Sorry for the late reply guys.
(1) Which Avast browser extensions send every URL people visit to Avast?
Both (Avast Online Security and Avast SafePrice). Although in case of SafePrice itself, we will likely change it to send domains only for non-shopping sites.
(2) Is the entire URL sent including URL parameters (generally the portion after the question mark in the URL)?
Kind of. There is some elementary stripping done in the extension, but then a more comprehensive one done on the backend.
(3) If the Avast browser extensions are disabled, but all the Avast shields are enabled, are any URLs or filenames sent to Avast?
Yes, absolutely. For example, the pathname and hash of every EXE you're executing (that's "FileRep"). Often accompanied by additional metadata, including the URL the file was downloaded from. And there is more occurences like this.
Again, this is what's usually referred to as "cloud AV". It uses the cloud part of the engine to do at least part of the heavylifting. And of course, this is only possible if the requests are sufficiently rich.
I an quite certain that's what all good AVs do these days.
This is not true. Avast has implemented very effective "streaming" updates which keep your LOCAL anti-virus databases current. With Avast's streaming updates, there is no need to send everything that needs to be scanned to someone else's server.
This is true, Avast is still what I call a "hybrid" AV. That is, it relies on the cloud but still keeps a good database locally to allow it to make some good decisions even in the offline scenarios. With that said, the cloud part is getting more and more important for us. Nothing can beat the power of big data and to cope with today's threats, it is really almost impossible to realy on local definitions only. Not to mention that even the creation of those local definitions now absolutely relies on the data that we receive from our users, through channels like discussed above.
You seem to be claiming that in order for the core functionality of Avast to work, that every URL you visit is sent to Avast. I doubt that is true, but it might be, and I would like to hear an answer directly from Avast.
Well, again, the basic mechanism is quite simple here: the URLs is sent to the cloud to be checked. The local database does part of that job, but some parts of the logic are cloud only and need to be cloud only.
Even Google, a company notorious for collecting data about millions of people, sends their blacklists directly to the clients so that every URL that is visited is not sent to Google.
I don't think you're right here. Both Chrome and Firefox use Google SafeBrowsing API
https://developers.google.com/safe-browsing/ and this is essentially the same thing as we're talking about here: a cloud-based API for real time lookups.
Thanks
Vlk