Uninstall your anti-virus says Amazon, if you want to work for us from home

Shouldn’t Amazon be encouraging its staff to have better security than this?


With over 400,000 new malware variants being seen every day by research labs around the world, no-one with any security nous would seriously recommend that regular computer users lower their security.

And yet, Amazon appears to have some strange stipulations for those who are interested in being a "Seasonal Work-from-Home Customer Service Associate".

All you need is a Windows or Mac computer, and a decent internet connection. Amazon will supply you with a headset and some training, and soon you could be earning $10 an hour for up to sixty hours a week, on shifts between 3am and midnight.

Before you all rush to apply, however, check out the small print.

Job requirements

The following programs must be uninstalled to meet the computer requirements:

  • All 3rd Party Anti-virus programs such as McAfee, Norton, AVG, Kaspersky, Avast, Comcast Constant Guard
  • Any other previous work from home software should also be uninstalled
  • Unused versions of Cisco AnyConnect Mobility Client

If you run Windows 8.1 or Windows 10 then you *must* run Microsoft Windows Defender, says Amazon.

As I describe in my latest YouTube video, the problem is that, according to independent testing labs, Microsoft Windows Defender simply isn't as good at finding malware as the top-tier anti-virus products - including some of the ones that Amazon named.

If you own a Mac then... well, you're shafted. Mac OS X doesn't come with a real anti-virus program, and Amazon is insisting that you don't run anything to boost your Mac's security while you work for them.

Anything which reduces computer security is a bad idea.

AmazonAmazon would have done better to provide a list of recommended security products rather than insisting on one that isn't commonly thought of as top-notch. And it should open its eyes to the need for Macs to be protected too - even though it's true that there is much much much more malware for Windows.

After all, customer service reps working from home are presumably logging into Amazon systems and entering passwords. They are having conversations with Amazon customers, on their own computers, in their own homes.

It's easy to imagine how malware might end up infecting some of these work-from-home customer service associates' computers, and could end up stealing private information of the staff member, customers and even Amazon itself.

Hat-tip: Thanks to @The_InfoSecGuy for first bringing this to my attention.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

, , , ,

61 Responses

  1. scg

    September 19, 2016 at 6:00 pm #

    use Linux problem solved.

    • Jaime in reply to scg.

      September 19, 2016 at 6:56 pm #

      Great solution — so tell me, which version of Linux is "Windows 8.1, Windows 10, OSX 10.9, OSX 10.10, or OSX 10.11"?

      • Ronnie in reply to Jaime.

        September 19, 2016 at 8:36 pm #

        Run Win 10 within Ubuntu

        • Chris in reply to Ronnie.

          September 20, 2016 at 10:22 am #

          Great, so your VirtualBox Win 10 environment gets compromised, which is connected directly to your home network, which you are using every shift to enter passwords and stuff. But hey, your otherwise little-used Ubuntu environment is clean as a whistle right?

          Smug Ubuntu (and Mac) users who don't actually understand security are smug.

      • Matt in reply to Jaime.

        January 1, 2017 at 1:42 am #

        oh all them 1oo% lol!

    • PDA in reply to scg.

      September 19, 2016 at 7:11 pm #

      Not much on reading comprehension, huh?

      • Bob Blumenfeld in reply to PDA.

        September 19, 2016 at 7:41 pm #

        I suspect those four words are this visitor's knee-jerk "solution" to any and all Windows "problems". This person's religion is Linux.

    • jhansonxi in reply to scg.

      September 19, 2016 at 8:04 pm #

      Would avoid most of the malware problems but I suspect they're using a VOIP client that doesn't support anything other than Windows (and Wine is iffy). The prohibition on satellite connections is probably due to latency which is a significant concern for VOIP (their typical 500mS latency also inhibits VPNs due to limits of TCP error control). But Linux could be used as a host for a Windows VM allowing easy backups and recovery when the latter gets pwned.

      I'm surprised they don't provide a Chromebook with a compatible VOIP client instead and ask for a security deposit. Wouldn't matter what the employee's personal system is then.

      • pda in reply to jhansonxi.

