After the U.S. government banned federal agencies from using Kaspersky Lab software last week, worries rippled through the consumer market for antivirus software. Best Buy and Office Depot said they will no longer sell software made by the Russian company, although one security researcher said most consumers don't need to be alarmed.
The U.S. Department of Homeland Security cited concerns about possible ties between unnamed Kaspersky officials and the Kremlin and Russian intelligence services. The department also said Russian law might compel Kaspersky to assist the government in espionage.
Kaspersky has denied any unethical ties with Russia or any government. It said it will continue to get its product to customers "through its website and other prominent retailers." Kaspersky software is used by consumers in both free and paid versions, available online and in stores.
To uninstall or not to uninstall?
Should other users of Kaspersky software follow the U.S. government's lead? Some companies sought to tread carefully, addressing questions from customers who asked about it without alarming those that didn't.
"We've had few customers raise concerns, but for those that have, we've offered advice on how to remove Kaspersky from their computers," said Craig VerColen, spokesman for Boston-based software provider LogMeIn, which offers Kaspersky as a complimentary perk to small businesses that buy its products.
Nicholas Weaver, a computer security researcher at UC Berkeley, called the U.S. government decision "prudent" — he had argued for such a step in July. But he added by email that "for most everybody else, the software is fine."
The biggest risk to U.S. government computers is if Kaspersky, based in Moscow, is subject to "government-mandated malicious update," Weaver wrote this summer.
Kaspersky products accounted for about 5.5% of anti-malware software products worldwide, according to research firm Statista.
Other experts, however, suggested that consumers should uninstall Kaspersky software to avoid any potential risks. Michael Sulmeyer, director of a cybersecurity program at Harvard, noted that antivirus software has deep access to the user's computer and network.
"Voluntarily introducing this kind of Russian software in a geopolitical landscape where the U.S.-Russia relationship is not good at all, I think, would be assuming too much risk," he said. "There are plenty of alternatives out there."
The government ban should alarm any company that has been relying on Kaspersky's software to protect its business, said Nate Fick, chief executive of computer security specialist Endgame.
"I don't think this is political posturing here, but a sign that there is some real risk," Fick said. As a result, he expects most companies to find an alternative to Kaspersky. "It is all about risk mitigation in cybersecurity, and this is an easy risk mitigation to make," he said.
Best Buy was the first big retailer this month to announce it would stop selling the software. Office Depot followed Thursday. Amazon and Staples are still offering it.
A Russian firm with ties to Russia?
Various U.S. law enforcement and intelligence agencies and several congressional committees are investigating Russian meddling in the 2016 presidential election.
Kaspersky said it is not subject to the Russian laws cited in the directive and said information the company receives is protected in accordance with legal requirements and stringent industry standards, including encryption.
Company spokesman Anton Shingarov said that the U.S. ban was "part of a geopolitical game" and that "there is no proof provided of any improper ties to the Russian government."
Russia also came to the company's defense, with a spokesman for Russian President Vladimir Putin criticizing the ban.