Antivirus false positive on ransomware and keylogger for MikTex & TexStudio?

[Wrichik Basu]

TL;DR Summary

Is my antivirus giving false warnings while installing TexStudio and MikTex?

I decided to set up $\LaTeX$ in my PC, windows 7, 32 bit. The pc has a legal version of QuickHeal Internet Security antivirus.

I downloaded TexStudio and MikTex. When I started installing TexStudio, QuickHeal said that the installer file was a potential keylogger, and put it into quarantine.

I couldn't find any evidence online of something similar happening with others, so I set the antivirus to exclude the installer, and could successfully install TexStudio.

When I started installing MikTex, while the installation was half-way through, QuickHeal said that there was a ransomware in MikTex files, and stopped the installation. The only way to install now is to switch off the antivirus completely during the installation process, and then setting it to exclude the MikTex folder.

Can anyone confirm these are false warnings? I know that QuickHeal isn't a very good antivirus, but my father isn't ready to discard it before the license expires. I got similar warnings when I installed Frizing. Is there a chance that the installer file is getting corrupt while downloading? Or are these just false warnings that I can overlook?

 

[jedishrfu]

Dont be too quick to turn your settings off as you may be among the first of many.

Recently, some common repositories have been infected with malware. Apparently these malware dolls have decided to destroy their own source of free code.

 

[jedishrfu]

Here's some dated discussion on latex being infected or not and some false alarms due to files with names that match known malware but weren't.

https://tex.stackexchange.com/questions/134656/full-version-of-tex-live-malware-checked

 

[jedishrfu]

And here's a cautionary article on it:

https://www.usenix.org/system/files/login/articles/73506-checkoway.pdf

 

[Wrichik Basu]

I am actually helpless, I think. Keeping in mind your links @jedishrfu, perhaps it will not be safe to continue with the installation of MikTex (I can uninstall TexStudio too). But again, so many people in the science community are using these, and they haven't complained.

Is there any place where I can upload the files for a check? QuickHeal doesn't seem to have such a service.

By the way, can such problems exist in the portable version as well?

 

[DrClaude]

Can you get a specific indication which file(s) is getting flagged?

 

[Rive]

Is there any place where I can upload the files for a check? QuickHeal doesn't seem to have such a service.

I think they have something (I don't know if it is active or not).
Generally, switching off the protection during install is not a good idea. Uninstall would not be any help, by now any half-decent malware would dig in itself. Just try to do a system check with different security software.
Maybe, done by a different machine (with moving the HDD).

 

[sysprog]

It's most likely that you're getting false positives, but just in case, you could try doing what I did:

Direct download for TeXstudio:
https://sourceforge.net/projects/texstudio/files/2.12.14/texstudio-2.12.14-win-qt5.exe/download
I didn't see a checksum there, so I also checked the page at: https://fossies.org/windows/misc/texstudio-2.12.14-win-qt5.exe/
and found checksums, and other useful information, including the github link below:

I then downloaded the same file from:
https://github.com/texstudio-org/texstudio/releases/download/2.12.14/texstudio-2.12.14-win-qt5.exe
Then, after checking the byte count:

I ran WinMerge (an open-source freeware file comparison utility) to verify that the file contents were identical.

You can find that utility here:
http://winmerge.org/downloads/index.phpThat page has a link for the SHA-256 checksums for WinMerge.

I don't think anyone's going to corrupt the same file on both sourceforge and github. I ran the installer on a test machine and it ran fine. Then I launched the program, it loaded fine.

If you run it before installing MikTex, you'll get a warning with a link for installing it or a similar product so you can save your pages to PDF.

For MikTex, the direct download is here:
https://miktex.org/download/ctan/systems/win32/miktex/setup/windows-x64/basic-miktex-2.9.7031-x64.exe
The https://miktex.org/download page has the SHA-256 hash for verifying the file.

Here's a link to a tutorial page (with links to free utilities), that explains how to use the SHA-256 hash to verify the file: https://www.maketecheasier.com/verify-md5-sha-1-sha-256-checksum-windows10/

Bottom line: The files I got from the above sources were not corrupted and had no malware. Once you do the same verification for your copies, I think you can safely whitelist them in your AV product.

