Avast definition update process secure?

Hi guys.

Just have a quick question regarding the security of the virus definition update process. You can get them 2 ways:

(1) Run the auto-update from within Avast
(2) Download the definitions

Is either of these procedures “secure”? As in can an attacker force corrupt/malicious definitions on your system?

Only if the download channels are secure (e.g. SSL) or definitions are digitally signed will they be totally reliable IMO. Otherwise, some attacker “can” force their own definitions on you.

Please can someone provide me with more details as to what Avast does?.. Thank you!

All antivirus products have a different kind of definition encryption, and it often changes with new program updates. So it is difficult, almost impossible, to inject other code into the definition file without a warning from the antivirus that the file has become corrupt or cannot be read.
Some antivirus programs crash and can crash your computer in those cases.
//Avast does not normally do that.

The definitions are digitally signed.

If you are not sure, you can download the definition file manually, scan it with some online scanner, and then use it.

//How safe can that be?

Hi guys. Thanks for the responses.

That’s great to hear. Any links to this on the avast website, man? I would like to read more details about it.

I am not talking about a “virus” infecting the definitions. Just someone modifying the definitions to harm your system. For example, deleting a subset of the definitions so that your system is more vulnerable to some viruses after the update. Or worse!

Thanks guys :)…

Worse can be if the new definition file is replaced with an old one, but avast will complain in that case: “You need to update your definition file.”

//But those warnings can also be disabled. I think so.

// I don’t understand what your point is.

The point is that it is good to use automatic updating of the virus database. And check that it works.


A new virus: not shutting down the antivirus, it just replaces the definition file with an old one. So old viruses can be downloaded and executed.
That does not exist, but old viruses also do come back sometimes. But now users as a rule have a few different protections and online scanners. So in that case it is so, actually.

Avast has a good feature for that, sound alerts, which are enabled by default. So the user knows that the virus database has been updated.

BTW… does avast have a time limit on how old a version of the database can be used?

And almost no one, or none, of the antiviruses protects access to the database when it is using realtime protection. Not all settings are usually protected with a password.

I pretty much doubt anyone will target avast! for a very long time… Not to mention the size of the “carry” load that would be required to carry all old definitions for all antiviruses…

P2P/FTP/WEB sharing for old databases.
All those viruses need is just to choose the correct filename to download and know where to put it. //Some viruses already did that before.

Old versions of programs are easy to find.
Lots of people have CDs with old or almost old software. = Simple to collect if needed.

Search engines are one way of finding them. So it is not necessary to have your own list of download paths, just be able to sort results and scan pages for links. The Internet has lots of different search engines, not just google.

Spyware is now collecting user information into some database on the internet. A virus could be able to use the same database for its own use (make zombies).
Zombies = PCs of users who cannot manage a computer well, have low security and are often connected to the internet. How many are there?

Or… first wave: spyware for crypt-info collection;
second wave: viruses that use the same database.

Who knows how fast that can spread itself?
No one knows. I think that we are well protected and “all” have backed-up computers and important documents.
Just restore them and continue to work. :smiley:

…BTW the internet becomes faster and faster, so you will not see the connection becoming slower…

Hey guys.

The reason I posed my original question was “not” because of someone trying to force an “old” (but legit) copy of definitions on you, but an attempt where they purposefully craft a malicious definition file and force “that” on you. Naturally, they would also try to set the “date” of the file to sometime recent so that your program might think “hey this is a new update, let us use it.”…

The only way for the Avast program to know that the copy of the “new” definitions was in fact manufactured by Avast is if it is digitally signed or if it is downloaded over a secure channel. That’s what I was getting at :)…

If the updates are simply incremental, I guess it would be less of a problem. But still it IS a problem against new viruses.

To force it against you is just to infect unprotected system files in Windows. I hope that you use the VRDB that avast has. If not, you can run it manually once after you have updated Windows.

Signed and randomly encrypted from time to time, it is almost impossible to change fast before it will be changed again.

The time is encrypted into the file inside and in some other settings in the program, and not outside (what you see as the time when the file was created or changed).

Chankama is right, boys…
Kaspersky and Symantec have had to admit new attacks came last week through the virus definitions of both companies.
It required a ‘program’ patch to correct. Even doing that, they admitted that a lot of computers got compromised.
Do not underestimate the capacity and imagination of the virus makers… :-\

Nothing is impossible in the virtual world.

Symantec, Kaspersky and a few others have different kinds of encryption on different databases. Some of them almost never change. That gives time for cracking.

Avast uses just one file for the virus database and updates it; that makes it more difficult to crack. As far as I know.

You are 100% right, and it makes a lot of sense…

haha :). Guess attacks such as that are right around the corner then. Norton will always get attacked first due to their customer base - much like IE… If Avast uses digital signatures as Lukor has mentioned, they shouldn’t have to worry about this too much. Assuming the virus doesn’t modify the program itself… :-\

What do you mean by this, man?.. Please elaborate. :slight_smile:

This 400.vps file in the avast data folder contains the virus definitions, and it is only one file.

To prevent modification of the program itself, the version is checked with MD5 on the server when updating.

So you are saying Avast checks only the MD5 hash of the virus definition file, with the one on the server?.. That’s it?.. :o

Lukor mentioned that it is also digitally signed… But, if what you say is true and all it does is simply verify the MD5 hash (and NOT digitally signed), then Avast should be susceptible to a very persistent attacker who “does not” necessarily have control of your machine… Would be a problem on an untrusted network… Which I am on… :frowning:

I hope Lukor was right…
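The distinction this post turns on (an MD5 that arrives with the download versus a signature that can only be checked against a key the program already carries), as an added Go example that is not code from this thread or from avast!. The update layout, the Ed25519 key pair, the signed sequence counter and the definition bodies are all constructed assumptions for illustration; the "substitute on path" step only models the untrusted-network case the post describes, so the two checks can be compared.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Update models what the client receives. Names and layout are assumptions for
// this example, not avast!'s real format.
type Update struct {
	Definitions []byte // constructed stand-in for the definition file body
	Sequence    uint64 // vendor-assigned version counter, covered by the signature
	ServerMD5   string // hex MD5 published beside the file (not signed)
	Signature   []byte // Ed25519 signature over SHA-256(Sequence || Definitions)
}

// NewVendorKey creates the key pair. The public half is what a client ships with
// the program; the private half never leaves the vendor.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest binds the version counter to the file body so both are under the signature.
func digest(seq uint64, body []byte) []byte {
	h := sha256.New()
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	h.Write(seqBytes[:])
	h.Write(body)
	return h.Sum(nil)
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// PublishUpdate is the vendor side: the file, the MD5 beside it, and the signature.
func PublishUpdate(priv ed25519.PrivateKey, seq uint64, body []byte) Update {
	return Update{
		Definitions: body,
		Sequence:    seq,
		ServerMD5:   md5Hex(body),
		Signature:   ed25519.Sign(priv, digest(seq, body)),
	}
}

// SubstituteOnPath models the untrusted-network case: whoever controls the
// download path can swap the body and republish a matching MD5, but cannot
// produce a new signature without the vendor's private key.
func SubstituteOnPath(u Update, body []byte) Update {
	u.Definitions = body
	u.ServerMD5 = md5Hex(body)
	return u
}

// VerifyByHash is the weak check: compare the file's MD5 with the MD5 that came
// with it. It detects accidental corruption and nothing more.
func VerifyByHash(u Update) bool {
	return md5Hex(u.Definitions) == u.ServerMD5
}

// VerifySigned is the check asked for in the thread. Only the vendor's key can
// produce the signature, and because the sequence counter is signed the client
// can also refuse an older genuine file pushed back at it, whatever file date it
// carries.
func VerifySigned(pub ed25519.PublicKey, installedSeq uint64, u Update) bool {
	if len(u.Signature) != ed25519.SignatureSize {
		return false
	}
	if !ed25519.Verify(pub, digest(u.Sequence, u.Definitions), u.Signature) {
		return false
	}
	return u.Sequence > installedSeq
}

func main() {
	pub, priv := NewVendorKey()
	old := PublishUpdate(priv, 100, []byte("definitions v100 (constructed)"))
	fresh := PublishUpdate(priv, 101, []byte("definitions v101 (constructed)"))
	swapped := SubstituteOnPath(fresh, []byte("altered body (constructed)"))

	// Client currently holds v100; three candidate downloads arrive.
	fmt.Println("genuine  md5:", VerifyByHash(fresh), " signed:", VerifySigned(pub, 100, fresh))
	fmt.Println("swapped  md5:", VerifyByHash(swapped), " signed:", VerifySigned(pub, 100, swapped))
	// Client now holds v101 and the old genuine v100 is offered again.
	fmt.Println("rollback md5:", VerifyByHash(old), " signed:", VerifySigned(pub, 101, old))
}
```

The MD5 check passes for all three downloads, including the substituted one, because the hash travelled over the same path as the file. Only the signed check distinguishes them, and only because the verifying key was installed before the download happened; a secure download channel would give a similar guarantee for the transfer itself, which is the alternative the original question names.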

I think not…
What are all those files in the avast4\setup folder?

I think not either, as it is highly likely that your 400.vps file, because of the different start point and differing number of updates, would not match an MD5 hash on the avast! web site. My 400.vps was last updated today, plus I can’t see any way of checking the MD5 hash of the 400.vps file.