        September 19, 2016 at 8:26 pm #

        Not just Windows, OSX as well so, in theory, Linux should be operable. And it is does not avoid most malware problems. Where do you people come up with this stuff? Go check the CVEs for Linux specific issues or exploitdb.

        • jhansonxi in reply to pda.

          September 19, 2016 at 8:47 pm #

          Linux and OS X are not binary-compatible so unless their VOIP client is ported to Linux it won't work. The Windows version might work on Wine but it's iffy. You should probably learn more about Linux if you're going to start quoting CVEs about it.

          • pda in reply to jhansonxi.

            September 19, 2016 at 9:56 pm #

            Know plenty about linux and bsd and osx. My point that your assertion was they most likely are using a VOIP process that is only compatible with Windows. Lacking in reading comprehension like the initial poster I see.
            My point is that if using something that is developed for Windows and OSX, Linux should not be out of the question.

    • Laverne in reply to scg.

      September 19, 2016 at 8:04 pm #

      It's sad when Linux fanboys can't read, isn't it?

      • pda in reply to Laverne.

        September 19, 2016 at 8:27 pm #

        Right?

        • Laverne in reply to pda.

          September 21, 2016 at 3:47 pm #

          Right.That knee jerk reaction of theirs always amuses me. They are so desperate to have everyone worship their precious OS. Through the years I've used Windows, Linux, and Mac OS. I use Windows when I want to get down to business, Linux when I feel like tinkering and I have the time and the patience. I can't tell you how many days I've wasted tracking down command line workarounds that didn't work for the particular older laptop I was setting up. And the idea that Linux always works wonders on older machines is a myth. Some of these older laptops have internal quirks that do not play well with Linux. Naturally the fanboys aren't going to admit that. Not everyone wants to tweak their machines. To each his own.

    • A Computer User in reply to scg.

      September 28, 2016 at 3:57 am #

      LMAO!! Listen to this guy! Just use Linux. It's the solution to all your problems… except for a few small issues:

      1. Good luck trying to run .EXE or .DMG files on Linux. Even Wine is real flaky at best with some programs.

      2. Do you guys really think the average user is going to know how to use something like a MacOS emulator or VirtualBox, ESPECIALLY when VirtualBox needs Guest Additions installed for some devices to even work properly on a 64-bit guest OS?

      3. The Guest Additions are in .ISO format. Not everyone even knows what an ISO file is, or even how to mount it properly in Linux.

      4. VirtualBox won't even show 64-bit guest operating systems by default on some computers. Seeing as you NEED a 64-bit OS to be considered for this position, that puts the brakes on the whole idea of working for Amazon. You need to enable virtualization in the BIOS on some machines to fix this. Many people don't even know what a BIOS is, let alone how to get into the BIOS, as there are different ways to get into the BIOS, depending on the motherboard. Some boards use Escape, others use one of the function keys (most commonly F1, F2, F10 or F12) and still others use the Delete key.

      5. Some older motherboards don't even support hardware virtualization. Which means you can forget about using ANY 64-bit OS on VirtualBox, as it will not even list your operating system as installable. Which means you won't be able to work for Amazon.

      Think before you post.

    • A Concerned Citizen in reply to scg.

      October 26, 2016 at 11:39 pm #

      Oh really? And are you going to teach people how to use Linux? Most people barely know how to use Windows. You really think people are gonna be able to use Linux? :P

  2. pda

    September 19, 2016 at 6:24 pm #

    You do not think that Amazon has a scanner on their end of the connection doing verification of the systems? Sounds to me like they are expecting users to use a VPN and that can definitely have a scanner on the other end before granting access. It would also be rendered ineffective if other AVs are fighting the scans. Lame write-up.

    • jhansonxi in reply to pda.

      September 19, 2016 at 8:15 pm #

      Any existing malware on the client would render a remote scan useless. The remote scanner would either have to run on the client CPU or dump the entire drive across the VPN. Either way, a rootkit on the client can easily hide from any remote scan by hiding it's process or substituting unmodified files in place of infected files in realtime. A remote scan also wouldn't include persistent infections in the BIOS or hard drive firmware.

