Activating Avast Security Pro for Mac; How do I connect Avast Security to my Avast Account? After you download and install Avast Security, you can connect the product to your Avast Account in the Account section. To connect Avast Security to your Avast Account: Click the Avast Menu bar icon and select Open Avast.
- Avast Free Antivirus raises the bar on security with real-time protection, intelligent threat-detection, and added security for your network, passwords, and browser. Easy to install and easy to use, no other free antivirus comes close.
- Avast Free Antivirus for Mac is Avast's answer to concerns about how to browse safely. The application is packaged with a brand-new, easy-to-understand graphical user interface, with access to all.
Published February 24th, 2015 at 12:47 PM EDT, modified March 5th, 2015 at 10:28 AM EDT
The security community is ablaze with news of Superfish being pre-installed on some Lenovo computers. The primary issue concerning experts is that Superfish replaced SSL certificates, used for ensuring secure connections on the internet, with its own certificates. It turns out that the same behavior is being exhibited by software that many people are inclined to trust: Avast’s anti-virus software!
Replacing SSL certificates is a significant security issue. The lock icon shown by browsers when the user is connecting to an “HTTPS” site is an indication that the connection is being secured, using a form of encryption that relies on an SSL “certificate” issued by a trusted certificate authority. So, when you connect to your bank’s website, for example, a certificate is used to encrypt all data sent between your browser and the bank site. This protects you from snoops, who cannot see any potentially sensitive data being transmitted.
What Superfish has done is replace these certificates with one of its own, which gives the software the ability to intercept any data being sent to or from such a secure site. This is what security experts call a “man-in-the-middle attack,” meaning something or someone that interjects itself between two parties attempting to have secured communications. It should be immediately obvious that this is a Very Bad Thing.
Surely this kind of thing could only be done by unethical hackers, right? I mean, Superfish is essentially adware, and in my opinion has now crossed the line into malware territory. So we shouldn’t be surprised at its misbehavior. No legitimate software would ever behave this way, would it?
Don’t be too sure. I received an e-mail from a reader yesterday asking why he was getting an error in Chrome complaining that his connection to Google was not private. The error message pointed the finger at a certificate issued by a certificate authority named “Avast untrusted CA.”
Some testing this morning showed that Avast is replacing Google’s certificate with one of their own. On my test system, though, the Avast certificate was trusted. (I’m guessing the certificate on the affected reader’s system was outdated, and had not been properly updated for some reason.)
As can be seen from the screenshot, the certificate claims to be for Google, but was not issued by the authority that Google actually uses (GeoTrust Global). This means that Avast has complete control over the connection between the browser and Google, and has the power to intercept – or even modify – any data being transmitted.
Okay, who cares, right? I mean, sure, there are some potential privacy issues involved there, but in reality, most people don’t care much if someone’s monitoring their searches. Those who do are probably using a search engine like DuckDuckGo, rather than Google, anyway.
Unfortunately, this issue isn’t limited to Google. Suppose, for example, that you go to the Bank of America site to transfer some funds or pay a bill. As with Google, and as would happen with any other secure site, it turns out their certificate gets replaced with the Avast certificate. I doubt anyone needs me to lecture them on the potential security issues involved in having a third-party watching their banking transactions without permission!
This is an extremely serious issue, but surprisingly, it apparently isn’t new! Searching the web for “Avast untrusted CA” or “Avast trusted CA” shows that people have been aware of this on a small scale for some time. On Avast’s own forums, questions about this are treated as bugs – not because of the potential security issues involved, but because of whatever has caused the user in each case to become aware of the problem, such as the error message that brought this matter to my attention.
It’s unlikely that Avast is using the power to snoop on your communications for malicious purposes. I imagine that they are using this power to monitor secured communications for possible malware. For example, Avast is probably intercepting e-mail being transmitted securely between your mail server and your e-mail client so that it can be scanned for attached malware.
However, the issue here is one of trust. Should you trust Avast with this kind of access to your private information? Avast has essentially chosen to hijack your web browser’s security without your permission, inserting itself as a silent watcher into all your secure communications. Worse, Avast has a history of sometimes showing untrustworthy behavior, such as including an adware component in their avast! Online Security browser extension. This is not behavior that should be tolerated, and I strongly recommend uninstalling Avast immediately.
Even if you trust Avast 100%, however, an added issue is the potential for new security risks. In the case of Superfish, for example, security researcher Robert Graham was able to crack the certificate being used by Superfish, due to a poor certificate password, and could have then launched his own attacks on unsuspecting users using that certificate. If Avast’s security is at all sloppy, their certificate could cause security issues that would not exist if Avast did not tamper with certificates.
To be fair to Avast, it’s entirely possible they are not alone. Other anti-virus software could be behaving in exactly the same way. A quick test of a number of other free Mac anti-virus apps this morning did not uncover any, but I did not test every anti-virus app out there by a long shot. Still, any other anti-virus software that might be doing this should also be avoided.
To determine whether your system might be affected by such an issue, go to www.google.com in Safari. There should be a lock or “https” icon in the address bar, indicating that the connection to Google is secure. Click that icon, then click the Show Certificate button in the sheet window that drops down. The certificate should be issued by Google Internet Authority, which in turn falls under the authority of GeoTrust Global. If you see anything different, you may be the victim of a man-in-the-middle attack. This could be the result of other anti-virus software, or could be due to something else, such as a compromised network connection.
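The same issuer check can be scripted. The following is an added example, not code from the original post: it classifies the issuer of a certificate in the dict form returned by Python's `ssl` `getpeercert()`, using the CA names quoted in this article; the sample certificates, verdict labels and function names are constructed for illustration.

```python
import socket
import ssl
import sys

# Issuer the article expects for Google (2015); set this per site and per date.
EXPECTED_ISSUERS = {"www.google.com": ("Google Internet Authority",)}
# Local interception CAs named in the article, matched case-insensitively.
INTERCEPTION_MARKERS = ("avast", "superfish")

# Constructed getpeercert()-style samples, not captured certificates.
SAMPLE_GENUINE = {"issuer": ((("countryName", "US"),),
                             (("commonName", "Google Internet Authority"),))}
SAMPLE_AVAST = {"issuer": ((("commonName", "Avast trusted CA"),),)}
SAMPLE_OTHER = {"issuer": ((("commonName", "Example Proxy CA"),),)}


def issuer_fields(cert):
    """Flatten the issuer (a tuple of RDNs, each a tuple of pairs) to a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(host, cert):
    """Return (verdict, issuer name) for one certificate dict."""
    fields = issuer_fields(cert)
    name = fields.get("commonName") or fields.get("organizationName") or ""
    haystack = " ".join(fields.values()).lower()
    if any(marker in haystack for marker in INTERCEPTION_MARKERS):
        return "intercepted", name
    expected = EXPECTED_ISSUERS.get(host)
    if expected is None:
        return "no-baseline", name
    if any(e.lower() in haystack for e in expected):
        return "expected", name
    return "unexpected-issuer", name


def fetch_cert(host, port=443, timeout=5.0):
    """Live check: return the validated leaf certificate for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    try:
        print(target, *classify(target, fetch_cert(target)))
    except ssl.SSLCertVerificationError as err:
        # Chain did not validate against this interpreter's trust store.
        print(target, "untrusted-chain", err.verify_message)
```

Run live as a script with a hostname argument. Python may not use the same trust store as Safari, so an `untrusted-chain` result on a machine where the browser shows a lock is itself consistent with a locally installed interception root.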
Updates
Thursday, March 5, 2015 @ 9:45 am EST: After taking some considerable heat from some folks – including an Avast representative – in the comments below, it turns out that the situation is even worse than I initially realized. Avast is replacing certificates with its own without bothering to check the validity of those certificates!
So what does this mean? Suppose that there’s a malicious site out there that uses HTTPS, in an attempt to trick the user into thinking the site is legit. (Or perhaps a formerly legit site has changed hands and become malicious.) Then suppose the malicious intent of the site is discovered, and the certificate is revoked. Your web browser should warn you that the site is not trustworthy if you try to go there.
If you happen to have Avast installed, no such luck: Avast will replace the site’s revoked certificate with Avast’s own legitimate certificate, eliminating the error and allowing you to navigate to a site that you shouldn’t!
Nobody needs to take my word for this. It’s trivial to test it if you have Avast installed, and have not disabled Avast’s HTTPS scanning: just navigate over to revoked.grc.com, a site designed for testing purposes that uses a revoked SSL certificate. As you can see from the screenshot at right, the site opens just fine, using Avast’s replacement certificate.
You may say that my hypothetical situation above is unlikely to happen. That’s true. However, the news in recent years has been frequented by stories about SSL certificate theft. Hackers can use stolen certificates to execute real man-in-the-middle attacks, tricking your browser into believing that it is visiting a legit site when it isn’t. Stolen certificates are generally revoked after the theft has been discovered, but this vulnerability in Avast will allow those certificates to continue to work.
I’ve had some tips that other anti-virus apps behave the same way, in particular BitDefender, Kaspersky and ESET. However, I was unable to bypass the revoked certificate using Kaspersky, and ESET’s Mac software appears not to do any kind of HTTPS scanning as far as I can tell. The jury is still out on BitDefender, as I haven’t yet been able to download a trial version. (I haven’t received the e-mail I need in order to download the trial software.) I’ll update later, after I’ve tested BitDefender.
This is precisely the kind of security issue that tampering with HTTPS can result in, and is exactly why it should not be done. Case closed.
Thursday, March 5, 2015 @ 10:30 am EST: I finally got a copy of BitDefender’s Mac anti-virus software, and it appears not to be doing any HTTPS scanning. It may do that on Windows – I have to rely on third-party reports there – but as best I can determine, it doesn’t have this problem on the Mac.
Thus far, Avast is still the only one I’ve found on the Mac to do on-by-default HTTPS scanning and to fail to check certificate validity.
Avast Free Mac Security doesn't break a lot of new ground. As is the case with most free software, it does an OK job and — like popular free-to-play games — aims to pull money from your pockets after it's installed.
The one major perk of Avast Free Mac Security is that it can identify attacks in your email inbox, a feature that we'd like to see in all Mac antivirus services. At the end of the day, though, Avast's Mac malware protection rate isn't quite as good as its competitors', which is the most important part of antivirus software.
Avast Free Mac Security costs and what's covered
Avast Free Mac Security is free. It supports Macs running any version of macOS, as long as they have 128MB of RAM and 750MB of available disk space.
Antivirus protection
Avast Free Mac Security keeps Macs free of malware using traditional signature-based detection by unpacking Mac-specific file formats and scanning them for malicious content. It also uses its artificial-intelligence system to apply lessons from its user base to train its software.
Avast also thwarts PC malware on Mac, to prevent it from spreading on networks, and scans unopened ZIP files. It performs system protection scanning in the background, permits both on-demand and scheduled scans, and can scan your router to protect you against DNS hijacking and other threats.
Antivirus detection
Avast Free Mac Security's on-demand malware-scanning engine has a mixed record in recent lab tests. It stopped 100% of malware in tests conducted by Austrian lab AV-Comparatives in July 2018 and June 2019.
Results from German lab AV-Test were less consistent: 100% of Mac malware was detected by Avast in June 2018 and June 2019, but Avast caught only 96.3% of malware in December 2018.
That means Avast tied with Bitdefender Antivirus for Mac and Kaspersky Internet Security for Mac on the AV-Comparatives test (both hit 100%). However, it failed to match Bitdefender, Kaspersky and Norton 360 Deluxe on the AV-Test study, in which all three earned 100% scores.
Of all the Mac antivirus programs we tested, Avast Free Mac Security was the only one that flagged items already on our system as threats. Specifically, it found three email messages in my old, inactive, Outlook database that contained links to phishing websites.
Security and privacy features
Avast Free Mac Security includes Avast's Online Security browser extension, which automatically installs itself in Chrome unless you opt out, while Firefox provides a confirmation prompt to make sure you approve the extension. The Avast extension appears as a button that is green when you're safe and red if a site is potentially harmful. Similar flags will appear next to search results.
If you're wary of sites that monitor your actions, the Avast browser extension also displays a counter badge that tallies the number of activity trackers found in a website and provides an additional option to block social network-based tracking.
Not only does Avast scan activity on your hard drive and web browsers, but it also monitors POP3 and IMAP email clients, including Apple Mail, Thunderbird, Postbox and Airmail, and scans email attachments as well as email messages.
Avast monitors your computer and its network connections in the background, scans new files upon installation and lets you schedule scans. However, Avast Free Mac Security doesn't have any of the extra features offered by paid competitors, such as parental controls, a VPN service, firewalls or webcam blockers.
Performance and system impact
Avast Free Mac Security had a moderate impact on system performance, which we assessed by running our custom Excel VLOOKUP benchmark test, which matches 60,000 names and addresses on a spreadsheet. Our test machine was a 2017 MacBook Air with a 1.8-GHz Intel Core i5 CPU and approximately 54GB of data stored on a 128GB SSD.
With Avast Free Mac Security installed on our MacBook, but without any active scans running, the VLOOKUP test finished in an average of 3 minutes and 38 seconds, 1 second longer than without any antivirus software installed. That's a passive system hit of less than 1%, and not something you would likely perceive.
Other antivirus products' passive system impacts ranged from 5% (Sophos Home Premium) to zero percent (Bitdefender). This is overall great news for Mac users: Most of the time, you'll never notice that you've got antivirus software running.
You would be more likely to notice the slowdowns created by Avast's active scans. During full-system scans, the VLOOKUP test finished in an average of 4 minutes and 59 seconds, resulting in a big performance dip of 37 percent. That's not as bad as McAfee AntiVirus Plus' 47% fall (the worst offender), although it wasn't as good as Sophos' 7% full-scan system hit.
Avast's full-scan completion time, which took an hour and 11 minutes on average, was on the longer end of scores but was not the longest we found — Sophos' 2-hour-and-56-minute time was the longest. Malwarebytes for Mac Premium's full scan took a miraculous 16 seconds, while Bitdefender closed its full scan in 4:25. Kaspersky (41:20) and Norton (25:49) fell in the middle of the pack.
Interface
Avast Free Mac Security may not be the prettiest antivirus app, but it provides a number of functions and options. Its main window shows users a Protected status, as scans are enabled by default. All other features, including on-demand scans, are located in a menu bar on the left.
Avast's main window presents users with their status — Protected or otherwise — and a 'Run scan' button that pushes you to Avast Cleanup Pro. You'll be confused by this abrupt switch of apps if you weren't paying attention to the fine print, and you'll soon realize that Cleanup Pro is a paid product that looks to tidy up your hard drive and costs between $2.99 and $3.99 per month.
After you click that Run scan button once, it changes to an Upgrade button for Avast Security Pro, which features anti-ransomware protections and Wi-Fi and network scanning. To avoid further confusion, click on Scans in the left-hand menu, which opens that section as well as other sections of the app, such as Reports, Virus Chest, Shields and Preferences.
In Scan, you can select from a number of different types, such as scans of custom directories, scans of removable volumes and scans of your home network. Avast also includes scheduled scans, an increasingly rare option these days.
Clicking on New Scan presents a Start button for activating a Quick Scan and a Change Scan Type button to switch to a full-computer scan.
You'll find database updates and analyses of scans performed on your system in Avast's Reports. Avast places files it flags as malicious into the Virus Chest quarantine section, where you can delete or restore them (if you think Avast is mistaken).
Open the Shields section to see real-time analysis of scanned files. Annoyingly, if the file directory is especially long, Avast won't give you the full directory, so you can't go look up the offending file for yourself. You may not need to, but we'd prefer to have the option.
In the Preferences tab, you'll find options to change the frequency of notifications, system updates and scans. Here, you can also disable hard-drive, email and web protection, although Avast wisely makes you enter your system password first. Additionally, you can disable Avast's menu-bar icon from this window (it's under Miscellaneous).
If you create an account with Avast, you can check the status of any systems you've logged into in the Account tab as well as at my.avast.com. Avast's menu-bar button provides links to open the main interface window, see current activity and application information, and review previous notifications.
Installation and support
To install Avast Free Mac Security, you open Avast.com and click Download, which will place the installer DMG on your Mac. (Thankfully, you won't have to go through download.com anymore, an annoying part of the previous model.) After you click through the end-user-license agreements, the installer will download more files and install Avast.
No restart is required, and the whole process took about 2 minutes for me, which felt about normal. In the middle of the installation, you get the option to not install Avast's unlimited Password Manager and the company's SecureLine VPN client. The Avast Online Security browser plug-in is free, but you get only a seven-day trial of SecureLine VPN service, which otherwise starts at $60 per year.
To get technical support, click Help in the menu bar, select Avast Technical Support and then select Contact Help to open Avast's Support site. Here, you can find a FAQ, ask for help in the forums and call a customer-support line that will provide free advice for installing, configuring, updating and removing Avast.
If you need more help than that, Avast offers paid support starting at $79 for any call that isn't related to removing a virus or malware, or at $119 per call for virus-related calls. For more support, you can spend $199 for a year of unlimited service, or $10 per month plus a $99 setup fee.
Bottom line
Avast's email scanning gives it an edge over competing Mac antivirus products. It needs such an advantage when the rest of its package is such a mixed bag.
Not only does Avast's software continually push you to spend money on additional services (unlikely if you've already chosen to use free antivirus software), but its malware detection rates aren't great overall.
If you're going to pay, you should instead choose Bitdefender Antivirus for Mac, which gives you excellent protection and a low system impact for $40 a year. If you'd rather not pay, then Avast is the best free option, but only because Sophos Home, which has a more full-featured free tier, has undetermined malware-protection abilities on Macs.