  • Patch Lady – Avast does…what?

    Posted by Susan Bradley on the AskWoody Lounge


    This topic contains 30 replies, has 14 voices, and was last updated by  anonymous 2 weeks, 5 days ago.

    • #1924853 Reply

      Susan Bradley
      AskWoody MVP

      https://textslashplain.com/2019/08/11/spying-on-https/ Spotted that post.  Read it.  Now why this appears to be the RIGHT way for the vendor to do thi
      [See the full post at: Patch Lady – Avast does…what?]

      Susan Bradley Patch Lady

      6 users thanked author for this post.
    • #1924877 Reply

      woody
      Da Boss

      Code injection from Avast? OMG.

      Reminds me of the days when Sony surreptitiously installed a rootkit to play its music on PCs.

      1 user thanked author for this post.
    • #1924891 Reply

      satrow
      AskWoody MVP

      They’ve been interfering with browser HTTPS connections for almost 5 years now.

      5 users thanked author for this post.
    • #1925000 Reply

      AlexEiffel
      AskWoody_MVP

      Interesting, but from what I understand of the article, this might be the best compromise to be able to scan https traffic. How does the Microsoft default solution differ technically? You can rely on Microsoft’s lack of vulnerabilities or Avast or another company, but they all have to look at https traffic one way or another in order to scan it.

      Now, the real question is the monetization part. It all depends on what is collected and monetized (web site names, content is scanned locally or uploaded and saved somewhere, anonymized and how?). The question was the same before. Avast has for a long time disclosed they monetize data on the free version.

      The problem today is that https traffic is/should be standard, so the distinction between browsing to read about gardening vs accessing your bank can’t be made based on that and monetization dropped for the https traffic. https traffic doesn’t mean private highly sensitive traffic, although the idea that all traffic is private is nice. At least, it is better to only have your antivirus see the traffic than your ISP and all the Internet.

      If there is less and less http traffic, how can the free antivirus know what can and can’t be monetized for those who accept the terms of this “free” deal? Does Avast monetize what you do when in their secure browser or their bank mode? Maybe they don’t do it for bank mode and they consider the rest fair game, that would make sense.

      In any case, yes, antivirus products are highly sensitive pieces of software and you need to choose a company that takes security very seriously, because a vulnerability in it can be terrible as some vulnerabilities could be triggered during scanning of web traffic or a file, which puts it in a different category of risk than a free photo editing software.


      4 users thanked author for this post.
      • #1925093 Reply

        Alex5723
        AskWoody Plus

        but they all have to look at https traffic one way or another in order to scan it.

        NO.

        HTTPS scanning is disabled in my Kaspersky A/V.

        3 users thanked author for this post.
        • #1925336 Reply

          AlexEiffel
          AskWoody_MVP

          May I point your attention to the “in order to scan it” part of the sentence? You can disable https scanning if you want, but then you don’t scan https, which might not be what a lot of normal users want since more and more regular traffic is https. A web shield that would target only a small percentage of your web surfing might not protect you very much. And an exploit should then use https to make sure it doesn’t get scanned by people who disable the https scan, right?

          With the browsers warning about non https traffic as being “unsecure”, I don’t see a great future for a web shield that only targets this traffic. You might as well just decide you don’t want to use a web shield, which might not be the choice of a majority of users, although it might be the most appropriate choice for some.

          1 user thanked author for this post.
      • #1925407 Reply

        rc primak
        AskWoody_MVP

        @alexeiffel — My Bank Mode:

        Firefox under Ubuntu Linux. Delete all cookies upon exiting the site.

        -- rc primak

        • This reply was modified 3 weeks, 3 days ago by  rc primak.
        1 user thanked author for this post.
    • #1925077 Reply

      Sinclair
      AskWoody Lounger

      The article says that the author installed Avast earlier that morning. Avast comes with default enabled https scanning. There is an option to turn this off in the settings. This was talked about in great detail years ago. With many recommendations to Avast users to turn this off. Did the author of the article do this?

      I find no mention by the author that states that he is even aware that Avast has default https scanning or an option to turn it off. Or is this code injection still done by Avast even if you turn https scanning off? I use Avast myself on my own computers and those of many others so I am more than a little curious about that. Would be nice if someone could clear that up.

      W7 x64 Pro&Home

      4 users thanked author for this post.
      • #1925216 Reply

        EstherD
        AskWoody Plus

        Last time I checked, which was admittedly about 5 years ago, you could stop the scanning, but you could NOT uninstall / disable the low-level code that implemented it. So it’s there, ripe for the pickin’, whenever someone has the incentive to figure out how to exploit it.

        1 user thanked author for this post.
        • #1925251 Reply

          Sinclair
          AskWoody Lounger

          but you could NOT uninstall / disable the low-level code that implemented it. So it’s there, ripe for the pickin’, whenever someone has the incentive to figure out how to exploit it.

          You’re saying you are afraid a third party will hack/abuse Avast to use its https scanning code within it? I do not think that that probability is something I will worry too much over.

          Explanations about the various shields and settings can be found here. The https scanning option is under the web shield.

          To uninstall the various components Avast comes with including web shield check here.

          W7 x64 Pro&Home

          • #1925403 Reply

            rc primak
            AskWoody_MVP

            The only certain way to remove Avast spyware is here.

            Run it in Windows 10 Safe Mode.

            -- rc primak

      • #1925406 Reply

        rc primak
        AskWoody_MVP

        Or is this code injection still done by Avast even if you turn https scanning off?

        A very good question. And one I bet Avast will never answer with a straight face.

        -- rc primak

      • #1925427 Reply

        T
        AskWoody Plus

        Read this article which someone posted on the avast forums – https://techdows.com/2019/08/chrome-you-are-using-an-unsupported-environment-variable-sslkeylogfile.html

        At the bottom there it states Chrome still displays this message even if HTTPS scanning or the webmail shield is disabled. Whether that means they’re still scanning HTTPS traffic against the express wishes of the user is anyone’s guess; I believe this issue has already been reported to them.

        1 user thanked author for this post.
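The Chrome warning mentioned in that article is triggered by the SSLKEYLOGFILE environment variable, which makes the browser append TLS session secrets to a file in the NSS key log format; anything that can read that file can decrypt the captured traffic. The script below is an added example (not from this thread, from Avast, or from Chrome) of the hygiene check a defender would run: report whether the variable is set for the current process and summarise what a key log file contains. The key log text in the block is constructed for the demonstration; the label names are the documented NSS key log labels.

```python
"""Added example: detect the SSLKEYLOGFILE mechanism and summarise a key log.

Constructed sample data; not code from the thread, from Avast or from Chrome."""

import os
import re
from collections import Counter

# Labels that may appear in an NSS key log. TLS 1.2 sessions write CLIENT_RANDOM;
# TLS 1.3 sessions write one line per traffic secret.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

HEX = re.compile(r"^[0-9a-fA-F]+$")


def keylog_env_status(environ=None):
    """Return (is_set, path). Any process inheriting this environment
    would write its TLS secrets to `path`."""
    env = os.environ if environ is None else environ
    path = env.get("SSLKEYLOGFILE")
    return (path is not None and path != "", path)


def parse_keylog(text):
    """Parse NSS key log text into label counts, the number of distinct
    client randoms (roughly, sessions) and the line numbers that are not
    valid entries. Blank lines and '#' comments are ignored."""
    labels = Counter()
    client_randoms = set()
    malformed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in KEYLOG_LABELS
                or not HEX.match(parts[1]) or not HEX.match(parts[2])):
            malformed.append(lineno)
            continue
        labels[parts[0]] += 1
        client_randoms.add(parts[1].lower())
    return {
        "labels": dict(labels),
        "sessions": len(client_randoms),
        "malformed_lines": malformed,
    }


def keylog_file_report(path):
    """Summarise a key log file on disk; None if there is no such file."""
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return parse_keylog(fh.read())


# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, one junk line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ff" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "11" * 32,
    "this is not a key log entry",
]) + "\n"

if __name__ == "__main__":
    is_set, path = keylog_env_status()
    print("SSLKEYLOGFILE set:", is_set, "->", path)
    if is_set:
        print("file summary:", keylog_file_report(path))
    print("sample summary:", parse_keylog(SAMPLE_KEYLOG))
```

Run it from the same shell the browser is launched from; if the variable is set and the file is growing, every TLS session the browser has made since then is recoverable by anyone with read access to that file, regardless of whether an antivirus web shield is enabled.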
    • #1925376 Reply

      BobT
      AskWoody Lounger

      Once again, “legitimate” software that’s supposed to protect you from malware…acting like malware itself.

      I’m having this argument over on the Norton forums right now, where it outright deletes some of my files (not even quarantine!) just because it doesn’t “know” them. Good job I have backups.

      Apparently this is for my own good, as a file that’s unknown could harm my system and…delete my files!

      2 users thanked author for this post.
      • #1925384 Reply

        rc primak
        AskWoody_MVP

        The old story of the guard dog biting its handler!

        -- rc primak

    • #1925381 Reply

      rc primak
      AskWoody_MVP

      Regardless of whether or not this is in itself a serious privacy breach, or even a security risk, I DO NOT TRUST Avast. Period. I could list a lot of other tech companies I do not trust, but Avast, Google and Microsoft head the list.

      Even CCleaner is no longer superior to the built-in Windows Storage Sense when it comes to routine cleanups. That and cleaning your browser in a targeted way. I use HotCleaner’s Click and Clean for Chrome and Forget Me for Firefox. Both can be tailored to retain exactly as much or as little as you prefer with each browser cleanup.

      I also do not believe in relying on web traffic scanning or web site scanning as a security first-line defense. When viewed in this context, especially now that all major web browsers are guarding us against suspicious or outright known-malicious web sites, I see security programs which offer “web shields” as snake oil.

      Only novice users would not understand that all end users need is built into most non-Google web browsers today. No add-ons or special “shields” needed. Use ad blocking and script blocking, and turn off Flash, and you have a reasonably secure web browsing experience.

      For those who want to take things a few steps further, Firefox with Flash Player removed (not just disabled) under any Linux distro, with enforced https and No Script plus at least one ad blocker, should keep anyone except an international fugitive as safe as anyone deserves to be.

      For Windows users, I still side with Susan Bradley: For Windows security, all we need is Windows Defender. Nothing more. (Although, Malwarebytes Free will sometimes catch stuff Windows Defender doesn’t pay attention to.) Turn on Protected Folders for extra ransomware protection.

      Surf safely, my friends!

      -- rc primak

      • This reply was modified 3 weeks, 3 days ago by  rc primak.
      2 users thanked author for this post.
      • #1926011 Reply

        AlexEiffel
        AskWoody_MVP

        I lost a lot of respect in Avast the company over the years for many reasons so I share the concern.

        However, I could say that web shields helped us about once every two years maybe catch something from one of our users browsing without being click happy careless. Given time and with a growing number of users, statistics end up getting you.

        It also happened to me to reach an infected page while doing a simple car information research about two years ago. Unless you don’t click on anything on the web, no one is immune to this, regardless of knowledge/carefulness. You might be lucky or you might choose to reduce your risk by adding this layer of protection which also isn’t a panacea. Of course, if the company producing the web shield can’t be trusted when it comes to security, you might raise your security risk by introducing a new layer of vulnerabilities.

        In any case, I see a big difference if the antivirus scans https locally only vs sending what is scanned somewhere and storing it. That is a much more important question to me than having a hook to do what it is supposed to do if it only does what it is supposed to do and it is clear.

        Let’s say a normal user disables https scanning to avoid having a hook that a piece of code would need to exploit an unpatched vulnerability in the antivirus to get any advantage from it. Let’s say he gets infected because he doesn’t scan https traffic when clicking on a https joke/meme linked from the https Facebook he uses. Then, later, when he does banking, his https doesn’t have any hook, but there is a trojan listening to everything he types on his keyboard and recording what he sees on his screen. A lot of what https should protect here will have been recorded by the malware, just differently and maybe even in a more user friendly way to steal credentials in seconds.

        1 user thanked author for this post.
      • #1934512 Reply

        Morty
        AskWoody Plus

        I see security programs which offer “web shields” as snake oil.

        So, I’d guess you wouldn’t recommend installing Malwarebytes Browser Guard.

        But, if you do recommend it, would it work or conflict with uBlock Origin and Privacy Badger?

        Thanks

        • #1934575 Reply

          anonymous

          Hi Morty, 6536 here.

          Ken Sims said, “I’ve always made it a point to not allow my anti-virus solution to scan either my web traffic or my email traffic (inbound or outbound). I’ll accept the additional virus/malware risk over compromising TLS.”

          I like that attitude. The real time protection of a good antivirus will protect the computer. From what I have seen, both for me and my clients, the “web scanner” bogs you down and makes playing videos a mess! The “email scanners” used to break people’s email connections because they inserted themselves (the anti-virus) between you and your ISP. Eventually you would not be able to get your mail and it was the fault of the AV. Years ago, we had MUCH trouble from Symantec, McAfee and Panda breaking the ability to retrieve emails. Uninstalling that aspect of the AV or uninstalling the whole AV would correct that.

          Here is some talk on AVG anti-virus. https://www.askwoody.com/forums/topic/avg-free-upgrade-in-2019/

          Malwarebytes is a good program, but like Symantec (Norton) it too has grown and is getting a bit big and overactive. Malwarebytes started with a manually run anti-spyware type program and it was VERY good. Now it runs in the background and problems arise. About once a year we run into an issue where the computer is causing a problem. After much investigation we turn off the background process of Malwarebytes (Pro). Problem gone. We then look at the Malwarebytes forum and people mention similar and there is a denial of it being Malwarebytes. After about a week a new version of Malwarebytes comes out and the problem is gone. This has happened MORE than once to us.

          If you have uBlock Origin and Privacy Badger, you are on the right track. I would suggest you investigate installing SpywareBlaster and Spybot S&D 1.6.2 (still supported) and both are PASSIVE protections.

          Nice to see you Morty. You are going to be a “go to” techie here yet!

          1 user thanked author for this post.
      • #1934635 Reply

        EP
        AskWoody_MVP

        Well rc primak, there are other alternative apps to CCleaner like BleachBit (I use the portable version of that app) and Wise Disk Cleaner that do the job well.

    • #1925409 Reply

      Ken Sims
      AskWoody Plus

      I’ve always made it a point to not allow my anti-virus solution to scan either my web traffic or my email traffic (inbound or outbound). I’ll accept the additional virus/malware risk over compromising TLS.

      • This reply was modified 3 weeks, 3 days ago by  PKCano.
      1 user thanked author for this post.
    • #1926052 Reply

      anonymous

      I have never seen the purpose of HTTPS scanning. Why should I not rely on my browser being properly patched more quickly than any antivirus, and on downloaded files being scanned for anything that would run on the system (both by my antivirus and Chrome/Firefox’s built in cloud scanner)? Is there actually any data showing that having live scanning actually reduces the risk of malware? And, if so, why doesn’t Microsoft do it with Defender?

      • #1926348 Reply

        AlexEiffel
        AskWoody_MVP

        I would tend to think it depends if the https scanning does a behavioral analysis or only a signature based detection (passive traditional approach). Drive-by downloads / fileless malware can hit you without any downloading if you are vulnerable.

        Yes, your browser being patched more quickly than your antivirus updates its signatures, if that is the case, could help. But there are also zero day attacks that can last for years undiscovered and sometimes the vulnerabilities are in the OS, not the browser, but still expose you if the browser uses those components. If you use mitigations that aren’t based on signatures, it can add more protection. Some providers send analyzed traffic to a cloud based solution and they detect patterns there, catching new malware as it is spreading. You might not want that, I don’t like it for my personal data, but from a business perspective, it might make sense to use such a solution at work and it might in fact be a more secure approach.

        Here’s a recent example of a combination of vulnerabilities exploited on the iPhone:

        iPhone Zero-Days Anchored Watering-Hole Attacks

        • #1934582 Reply

          Alex5723
          AskWoody Plus

          your browser being patched more quickly than your antivirus updates

          No browser is being patched more quickly than A/V. A/V is usually being patched every 2 hours while browsers ~ once a month or more.

          • #1934645 Reply

            satrow
            AskWoody MVP

            If you disregard the ‘silent’ updates at browser startup for block/black-lists, ad/mal-ware and other extensions, Google’s Safe Browsing, etc.

            Some free A/Vs might not have a program/engine update for ~3 years.

    • #1934631 Reply

      EP
      AskWoody_MVP

      Alex5723 is correct on that one about AVs being patched more often than web browsers.

      • This reply was modified 2 weeks, 5 days ago by  EP.
    • #1934647 Reply

      anonymous

      “Patching” usually refers to repairing the intended function of software.
      “Updating” may include new functions.
      In the case of AV software, updating the definitions does not generally mean patching the underlying software.

      But I am not clear whether, in their statements, the two Alexes and EP are using these words as I read them.

      1 user thanked author for this post.
      • #1934659 Reply

        anonymous

        Anonymous #1934647 has a very good point. Upgrade, update, patch. Those have different meanings.

        The Alex(es) have a point as does Satrow (good one Satrow).

        The UPGRADE of the AV engine may be once a year. Usually it is something like AVG 2018 to AVG 2019.

        The UPDATE of AVG is a 0.1 version change. AVG is now at 19.7 (2019). My records show it has updated itself six times this year on the engine.

        Definitions UPDATE is the daily or maybe every 4 hour update of new viral definitions.

        A PATCH is usually a problem that has been solved. A vulnerability has been found, a patch is made. The engine has a bug causing a BSOD, a patch is made to correct it.

        Web browsers like Firefox do have little tiny updates to “blocked items” (https://blocked.cdn.mozilla.net/) and similar.

        1 user thanked author for this post.
    • #1934652 Reply

      Morty
      AskWoody Plus

      If you have uBlock Origin and Privacy Badger, you are on the right track. I would suggest you investigate installing SpywareBlaster and Spybot S&D 1.6.2 (still supported) and both are PASSIVE protections.

      Wow! Spybot S&D! You just hit my nostalgia button. Do they still have the Teatimer?

      Thanks. Will check it out. I’ll probably stick to what I’m using, though. Your analysis points in that direction.

      • #1934667 Reply

        anonymous

        Hi Morty, Yes Spybot (version 1.6.2) does have the tea timer. Make sure you uncheck that box upon install. When I install Spybot for someone I uncheck EVERYTHING I can to only install the core program and during the install uncheck the tea timer (background process).

        It seems I tend to like “old” stuff. The older Spybot being passive. The older Malwarebytes 1.75 being a manually run program. SpywareBlaster that only “immunizes” the web browsers (passive). Many new programs run in the background to be “actively protecting you” and while this is true, it seems to step on something’s toes and one day you have a very weird problem with the OS or the browser and it gets fixed when you start turning off those “helpful background processes”.

        6536

        1 user thanked author for this post.
    • #1934661 Reply

      Morty
      AskWoody Plus

      Nice to see you Morty. You are going to be a “go to” techie here yet!

      Holy moly! I missed that before. Thanks, but I’m just a bat boy here.