      IOW, Windows Defender is mediocre but it running locally is better than any remote scan that Amazon could do.

      • pda in reply to jhansonxi.

        September 19, 2016 at 8:24 pm #

        Not if they plan on installing a scanning client. That is how we run our remote systems and it operates just fine. This is obviously all conjecture about their intentions but I can assure you that Amazon will not knowing and willingly allow unchecked systems on to their network.

        • jhansonxi in reply to pda.

          September 19, 2016 at 8:43 pm #

          Installing a scanner on the client is only useful if the system is in a known safe state. Since Amazon doesn't own and control the client systems then any remote scanning or apps they install are not secure. If it was already infected then the scanner can be lied to since it doesn't have full control of the system. Installing secure software on an unsecure system doesn't make it secure. With persistent infectors in hard drive firmware then even scanning the drive in a different system isn't reliable (and may infect that system also).

          • pda in reply to jhansonxi.

            September 19, 2016 at 8:53 pm #

            If the firmware was infected it would not matter what was or was not installed. That being said, yes there are scanners that can pick up firmware issues. You may want to check out some enterprise level scanners before jumping in with blanket statements. Yes I can install one of my clients on a system and yes I can determine if it is or is not secure from the standpoint that the scanner can tell. Malware can disguise itself, true but real scanners are not simply looking for definitions, they seek about behavior.

            So no, not owning a system does not render installing a client "not secure".

            Where do you guys come up with this stuff? Seriously?

            Continue believing what you want to believe. Know that you are not correct but I will not try to enlighten you.

  3. v.o.r

    September 19, 2016 at 6:36 pm #

    One solution would be to have a dedicated older or low-end computer only for performing the job (i.e. no browsing or apps except as explicitly required for performing the job). Unfortunately, those who are most in need of a $10/hour seasonal job are least likely to be able to afford a disposable device. Perhaps Amazon should include one with the headset.

  4. daniel

    September 19, 2016 at 6:50 pm #

    well since they need you to uninstall old vpn software you can kinda figure its because they need to install their own VPN… which most antivirus would probably reject and as the user would be using a vpn may not need the protection anyways… and with the severe tax that antivirus puts on a system rarely even helps an end user since they dont have it configured properly in the first place they may not be able to perform their tasks with it installed. im also assuming they would be working off of some sort of remote desktop i am assuming it would force a system scan when user logs in… that is just an assumption though

    • pda in reply to daniel.

      September 19, 2016 at 8:58 pm #

      yes

    • Jason in reply to daniel.

      September 20, 2016 at 10:43 am #

      I'm sorry? If the user is using a vpn they may not need malware protection? Please explain how you arrive at that conclusion. Also, my antivirus has no real-world noticable impact on my system. Sure, a percentage point or two if I'm benchmarking but day to day use? No impact at all.

  5. Bob

    September 19, 2016 at 6:51 pm #

    How ridiculous. It shows how little Amazon care about their customers and their security. I would never remove my internet security solution.

    Windows Defender is a very poor relation and even Microsoft themselves recommend using a proper third-party solution.

    I notice the vacancy is in the United States but this is a high requirement:

    "10 mbps download and 5 mbps upload speed or faster from a reliable provider (no satellite or wireless internet)"

    Apart from the obvious incorrect unit spelling many places are still connected to the copper network. And I assume "wireless internet" means no WiFi or do they mean no cellular internet?

    Most younger people (who I guess this position would appeal to) are unlikely to have an external monitor and keyboard. The majority use phones as their primary devices, followed by laptop, followed by tablet (in order of popularity).

    Most of the fibre connections in the U.S. have fast download speeds but low uploads speed thus 5 Mbps is the exception rather than the rule – especially with Verizon.

    I appreciate this is a homeworking position but $10/hour, really? At the current exchange rate that is £7.66/hour.

    And then you've got 60 hours a week… no thanks.

    • Joey in reply to Bob.

      September 19, 2016 at 7:10 pm #

      VPN, they would have antivirus through the VPN.
      Installing a VPN with antivirus on the machine can be problematic.
      Don't fall for this silly article…it's not explaining the situation correctly.

    • PDA in reply to Bob.

