Kaspersky Internet Security 2016: Huge amount of browser AJAX requests

Today I installed Kaspersky Internet Security 2016 (KIS) on my desktop PC. After that I wanted to do some web development (APEX stuff to be more precisely).

I started Firefox and opened the Firebug console. What a suprise!
I saw repeating AJAX calls at least once a second. For other (non-APEX) webpages there were even like 5-20 AJAX calls per second!

kis_ajax_calls

01-11-2016 IMPORTANT UPDATE:
Please see Theo’s comment regarding a permanent solution you
can configure from inside KIS. Thanks Theo!

First thing I thought was that my Kaspersky security settings weren’t properly setup. So I started to disable things like Web-Antivirus, etc. No matter what I did, things did not get better.
Even removed the Kaspersky browser-addon, but that didn’t help either and removing was a challenge by itself!

Looking at their forum I learned that a lot of Web Developers complain about this strange behaviour. Because the javascript console gets filled-up with useless GET requests it’s hard
to keep a good overview. Now here is the best feature of it all: There’s no possibility in the KIS GUI to turn this behaviour off!

The only way to get rid of that rubbish is to end the running KIS instance. Ending KIS is not a good thing as it leaves you with no protection at all.

Apparently, Kaspersky has found a new way to protect your browser:

KIS seems to acts as a proxy. If you open a webpage in Firefox some piece of javascript code (main.js) is added to the page and starts doing funny things:

As far as I can tell it scans the DOM nodes, parsing URLs and the like and then starts doing AJAX GET requests in the format http://ff.kis.scr.kaspersky-labs.com/D40CE322-391C-4D4A-94C8-F533E3A8B77C/2130D62E-55A7-054C-8B6F-588219E92B05/from
These AJAX requests are then intercepted by KIS with a “200 Request has been forbidden by antivirus”.

So that’s a nice way how the browser communicates with KIS. You just have to love the good Kaspersky folks!

ok, how can you protect yourself against this?

1. KIS does not look into HTTPS traffic, only HTTP traffic
It’s a good idea to use HTTPS anyway, I propose you switch from HTTP to HTTPS whenever possible.

2. Deinstall Kaspersky Internet Security 2016 and get your money back!
If enough people do that, it will hopefully stimulate them to add a “disable” option to the KIS GUI. I hate it when software takes total control, without any possibility to turn things off.

3. Write some javascript self-defense code
As I find this kind of stuff interesting and it’s javascript anyway, I thought why not take a look and write a bit of javascript self-defense code.

Warning: The below is just a quick-and-dirty proof of concept. To make this fully work you’d probably have to test many edge-cases.
I verified the code against Firefox and Chrome.

The javascript code basically overwrites the window.setTimeout function with my own version that first checks the call stack.
If it detects kis.scr.kaspersky-labs.com somewhere along the call-chain, then the call is prevented. All other calls are allowed to pass through and get executed by calling the original window.setTimeout function.

Cheers
Filip

7 thoughts on “Kaspersky Internet Security 2016: Huge amount of browser AJAX requests”

  1. Hey, check this permanent solution performed from inside KIS.

    https://www.reddit.com/r/privacy/comments/3frjqw/psa_kaspersky_injects_remote_javascript_into_all/

    This worked for me:

    Kaspersky application
    Settings Page
    select “Additional” section on left side
    select “Network” settings

    Monitored Ports
    [ ] Monitor all network ports
    [X] Monitor selected ports only _Select…_

    Click the Select… link
    – Remove: HTTPS on port 443
    – Remove: HTTP on port 80
    – Remove: any/all other HTTP if you use those frequently
    – Bottom of the list, UNCHECK “Monitor all network ports…”

    Close the Network Ports window

    Close the settings window

    # re-open chrome or whatever
    # load webpage
    # view source (ctrl-U)
    # injection script should be gone.

  2. Hi Theo,

    I just tried the solution you mentioned and it works beautifully!
    I’ve updated my blog post to point people to your comment, so that they can activate the permanent solution from inside KIS.

    Thanks mate!

    Filip

  3. Thank you Theo, that worked a treat.

    It was twisting my melon using Firebug, the console kept filling up with logs of these ajax requests, all is good now and I can relax

  4. Maybe this can help (using GUI) for KIS version >16.0.1:

    Settings -> Additional -> Network -> Inject scripts into web traffic to interact with web pages.

Leave a Reply

Your email address will not be published. Required fields are marked *