 

[Wrichik Basu]

Can you get a specific indication which file(s) is getting flagged?

Nope, QuickHeal deleted the corrupt file before I could do anything, and aborted the installation. The deletion is not present in the reports.

 

[sysprog]

Nope, QuickHeal deleted the corrupt file before I could do anything, and aborted the installation. The deletion is not present in the reports.

Quarantined usually isn't the same as simply deleted. QuickHeal may have 'moved' the file to a quarantine folder. If so, you may be able to find it there.

 

[Wrichik Basu]

Quarantined usually isn't the same as simply deleted. QuickHeal may have 'moved' the file to a quarantine folder. If so, you may be able to find it there.

The texstudio.exe (suspected keylogger) is still in quarantine, but for MikTex (suspected ransomware), the antivirus completely deleted the file.

By the way, I am working to try out your method.

 

[sysprog]

The texstudio.exe (suspected keylogger) is still in quarantine, but for MikTex (suspected ransomware), the antivirus completely deleted the file.

By the way, I am working to try out your method.

I don't know your AV product, but it could be that it misinterpreted the numerous \ characters in $\TeX$ and $\LaTeX$ code as something trying to do something outlandish with directories -- that's just speculation on my part. If the product has blacklisted the file name, you might, after making sure you have a legitimate version, rename a copy of the file before trying again. You could also try the portable version, or use the command line install with the zip version.

 

[Wrichik Basu]

@sysprog This time, I verified the hash with MD5_and_SHA_Checksum_Utility. The matching was ok, and I installed both MikTex and TexStudio, without any threat.

But QuickHeal says that the main executable file of MikTex is a keylogger, and has quarantined it (see the last file in the list):

Same for texstudio:

I believe I can set the antivirus to exclude these files, right? Seems like false positives.

 

[sysprog]

Here's a link to a list of files in the MikTex distribution: https://miktex.org/Package/Browse/miktex-qt5-bin-x64

Qt5Core.dll is on the list.

I think it's safe to say that if you got it from mktex.org, it's not a keylogger, it's a legitimate file.

However, the Qt platform is used by other applications, and your AV product may recognize that the Qt5Core.dll file is registered to another product in the system registry, and therefore decide that your install is trying to tamper with another product's files. Speculation again: the Qt5core.dll file being common to multiple products, its name may have been used before as part of an exploit, and your AV product may have it flagged accordingly.

Python 3.5.0 |Anaconda 2.4.0 (64-bit) has the Qt platform, and consequently uses Qt5Core.dll.

You could do a global search for that file name, and check whether it's already there as part of another product.

As long as the MikTex version of Qt5Core.dll is installed only within its the MikTex directory structure, I think it's safe to whitelist it in your AV product.

For your recent installs of the 2 products, it may suffice to just hit the restore button on those files, and follow through with allowing it past any warnings.

The Properties dialog for my just-installed copy of texstudio.exe looks like this:

If yours matches that on the created/modified date/time, and on the byte count (there could be a small variance in the size on disk due to different device characteristics), I'd say it's safe to restore it from the quarantine.

 

[Wrichik Basu]

Thanks @sysprog. Restored the files from quarantine. TexStudio is opening properly. I downloaded a .tex file from APS. It opened properly, but when I complied it, there was a problem, "Qt path not found". According to this source, it is the Qt of MikTex. I'll see what I can do and let you know tomorrow.

 

[sysprog]

I installed MikTex, and located the Qt5 files. I noticed while watching the install window that it uses a Unix-style install procedure (adapted for Windows), in which some of the earlier-installed components are passed control to install some of the later ones. I therefore suspect that the intervention of your AV product, which rendered Qt5Core.dll unavailable during the install, was not remediable by merely restoring that library from quarantine, as it was needed for the completion of part of the Qt5 platform subset of the MikTex install.

