So far this week, separate reports have indicated that Russia exploited software from Kaspersky Lab to trawl US systems for classified data—in at least one case, successfully—and that North Korea hacked into classified South Korean military files. (It’s only Wednesday.) The common culprit? Antivirus software.

While antivirus software ostensibly seems like a benefit—it can stop malware from infecting your computer—many security researchers have expressed reservations about it for years. And though the recent Russian and North Korean incidents involve fairly specific circumstances, they serve as sobering reminders of just how much can go wrong when you grant deep system access to software that may not be as secure as it seems.

None of that means you should trash your personal antivirus just yet. But it's worth understanding what you’re dealing with.

Into the Breach

A quick recap: After months of escalating hostility toward the Russian cybersecurity company and antivirus maker Kaspersky, including its complete banishment from US government agency computers, the New York Times reports that Russia has in fact used Kaspersky antivirus software to probe federal systems for US intelligence secrets.

North Korea, meanwhile, reportedly infiltrated Hauri, a South Korean company that provides antivirus software to that country’s military. By sneaking malware into the legitimate antivirus offering, The Wall Street Journal reports, North Korean hackers were able to grab classified data that included joint US-South Korea planning in event of war.

'AV is pretty much the perfect bugging device on every computer it’s sold on.' Bobby Kuzma, Core Security

Kaspersky denies that it has any direct connection to the Russian government, and the New York Times report that outlines Russia’s intrusion stops short of stating that the company colluded with Russian intelligence. But the two incidents underscore a troubling truth either way: Antivirus software can pose major risks, whether you’re an intelligence service or an everyday computer user.

“AV is pretty much the perfect bugging device on every computer it’s sold on,” says Bobby Kuzma, systems engineer at Core Security. “You’ve got this piece of software that’s in a position to see everything on your computer.”

That privileged status makes it possible for antivirus software to do its job, but also makes it an attractive target to well-heeled hackers.

“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts, and contrary to erroneous reports, Kaspersky Lab software does not contain any undeclared capabilities such as backdoors as that would be illegal and unethical,” the company says in an emailed statement.

But the North Korea incident shows that antivirus companies can be compromised without any sort of backroom agreement. And in fact, security analysts caution, the nature of antivirus makes detecting those vulnerabilities exceedingly difficult.

All Access

Think of it like this: You’re responsible for defending an impossibly large compound, filled with all sorts of tunnels and chambers and rooms, each containing prized secrets. Attacks are near-constant, and your enemies use ever-evolving tools to let them sneak and snoop and steal undetected.

To do your job effectively, you’d probably want to know exactly what’s happening everywhere in that edifice at any given time. A camera in every room, say, or even a guard. You’d want the ability to thoroughly inspect any new deliveries to make sure they don’t contain anything malicious. In short, to achieve your goal of complete protection, you’d have to turn that complex into a Panopticon.

That’s antivirus software. It sees all, it knows all, and it has total access. Which means that if and when someone compromises it—like, say, Russian intelligence services—they, too, have system-wide omnipotence.

And like any software, antivirus can’t promise infallibility. Last year, Google’s Tavis Ormandy discovered critical vulnerabilities across all of Symantec’s antivirus products. And the so-called DoubleAgent attack, discovered this past spring, demonstrated how a Microsoft debugging tool could be used to turn antivirus software into the ultimate spyware.