Arrogant Anti-virus Doesn't Appreciate Your Choices

2013-03-15 08:00:35 by chort

I'm all for having safe defaults in security software, i.e. erring on the side of turning on protection, and leaving it up to the user to disable it if they feel it's too restrictive. Recently I had an experience with a particular anti-virus program that went well beyond this. Every time I turned my head, the program had overridden my choices.

I'll preface my comments by saying this has nothing to do with the lively debates I've had with employees of this company. I was actually using their product well before the Twitter exchanges, and continued to use it until their product betrayed my trust.

Initially I installed avast! after doing a fair amount of research on multi-platform anti-virus for work. avast!, Avira, and BitDefender were on the shortlist. I decided to try avast! first on my home machines to evaluate it for possible use at work.

Because I've been handling dangerous emails for years, and have a number of attack mitigations enabled in my browsers, I turned off the email and web traffic interception capabilities in avast! deliberately. I also uninstalled their browser plugins from Chrome, Firefox, and Safari (through the avast! application), because I like to limit the number of third-parties who have access to my surfing habits. I noticed that every time I would reboot, the avast! browser extensions would magically show up again, without my permission. It was annoying, but since I only reboot to install security patches, it was bearable.

Things started to go downhill, however, when I installed their recent version upgrade. Unfortunately after the upgrade downloaded, I couldn't open the main application to show the browser extensions were disabled, but trust me they were. Here are the screenshots showing the email and web MitM features were turned off.

[screenshot] Email:

[screenshot] Web:

[screenshot] Seems to indicate their proxy was blocking TLS before?:

[screenshot] Features disabled (by me) prior to reboot:

[screenshot] After reboot, they're turned back on:

[screenshot] This means avast! will MitM my TLS email:

[screenshot] And automatically deleted attachments I told it not to:

[screenshot] And the bloody browser extensions are back (I thought Chrome 25+ blocked this!?!)
OK, all this I can understand, to a point. Previously the MitM features apparently didn't work very well, so they want to turn them back on in case a user disabled them out of frustration. I kind of get this, but there was no warning this would happen and no way to opt-out, let alone opt-in. avast! just silently re-enabled MitM after I had explicitly disabled it.

I became curious though--if MitM was a problem before, but now it suddenly isn't a problem, does that mean perhaps they have a trusted CA to forge certificates on the fly? The installer sure didn't ask me if I wanted to install/trust a new CA, but we better check...

Smoking-gun:


Boom! There it is. avast! silently gave themselves the ability to MitM all my traffic. Suppose they end up selling email security gateways or web proxy appliances at some point. Maybe I'm on some shady hotel network, you know, the kind who love to MitM their customers' traffic, and I don't even get a warning, because the CA is already trusted. This pattern of deliberately and repeatedly overriding the user's explicit choices, especially about something as important as which CAs to trust, is unacceptable. I will never use or recommend avast! products, and my company certainly will not be buying any. Good riddance.
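The "we better check" step above can be automated instead of eyeballing a certificate manager. What follows is an added example, not code from the original post or from avast!: it snapshots the trust anchors the Python `ssl` module loads from the platform's default store before an install, diffs the store afterwards, and reports any self-signed certificate that appeared (a self-signed entry in the root store is a true anchor, able to mint certificates for any site). It also includes the check a reader would want for whether a vendor CA is per-install: compare the CA's (issuer, serial) across two machines, since an identical serial means one key was shipped to everyone. The vendor name, serial numbers and dates in the sample data are constructed placeholders, not real certificates.

```python
"""Audit the root store for trust anchors added since a baseline snapshot.

Standard library only. ssl.SSLContext.get_ca_certs() returns the CA
certificates Python loaded from the platform default store: the ROOT store on
Windows, OpenSSL's default bundle elsewhere (on macOS that is not necessarily
the same set the Keychain GUI shows, so treat the live snapshot as one view).
"""
import json
import ssl


def snapshot_system_roots():
    """Live snapshot: list of dicts with 'subject', 'issuer', 'serialNumber',
    'notBefore', 'notAfter' (the shape get_ca_certs() produces)."""
    ctx = ssl.create_default_context()  # runs load_default_certs() for us
    return ctx.get_ca_certs()


def name_to_str(name):
    """Flatten an X.509 name: a tuple of RDNs, each a tuple of (attr, value)."""
    return ", ".join(f"{attr}={value}" for rdn in name for attr, value in rdn)


def cert_key(cert):
    """(issuer, serial) identifies a certificate; the DER is not exposed, so
    this stands in for a fingerprint."""
    return (name_to_str(cert["issuer"]), cert["serialNumber"])


def new_roots(baseline, current):
    """Certificates present in `current` but absent from `baseline`."""
    known = {cert_key(c) for c in baseline}
    return [c for c in current if cert_key(c) not in known]


def describe(cert):
    """Summary of one new entry: claimed identity, whether it is self-signed
    (i.e. a real trust anchor), and the start of validity as epoch seconds."""
    return {
        "subject": name_to_str(cert["subject"]),
        "serial": cert["serialNumber"],
        "self_signed": cert["subject"] == cert["issuer"],
        "valid_from": ssl.cert_time_to_seconds(cert["notBefore"]),
    }


def shared_ca(snapshot_a, snapshot_b, subject_substring):
    """True if a CA whose subject contains `subject_substring` has the same
    (issuer, serial) in snapshots taken on two different machines. Same serial
    on both means the same key was shipped to every install, and whoever holds
    that key can MitM all of them."""
    def matching(snap):
        return {cert_key(c) for c in snap
                if subject_substring in name_to_str(c["subject"])}
    return bool(matching(snapshot_a) & matching(snapshot_b))


# Constructed sample data standing in for snapshots; every name, serial and
# date here is a placeholder, not a real certificate.
_EXAMPLE_ROOT = ((("countryName", "US"),),
                 (("organizationName", "Example Corp"),),
                 (("commonName", "Example Corp Root CA"),))
_VENDOR_ROOT = ((("organizationName", "Hypothetical AV Vendor"),),
                (("commonName", "Hypothetical Interception Root"),))

BASELINE = [
    {"subject": _EXAMPLE_ROOT, "issuer": _EXAMPLE_ROOT, "serialNumber": "01",
     "notBefore": "Jan  1 00:00:00 2010 GMT", "notAfter": "Jan  1 00:00:00 2030 GMT"},
]
AFTER_INSTALL = BASELINE + [
    {"subject": _VENDOR_ROOT, "issuer": _VENDOR_ROOT, "serialNumber": "5C1F2E",
     "notBefore": "Mar 14 20:11:05 2013 GMT", "notAfter": "Mar 14 20:11:05 2023 GMT"},
]
# The same product installed on a second machine, with a different serial:
# the CA was generated per install rather than shipped in the package.
OTHER_HOST = BASELINE + [dict(AFTER_INSTALL[1], serialNumber="9A0B77")]


def audit(baseline=BASELINE, current=AFTER_INSTALL):
    """Describe every trust anchor that appeared between the two snapshots."""
    return [describe(c) for c in new_roots(baseline, current)]


if __name__ == "__main__":
    # Real use: json.dump(snapshot_system_roots(), f) before installing a
    # product, then audit(json.load(f), snapshot_system_roots()) afterwards.
    print(json.dumps(audit(), indent=2))
    print("same CA on both hosts:", shared_ca(AFTER_INSTALL, OTHER_HOST, "Interception"))
```

Take the baseline before the installer runs, not after a reboot, since the post shows settings being re-applied at boot time. A per-install CA that shows up as "shared" across two machines is the worse finding; a per-install one still means any process able to read the private key on that box can forge certificates for that box.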

Comments

at 2013-03-15 08:04:01, fuck_THAT_shit wrote in to say...

Holy fucking shit, dude... They declare themselves as a fucking CA? This puts them squarely in the realm of true malware/spyware. That is BULLSHIT.

at 2013-03-15 08:43:03, Michael Adams wrote in to say...

I just checked my cert list on my Windows 8 box running Avast Enterprise: no Avast self-signed cert there. Present your findings to the Avast Forum: you might get an explanation regarding the difference here. http://forum.avast.com/

at 2013-03-15 09:10:58, Fendo wrote in to say...

Wait, do all customers get the same certificate, or is it generated uniquely on your machine? If it's the former, can't _anyone_ mitm you, not just avast?

at 2013-03-15 09:34:18, chort wrote in to say...

Fendo, that's actually a good question. I neglected to take a screenshot including all the details (like serial number), and it looks like the uninstaller removes it so I can't check without reinstalling. Also, like you say if it's not unique per-install, the key could be used by anyone to MitM any avast! customer. I suspect it's probably generated unique per-install, which mitigates a lot of the concerns. Good catch.

at 2013-03-16 22:00:30, Anonymous Drone wrote in to say...

Anti-Virus SW resetting your settings? LOL, it's like NIS'07 all over again. Good luck.

at 2013-03-25 04:01:33, Martin Tůma wrote in to say...

The avast! CA certificate is of course generated during the installation and is "unique" for that machine. You can read more info about it in the technical info at http://public.avast.com/~tuma/techinfo . Just a note on the "changing" configuration: we normally do not overwrite the preferences on program updates, but in this case there was a major shield redesign that forced us to do so. However, it could be better communicated to the end user, that's true.