Here's a Windows Explorer image of the main relevant directory, showing the Qt5 files:

Please note that there should be 601 files in that directory. There is also a profile file that should have been updated to contain the Qt5 path, and I think that the flawed install process prevented that update from being done correctly.

I recommend that you de-install both MikTex and TeXstudio, then whitelist them in your AV product, then re-install them, MikTex first (because TeXstudio will try to find MikTex already installed).

 

[Wrichik Basu]

I recommend that you de-install both MikTex and TeXstudio, then whitelist them in your AV product, then re-install them, MikTex first (because TeXstudio will try to find MikTex already installed).

I also thought that blacklisting of the files could hamper the installation. But you know what? The antivirus is now malfunctioning. No matter how much I tell it to exclude those files and folders, it won't listen. The moment I open TexStudio, it will quarantine the .exe file. And as I open the MikTex console, it will quarantine the Qt file. But now I cannot take it out of quarantine, God knows why. I am asking QuickHeal to restore the files, but it won't.

I will try installation tomorrow by turning the antivirus off completely. I'll keep in mind the order you specified. If it doesn't work even after that, I'll leave it. It's becoming rather frustrating. I spent an hour trying to tell QuickHeal to exclude that folder, but it just won't listen. Even restart of pc didn't solve the problem.

I will keep you posted on the situation.

 

[Wrichik Basu]

Sorry, but the installation attempt was a failure. I switched off the antivirus, but as MikTex was being installed, it blocked the setup wizard:

And then stopped the installation before I could do anything.

I tried again, now it gave a different error:

Basically MikTex wants an empty directory. Windows has denied the setup wizard access to C:\Program Files. If I ask it to install in any other directory, it is giving an error that the directory is not empty. If I make an empty folder and ask it to install there, it is giving the above error.

It seems I have no luck with my PC. Maybe after some months when I buy a laptop, I can try there.

But @sysprog thanks for helping me out to quite a great extent, and also to others for their suggestions.

I am trying to install the portable version, but I have no idea if that would work.

Update: No, it didn't work.

 

[sysprog]

If your Quick Heal product is issuing messages that way, it obviously isn't effectively turned off.

I think the simplest next step would be to start in Safe Mode, which won't start the AV program, and then run the install.

I'm actually kinda ticked off that your AV product is getting in the way of your access to some of the benefit of Prof. Knuth's wonderful work as the originator of $\TeX$.

Here's a photo of him playing his custom-built pipe organ in 2018:

 

[Wrichik Basu]

I think the simplest next step would be to start in Safe Mode, which won't start the AV program, and then run the install.

Good idea. Will try that. Should I choose Safe mode with networking or simply safe mode?

But then again, there is a chance of the antivirus putting the .dll and .exe files into quarantine (as I said, it is not listening to me even if i ask it to do otherwise). Nevertheless, I will try your method.

 

[sysprog]

I recommend without networking. Just bring up what you need for the purpose of getting your install done. The installer wanting to go to the net to make sure you have the most recent version of everything can be denied and disregarded and the install will still complete successfully.

 

[Ampulla]

Do not turn your anti-virus off too quickly. There's no way the software gives a false warning. Everything has a reason. If your downloading is not from the official website, you should scan your computer once again. It's an experience I got from Techgara.

 

[sysprog]

Do not turn your anti-virus off too quickly.

That's good general advice.

There's no way the software gives a false warning.

That's not true; there are many ways for a false warning to occur.

Everything has a reason.

I don't disagree with that; however, that doesn't mean that a diagnostic program is incapable of misdiagnosis.

If your downloading is not from the official website, you should scan your computer once again. It's an experience I got from Techgara.

It looks to me like you're presenting 'drive-by' general advice without having read the thread in it's entirety. It's well-understood here that in general, it's worthwhile to try to keep any errors on the side of caution. In this matter, @Wrichik Basu has painstakingly ensured that the software is from an authoritative source, and is not corrupted.

 

[Ampulla]

That's good general advice.
That's not true; there are many ways for a false warning to occur.

