Avast’s man in the middle
Published February 24th, 2015 at 12:47 PM EST , modified March 5th, 2015 at 10:28 AM EST

The security community is ablaze with news of Superfish being pre-installed on some Lenovo computers. The primary issue concerning experts is that Superfish replaced SSL certificates, used for ensuring secure connections on the internet, with its own certificates. It turns out that the same behavior is being exhibited by software that many people are inclined to trust: Avast’s anti-virus software!
Replacing SSL certificates is a significant security issue. The lock icon shown by browsers when the user is connecting to an “HTTPS” site is an indication that the connection is being secured, using a form of encryption that relies on an SSL “certificate” issued by a trusted certificate authority. So, when you connect to your bank’s website, for example, a certificate is used to encrypt all data sent between your browser and the bank site. This protects you from snoops, who cannot see any potentially sensitive data being transmitted.
What Superfish has done is replace these certificates with one of its own, which gives the software the ability to intercept any data being sent to or from such a secure site. This is what security experts call a “man-in-the-middle attack,” meaning something or someone that interjects itself between two parties attempting to have secured communications. It should be immediately obvious that this is a Very Bad Thing.
Surely this kind of thing could only be done by unethical hackers, right? I mean, Superfish is essentially adware, and in my opinion has now crossed the line into malware territory. So we shouldn’t be surprised at its misbehavior. No legitimate software would ever behave this way, would it?
Don’t be too sure. I received an e-mail from a reader yesterday asking why he was getting an error in Chrome complaining that his connection to Google was not private. The error message pointed the finger at a certificate issued by a certificate authority named “Avast untrusted CA.”
Some testing this morning showed that Avast is replacing Google’s certificate with one of their own. On my test system, though, the Avast certificate was trusted. (I’m guessing the certificate on the affected reader’s system was outdated, and had not been properly updated for some reason.)
As can be seen from the screenshot, the certificate claims to be for Google, but was not issued by the authority that Google actually uses (GeoTrust Global). This means that Avast has complete control over the connection between the browser and Google, and has the power to intercept – or even modify – any data being transmitted.
Okay, who cares, right? I mean, sure, there are some potential privacy issues involved there, but in reality, most people don’t care much if someone’s monitoring their searches. Those who do are probably using a search engine like DuckDuckGo, rather than Google, anyway.
Unfortunately, this issue isn’t limited to Google. Suppose, for example, that you go to the Bank of America site to transfer some funds or pay a bill. As with Google, and as would happen with any other secure site, it turns out their certificate gets replaced with the Avast certificate. I doubt anyone needs me to lecture them on the potential security issues involved in having a third-party watching their banking transactions without permission!
This is an extremely serious issue, but surprisingly, it apparently isn’t new! Searching the web for “Avast untrusted CA” or “Avast trusted CA” shows that people have been aware of this on a small scale for some time. On Avast’s own forums, questions about this are treated as bugs – not because of the potential security issues involved, but because of whatever has caused the user in each case to become aware of the problem, such as the error message that brought this matter to my attention.
It’s unlikely that Avast is using the power to snoop on your communications for malicious purposes. I imagine that they are using this power to monitor secured communications for possible malware. For example, Avast is probably intercepting e-mail being transmitted securely between your mail server and your e-mail client so that it can be scanned for attached malware.
However, the issue here is one of trust. Should you trust Avast with this kind of access to your private information? Avast has essentially chosen to hijack your web browser’s security without your permission, inserting itself as a silent watcher into all your secure communications. Worse, Avast has a history of sometimes showing untrustworthy behavior in the past, such as including an adware component in their avast! Online Security browser extension. This is not behavior that should be tolerated, and I strongly recommend uninstalling Avast immediately.
Even if you trust Avast 100%, however, an added issue is the potential for new security risks. In the case of Superfish, for example, security researcher Robert Graham was able to crack the certificate being used by Superfish, due to a poor certificate password, and could have then launched his own attacks on unsuspecting users using that certificate. If Avast’s security is at all sloppy, their certificate could cause security issues that would not exist if Avast did not tamper with certificates.
To be fair to Avast, it’s entirely possible they are not alone. Other anti-virus software could be behaving in exactly the same way. A quick test of a number of other free Mac anti-virus apps this morning did not uncover any, but I did not test every anti-virus app out there by a long shot. Still, any other anti-virus software that might be doing this should also be avoided.
To determine whether your system might be affected by such an issue, go to www.google.com in Safari. There should be a lock or “https” icon in the address bar, indicating that the connection to Google is secure. Click that icon, then click the Show Certificate button in the sheet window that drops down. The certificate should be issued by Google Internet Authority, which in turn falls under the authority of GeoTrust Global. If you see anything different, you may be the victim of a man-in-the-middle attack. This could be the result of other anti-virus software, or could be due to something else, such as a compromised network connection.
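The same check done from the command line, as an added example that is not code from the article or from Avast: it parses the certificate chain that `openssl s_client -showcerts` prints and flags a chain whose issuers are not the ones the site is known to use. Both chain texts below are constructed samples (the DN strings are illustrative), and `EXPECTED_GOOGLE_ISSUERS` and the `fetch_chain_text` helper are my assumptions.

```python
"""Parse an `openssl s_client -showcerts` certificate chain and flag chains
whose issuers are not the public CAs a site is known to use. Added example
for this article; not Avast's, Apple's or OpenSSL's code."""
import re
import subprocess
from typing import List, Optional, Sequence, Tuple

# Constructed sample: the "Certificate chain" block openssl prints for
#   openssl s_client -connect www.google.com:443 -servername www.google.com -showcerts
# when the public chain reaches the browser intact (DN values are illustrative).
CHAIN_DIRECT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
"""

# Constructed sample: the same site seen through an intercepting proxy that
# re-signs every leaf with its own root. "Avast trusted CA" is the name the
# article reports; the rest of the DN is invented for the example.
CHAIN_INTERCEPTED = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/O=AVAST Software/CN=Avast trusted CA
 1 s:/O=AVAST Software/CN=Avast trusted CA
   i:/O=AVAST Software/CN=Avast trusted CA
---
"""

# Issuer CNs the article says should appear for www.google.com (assumption:
# substring match is enough, so "GeoTrust Global CA" satisfies "GeoTrust Global").
EXPECTED_GOOGLE_ISSUERS = ("Google Internet Authority", "GeoTrust Global")

# One chain entry: "<n> s:<subject DN>" followed by "   i:<issuer DN>".
_ENTRY = re.compile(r"^\s*\d+\s+s:(?P<s>.*)\n\s*i:(?P<i>.*)$", re.MULTILINE)
# CN in either the old "/CN=x" or the newer "CN = x" DN layout openssl prints.
_CN = re.compile(r"(?:^|/|, )CN\s*=\s*([^/,]+)")


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject_cn, issuer_cn), ...] in leaf-to-root order.
    An entry without a CN falls back to its whole DN string."""
    chain = []
    for m in _ENTRY.finditer(text):
        subj, iss = m.group("s").strip(), m.group("i").strip()
        scn, icn = _CN.search(subj), _CN.search(iss)
        chain.append((scn.group(1).strip() if scn else subj,
                      icn.group(1).strip() if icn else iss))
    return chain


def check_chain(chain: Sequence[Tuple[str, str]],
                expected_issuers: Sequence[str]) -> Optional[str]:
    """Return None when every expected issuer appears somewhere in the chain,
    otherwise a short description of the problem. A chain that was re-signed
    by a local root will be missing all of the public issuers."""
    if not chain:
        return "no certificate chain parsed"
    issuers = [iss for _, iss in chain]
    leaf_subject, leaf_issuer = chain[0]
    missing = [e for e in expected_issuers
               if not any(e in iss for iss in issuers)]
    if missing:
        return (f"leaf '{leaf_subject}' issued by '{leaf_issuer}'; expected "
                f"issuer(s) {missing} not in chain; possible interception by "
                "a locally installed root")
    return None


def fetch_chain_text(host: str, port: int = 443, timeout: int = 10) -> str:
    """Hypothetical helper: run the openssl CLI against a live host and
    return its output for parse_chain(). Needs network and an openssl binary;
    the offline samples above do not use it."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=timeout, check=False)
    return proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    for label, text in (("direct", CHAIN_DIRECT),
                        ("intercepted", CHAIN_INTERCEPTED)):
        verdict = check_chain(parse_chain(text), EXPECTED_GOOGLE_ISSUERS)
        print(f"{label}: {'OK' if verdict is None else verdict}")
```

Pointing `fetch_chain_text` at a host and feeding the result to `parse_chain` shows the same issuer names Safari's certificate sheet does, so a mismatch here means the browser is not talking to the site's own certificate.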
Updates
Thursday, March 5, 2015 @ 9:45 am EST: After taking some considerable heat from some folks – including an Avast representative – in the comments below, it turns out that the situation is even worse than I initially realized. Avast is replacing certificates with its own without bothering to check the validity of those certificates!
So what does this mean? Suppose that there’s a malicious site out there that uses HTTPS, in an attempt to trick the user into thinking the site is legit. (Or perhaps a formerly legit site has changed hands and become malicious.) Then suppose the malicious intent of the site is discovered, and the certificate is revoked. Your web browser should warn you that the site is not trustworthy if you try to go there.
If you happen to have Avast installed, no such luck: Avast will replace the site’s revoked certificate with Avast’s own legitimate certificate, eliminating the error and allowing you to navigate to a site that you shouldn’t!
Nobody needs to take my word for this. It’s trivial to test it if you have Avast installed, and have not disabled Avast’s HTTPS scanning: just navigate over to revoked.grc.com, a site designed for testing purposes that uses a revoked SSL certificate. As you can see from the screenshot at right, the site opens just fine, using Avast’s replacement certificate.
You may say that my hypothetical situation above is unlikely to happen. That’s true. However, the news in recent years has frequently carried stories about SSL certificate theft. Hackers can use stolen certificates to execute real man-in-the-middle attacks, tricking your browser into believing that it is visiting a legit site when it isn’t. Stolen certificates are generally revoked after the theft has been discovered, but this vulnerability in Avast will allow those certificates to continue to work.
I’ve had some tips that other anti-virus apps behave the same way, in particular BitDefender, Kaspersky and ESET. However, I was unable to bypass the revoked certificate using Kaspersky, and ESET’s Mac software appears not to do any kind of HTTPS scanning as far as I can tell. The jury is still out on BitDefender, as I haven’t yet been able to download a trial version. (I haven’t received the e-mail I need in order to download the trial software.) I’ll update later, after I’ve tested BitDefender.
This is precisely the kind of security issue that tampering with HTTPS can result in, and is exactly why it should not be done. Case closed.
Thursday, March 5, 2015 @ 10:30 am EST: I finally got a copy of BitDefender’s Mac anti-virus software, and it appears not to be doing any HTTPS scanning. It may do that on Windows – I have to rely on third-party reports there – but as best I can determine, it doesn’t have this problem on the Mac.
Thus far, Avast is still the only one I’ve found on the Mac to do on-by-default HTTPS scanning and to fail to check certificate validity.
Tags: Avast, man-in-the-middle, SSL
67 Comments
Kaspersky Internet Security does this as well. On all platforms.
Good to know. That was not one I tested this morning. I was going to, but the link on the Kaspersky site to the trial version was broken… 😀
Edit: I found the trial version and installed it on a test system, but was not able to verify this. Certificates appeared to be unmodified in all browsers, even with the Kaspersky browser extensions installed. Perhaps it used to do this, but doesn’t anymore, or only does this on Windows?
You need the paid version which includes “web anti-virus”. It did not mask the HTTPS errors when I disabled that component, but it may today.
I thought that this was pretty much required behavior for antivirus software, if they want to be able to scan things coming over https.
That said, I am running Avast on OS X 10.8. There is a trusted Avast root certificate in the keychain. However, certificates appear to be unmodified in Chrome, Firefox, and Safari.
There is a checkbox in “preferences” in Avast that says “scan secured connections”. There is also a whitelist of sites never to scan. Enabling scanning of secured connections gave me a prompt to install a new helper (which I did not install).
Wow…more and more I have been losing the long established trust with Avast. First that da*m savings adware, now this? This is more than unacceptable. Avast, you have just lost $500+ a year. I will be removing it off of every one of my family machines, my personal machine, and recommending my district remove it from every machine on which we use your endpoint anti-virus. You have burned me too much.
Thank you for “showing us how” to check the google cert in Safari. Mine was okay.
I use Sophos for peace of mind and on your previous recommendation.
Aside from Trojans, software installed by the user, is it possible for a Mac to get anything downloaded and installed without permission?
Add kaspersky and eset nod32 to the list as well! I caught this today as well when checking out my root certs.
I found Kaspersky only does this with its Safe Money feature to verify the bank web site.
Ahh, yes, I see that. Looks like you have to explicitly add sites to the Safe Money settings to give Kaspersky permission to do this. Although I still think replacing a site’s certificate is a very serious potential security risk, at least it seems Kaspersky is trying to give the user full control over this behavior, unlike Avast’s “on-by-default” for all secure sites behavior.
This is the only way to check for malware on https traffic. Talk about not knowing the subject.
It is not. Whether it is being transferred via secure protocols or not, actual malware would have to be saved to the hard drive and then executed in order to have any effect. Anti-virus software that includes on-access scanning (including the built-in XProtect in Mac OS X) would catch such malware without having to resort to techniques that require the user to compromise security.
Some malware saves the server response in process memory and executes it without saving data to disk.
If your statement were true, it would apply to HTTP as well. Then there would be no need for any Web Shield in any antivirus in the first place. Yet all major antivirus vendors see the need to implement a Web Shield. And yes, it has something to do with what Fetch says in the previous reply: some exploits/malware can harm you without ever being saved on disk.
Also note that it has been known for a very long time that a single layer of protection is rarely enough, as then any single mistake/bug/vulnerability can nullify the protection at once. Take a look at how castles or fortifications were built since ancient times.
Combine all of this with the information that the web is the most frequent attack vector these days, so one might argue that a Web Shield is more important than a Filesystem Shield these days.
Furthermore, consider that any Filesystem Shield worth its name needs (at least partially) to work in kernel context, ergo it might theoretically do very harmful things to your computer, your data or your privacy, so, using your logic, you should never use it either.
To “fix” this you would need a piece of SW which can decide whether a file or stream of data is malicious without ever really looking at it. Hence, you need the Oracle of Delphi. Unfortunately that’s something no software engineer has been able to implement so far…
The only requirement is that the piece of software doing the MITM alert the user when the original certificate is untrustworthy. Simple, not magic, does not need any new tech, only some quick work.
But then you have to care.
After some problems with my Mac I got a recommendation to remove Avast (referred to as crapware) as XProtect should do the trick (and much better so). I followed the recommendation although I never had any issues with Avast nor with any virus or adware, and guess what!? Today I needed to install AdwareMedic because I constantly got MacDeal ads on screen. So what is the conclusion?
Well, for once, XProtect definitely doesn’t do the trick!
No anti-virus software, including XProtect, does a very good job protecting against – or removing – adware. Using anti-virus software of any kind isn’t the right approach to protecting yourself against adware.
I don’t see anything wrong. If you are using the Chrome browser then you have to trust Google that the browser is not doing anything strange with certificates for HTTPS. So if you can trust one company, then what’s the difference in trusting a few companies?
In the case of Avast it is justified to use the man-in-the-middle technique. Without this, how could they check e-mails on SSL connections or viruses on HTTPS sites?
If you do not trust Avast then there are settings which should disable this behaviour: in the Web Shield settings there is “enable HTTPS scanning” (default on) and in the e-mail settings “SSL connection scanning” (default on).
I guess (I’m not sure because I do not know Avast internals) that switching off these two options should solve the issue.
I agree with Graybeard; I see no way to protect against malware before downloading a file. The question is why prevent downloading a file when the filesystem is scanned? Maybe because you may have excluded the folder where you download.
However, you can disable the web and mail protect agents.
To have complete protection, I use Hands Off and deny file write/network access to all new programs. If I download a new app (from the App Store) I allow it in Hands Off.
Moreover, I suggest downloading only from the App Store or open-source software, or at least from the publisher’s web site.
PS: sorry for my bad English
Those who want to use Avast virus protection can definitely use it, but for this problem I have found a fix: just going to the settings and disabling Web Shield & Mail Shield fixes the SSL issue. Here is a screenshot http://imgur.com/NKXfVc8
Have a look and let me know if this helped you guys
Avast gave me so many false positives I removed it. Got tired of going to a site and Avast blocking it. Would check the site with several online services and the site was clean. Installed Clam from their website and have Sentry monitoring my downloads only. Am satisfied with Clam but Avast needs a lot of improvement before I go with them again.
A preliminary response by a Rep. of Avast has already been posted on their Support Forum and a more detailed explanation will be forthcoming shortly:
https://forum.avast.com/index.php?topic=167112.msg1189100#msg1189100
Knowing all the facts is the best way I know to stop rumors and half truth from spreading.
I don’t like the suggestion that I’m spreading “rumors and half truth.” Avast is intercepting secure communications by default, and without alerting its users that it is doing so… that is fact. This is, in my eyes, a very serious potential security issue. If you trust Avast completely, then you may not see it that way, but surely you must be able to see that many people will not be comfortable trusting this organization with all their secure communications!
Further, on the page you linked to, lukor says:
However, given that I have seen this behavior with one of the largest and most popular banks in the US (Bank of America), as shown in a screenshot in this article, that is obviously not entirely true. He suggests alerting them if you find a bank that is not on this list, but I would argue that a major, well-known bank like Bank of America should be on that list without a need for someone to report it to Avast! What other major banks are not on that list, simply because few people are aware of this behavior and thus aren’t reporting the issue to Avast? What else among all the claims he makes is similarly untrue?
“I don’t like the suggestion that I’m spreading “rumors and half truth.” ”
That’s not a suggestion, that’s a fact. The whole article is nothing more than a tabloid compilation of rumors and half truths with the intent to scare the readers. Additionally it reveals the author’s incompetence and lack of technical knowledge as already pointed out by previous comments. No one doing security seriously can ever write stuff like: “…actual malware would have to be saved to the hard drive and then executed in order to have any effect…”. No, malware really does not have to be saved and executed as an executable file; there are plenty of vulnerabilities that allow the attacker to affect process memory without ever touching the hard drive. And that is exactly why the AV products have Web and Mail shields. And to make those shields really work, you need to check the connections regardless of whether they are secured or not.
Objections that the AV (Avast in this case, but it applies to any AV by definition) is “accessing your private information” when scanning HTTPS are true but completely irrelevant, as there is no such thing as “private data” that the AV could not access anyway once you install it. Either you trust the AV 100% (like you trust your browser, your OS and all software in it installed with root privileges) or you don’t, and then you should not install it. Stated otherwise, the AV can see the bill you are paying in Bank of America’s online banking regardless of whether HTTPS scanning is turned on or off. And so does the OS, the browser and any kernel driver that wishes to do so.
Finally, Avast never hid the fact that it is using the MITM technique to access SSL encrypted connections, as suggested in the article. There is and always was the option to disable this feature in the shield preferences. We also do not handle requests about this technique as bugs on the forum; there is even a technical info describing the process available online that is linked from the forum. If you have some technical questions feel free to ask in the appropriate forum section (the Mac and Windows implementations are slightly different, as already mentioned here).
Ahh, the Avast representative rears his head for some name calling. I expected as much.
I stand by my opinions. There has never been a case of Mac malware that didn’t save files to the hard drive, nor is there currently any known way for merely visiting a website to infect a Mac with anything. Remember, we’re talking specifically about the Mac here, not Windows, folks! Sure, we could theorize about some potential future vulnerability that is exploited for remote code execution without saving files. However, since that doesn’t exist yet, why should we have any expectation that Avast – or any other anti-virus software – would detect it?
Secondly, if this is an important thing to do, why is it that of all the anti-virus tools I tested, only Kaspersky did something similar? And in that case, it was entirely opt-in on a site-by-site basis, rather than on-by-default for all HTTPS sites I tested.
As to the necessity of trusting the anti-virus, that’s absolutely true. Anything you install on your computer could potentially access private data. That’s why issues of trust are so important. As I pointed out in the article, I do not believe that Avast is doing this maliciously (so please don’t make implications that I said anything like that). However, the method used, combined with the way it was implemented, throws up all kinds of trust-related red flags.
> if this is an important thing to do, why is it that of all the anti-virus tools I tested, only Kaspersky did something similar?
Apparently BitDefender does this and in the process does not check to see if the original certificate had been revoked, thus substituting a valid certificate in its place. Source: . No indication as to whether this applies to their OS X apps or not.
That’s quite a bit worse than what I’ve described here! Thanks for the info.
Correction: not a bit worse. Turns out Avast does the same thing!
So this seems really simple. Either malware can execute in memory or it can’t. If it can, then preventing it requires scanning it before it reaches memory, while if it can’t, you can just scan the disk. Correct? These are two contradicting claims, so what’s the deal? Can malware be executed from memory? Or is that only a possibility on Windows? Do we concede that this is common on Windows? If so, what/where do we find the confidence that it is not possible on a Mac? Is the claim that it is currently impossible on Macs based only on the fact that “There has never been a case of Mac malware that didn’t save files to the hard drive”? If this is true, why is the same not true for Windows? Or does it apply to all computers, in which case “malware really has not to be saved and executed as an executable file, there are plenty vulnerabilities that allow the attacker to affect process memory without ever touching the hard drive” would be bogus.
As a user, the fact of the matter is, yes, I trust Avast. But I’d rather not take any risks IF I don’t have to. It would seem that according to some, full protection from malware REQUIRES giving up the privacy that is, this whole certificate business. If it is indeed NECESSARY to protect from certain attacks then I don’t mind. If no such attack is possible for which this monkeying around with certificates is NECESSARY in order to prevent, then I’d rather not give up that privacy.
Windows malware is about a decade (at least) more advanced than Mac malware. I believe (though I’m not a Windows malware expert) that there has been Windows malware that stayed resident in memory only. That has never happened on the Mac.
Of course, we can’t say that it’s impossible for this to ever happen… however, if it does, Avast still won’t catch it, because it will be brand new, and Avast won’t know what it’s looking for yet. (Which begs the question: what’s it looking for now?)
In addition, I’m not the only one to notice this and consider it a problem. See the following article from a couple weeks ago:
http://www.securityweek.com/antivirus-software-has-negative-impact-https-security-researcher
Dear Norbert (Bob) Gostischa,
Assuming that you, sir, are the same Bob Gostischa, AVAST! “Evangelist,” cited here:
http://www.kickenhardware.net/showthread.php?22127-Bob-Gostischa-AVAST!-Evangelist-presentation-this-Friday-Aug-16-Central-Jersey
then may I gently suggest, in order to establish credibility, especially when you presume to admonish Thomas Reed for “rumors and half truth” about Avast, that you disclose the full truth about your relationship with the product vendor before you do so.
You are not a disinterested party to the conversation here, regardless of whether or not you are volunteer “evangelist.” And by the way, are you an unpaid evangelist, or do you receive payment, or other consideration from Avast? And why do I have to ask?
So now I wonder about the other more or less “anonymous” contributors weighing in here in Avast’s behalf. Are they just “some guy on the internet,” honestly dropping by to help or set the record straight? Or are they all a bunch of paid Avast shills who troll the web attacking anything or anyone that might besmirch the reputation of their company’s product?
You seem like a decent person (you did use your real name, right?) and your intentions might be good, but you Avast folks are RIGHT NOW doing DAMAGE to your company’s product and reputation, to say nothing of your own. I have half a mind to contact the company CEO and clue him in. (And yeah, it’s gotta be a him; no woman CEO would tolerate this kind of thing. Then again, maybe he’s the combative type who eggs you all on.)
The irony is that several of us here are TRYING TO HELP YOU.
So here’s a parting thought for you, Martin, and anyone else affiliated with Avast: when people are trying to help you, SHUT UP AND LISTEN.
-Mark
P.S. Here’s another toughie for you Avast grains of sand who, after reading this, want to drop the gloves: In the game of ice hockey, what shape is the faceoff circle?
P.P.S. Full disclosure: I’m really just “some guy on the web.” I’m not affiliated with this site, only a visitor. Not working for any company. These posts, which will probably amount to nothing, are “volunteer work” in partial payment to Thomas Reed for hosting this valuable oasis of honesty, integrity, and utility in an ocean otherwise littered with garbage. I use Intego Lite and ClamXAV on my Macs. And, oh yeah, I was once, long ago, a contributing editor to “Windows Tech Journal” — that’s right, a PC techie, who gave up trying to secure his Windows boxes and went all Apple.
Any questions?
Lukor’s description applies to the Windows version of Avast. The Mac version is slightly different.
In any case, please realize that this is not much different from any browser extension (Chrome, Safari etc) — they also have complete view of your entire HTTPS traffic. And they are much easier to write, and are being used in the wild to spread spyware and adware…
“Avast is replacing certificates with its own without bothering to check the validity of those certificates!”
Another example of tabloid headlines. But I have an even better one for you “Google Chrome is not checking the validity of certificates!” – just try it out, it also lets you go to the test page without any warning/error. The fact is only the revocation is not checked in this case (by both Avast and Google Chrome).
The explanation of why we do not use, e.g., OCSP at the moment is that, like Google (who has a reduced CRL set distributed with Chrome), we have a different channel with malicious URLs that is updated at least twice a day via the VPS (much more often than the usual OCSP validity), where we also include the REAL bogus servers.
That just gives people a good reason to criticize Chrome, not a justification for this behavior on the part of Avast.
As for the comment that you don’t check the certificate’s validity because you have another method for detecting malicious servers, don’t you feel that a second tier of protection is important? After all, that is a foundation of the justification of all anti-virus software: that it’s important to have multiple tiers of protection.
Thomas said 3-3; There has never been a case of Mac malware that didn’t save files to the hard drive, nor is there currently any known way for merely visiting a website to infect a Mac with anything.
With all the talk of drive-by viruses and malware this is a great relief!
To Mr. Martin Tůma,
Avast is a good product. My savvy PC using friends swear by it. Mr. Reed has (free of charge) given you some feedback which you could use to make it better. I shall attempt here to do the same, perhaps to little avail.
You modestly omitted to mention (unless I missed it?) that you work for Avast (that FACT was mentioned by Mr. Reed) and regularly defend its honor on the web.
This lack of disclosure reduces your credibility, as do statements like:
“The whole article is nothing more than a tabloid compilation of rumors and half truths with the intend to scare the readers.”
Please, sir, this kind of indignant (and frankly ridiculous) hyperbole only makes you look like you really do have something to hide. This is an excellent site where complex issues are presented with clarity and respect for the intelligence of its grateful visitors, a model for all others.
You have a good–an excellent–product and I’m sure you’re a fine developer. There is no need to become defensive (though I sense the hairs rising on the back of your neck even now) and to attack Mr. Reed’s integrity. He’s giving you a gift, if you’d only recognize it as such.
To Thomas Reed:
Thank you from a grateful visitor, no doubt one of many (who not only uses AdwareMedic, but paid for it too!)
To Everyone:
I recently found out that I have been mispronouncing (in my head) the name Avast, by mentally putting the emphasis on the initial A, and treating it as a long vowel. Evidently the proper pronunciation sounds like the beginning two words of the following sentence:
“A vast amount of expertise goes into creating Avast.”
With warm regards to all.
Thanks for the kind words!
Your post makes me realize, though, that to some degree I have revealed privileged information by saying that Mr. Tůma is an Avast representative. The Avast e-mail address was right there, staring me in the face as I composed my reply, but that information is only for me to see. I have a policy of respecting privacy and not revealing such private information, and did not realize the error I made in doing so until just now. For that, I apologize!
I hope that Mr. Tůma will forgive this oversight (though somehow I doubt it). If it’s any consolation, my revelation of that information has granted a credibility to his comments that they wouldn’t have if the reader thought he was just some random guy on the internet. However, it would have been better if it had been Mr. Tůma’s choice to reveal that information, rather than mine.
Dear Thomas Reed,
You didn’t reveal anything about Mr. Tůma’s relationship with Avast! that a casual web search wouldn’t have exposed. And, assuming that he is an employee, or otherwise a representative of the company, he had a moral, if not legal, obligation to disclose himself as such. It would have helped his cause.
Although there is a Czech hockey player (a defenseman, of course) of the same name, I suspect that our Mr. Tůma (unless he is quite the Renaissance figure) is the same technically inclined chap who participated in this discussion:
http://rants.effu.se/2013/03/Arrogant-Anti-virus-Doesn%27t-Appreciate-Your-Choices
His was the last post:
“We do normally not overwrite the preferences on program updates, but in this case, there was a major shield redesign that forced us to do so. However, it could be better communicated to the end user, that’s true. ”
I daresay there is a theme in that thread that echoes the one here: That Avast could better communicate with the end users, if not the world at large.
One of my (security obsessed) PC-using friends came to Avast’s defense when I discussed the issue with him, pointing out that the product’s behavior in question was in fact documented — in the release notes. These of course are read about as often as ToS and license agreements…
(see South Park episode: http://www.imdb.com/title/tt1884035/)
…so while Avast and a tiny minority of its users are covered, the rest of us can be forgiven if we weren’t *quite* up to snuff about what’s going on.
No pearl would be created had not a tiny grain of sand irritated an oyster, and I do believe that, drama aside, there are pearls in this discussion. Mr. Tůma himself contributed several, and I for one did not know that a PC could execute code without saving to disk (technically this is fascinating, although one of the many reasons we use Macs in the first place is to avoid the vulnerabilities created by this sort of Windows nonsense).
And Thomas, your “defense in depth” concept, though not necessarily original, is well worth reconsidering. I hope Mr. Tůma will avail himself of your shared wisdom — now that we’ve let him out of the penalty box. 😉
Warm regards,
Mark
P.S. Mr. Tůma, I will be honored if you choose to respond to this note, unless your first words are something other than, “Thank you for your kind feedback about Avast…”, in which case you will be penalized for two more minutes. Cheers!
Well, although I do play ice hockey, I’m probably not the hockey player you mean 🙂 And yes, I work as a developer at Avast. I’m sorry if this is not as obvious as I thought. I always use my real name and real company email when sending posts to discussions regarding Avast. Here I simply didn’t notice that the email is not shown publicly but is only used by the article author for argumentation in the discussions. Quite strange and unfair behavior, but to be honest, it does not surprise me as it fits into the “journalistic” style of this blog…
You may find my responses here to be defensive, but the point is, the articles here really are “a tabloid compilation of rumors and half truths with the intent to scare the readers”. A layman probably may not see this at first glance, but if you have at least a basic knowledge of cryptography and read statements like “a certificate is used to encrypt all data sent between your browser and the bank site”, you know that there is something wrong… There are plenty of technically wrong blogs like this on the internet, but this is not the problem. The problem here is the form of the “message” the reader gets and the conflict of interest of the author. I simply do not think that it is acceptable for a product vendor (AdwareMedic) to denigrate the competition with mendacious articles. Note that this is not the first such article here; not long ago Avast was accused here in the same “bombastic” style of “stealing virus definitions”, which everyone with Avast installed could prove to be wrong.
You’re not the first to dislike my articles. The Genieo folks got pretty mad at me, too, making all manner of accusations and even threatening a lawsuit.
The unfortunate fact is that there are some serious problems with your product. First is the long-standing problem with false positives, including a repeated false detection of a component of Mac OS X as a “decompression bomb,” going back for years. (I’ve found references to that particular false detection as far back as 2009.) Second is the fact that an adware component was included in the Avast Online Security browser extension recently. Third is the issue described in this article.
You should also note that not everything I have written about Avast is bad. My testing of malware detection rates in anti-virus software in 2013 and 2014 put Avast at or near the top of the rankings. There is no doubt that Avast does a great job of detecting Mac malware. However, the associated costs of using Avast – especially recently – have become too high.
You can choose to do something about that, or you can attack the people who criticize Avast because of those problems. Keep in mind that the choice you make says a lot.
Yes, we for sure have some problems with the product – like all non-trivial SW projects do. But the issues you have chosen are again an example of the “tabloid journalism” you use on your blog.
There are and probably always will be false positives in every AV regardless of how much effort the vendor puts into avoiding them. Calling them “serious problems” is however very misleading, especially when talking about the decompression bombs. Files suspected of being decompression bombs cause only warnings in Avast and you can get them only in on-demand scans. The warning only says “this archive has an extraordinary compression ratio and may be a decompression bomb” and I really do not see anything like a “serious issue” in pointing out such files in detailed scan reports…
Maybe you will be surprised, but I do not judge articles by whether they speak positively or negatively about Avast. I judge them by whether they are good or bad and whether they are true or not. I also do not argue under every negative article about Avast, as I didn’t, for example, under the “SafePrice adware” article here. The reason was that the definition of adware is quite diverse: for one person it may be everything commercial in the product, while for another it is only the commercial things he cannot avoid (the browser extensions are optional in Avast). So even though it was written in the usual “thesafemac tabloid style”, there is nothing principally wrong in the article (except the conflict of interest that still remains, of course), as there is in the following ones, which I did comment on.
Finally – pointing out lies and half-truths about the product is for me as important as the technical quality of the product itself, so yes, I have chosen to do something about it.
Well, it’s obvious we’re never going to see eye-to-eye here. Since you continue to call me a liar, I think we’ve taken our conversation as far as it needs to go. I will simply point out that the things I have said here are easily verified by anyone with Mac OS X and a copy of Avast. Until/unless Avast is updated to address these issues, of course, as seems to have happened after the furor over adware in the Avast browser extension.
“The Genieo folks got pretty mad at me, too, making all manner of accusations and even threatening a lawsuit.”
And then there was Bob (probably not his real name) from MacKeeper back in November, who was on the other end of the spectrum — that is, completely hilarious… Oh, those were good times 😀 😀
Hi,
Once again Avast has clearly demonstrated by this latest controversial issue that they are a Windows-based antivirus vendor and that their efforts in developing Mac security products have been plagued by many technical issues. They also have a long history of false positive detections.
To put icing on the cake, Avast also installs adware.
The lack of experience Avast has shown in dealing with the Mac platform was very clearly demonstrated by the Avast representative who made several obvious errors in their attempts to discredit Thomas Reed, who has always been a trusted source of good quality technical information on Mac security.
I tried Avast some time ago and it was an ongoing source of nightmarish technical issues and caused serious issues with my Mac until it was uninstalled.
Even then I had to perform a full Time Machine restore of my Mac to a period when it had not been installed.
Hell will freeze over before Avast gets installed on my Mac again.
“whom made several obvious errors in their attempts to discredit Thomas Reed”
Can you name the errors please? Thanks.
Hi Martin Tuma (Tumic on the Avast User Forums),
I am simply NOT going to get into a long-winded debate about your obvious errors that Thomas Reed has clearly detailed.
You are quite simply extremely evangelistic and one eyed in your unwavering support of Avast for Mac.
You are the person who is often quite bombastic and very offensive in your personal attacks upon Thomas Reed.
For example, Avast made a false positive detection of a simple RSS feed on this site.
Now any respectable and professional security company would have simply done their best to fix this as soon as possible when brought to their attention and profusely apologized for any inconvenience caused.
This is NOT what happened, you pounced upon this issue and went on the attack right here with your quite combative postings.
It’s obvious you are hypersensitive to any criticism regarding Avast.
The pure and simple facts are that Avast has serious and long-standing technical issues and a very bad track record for false positive detections; these issues with Avast often take forever and a day to be finally resolved.
Take for example this “compression bomb” issue, which still has NOT been fixed after 5 years. Now you may have enough technical knowledge not to be alarmed when confronted by this in scan reports, but other less experienced Avast users may well be alarmed and become quite concerned as to what it all means.
Avast unfortunately is earning itself a bad reputation because of multiple technical issues: one finally gets fixed and soon another issue with Avast promptly rears its ugly head.
“I am simply NOT going to get into a long-winded debate about your obvious errors that Thomas Reed has clearly detailed.”
In other words – there are no such errors that you could name…
The story with the RSS feed is a little bit different from how you describe it (which can be easily traced when reading the comments under the article). Avast apologized for the false positive and fixed it in the next virus definitions update. The problem with the article was the allegations (in the usual thesafemac tabloid style) that Avast “steals” virus definitions. And that was where I did defend Avast, as none of the accusations were true (as everyone with Avast installed could prove).
Finally – I could maybe understand you considering the handling of “decompression bombs” as an issue had I not spent the time here to explain it again. But since I have spent the time, I can only say: haters gonna hate…
Martin, it would be to your benefit to look at these websites:
https://yourlogicalfallacyis.com/burden-of-proof
https://yourlogicalfallacyis.com/ad-hominem
Hi Martin Tuma,
The only reason I dislike Avast is simply because of the sheer number of technical issues I had when it was installed and the sheer nightmare of trying for countless hours to get these issues solved.
The simple fact is that if Avast was not plagued by these seemingly never ending issues, I would only be too happy to use it and recommend it.
However because of my tortuous experience with Avast that simply is not possible.
The simple fact is that Mac users who want to install an antivirus product want one that is reliable, easy to use and well designed, and not riddled with hair-pulling technical issues.
Nor do we want an antivirus with the alarmingly high rate of false positives that Avast has had.
It is widely acknowledged that most antivirus products will make a false positive identification from time to time, but nowhere near the sheer number of false positive detections that Avast has.
There are also the extremely long delays in getting Avast to finally fix issues. In my case the issues took well over 12 months on several issues.
Once again let us NOT forget this “compression bomb” issue is still not fixed after 5 years.
Regardless of how trivial you believe this issue is, it looks like Avast is simply never, ever going to get this one sorted out. By the way, other Mac antivirus products I have used do not have this issue.
There were also no responses to my issues when I posted on your Avast user forums.
Yes, I did the right thing and lodged tickets for technical support through the proper channels; I eventually, after a long wait, received the stock response that the issues were acknowledged and would be fixed in a later version of Avast.
The vast majority of Mac users also don’t want a product which installs adware.
You know Avast would be much more respected if they simply got on with the job of sorting these issues out as rapidly as possible.
It is simply quite bad enough that your antivirus has been plagued by a never ending stream of technical faults which your company takes forever and a day to fix.
I quite strongly believe that Avast has traditionally been a provider of Windows-based security products, and this is why your sheer lack of experience in dealing with the Mac platform is really sticking out like a sore thumb.
Mac users really don’t want hypersensitive Avast representatives like yourself who can’t handle criticism of your product, becoming combative and attacking those people who have been brave enough to speak out and be honest and quite frank when detailing the tortuous experiences your antivirus has so generously provided in abundance.
People have a right to voice their opinions of products they have grievous concerns about and are deeply unsatisfied with.
In closing I can respond to your trite and dismissive comment: “I can only say: haters gonna hate…”
Well, maybe that’s because of what Avast has put me through and also because of its evangelistic and biased representatives who get quite combative when Avast users speak up and have the temerity to be critical of your product.
Hey folks,
Thank you Ofelia for the reference to yourlogicalfallacyis.com.
I’d never heard of that site before and it is helpful, not only in the present instance, but for future reference. This only goes to show that a single irritating grain of sand can spawn multiple pearls from the same oyster.
I can only regret that the intent of your posting, and of the site itself for that matter, will be completely lost upon those who could benefit from it most. Grains of sand seldom change — if you’re lucky, they just get covered in something nice.
At the risk of mixing metaphors, may I also say that as a lifelong hockey player myself, I’ve found that there are roughly two classes of player:
1) Those who want to improve their game and be better teammates;
and
2) Those who want to drop the gloves and fight*.
Funny, but as I get older I find myself gravitating toward the former, and simply skating away from the latter.
I again express my gratitude to Thomas Reed, who is not only a reliable — and might I add, unbiased — expert and superb technical writer, but also a gentleman whose patience and grace continue to astound me.
You have a good oyster here, Mr. Reed, which contains a vast trove of knowledge for anyone who wishes to partake of it.
With regards to all,
Mark
*Oh, and here’s a parting question I ask them, which curiously is often a real stumper: In hockey, what color is the blue line? 😉
Hi St. Mark,
I do agree with your quite pertinent observation that as a hockey player you have found that there are roughly two classes of player:
1) Those who want to improve their game and be better teammates;
and
2) Those who want to drop the gloves and fight*.
This principle also applies to most people you encounter in life.
Some unfortunately turn every mishap or criticism into a huge drama and respond with vicious personal attacks or worse.
These people often have the proverbial elephant’s memory and don’t ever forgive or forget slights and they usually become quite vindictive when they feel that they have been wronged.
Fortunately there are more patient people who calmly take stock of a situation when something goes wrong and then decide what needs to be done to sort things out, and get to work fixing the problem without making a big dramatic issue out of it.
The people at Avast really need to understand that their product simply has many technical faults and a very bad track record of false positives.
We would all be better served if Avast simply worked as hard as possible to sort out these issues rapidly.
But unfortunately this is NOT the case with Avast at the present time. As previously mentioned, most technical issues with Avast take a very long period of time before they get resolved, and then as soon as one issue gets fixed up pops another one.
I also quite strongly agree with your compliments regarding our Thomas Reed, who indeed has shown great patience and grace when subjected to repeated and ongoing attacks by Martin Tuma.
Once again Thomas Reed thank you very much for your excellent unbiased website and its well researched and respected advice.
Mark — Glad to know you liked the website — you’ll have to send a thank you to Bill Wharton, my school’s headmaster and teacher, for introducing it to me!! 😀 And your use of metaphor is incredible. Well done, you! *claps and cheers*
Who knew that a technical news website would turn into a discussion of how to live life?
And, by the way — the blue line is in fact blue, although I had to Google whether or not it existed, seeing as some of the people on this site are smart enough to pose a trick question.
Also, one of my favorite quotes: “Tell me the truth if you think you know it!” I think we can determine who knows the truth and who merely thinks he does.
P.S. If anyone can name where that quote comes from (and don’t just Google it, that’s just cheating), you get a gold star!! 😀 😀 😀
Oh, and by the way — when I said “send” I of course meant mentally… that would be rather weird if you were to all of a sudden send an email to my teacher!! 😀
I went through this procedure. Everything looked good except for one thing: you said it should read ‘Google Internet Authority’ but it actually read ‘Google Internet Authority G2’. Does that addition of ‘G2’ mean I have a problem?
Looks like they posted a new certificate for some reason on March 19, 2015 at 1:48:59 AM Pacific Daylight Time.
Tried Avast – As soon as the installer complained that I had Safari and Mail open, I knew it would be tinkering with them, and I cancelled the install. Checked around and, sure enough, people were complaining that it changed their search engine preferences and added to their outgoing mail signatures. Just because it’s freeware, you don’t get to change my personal settings without asking. That’s simply dishonest, and the exact opposite of what you would expect from a program that is supposed to expose hidden files with malicious intent. It seems rather – Malicious…
I started wondering why it would change the user’s search engine to Bing – Then I read about the Rewards program: http://www.bing.com/explore/rewards – does that mean they are adding their user account information as well? Bet that adds up to a lot of Amazon gift cards – and furthers my opinion that this program should be avoided.
I use Avast, and like it. It is also very unfair for everyone to keep banging on about history, when most issues are now fixed. But I cannot accept that a MITM technique is installed without very clear notice, and wonder why Avast does this when reputable companies can achieve similar results without these [In my opinion] extreme measures. The net of it is, how do I reliably uninstall Avast?
There should be an uninstall option in the Avast menu within the Avast app.
thanks Thomas
Thank you for an excellent description of Mac security. This has been a very enlightening read for me. I have deleted Avast. To check the deletion, I re-visited the revoked.grc.com website from Chrome, Firefox & Safari. Chrome failed the test again. Here is what revoked.grc.com said about Chrome:
Executive Summary
Eschewing the industry’s standard and increasingly strong and effective solutions for enforcing the revocations of Internet security certificates, Google’s Chrome web browser invented its own system known as CRLSets.
Though presented by Google as a superior solution, the data below conclusively demonstrates that CRLSets are actually quite ineffective in protecting Chrome’s users.
Despite the fact that hundreds of certificate authorities are revoking and publishing updated revocation lists daily, Chrome’s current CRLSet contains entries for just 53 certificate authorities. Chrome implicitly trusts all certificates revoked by all other issuers.
The Internet certificate revocation lists enumerate more than two million revoked and untrustworthy certificates. Yet Chrome’s CRLSet presently lists approximately 24 thousand revoked certificates. Every other one of the more than two million is implicitly trusted by Chrome.
To obscure the fact that Chrome’s CRLSet mechanism is ineffective, high-profile websites using revoked certificates must be manually revoked by listing them in a special “header” section of the CRLSet file. (In contrast, Mozilla’s Firefox browser automatically blocked our revoked.grc.com site instantly, several days before Chrome’s developers added a manual override.)
On May 8th, 2014, the official Certificate Authority (CA) Security Council weighed in on Google’s Chrome CRLSet effectiveness. (They’re not happy either.)
So Chrome is gone too. What Google & Avast don’t seem to understand, is that their actions – however well intentioned – simply create a larger attack surface. Surely it is better to drive existing standards to improve, than to create a second, competing standard, that just creates a second avenue of attack…
Oh, of course, Chrome comes from Google, who brought us Android…
Not sure why some people are still getting to revoked.grc.com, but when I tried going there today, Avast! Web Shield (with HTTPS scanning enabled) blocked access to the page saying that it had a revoked certificate.
On a somewhat unrelated note, I don’t have Avast or any other anti-virus software installed. I attempted to visit the revoked.grc.com page, and it successfully loaded both in iOS 8.3 and Mac OS X 10.10.3. In both cases, I was using Safari. I can’t think of any modifications that I may have done to weaken Safari’s security settings, so that’s a bit unnerving. Any idea what could be amiss? I use VMWare to run Windows 8.1 Pro on the same Mac. Internet Explorer successfully blocked the page from loading.
Yes, I’m seeing that now in Safari 8.0.5. Back when I wrote this article, that page was blocked in Safari. I’m not sure why that would have changed, but I’ll report that to Apple.
I just tried to visit revoked.grc.com and, thankfully, Avast Web Shield blocked it. It looks like HOPEFULLY they’re getting their act together?
If you go into Avast’s shield settings for Web Shield, there is an option to scan secured networks. If you turn that off, it will be normal.