, but stepping away from having headquarters in Moscow would surely be a positive move.

There’s no doubt that Kaspersky’s research team has exposed many threats and threat actors, including the notorious NotPetya attack(Opens in a new window) in 2017. This one’s especially significant because Kaspersky’s experts determined it was designed to disrupt online activities of the Ukrainian government.

Kaspersky’s technical experts also reported in detail on HermeticWiper and associated attacks(Opens in a new window) that coincided with Russia’s physical invasion of Ukraine. Kaspersky’s report points out that these malicious tools were “used in recent cyberattacks in Ukraine.” However, it doesn’t finger Russia as the perpetrator.

Note, though, that failing to ID Russia as the perp here is not necessarily a bad thing. Peace officers can match a bullet to a gun with ballistics, and forensic experts can even determine the origin of a poison gas, but malware isn’t physical, and needn’t retain characteristics identifying its origin. Security giant ESET is headquartered in Slovakia, which shares a small border with Ukraine. This company’s researchers, despite heroic efforts, could not find any proof to attribute HermeticWiper and the related attacks to Russia, or to any specific threat actor.

My Kaspersky contact made sure to point out that “Kaspersky regularly partners with law enforcement authorities…aiding investigations with technical consultation or expert analysis of malicious programs. We also collaborate with international law enforcement agencies in the ongoing fight against cybercrime.” Indeed, from the Simda botnet takedown(Opens in a new window) in 2015 to the more recent group effort wiping out Emotet(Opens in a new window), Kaspersky has been a major player in international cybersafety cooperatives.

All this discussion would be less relevant to consumers if Kaspersky published crummy or even mediocre software. However, experts worldwide agree that Kaspersky’s antivirus and security suite products do an excellent job. In my reviews of antivirus products, I reference test results from four antivirus labs around the world. Kaspersky’s technology routinely takes perfect or near perfect scores. For example, for the last five years (except for one blip in 2017) Kaspersky has earned either a perfect 18 points or a near-perfect 17.5 in every test by AV-Test Institute(Opens in a new window), based in Magdeburg, Germany.

Austrian lab AV-Comparatives(Opens in a new window) assigns Standard certification to products that pass its tests. Those that go beyond the minimum passing score can earn Advanced or Advanced+ certification. Looking at the tests that I follow from this lab over the last five years, Kaspersky has earned Advanced+ in about seven of every eight, and Advanced in the others.

Out of five possible certification levels from London-based SE Labs(Opens in a new window), Kaspersky has always received the top AAA-level certification. MRG-Effitas(Opens in a new window), also based in London, puts products through grueling tests in which passing requires near-perfect scores. Kaspersky, unlike many competitors, has passed all of these.

We at PCMag pay attention to these impressive scores. Adding our own hands-on testing and analysis, we’ve seen fit to award several Kaspersky security products our Editors’ Choice imprimatur.

In theory, there’s always a possibility that the clever, helpful antivirus utility conceals a backdoor or some other malicious code. In practice, that would be nearly impossible, because the competition would expose such chicanery.

Keeping a security product viable requires a research team, to stay ahead of the malware coders. In addition to looking for new trends in malicious software, teams from every major security company put legitimate software to the test. If Kaspersky’s antivirus software included any backdoors or illicit behaviors, the competition wouldn’t hesitate to shine a light on it. Independent testing labs also put security products through rigorous analysis, beyond measure its efficacy against malware. Some labs, like Google’s Project Zero, are devoted entirely to finding security flaws in products of all kinds. If Kaspersky’s products contained any poison code, we’d almost certainly know it.

While the modern, global Kaspersky may not truly be a Russian company, it certainly doesn’t qualify for any “made in America” awards. On the other hand, security companies perceived as American, such as McAfee, Norton, and Webroot, all have research labs and branch offices around the world. Webroot prides itself on its US-based tech support, but call tech support for most security companies and you’ll get an offshore call center. I’d be hard-pressed to point to a security company that’s all-American.

It's true that Kaspersky employees located in Russia could be fined or even locked up for saying anything that remotely discredits the Russian military(Opens in a new window). But the key phrase here is "located in Russia." That Moscow headquarters puts a drag on Kaspersky's ability to distance itself from Russia the way Apple, AMD, Intel, and dozens of other tech companies have.

At PCMag, our expertise lies in evaluating products, not international relations. Based on their merits, we still give high marks to Kaspersky’s security products. However, with the increasing censure and criticism of Kaspersky by US government agencies, foreign agencies, and informed third parties, we can no longer recommend that you buy Kaspersky’s products. Please, make another selection—we’ve evaluated dozens and dozens of products in the security realm.