Author Topic: Security documentation  (Read 7246 times)


Thomas803 (Newbie, Posts: 9)
Security documentation
« on: May 17, 2019, 09:27:54 AM »
Hi,

The local mirrored VPS repository is one of the features that will make us choose Avast! for our servers.

As the VPS repository uses no secured connection and no identification mechanism, how can I guarantee the VPS files have not been tampered with?
The absence of an identification mechanism makes this process vulnerable to man-in-the-middle attacks. How can I ensure the virus definitions downloaded by Avast! are not corrupted in any way?

Even if I can guess the answer to my question, I need an official documented response.

This is a dealbreaker, and basic tests seem to confirm there is indeed a security mechanism inside Avast! to ensure the VPS database integrity, so it's just a matter of documentation.

Thanks in advance.
Regards,

ondrej.kolacek (Avast team, Sr. Member, Posts: 394)
Re: Security documentation
« Reply #1 on: May 17, 2019, 10:14:38 AM »
Hello,

All our update files are signed and our installer verifies their signature before applying them. I will ensure that this is documented.

Kind regards,
Ondrej Kolacek

Thomas803 (Newbie, Posts: 9)
Re: Security documentation
« Reply #2 on: July 08, 2019, 12:29:41 PM »
Hi,

Would you please provide the documentation discussed previously?

Thanks in advance.
Regards,

ondrej.kolacek (Avast team, Sr. Member, Posts: 394)
Re: Security documentation
« Reply #3 on: July 08, 2019, 01:00:53 PM »
Hello,
The updated documentation will be released with Avast 3.0.3, which should hopefully get out this week. It will be within http://deb.avast.com/lin/doc/techdoc.pdf
Kind regards,
Ondrej Kolacek

Thomas803 (Newbie, Posts: 9)
Re: Security documentation
« Reply #4 on: July 08, 2019, 02:11:37 PM »
Great, thanks, I'll wait.

(Hopefully 3.0.3 will also contain the bug fix for the version output.)

More or less off topic: did you know the licence expiration seems to be checked only after the VPS is updated? So if I link the update URL to my local server where I never push any new virus definition files, then I can use the free demo licence forever ... But if I run a successful vpsupdate where I get a "New VPS version" message, then I am forever screwed.
Don't worry, when all problems are fixed, licences will be purchased anyway :P

ondrej.kolacek (Avast team, Sr. Member, Posts: 394)
Re: Security documentation
« Reply #5 on: July 08, 2019, 02:52:46 PM »
> Great, thanks, I'll wait.
>
> (Hopefully 3.0.3 will also contain the bug fix for the version output.)
>
> More or less off topic: did you know the licence expiration seems to be checked only after the VPS is updated? So if I link the update URL to my local server where I never push any new virus definition files, then I can use the free demo licence forever ... But if I run a successful vpsupdate where I get a "New VPS version" message, then I am forever screwed.
> Don't worry, when all problems are fixed, licences will be purchased anyway :P

Yes, the version issue is fixed.

Regarding the license, I am not sure, but since using any antivirus without an updated vps is nearly useless, I do not think it really matters :)

Kind regards,
Ondrej Kolacek