I don't disagree with that; however, that doesn't mean that a diagnostic program is incapable of misdiagnosis.
It looks to me like you're presenting 'drive-by' general advice without having read the thread in it's entirety. It's well-understood here that in general, it's worthwhile to try to keep any errors on the side of caution. In this matter, @Wrichik Basu has painstakingly ensured that the software is from an authoritative source, and is not corrupted.

Sorry for just skimming the first post xD

 

[sysprog]

Sorry for just skimming the first post xD

That's ok, I'm sure you were just trying to be helpful in maybe keeping someone from getting harmed by malware.
Welcome aboard PF, the Physics Forums, from a member who's comparatively new here, too. The forums are well-disciplined, and the Staff members and Science Advisors here, along with the members in general, are very loyally devoted to the PF mission. Thanks for being here as a member.

 

[sysprog]

But then again, there is a chance of the antivirus putting the .dll and .exe files into quarantine (as I said, it is not listening to me even if i ask it to do otherwise). Nevertheless, I will try your method.

Assuming your Windows OS is not corrupted, Safe Mode won't start the AV product, so the AV product will have no chance of interfering with your installs.

 

[Wrichik Basu]

@sysprog Tried in Safe mode, but got this error:

This seems to be a well-known bug over the internet, with no fix unfortunately.

Same error came in Normal mode too (I bypassed the ransomware alert) when I tried later.

 

[sysprog]

Try installing into a directory path that doesn't include spaces in any of the directory (folder) names.

@sysprog Tried in Safe mode, but got this error:

View attachment 243294

This seems to be a well-known bug over the internet, with no fix unfortunately.

Same error came in Normal mode too (I bypassed the ransomware alert) when I tried later.

I suggest that you try copying the installer file into a newly created directory/folder, such as C:\temp01, and when running the installer, specify another newly created directory/folder, such as C:\MikTeX, with no spaces in the directory/folder name, as the target directory/folder. Also ensure that the original installer filename is not changed, including by a (1) or (2) index being inserted into it due it being a subsequent download of the file. If you encounter the problem again, please move the alert box aside before making a screenshot and posting it, so that the content of the window behind it is visible.

 

[James Demers]

I trust you've cloned the drive, and put the clone away in a drawer.

TexStudio comes up clean with just about every other antivirus scanner out there:
https://www.virustotal.com/en/file/...4a7255993b26e42684d949a456415e21fd4/analysis/
It's also hard to believe that you'd get so many roadblocks from a false postiive. I would download the installer from a different source, and try again. If that works, notify the original source ASAP.

 

[sysprog]

I trust you've cloned the drive, and put the clone away in a drawer.

Of course it's a good idea to make some kind of reliable backup.

TexStudio comes up clean with just about every other antivirus scanner out there:
https://www.virustotal.com/en/file/...4a7255993b26e42684d949a456415e21fd4/analysis/

The VirusTotal site that you linked to looks like a useful resource; however, a TexStudio install is not at issue at this juncture; the MikTeX product install is, and the MikTeX installer passes the tests there too. I think it's worth noting that QuickHeal, the AV product in question in this thread, is not on the list of AV engines there.

It's also hard to believe that you'd get so many roadblocks from a false postiive. I would download the installer from a different source, and try again. If that works, notify the original source ASAP.

That seems like a wrong remedy to me. I think that @Wrichik Basu has already adequately verified the authenticity of the installers of both programs, and has now encountered another problem that is probably not related directly to his AV product. I think that his current obstacle may be related to his prior MikTeX install attempts having produced some residual detritus that is interfering with his most recent attempt.

 

[Wrichik Basu]

I suggest that you try copying the installer file into a newly created directory/folder, such as C:\temp01, and when running the installer, specify another newly created directory/folder, such as C:\MikTeX, with no spaces in the directory/folder name, as the target directory/folder. Also ensure that the original installer filename is not changed, including by a (1) or (2) index being inserted into it due it being a subsequent download of the file. If you encounter the problem again, please move the alert box aside before making a screenshot and posting it, so that the content of the window behind it is visible.

