Security documentation

Hi,

The local mirrored VPS repository is one of the features that will make us choose Avast! for our servers.

As the VPS repository uses no secured connection and no identification mechanism, how can I guarantee the VPS files have not been tampered with?
The absence of an identification mechanism makes this process vulnerable to a man-in-the-middle attack. How can I ensure the virus definition downloaded by Avast! is not corrupted in any way?

Even if I can guess the answer to my question, I need an official documented response.

This is a dealbreaker, and basic tests seem to confirm there is indeed a security mechanism inside Avast! to ensure the VPS database integrity, so it's just a matter of documentation…

Thanks in advance.
Regards,

Hello,

All our update files are signed and our installer verifies their signature before applying them. I will ensure that this is documented.

Kind regards,
Ondrej Kolacek
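
Added example, not part of the thread and not Avast's code: a minimal Go sketch of the verify-before-apply pattern described in the reply above, showing why a signed definitions file can be fetched from an unauthenticated mirror. The thread does not say which signature scheme Avast uses; Ed25519, the names `ApplyUpdate` and `MirrorScenario`, and the sample file contents are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an update file fails verification.
var ErrBadSignature = errors.New("update rejected: signature does not verify")

// ApplyUpdate (hypothetical name) installs a definitions file only if sig is a
// valid signature over its exact bytes under the vendor key pinned in the
// client. The transport (plain HTTP, local mirror) is never trusted.
func ApplyUpdate(pinned ed25519.PublicKey, file, sig []byte, install func([]byte)) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, file, sig) {
		return ErrBadSignature // fail closed: nothing is installed
	}
	install(file)
	return nil
}

// MirrorScenario simulates a vendor signing a file, then a client fetching it
// from an honest mirror and from a path that altered it in transit.
func MirrorScenario() (honest, tampered error, installed [][]byte) {
	pub, priv, err := ed25519.GenerateKey(nil) // constructed key pair standing in for the vendor's
	if err != nil {
		panic(err)
	}
	vps := []byte("VPS 140101-0 (constructed sample definitions)")
	sig := ed25519.Sign(priv, vps)
	install := func(b []byte) { installed = append(installed, b) }

	honest = ApplyUpdate(pub, vps, sig, install)

	// Same signature, but the file bytes were changed between vendor and client.
	altered := bytes.Replace(vps, []byte("140101-0"), []byte("130101-0"), 1)
	tampered = ApplyUpdate(pub, altered, sig, install)
	return
}

func main() {
	honest, tampered, installed := MirrorScenario()
	fmt.Println("honest mirror:  ", honest)
	fmt.Println("tampered mirror:", tampered)
	fmt.Println("files installed:", len(installed))
}
```

A signature check of this kind proves origin and integrity, not freshness: a mirror can still serve an older file that was validly signed, so a client that needs current definitions also has to compare versions or dates.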

Hi,

Would you please provide the documentation discussed previously?

Thanks in advance.
Regards,

Hello,
The updated documentation will be released with Avast 3.0.3, which should hopefully get out this week. It will be within http://deb.avast.com/lin/doc/techdoc.pdf
Kind regards,
Ondrej Kolacek

Great, thanks, I'll wait.

(Hopefully 3.0.3 will also contain the bug fix for the version output.)

More or less off topic: did you know the licence expiration seems to be checked only after the VPS is updated? So if I link the update URL to my local server where I never push any new virus definition files, then I can use the free demo licence forever… But if I run a successful vpsupdate where I get a “New VPS version” message, then I'm forever screwed.
Don't worry, when all problems are fixed, licences will be purchased anyway :P

Yes, the version issue is fixed.

Regarding the license, I am not sure, but since using any antivirus without an updated vps is nearly useless, I do not think it really matters :)

Kind regards,
Ondrej Kolacek