      September 19, 2016 at 7:10 pm #

      The mbps is not incorrect. Means same as Mbps. Were it MBps vs MBps, you'd be correct. Wireless means cellular, metro wireless and wimax solutions but it does also specify direct connect meaning no wireless connection in-house either for that computer. Fiber up over 5 mbps is not unrealistic for the majority of users in the US. Cable and fiber both exceed that by orders of magnitude, DSL not so much. As I stated above the AV issue is most likely made moot by remote scanning solutions that kick in when attaching to the VPN.

    • towerguru in reply to Bob.

      September 20, 2016 at 12:09 am #

      I know someone who works for them. Yes no-WiFi must be hard wired directly to the modem or router. They connect a VPN then to a computer on amazon's side via remote desktop. The also use a soft phone, previously you had to have a phone line too.

  6. A. Schmidt

    September 19, 2016 at 7:03 pm #

    This is just another reason why I tend to go to Amazon last when I'm looking for something, and even then I think twice or more. They have turned into the biggest scumbag retailer on the 'Net, but their customers are so bloody dumb they jes' keep 'a buyin' stuff from them, come hellerhiwater.

    • pda in reply to A. Schmidt.

      September 19, 2016 at 8:58 pm #

      WTF are you on about?

      • Chris in reply to pda.

        September 20, 2016 at 1:24 am #

        not his meds…

  7. Barbara E.

    September 19, 2016 at 7:05 pm #

    I know nothing about this Amazon work-at-home program (other than what I've read here) but don't be so quick to make fun of its low pay and/or *ridiculous* requirements. Seriously, a $10/hour work-from-home job could be a godsend to many, many people in the US. Not everyone makes $50/hr.

    • jonn in reply to Barbara E..

      September 19, 2016 at 7:21 pm #

      There are other privacy problems. Amazon might be looking at what else you have on your computer. The people who do not have a desktop with 64 bit are also out of luck. This would be a throwaway desk top with nothing else connected and no personal programs. Then Amazon can deal with the malware and spies.

  8. M G

    September 19, 2016 at 7:14 pm #

    I'm guessing they are trying to make it easier for them to spy on the people working for them

    • pda in reply to M G.

      September 19, 2016 at 8:57 pm #

      no

  9. Jim Berry

    September 19, 2016 at 7:17 pm #

    On the one hand, all the Antivirus programs that Amazon cited have been hacked over the last couple of years. But, for them to suggest the removal of any but a Microsoft product, crosses the border of nonsense.

    I had used Windows Defender for years. It really did a pretty good job detecting malware and malicious programs. But, beginning with Windows 8, Microsoft injected their own antivirus to the program. And made it pretty much useless.

    Also, though I am no expert on work-from-home programs, $10.00/hr doesn't seem like much for a customer service position.

    Thanks for the informative article, Graham. And your time. Be well!

    • pda in reply to Jim Berry.

      September 19, 2016 at 7:55 pm #

      $10 for customer service is on par with basic customer service positions. Defender was around before Windows 8, as stated above by myself and others: they most likely have their own AV solution and scan your system prior to connecting. It would make zero sense to ask a bunch of unsecured computers to join your secured systems otherwise. The article is telling a true story but not form both sides. I would wager the author has an issue with Amazon so chooses not to elaborate as to the true reason for the setup specifications.

  10. r00tb33r

    September 19, 2016 at 7:33 pm #

    Use a virtual machine.

    • pda in reply to r00tb33r.

      September 19, 2016 at 8:57 pm #

      Won't help as those can be discovered and they can just say kill it or you won't get the gig.

  11. Robert Riddell

    September 19, 2016 at 7:55 pm #

    Judging from the comments on here, there are quite a few people who do not understand how an enterprise network solution actually works. Amazon is doing fine, all the armchair IT Support Specialists on here, not so much.

    Robert Riddell
    A+
    Security+
    MCSE (Microsoft Certified System Engineer)
    SCSA (Sun Certified System Administrator)

  12. Windows SUx

    September 19, 2016 at 8:05 pm #

    You guys are missing the point. It is well known in the dev community that this type of software actually creates more vulnerability to your OS which is a principal reason why OSX doesnt ship with cheesy software.

