The local mirrored VPS respository is one of the feature that will make choose Avast! for our servers.
As VPS repository use no secured connection and no identification mechanism, how can I guarantee the VPS files has not be tempered ?
The absence of identification mechanism make this process vulnerable at man-of-the-middle attack. How can I ensure the virus definition downloaded by Avast! is not corrupted in any way?
Even if I guess the answer of my question, I need an official documented response.
This is a dealbreaker and basic tests seems to confirm there is indeed security mechanism inside Avast! to ensure the VPS database integrity so it’s just a matter of documentation…
Hello,
the updated documentation will be released with Avast 3.0.3 which should hopefully get out this week. It will be within http://deb.avast.com/lin/doc/techdoc.pdf
Kind regards,
Ondrej Kolacek
(hopefully the 3.0.3 will also contains the bug fix about the version output)
More or less off topic: did you know the licence expiration seems to be checked only after the vps updated? So if I link the update URL to my local server where I never push any new virus definition files, then I can use the free demo licence forever … But If i run an successfull vpsupdate where I get a “New VPS version” message then I forever screwed.
Don’t worry when all problems will be fixed then licences will be purchased anyway