Followed your advice word by word. Got the same error:

 

[sysprog]

I had previously not been able to replicate your problem; however, I had been using the 64-bit version. Using the 32-bit version, I was able to replicate the problem when running with (other than the install directory) the default options. When I switched from 'for all users' to 'this user only', the install ran successfully.

 

[Wrichik Basu]

I had previously not been able to replicate your problem; however, I had been using the 64-bit version. Using the 32-bit version, I was able to replicate the problem when running with (other than the install directory) the default options. When I switched from 'for all users' to 'this user only', the install ran successfully.

Thanks, could finally install MikTex properly (I installed in safe mode).

MikTex wants to set the PATH variable to its own bin folder. The variable already has the jdk address. I know I can set multiple addresses with the delimiter ;, but MikTex is not taking this. It wants to be the sole address in the PATH variable.

Any idea how I can keep both addresses (jdk and miktex) in PATH?

 

[sysprog]

Yay! You fixed it! Now you can write $\TeX$ and ftp://ftp.dante.de/tex-archive/info/intro-scientific/scidoc.pdf ($\leftarrow$nice writeup there) stuff to your heart's content. I've rarely had to address any PATH issues since the '80s. Here's a link to a tutorial on modifying the Windows PATH: https://www.h3xed.com/windows/how-to-add-to-and-edit-windows-path-variable

 

[Dr-Flay]

If you are having problems with installing for different types of user, make sure you right-click and run the installer as Admin.When having problems with an AV and installers, simply excluding the installer or folder it is in will not help, as the unpacked files are not the installer, they are new files in a new location.
You have to disable the AV temporarily. If it is still complaining, you didn't actually disable it.

At the end of the install process and before enabling the AV again you can exclude the new program folder.
The problem is that you now lose all protection of the contents of that folder so in future it could be full of malware.

Looking at your picture of the quarantined files it seems to have issue with Qt files in other software, so has obviously borked them or certain features. Either that or you have had a lot of bad downloads.
Looking at Quick Heal ratings, I would say go and buy a magic 8-ball or some lucky heather from a passing gypsy, as it may do much better.
https://www.av-comparatives.org/vendors/quick-heal/Perhaps that is unfair as the AV-Test site does show it has improved this year, but it is up and down like a yo-yo.
https://www.av-test.org/en/antivirus/home-windows/manufacturer/quick-heal/I would suggest you put it to your father that continuing to use it till the end of the current payment is incredibly unwise and downright risky. Sometimes you need to cut your losses and run.
You can get top class protection for free with either Bitdefender, Avira or Kaspersky. They stay in the top 5 more than any others all year long, so you cannot lose out by comparison.
(General rule of thumb) all the best AV offer a free version as they know you are likely to pay for the full thing after using it.
Bad AV do not have free versions or offer a free trial period to force you to buy.

Whatever AV (or OS) you use you should have a VirusTotal or similar extension in your browser for a second opinion, so that all your downloads are scanned my multiple engines (bare in mind VT can be at most 1 month out of date).
You can use the official VT extension https://support.virustotal.com/hc/en-us/articles/115002700745-Browser-Extensions
or alternatives such as https://add0n.com/virus-checker.html and https://www.opswat.com/free-tools/secure-online-downloading
These allow testing of files before you get them or automatically upon finishing download.

If you are not confident in the AV you have it is worth adding more protection the system so that malware can be stopped or do less harm.
https://www.novirusthanks.org/products/osarmor/ (Free)
The tools on that site are useful for all Windows users, with or without AV protection.

 

[elusiveshame]

You can get top class protection for free with either Bitdefender, Avira or Kaspersky. They stay in the top 5 more than any others all year long, so you cannot lose out by comparison.

I would definitely not recommend Kaspersky. The software may be good, but the company behind it isn't, and has been proven that they cannot be trusted.

Avira - I've had a single bad experience with them. I've since moved to AVG Free for the last 9 years (Avira was prior for 5), and I haven't had a single issue or infection with it. I know it's anecdotal, so take that for whatever it is worth, but definitely avoid Kaspersky.

 

[sysprog]

I would definitely not recommend Kaspersky. The software may be good, but the company behind it isn't, and has been proven that they cannot be trusted.

