Avast Download Redirect to CNET - Not concerned with security best practice?

Start: https://www.avast.com/en-us/index
Click on “Download Free Antivirus” copied url is: https://www.avast.com/en-us/download-thank-you.php?product=FAV-ONLINE&locale=en-us
The link redirects here: http://download.cnet.com/Avast-Free-Antivirus-2015/3001-2239_4-10019223.html?hasJs=n&hlndr=1&part=dl-85737&path=direct&ls=media

Should I worry when the Antivirus software you rely on to protect you from just these maneuvers does not serve its own products and redirects you without notice or permission?

Or the question is, why should I NOT worry?

You can also download it from the official Avast server.
https://forum.avast.com/index.php?topic=210678.0

Thank you for the link to the Avast online installers. But the linked urls are also http not https and point to an executable file. So we have to risk malware to get the Antivirus?

No malware just the installation file. :slight_smile:
If you prefer, get them from here: How to Successfully Install Avast http://goo.gl/VLXde

I am surprised that AVAST does not utilize https for software distribution. Isn’t this a basic precaution? What am I missing?

Here’s the download link I use for the free version:
https://www.avast.com/download-thank-you.php?product=FAV-AVAST&locale=en-ww

https://forum.avast.com/index.php?topic=60523.msg527512#msg527512

My concern is that Avast itself does not respect customer security enough to permit this. Following links in a forum does not instill confidence in security practices. Should be on the main page, secure and transparent.

This url also redirects to CNET without notice or permissions:
https://www.avast.com/en-us/download-thank-you.php?product=FAV-ONLINE&locale=en-us

http://download.cnet.com/Avast-Free-Antivirus-2015/3001-2239_4-10019223.html?hasJs=n&hlndr=1&part=dl-85737&path=direct&ls=media

What you say seems to be correct. Seems to go along with what you could get for free could also come at a hidden cost.

I’d follow Asyn’s advice @ reply # 1. Furthermore, I’d also strive to download all executable files from original vendor sites only in the future as I’ve known about this redirect issue for several years now.

Bitcoin miners are one of the new things in redirects.

Asyn’s reply - the link is https to the forum (low risk) but the links to the downloads are http (high risk).

So it seems I am the only one out of 400 million who finds this to be problematic. In posting the question, I was hoping to be educated on security risks but am just getting more unsecure links.

See Reply #6.

I realize where you are coming from and I don’t disagree. However you could download the package from the http site (avast’s not cnet’s) then get the md5 hashes from this page https://support.avast.com/en-us/article/Troubleshoot-Antivirus-corrupted-setup and use an MD5 tool to verify the package. IMHO the best you’ll probably get?

OK This one is served from AVAST - https://www.avast.com/en-us/download-thank-you.php?product=FAV-AVAST&locale=en-us

NOTE FAV-AVAST not FAV-ONLINE

All the Avast installers (and other files) have a digital signature by Avast Software s.r.o.
Verifying that (right-click → Properties / Digital Signatures / Details) is the best way (much better than comparing some MD5 hashes, in my opinion).
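
The signature check described in the post above, together with the hash comparison suggested earlier in the thread, can also be done from PowerShell without running the installer. This is an added example, not part of the original thread and not Avast's own tooling; `Test-InstallerSignature` and the file path are hypothetical, and the signer name is the one quoted in the post.

```powershell
# Added example: inspect a downloaded installer without executing it.
# Test-InstallerSignature is a hypothetical helper name, not an Avast or Windows tool.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name as quoted in the thread.
        [string] $ExpectedSigner = 'Avast Software s.r.o.'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Reads and validates the embedded Authenticode signature; nothing is run.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Unsigned files have no certificate. Compare the exact subject name,
    # not a substring, so look-alike publisher names do not pass.
    $signer = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
    }

    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a root trusted on this machine. HashMismatch, NotSigned and
    # NotTrusted all fail the check.
    $signatureOk = ($sig.Status -eq 'Valid')
    $signerOk    = ($signer -eq $ExpectedSigner)

    [pscustomobject]@{
        Path            = (Resolve-Path -LiteralPath $Path).Path
        SignatureStatus = $sig.Status
        Signer          = $signer
        Trusted         = ($signatureOk -and $signerOk)
        # Hashes for comparison with values published over HTTPS by the vendor.
        MD5             = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Placeholder path: point it at the installer you actually downloaded.
Test-InstallerSignature -Path 'C:\Path\To\downloaded_installer.exe' | Format-List
```

A `Trusted` value of `False` means the file should not be run, whatever the hashes show. A hash match alone only proves the file equals the published one, so the published value has to come from a page served over HTTPS.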

Good information, Igor. However once you click on the executable and before the confirmation prompt, if there is malware, it is too late.

To verify the signature (manually), you only have to right-click - to display the file’s properties. There’s no execution involved there.

I don’t believe there is currently (at least on any modern OS) an attack vector by which opening a shell dialog to observe file information / security information / digital signatures etc. can actually launch the exe.

Isn’t that what you asked for ??? The original link I shared also gives you downloads to the rest of the Avast versions all coming via https. :slight_smile:

I wonder this exact same thing, and am very unhappy about it. I have never trusted that site and probably never will. You only get one chance at being honest and then you’re done with me, and that site has not been honest IMO.

I downloaded Avast Free from the defunct link today (haven’t noticed this in recent past?) and went into email in Incognito Mode today on a computer I was setting up, and got a Pop up Talking Scam, and had to Ctrl Alt Delete to shut down as it was telling me all my files and passwords were compromised. This was a Clean Install of Windows 7 and All Partitions were scanned with MBAM Prior to the Clean Install using the Recovery Partition. So please stop defending Avast for this practice. I did not do anything but Check the Box for some emails to be Deleted, and they were all known email addresses because I hovered on them.

Then I went to the link provided in this Thread and Checked the MD5, AND IT DID NOT MATCH! Now Avast seems to be running fine, but please tell me why this would be then, bad download? I think not if all is working well at this time. And I have had very few bad downloads on my connection.

Neither does the MD5 From the Avast Link provided here match either?

Found a better link to all that care. Major freaking hassle just to stay secure? Is it really time to move to Windows Defender or MSE?
https://support.avast.com/en-us/article/3

I have now downloaded three different Free Versions, all of which the MD5 don’t match the one on this page:
https://support.avast.com/en-us/article/Troubleshoot-Antivirus-corrupted-setup

I’ll leave all three downloads as an Attachment.

And, where are the SHA’s?

and got a Pop up Talking Scam, and had to Ctrl Alt Delete to shut down as it was telling me all my files and passwords were compromised.
That is an HTML:FakeAlert ... lots of info online