How to exempt a banking website from HTTPS scanning globally at Avast s.r.o.?

In this 2015 blog post Explaining Avast’s HTTPS scanning feature, an email address is mentioned: banks‑whitelist@avast.com. Search for it as text, there is only one result.

By default the antivirus “spies” on every HTTPS connection to check whether there is malware on the site. This includes banking websites, i.e. if you visit your bank, the antivirus sees everything you see about your money. Avast s.r.o. totally understands the user’s concern about privacy, and gives the said email address at which you can request that your bank will also be not “spied on”.

According to my experience in Firefox, you can tell whether a connection is “spied on” (i.e. protected) by Avast by clicking the padlock icon (:lock:) to the left of the URL to show the Site information popup.

  • If the connection is “spied on”, you will see the following warning message: Connection verified by a certificate issuer that is not recognized by Mozilla.
  • If it is not “spied on”, you will see no warning message.

I have never seen this warning message on www.bankofamerica.com, therefore I suppose this bank is on the whitelist, so the list still exists. Other banks have the warning message, e.g. Bank of China at www.boc.cn.

The question is, how do you ask Avast s.r.o. to whitelist another bank? The said email address does not work any more. (I know how to add it as an exception locally on my computer. The question is not about that.)

The blog post is almost 10 years old… no wonder it no longer works.
For me www.boc.cn shows correct certificate and it’s how it works now (i.e. method described in blog post is a old one, still kicking in sometimes like you though).


I have found this Avast webshield certificate warning seems to be true for popular UK bank websites. Applies to Mozilla Firefox, not other browsers.

For me www.boc.cn shows correct certificate

I don’t know, why it has no warning for you, but has a warning for me, but I have the following ideas:

  • Maybe HTTPS scanning is turned off in your Avast. You won’t see any warning, if it is off.
  • Maybe you just started the computer. The first few websites don’t show the warning for me too. Details in my other post. Try the steps to reproduce described there to verify, that your Firefox doesn’t show the warning for HTTPS sites. Try force reloading the site. Sometimes the warning appears only after that.
  • Your screenshots of Firefox are in Japanese. I suppose, you are using a Japanese Avast, and maybe an Asian version of Avast whitelists Asian banks, like Bank of China.

(i.e. method described in blog post is a old one, still kicking in sometimes like you though)

I don’t get what this sentence means.

  • There is only one method described in the blog post, and that is how to turn off HTTPS scanning. This description is indeed an old one: currently the setting is accessible elsewhere. I know, how to turn it off, but I want to keep it on.
  • I don’t know, that you mean by kicking in.

Could you rephrase it?

Since Avast 2016, Web Shield supports “transparent” HTTPS scanning for certain browsers, including Firefox. In this mode, browsers see the original certificate instead of Avast’s one. See below for quoted release notes of Avast 2016:

If for some reason this “transparent” mode doesn’t work, then Web Shield will change the method to the old one: replacing the certificates (MITM). That’s what you’re seeing intermittently.

So basically, Avast is working as it should: changing scanning method to the old one to keep you safe. I don’t know why the first method sometimes fails for you, maybe a conflict with browser extensions or other resident software, browser configurations etc.

It is not intermittent on Firefox browser, it is constant for all the UK major Banks websites I have visited to check this out. (EDIT: exception is HSBC)
When padlock is clicked, all display: “Connection verified by a certificate issuer that is not recognized by Mozilla”.
However, most users will be oblivious to this functionality and issue re Certificates, as there is no specific warning on Firefox toolbar. You have to go hunting for it.

Clearly the web shield “transparent mode” is not working and all are failing to the old webshield method. I suspect that is not the intended functionality as introduced by Avast in 2016 and suggests a software bug or outdated bank white list or something.
Something for Avast to recognise and address.

@PaulBlueberry I would also suggest not opening new threads on this subject, but concentrate posts on this subject just here from now.

OK so it’s not intermittent for you. Can you share sample URLs?

I just tested 7 Japanese banks/credit-card bureaus and all shows its own certificates even after several force-reload (sample: https://direct.jp-bank.japanpost.jp/).
So it seems working fine for me.

Thank you for the news. This worked for me up until two months ago. Then suddenly I started seeing this warning message we are talking about on most HTTPS websites.