Avira - I've had a single bad experience with them. I've since moved to AVG Free for the last 9 years (Avira was prior for 5), and I haven't had a single issue or infection with it. I know it's anecdotal, so take that for whatever it is worth, but definitely avoid Kaspersky.

That seems like a shameless plug for an ill-mannered package that comes bundled with intrusive popup advertising for paid versions of itself and is not straightforward to remove. If you just use the normal uninstall procedure from Windows, it launches their uninstall wizard, and that process reports that the product was successfully uninstalled, but it's not really true.

Like a bad guest who leaves some of his stuff behind so he can drop by unexpectedly to visit his stuff later, AVG is not completely uninstalled at that point. To completely remove it you have to download their real uninstaller from the vendor's site.

If you don't already know about AVG Clear, which can be discovered from the AVG Resources tab in the AVG product before the uninstall runs, you have find it yourself, or the product will continue to lurk. (Ref: https://smallbusiness.chron.com/completely-uninstall-avg-anti-virus-45439.html)

They tacitly admit that their normal uninstall process is deliberately incomplete. Apparently they want the user to have to experience punishment for trying to uninstall the product before using their real uninstaller.

From https://www.avg.com/en-us/avg-remover

AVG Clear deletes all files associated with your AVG product, including registry items, installation files, and user files. Only use this if your AVG uninstall or repair has failed repeatedly.​

I think that's deeply hateworthy.

 

[elusiveshame]

That seems like a shameless plug for an ill-mannered package that comes bundled with intrusive popup advertising for paid versions of itself and is not straightforward to remove. If you just use the normal uninstall procedure from Windows, it launches their uninstall wizard, and that process reports that the product was successfully uninstalled, but it's not really true.

Like a bad guest who leaves some of his stuff behind so he can drop by unexpectedly to visit his stuff later, AVG is not completely uninstalled at that point. To completely remove it you have to download their real uninstaller from the vendor's site.

Shameless plug? I think you're reading way too much into it. Sure, AVG might leave remnants behind, but why do you want to uninstall it? (FWIW, McAfee, Norton, and a few others do the same). I'd rather have remnants left behind rather than a virus protection software opening backdoors to other government officials. Especially if I have zero plans on removing it (again, why remove something that's actually helping you?)

That being said, Avira, AVG, Avast, etc. all promote their full versions through pop-ups. I was easily able to disable pop-ups on AVG and haven't seen them in years.

I went with my experience and knowledge. If that's a "shameless plug", then I suppose everything anyone says about anything in a positive manner is a "shameless plug". Apparently saying "this is just anecdotal, so take it for whatever it's worth" wasn't a good enough preamble for thwarting ridiculous responses like this.

But yes, if you want outside actors being able to coerce a company into letting them into your workstation, by all means, promote Kaspersky.

 

[sysprog]

Shameless plug? I think you're reading way too much into it. Sure, AVG might leave remnants behind, but why do you want to uninstall it? (FWIW, McAfee, Norton, and a few others do the same). I'd rather have remnants left behind rather than a virus protection software opening backdoors to other government officials. Especially if I have zero plans on removing it (again, why remove something that's actually helping you?)

That being said, Avira, AVG, Avast, etc. all promote their full versions through pop-ups. I was easily able to disable pop-ups on AVG and haven't seen them in years.

I went with my experience and knowledge. If that's a "shameless plug", then I suppose everything anyone says about anything in a positive manner is a "shameless plug". Apparently saying "this is just anecdotal, so take it for whatever it's worth" wasn't a good enough preamble for thwarting ridiculous responses like this.

But yes, if you want outside actors being able to coerce a company into letting them into your workstation, by all means, promote Kaspersky.

I didn't promote Kaspersky, or endorse any product in my post. I deplored the misbehavior of AVG, and chided you for recommending such ill-mannered software. My saying that your recommendation of AVG "seems like a shameless plug of an ill-mannered package" was intended mainly to castigate AVG, and the word "shameless" was partly intended as play on your username. I didn't mean to be too reproachful of you.