    This write up sux.

  13. D.S.

    September 19, 2016 at 8:15 pm #

    This is most likely done so that Amazon can deploy their antivirus solution to all of their employees and ensure compliance. If you already have a 3rd party antivirus on your system, it would likely cause problems. The author did not research this article very thoroughly.

    • pda in reply to D.S..

      September 19, 2016 at 8:56 pm #

      yes

  14. another user

    September 19, 2016 at 8:21 pm #

    actually, they want you to uninstall that so they can put tracking software on your machine.Tracking software is commonly used in enterprises and anti-virus software can easily detect it.

  15. Stoshy

    September 19, 2016 at 8:53 pm #

    This is why we have virtual desktop applications.

  16. FaQ

    September 19, 2016 at 9:32 pm #

    He forgot to mention also that you need to be living in certain states: Arizona, Colorado, Delaware, Florida, Georgia, Kansas, Kentucky, Michigan, Minnesota, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, Tennessee, Washington, West Virginia, Wisconsin, Virginia.

    I do understand that this article is about AV software installed on their computer, but if people are interested anyway in finding about applying.

  17. Paul

    September 19, 2016 at 10:41 pm #

    Compared to most, this is secure. I've worked on some Banking (extremely large bank) VPN that will only work on Windows XP with IE 6 or 7, (not even 8). No, this is not from 10 Years ago… it was earlier this year. They're Juniper VPN client would not work on Windows 7,8,10 machines. We were trying to get a Windows 7 Professional box to connect and flat out were told we had to "downgrade" the computer to XP.

  18. Bubble Gum

    September 19, 2016 at 10:56 pm #

    Nothing wrong with Windows Defender I actually prefer it over McAfee and Norton bloatware!!

  19. someone

    September 19, 2016 at 10:58 pm #

    Use VMware with a disposable virtual machine OS. Problem solved.

  20. Chris

    September 20, 2016 at 1:20 am #

    Just use a "dumb box", a non-essential secondary computer. PCs are like $300 new, and more than likely you have an unused one in a closet somewhere from when you bought your current one. If it gets infected, just re-install the OS.
    It's not rocket science, it's "work-from-home".

  21. Tommy T

    September 20, 2016 at 3:04 am #

    Lookup "wireless internet service provider" (WISP). This is likely one of the things they don't want in a worker, as its speeds are pretty low, although better than satellite internet (Hughes, Exede and the like).

  22. Cyberwolfman

    September 20, 2016 at 5:21 am #

    BFD, just set up a second computer and keep nothing of your personal data on it and don't surf the web on it. If you ONLY use it for work then you shouldn't pick up any viruses or malware.

  23. FakeOneDust

    September 20, 2016 at 8:15 am #

    Is common sense people. Amazon is a multi billion dollar company. They are not going to hire you and not be able to monitor your home computer from their home base. The first thing they are going to do is install a key logger on your computer. To see everything you type to people. They are also going to control your camera and microphone. They need to see how you are treating their customers.

  24. Mike

    September 20, 2016 at 9:15 am #

    for 10 bucks a hour i think i could find better work and save myself the hassle

  25. Mailsphere

    September 20, 2016 at 11:03 am #

    They're probably using a key logger and screen scraping to track what the customer service associate is doing. Both of which are red flags to an AV.

    They could easily configure exceptions within the AV's and this could be documented for the most common products, but there is a chance that they built in AV capabilities into their monitoring tool which is why a 3rd party solution would cause issues.

  26. Greg

    September 20, 2016 at 1:03 pm #

    $10 an hour? Pass…

  27. Techno

    September 20, 2016 at 5:53 pm #

    Well, whatever, thanks for the link to the independent study, I think I will avail myself of one of those top rated products now, I didn't realise that Windows Defender was so poor.

  28. Fred

    September 22, 2016 at 4:29 am #

    Windows Defender protects more Windows 10 computers than any other AV solution, and Microsoft recommends using Windows Defender. See https://www.microsoft.com/en-us/windows/windows-defender for details. (Disclaimer: I work for Microsoft.)

Leave a Reply