I don’t agree, that Avast works as it should. I am also eligible for enjoying the benefits of “transparent” HTTPS scanning, as it is advertised in the release notes, and I want it back. :slight_smile: Also, in my other post I have written, that I experience the bug with all Firefox add-ons disabled too.


Here is a list of UK banks obtained from Wikipedia: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16. Alternatively you can open all of them at once if you copy-paste this into a cmd.exe window:

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.atombank.co.uk/ https://www.bankofireland.com/ https://home.barclays/ https://www.hsbc.com/ https://danskebank.co.uk/personal https://www.lloydsbankinggroup.com/ https://www.metrobankonline.co.uk/ https://monzo.com/ https://www.natwestgroup.com/ https://www.santander.co.uk/ https://www.starlingbank.com/ https://www.tandem.co.uk/ https://www.co-operativebank.co.uk/ https://www.tsb.co.uk/ https://uk.virginmoney.com/ https://www.sainsburysbank.co.uk/

For me all of them show the warning message, except Virgin Money UK (15). @rocksteady told that for him HSBC UK (4) worked. For me it doesn’t. So, the list of websites, that work is not the same for all users.

I have also tried Japanese banks (source: Wikipedia): 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.dbj.jp/ https://www.jfc.go.jp/ https://www.okinawakouko.go.jp/ https://www.jp-bank.japanpost.jp/ https://direct.jp-bank.japanpost.jp/ https://www.mufg.jp/ https://www.smfg.co.jp/ https://www.smbc.co.jp/ https://www.mizuhogroup.com/ https://www.chibakogyo-bank.co.jp/ https://www.smth.jp/ https://www.resona-gr.co.jp/ https://www.aozorabank.co.jp/ https://www.boy.co.jp/ https://www.82bank.co.jp/

For me all of them show the warning message, except your example (https://direct.jp-bank.japanpost.jp/) which I included as number 5.


Actually, you don’t have to hunt for the warning message. You see it naturally, if you are used to verifying the company name in the Site information popup, every time you connect to a website where you enter sensitive data. Now the warning message is there instead of the company name you want to verify.

From the release notes @NON quoted, we know, how it should work. It doesn’t work that way for some users (e.g., you and me), therefore I agree that this must be a bug. I suggest reporting it in Avast (Menu > About > Got any feedback? LET US KNOW button), referring to this forum thread, as we collected a lot of information useful in investigation, with screenshots.

I will not open new threads on this topic.

The ones I checked and gave the indication were:
Barclays https://www.barclays.co.uk/
Lloyds https://www.lloydsbank.com/
Nationwide https://www.nationwide.co.uk/
Natwest https://www.natwest.com/
Sandander https://www.santander.co.uk/

The only one that is Ok is
HSBC https://www.hsbc.co.uk/

This was a misunderstanding on my side: I took the wrong URL for HSBC UK. To clarify: on my computer www.hsbc.com has a warning, while www.hsbc.co.uk hasn’t.

So far the only websites that work for me, are all banks:

@rocksteady: Did you report the bug to Avast?

Thanks for URLs, unfortunately(?) all of them worked fine here. So it depends on each user’s environment. I would suggest repairing or reinstalling Avast for the next step.

Repair App does not fix it.

Strangely I’m getting the alert from MSN.com and I don’t even browse that site.

What alert? The alert we’re talking is from Firefox and it can’t be seen without browsing.

How many did you try? As I said, after the computer starts, the first few (I don’t know how many) HTTPS sites work: even after several force reloads they don’t show the warning message.

Trying 7 might not be enough. I suggest trying the steps to reproduce in my other post. I am not sure, you are not affected by the bug, until you try those steps, and report, that in all 40 cases you didn’t see the warning message.

Are you using the Japanese version of Avast? Are you on Windows 11?

We are talking about a warning message that can be seen in the Site information popup of Firefox on almost all HTTPS sites. Screenshot and details are in my other post.

URLs you provided are total 40 or so, and considering several force-reload I did it would be over 100 connections or so. Also noting that my machine are up/running 4 day in a row, using everyday, browsing elsewhere.

I’m not your tester. If your symptom does not occur over 100 try, then no user would be willing to try it, so do I.

Thank you. Are you using the Japanese version of Avast? Are you on Windows 11?

Yes and Yes. I’m using beta version of Avast so that might made some difference.

Yes these ones are OK.

The beta version? I consider this as good news. Then the bugfix is coming, let’s hope.