From your post:

Sure, AVG might leave remnants behind, but why do you want to uninstall it?

Why should any software company exhibit the effrontery to ask that, or the arrogance to leave things behinds and falsely report to the user that the product is de-installed? Your apparent nonchalance about that is not shared by me. I find it fully hateworthy (detestable).

You mentioned Avast, which is in my opinion just as bad as AVG in this regard.

From https://www.avast.com/en-us/uninstall-utility:

Uninstall our software using avastclear
Sometimes it's not possible to uninstall Avast the standard way - using the ADD/REMOVE PROGRAMS in control panel. In this case, you can use our uninstallation utility avastclear.

1. Download avastclear.exe on your desktop
2. Start Windows in Safe Mode
3. Open (execute) the uninstall utility
4. If you installed Avast in a different folder than the default, browse for it. (Note: Be careful! The content of any folder you choose will be deleted!)
5. Click REMOVE
6. Restart your computer

The statement "Sometimes it's not possible to uninstall Avast the standard way" is meretricious; in fact it's never possible.

The fact that other programs, such as Avira, of similar functionality are similarly ill-mannered does not justify recommending any of them.

Well-behaved programs don't try to defy the user when he wants to deinstall them, and they don't "leave remnants behind" when they are de-installed.

If I have any suspicion that a program package I install might be reluctant to be de-installed, or "might leave remnants behind", I will usually install it "under the watchful eye of Revo Uninstaller", which logs all changes to the system made during the install process, so that all of them can be undone during any future uninstall.

Proper backup procedures are much better than relying on AV programs.

 

[Dr-Flay]

I used to promote AVG as a good option when they were a good company with consistent performance.
Since Avast bought AVG it uses the same definitions, so is as good/bad as each other at file recognition.
Avast/AVG/Piriform sell your activity to 3rd parties.
When the pro packages expire they stop updating as they do not offer a free mode, thus leaving you behind and insecure.

The perceived Kaspersky threat is based on Politics not the actual evidence of what went down.
Kaspersky did/does nothing different from any other good AV. When an unknown file is seen it will upload it for analysis.
VirusTotal (owned by Google) is used by hackers and Gov agencies to find secret files in the same way they would end up in any other AV repo, because "Problem in Front of Keyboard", and people send secret files all the time.
It hit the news because.
1) A CIA operative broke the rules and took secret work home.
2) That operative failed to understand that AV will send new files somewhere else.
3) The Russian secret services had infiltrated Kaspersky.
3) Israeli state hackers had infiltrated Kaspersky and were watching the Russians at work.
4) Rather than notify Kaspersky that the Russian spooks were in the system, they notified the US and let the hacking continue.
5) Instead of blaming the CIA operative for the data breach, Kaspersky was seen as a more useful target as the media and general populace will not understand the real implications of how it happened.

Since then all relevant interested parties can have access to the source code for Kaspersky and can compare their own build with the regular distro.
As yet no one has found anything wrong with the code.
As for being the lapdog of the Russian Gov. the actual evidence would seem to show that if info is freely handed over they don't need to waste so much time in hacking the company to gain access. Apparently we are to think they could just use the phone, or walk in and ask.

Back to evidence based security issues, the US agencies have a well proven track record of getting US companies to add backdoors, weak crypto, or just hand over info due to commercial pressure or a 1-size-fits-all warrant.
In the released treasure trove of CIA and NSA hacking tools and docs over the past few years we also see that they had made their own special builds of several AV distros, including AVG, Avast and Kaspersky.

If I am going to draw any conclusions about privacy or security in AV software I would say, stay away from US software because [insert criticism of Russia].

All this aside, what you want is the best in protection, and going by trusted 3rd party tests we see that Bitdefender, Avira and Kaspersky are the top performers when it comes to real-time protection, that also have free versions so you can make up you own mind.
I have to support many users with many different AV so I get to experience the reality of the differences.
To see how they all compared over last year I compared the results from AV-Comparatives.
https://dr-flay.vivaldi.net/2018-anti-virus-comparison/