Kaspersky deletes itself, installs UltraAV antivirus without warning
Starting Thursday, Russian cybersecurity company Kaspersky deleted its anti-malware software from customers’ computers across the United States and automatically replaced it with UltraAV’s antivirus solution.
This comes after Kaspersky decided to shut down its U.S. operations and lay off U.S.-based employees in response to the U.S. government adding Kaspersky to the Entity List, a catalog of “foreign individuals, companies, and organizations deemed a national security concern” in June.
On June 20, the Biden administration also announced a ban on sales and software updates for Kaspersky antivirus software in the United States starting September 29, 2024, over potential national security risks.
In July, Kaspersky told BleepingComputer that it would begin closing its business and lay off the staff on July 20 because of the sales and distribution ban.
In early September, Kaspersky also emailed customers, assuring them they would continue receiving “reliable cybersecurity protection” from UltraAV (owned by Pango Group) after Kaspersky stopped selling software and updates for U.S. customers.
However, those emails failed to inform users that Kaspersky’s products would be abruptly deleted from their computers and replaced with UltraAV without warning.
UltraAV force-installed on Kaspersky users’ PCs
According to many online customer reports, including BleepingComputer’s forums, UltraAV’s software was installed on their computers without any prior notification, with many concerned that their devices had been infected with malware.
“I woke up and saw this new antivirus system on my desktop and I tried opening kaspersky but it was gone. So I had to look up what happened because I was literally having a mini heart attack that my desktop somehow had a virus which uninstalled kaspersky somehow,” one user said.
To make things worse, while some users could uninstall UltraAV using the software’s uninstaller, those who tried removing it using uninstall apps saw it reinstalled after a reboot, causing further concerns about a potential malware infection.
Some also found UltraVPN installed, likely because they had a Kaspersky VPN subscription.
Not much is known about UltraAV besides being part of Pango Group, which controls multiple VPN brands (e.g., Hotspot Shield, UltraVPN, and Betternet) and Comparitech (a VPN software review website).
“If you are a paying Kaspersky customer, when the transition is complete UltraAV protection will be active on your device and you will be able to leverage all of the additional premium features,” UltraAV says on its official website on a page dedicated to this forced transition from Kaspersky’s software.
“On September 30th, 2024 Kaspersky will no longer be able to support or provide product updates to your service. This puts you at substantial risk for cybercrime.”
“Software update” behind forced switch to UltraAV
A Kaspersky employee also shared an official statement on the company’s official forums regarding the forced switch to UltraAV, saying that it “partnered with antivirus provider UltraAV to ensure continued protection for US-based customers that will no longer have access to Kaspersky’s protections.”
“Kaspersky has additionally partnered with UltraAV to make the transition to their product as seamless as possible, which is why on 9/19, U.S. Kaspersky antivirus customers received a software update facilitating the transition to UltraAV,” it added.
“This update ensured that users would not experience a gap in protection upon Kaspersky’s exit from the market.”
The company states that UltraAV has a similar feature set to its products and asked customers to review a FAQ page on UltraAV’s website or contact its support team for more information.
A Kaspersky spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
The fact that they were able to do this without needing to update the software is concerning, makes me wonder what they were able to do so far below everyone’s radar.
Also, from an attempt to research it, it seems UltraAV is generally not trusted for a good reason, but I can’t find if it’s confirmed malicious or not.
They sent email describing this move beforehand.
I think the idea was that customers paid for antivirus, so Kaspersky can’t leave them without one. There is a chance to get a virus if your PC is somehow exposed and suddenly loses antivirus.
Still shady, but at least I can see the reasoning.
Wow. They remotely installed someone else’s software, “uninstalled” theirs, AND some people are reporting that if they uninstall the new surprise software, it somehow reinstalls itself.
Way to prove that everyone’s fears were completely valid.
It looks like OP posted an AMP link. These should load faster, but AMP is controversial because of concerns over privacy and the Open Web.
Maybe check out the canonical page instead: https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/
Shades of Microsoft’s Windows 10 forced update.
If you feel that your software has to deceive your user, take a long, hard look at what you’re doing.
Between this and CrowdStrike I’m starting to notice that AV software is just as big a liability as actual malware.
words words words words words words words words words words words words words words words words words words words words words words words words words words words words words words words words
I think we should start looking into the terms of privacy and security even more now before we actually accept them… quite sure that we are allowing many apps to have the same access without knowing.
The only way this could’ve been more rapey, is if they also downloaded a new U2 album and set it as the login music.
(mods, this rule is hated. thoroughly.)
The fact that they were able to do this without needing to update the software is concerning,
No it isn’t. Every AV software (essentially) runs with administrative permissions. Every AV software (essentially) has the ability to self-update, which means it can add and remove administrative components.
Literally any AV product you’ve installed can do the same thing, and there is no harm from doing this?
Yeah I can see why people don’t trust it.
People just seem to ignore this. I have the email and it clearly says what they’re gonna do.
The terms of service probably has a caveat that they need to obligate.
The fact that this can happen at all on Windows is also concerning from a technical standpoint. I assume this is because antivirus has to run with some sort of elevated privileges level in the first place?
AND some people are reporting that if they uninstall the new surprise software, it somehow reinstalls itself.
Any decent antivirus is going to prevent you uninstalling it without using the uninstall program, else a malicious program could just uninstall the antivirus
But I specifically removed the amp in the URL!
You should know that you’re giving your anti-virus a back door. That’s how any of that works.
Do you know, if you miss the mark, does editing your comment fix it, or do you have to delete the old one and post it again?
It’s a breach of consumer trust. You didn’t pay for and install UltraAV, you installed Kaspersky. The fact that they installed another AV without alerting customers with enough time or giving them an option to opt out is bad commercial practice at best and fraudulent at worst.
Edit: and saying there is “no harm done” is a straight up lie. You don’t know where that AV came from or if you can trust it. And it’s like ordering a pizza and getting served a hamburger, and the waiter telling you that there is no harm done