I wanted to make sure I got a clean, uncorrupted download to a new machine that has no AV installed on it.
However, I downloaded the offline installer three times within an hour, https://www.avast.com/en-us/download-thank-you.php?product=FAV-AVAST&locale=en-us&direct=1 and each one has a different checksum suggesting some small difference between each of the three downloads.
My guess would be that the full off-line download includes the Virus Definitions, which if periodically incorporated could result in a change.
However, 3 times in an hour seems a lot.
Having some issues with my ISP, so I’m not sure.
I just downloaded twice more from the link at https://www.avast.com/en-us/installation-files
https://www.avast.com/en-us/download-thank-you.php?product=FAV-AVAST&locale=en-us&direct=1
10:22 PM EDT
Name: avast_free_antivirus_setup_offline.exe
Size: 691098296 bytes (659 MiB)
SHA256: 779B596D990660A8525CA9F49655044B29B64343B21697A7247EFFA7FFA1E75A
SHA1: 23E883F8E93AA320EC6C7576B79804D0216237A6
10:40 PM EDT
Name: avast_free_antivirus_setup_offline (1).exe
Size: 691098304 bytes (659 MiB)
SHA256: DEA8F9DE1509DC3249C831E399A7D30C1DA16E9A19ACF4DD6334782504326938
SHA1: 943283BA788D67F2018B1D512A1BBE385E7A33A4
The main thing I would be looking at would be: is the downloaded file digitally signed by Avast?
If so, the file hasn’t been tampered with, and there should be nothing to worry about.
I might be getting too paranoid, but with things like the SolarWinds incident this year, maybe it's a good time to learn.
When you look at the digital signature under file properties of the downloaded file, how do you know 100% sure that it’s the Avast digital signature? Do you just check that it says “This Digital Signature is OK” and “Avast Software s.r.o.” or do you check it further to be 100% sure? Is there any further check you can do?
I suppose it would be difficult, but could a bad actor sign a fake exe with something like Avast 5oftware s.r.o. or some other loophole, or are digital signatures pretty infallible?
I wonder if Avast is issuing many different versions of the file to different nodes and identifying the nodes or something in the file that changes the checksum slightly? I just downloaded the online installer 4 times a few minutes apart, and got different sha256 checksums for the download on the new computer to the download done on the old computer at the same time. Both under properties say “This Digital Signature is OK”
One had a digital signature
Wednesday, July 28, 2021 6:15:51 AM
and the other had a digital signature
Wednesday, July 28, 2021 11:06:25 AM
(I got 2 the same checksum out of the 4)
As an Avast User like yourself I can’t answer why there are changes occurring in a short time other than what I mentioned earlier.
There comes a time when you have to trust something, you can’t distrust everything or you wouldn’t do anything.
I have been using Avast Free for over 17 years; when a new program update is released I download and save the offline installation file (should I have need to do a clean install). I’m doing this on my system with Avast already installed, so it, like other downloaded files, should be scanned by Avast (you too could do that).
I don’t believe there are any checksums available at the point of download.
Virus definition updates would make sense for the offline downloader being changed between downloads. These could happen several times a day.
The online installer is changing checksums too though frequently, which I don’t quite understand.
I scanned the one offline installer with virus total and virus total came up with three positives saying there were trojans in it. I think that was a false positive, but it made me extra paranoid to be sure it was clean and not corrupt. Today the offline download exceeds the 650MB scan limit of virus total, so I think the definition updates added size to it in the last few days.
It’s nice with software that does offer a checksum because it gives a published “this is what you should expect” that you can easily check. So for example I can look at a website that lists the checksum – it’s published in a public place where lots of people have eyes on the checksum, and I can just compare that checksum with the file I download to make sure the file I got matches. If I’m very paranoid such as downloading an Operating System ISO, I can even look at the google cache or archived versions or a secondary location of the published checksum to make sure that hasn’t been tampered with.
Be that as it may, I can learn new ways to do things too.
If I understand correctly, any change to the file would invalidate the digital signature, so that takes away worries that a file would be corrupt in transfer. So then the only question to check 100% (for the very paranoid) is whether the digital signature is the official Avast digital signature.
Is there a published certificate (?) or line that I can compare to the digital signature on the file to make sure it’s a 100% match.
Is “Avast Software s.r.o.” what I use to verify that the signature is from the real Avast? Is there any concern that some bad guy could figure out how to create a digital signature under Avast, Inc. or Avast co. in some other country? Or is Digicert so careful when issuing the certs to do a valid digital signature that you don’t have to watch for this?
Is there a way to quickly check the public key on the avast digital signature to make sure it matches Avast’s real signature?
Or is there a way to check the thumbprint of the digital signature against a published value to make sure it’s the real digital signature?
As an Avast User I simply can’t answer this; digital signatures are used, and if something is changed after the digital signature is applied it should fail. It is what the system is built on.
Even when scanning executables avast checks for a valid digital signature, all of that would go out of the window if the digital signatures could be got around.
https://www.docusign.co.uk/how-it-works/electronic-signature/digital-signature/digital-signature-faq
Thanks. Still trying to make sure I got this. In the example there it says
As an example, Jane signs an agreement to sell a timeshare using her private key. The buyer receives the document. The buyer who receives the document also receives a copy of Jane’s public key. If the public key can’t decrypt the signature (via the cipher from which the keys were created), it means the signature isn’t Jane’s, or has been changed since it was signed. The signature is then considered invalid.
How does one get the copy of Jane's public key? (or in this example, Avast's) If it's in the file itself and only in the file itself, how do you know the public key is actually Jane's? Could a bad actor, say Jan, substitute in a file and sign it with Jan's public key so it would still say it was a valid signature? I guess we trust Digicert in this case would not issue a signing privilege to any entity with Avast in the name other than Avast s.r.o. that is the official Avast company, is that correct, or how closely do you have to look at the digital certificate signer to be sure it's actually Avast? Will it always say "Avast s.r.o." exactly as the signer?
OK, so I did a quick check and modifying the file does in fact make it so the digital signature would say invalid. I just did a quick change of one o to a and it immediately says invalid. So if the digital signature says valid, it means the file hasn’t been corrupted in download I think, the same as a checksum.
Then under digital signature, you can click on “view certificate” and for all the downloads, despite the very slight changes in the files themselves which changes the checksum, it says
CN = DigiCert SHA2 Assured ID Code Signing CA
OU = www.digicert.com
O = DigiCert Inc
C = US
Subject
CN = Avast Software s.r.o.
OU = RE stapler cistodc
O = Avast Software s.r.o.
L = Praha
C = CZ
Thumbprint
db4336a6dc808c8f6a4944fa8e8d6a9e703f8915
Valid from
Wednesday, April 1, 2020 8:00:00 PM
Valid to
Thursday, March 9, 2023 8:00:00 AM
Revocation Status : OK. Effective Date <Tuesday, July 27, 2021 3:15:02 PM> Next Update <Tuesday, August 3, 2021 2:30:02 PM>
The subject and thumbprint are the same between all the installers. So that’s easy to check if you don’t trust your eyes (i.e. you can check both Avast Software s.r.o. and also the country and also the thumbprint.)
(scanned the installer with the same certificate thumbprint on another computer with avast already installed just to be really sure ;))
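The manual checks described in this thread (compare a checksum to a published value where one exists, confirm the signature reads valid, then compare the signer's subject and certificate thumbprint to the values seen on a known-good copy) can be put into one PowerShell function so the comparison is done by the computer rather than by eye. This is an added example and not code from the thread or from Avast; the function name and the download path are assumptions, while the expected subject and thumbprint are the ones quoted above.

```powershell
# Added example (not from the forum thread or from Avast): verify a downloaded installer by
# (1) computing its SHA-256 for comparison with a published checksum, if the vendor gives one, and
# (2) checking its Authenticode signature, then pinning the signer's subject CN and certificate
# thumbprint to values already confirmed on a known-good copy (the values quoted in this thread).
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,                     # optional: only useful when the vendor publishes one
        [string] $ExpectedSubjectCN  = 'Avast Software s.r.o.',
        [string] $ExpectedThumbprint = 'db4336a6dc808c8f6a4944fa8e8d6a9e703f8915'
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $result = [ordered]@{
        File         = $Path
        Sha256       = $null
        HashMatches  = $null      # stays $null when no published checksum was supplied
        SigStatus    = $null
        SubjectCN    = $null
        Thumbprint   = $null
        SubjectOK    = $false
        ThumbprintOK = $false
        Verdict      = 'FAIL'
    }

    # Step 1: file hash. Without a published value this only shows that two downloads differ
    # (exactly what the thread observed); it cannot say which download is the genuine one.
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256) {
        $result.HashMatches = ($result.Sha256 -ieq $ExpectedSha256)
    }

    # Step 2: Authenticode signature. 'Valid' means the file is unmodified since it was signed
    # AND the signer's certificate chains to a root this machine trusts. Any other status fails.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SigStatus = $sig.Status.ToString()

    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.SubjectCN  = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $result.Thumbprint = $cert.Thumbprint

        # Step 3: pin to what was already verified. The subject CN guards against a look-alike
        # company name; the thumbprint identifies this exact certificate and will change when
        # the vendor renews it (the thread's certificate is valid to March 9, 2023).
        $result.SubjectOK    = ($result.SubjectCN -eq $ExpectedSubjectCN)
        $result.ThumbprintOK = ($result.Thumbprint -ieq $ExpectedThumbprint)

        # HashMatches is $null when no checksum was given, which must not count as a failure.
        if ($result.SubjectOK -and $result.ThumbprintOK -and ($result.HashMatches -ne $false)) {
            $result.Verdict = 'PASS'
        }
    }

    [pscustomobject] $result
}

# Usage (the path is an assumption; point it at wherever the installer was saved):
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\avast_free_antivirus_setup_offline.exe" |
    Format-List
```

A verdict of PASS on two downloads with different SHA-256 values is the expected outcome for the situation in this thread: each file carries its own valid signature from the same certificate, so the differing hashes reflect different signed builds rather than corruption. A thumbprint mismatch with a Valid status most likely means the vendor has renewed its certificate, which is the point at which the pinned value has to be re-established from a copy you trust.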
Hopefully you can now rest easy.
I don’t believe the example is a good one:
As an example, Jane signs an agreement to sell a timeshare using her private key. The buyer receives the document. The buyer who receives the document also receives a copy of Jane’s public key. If the public key can’t decrypt the signature (via the cipher from which the keys were created), it means the signature isn’t Jane’s, or has been changed since it was signed. The signature is then considered invalid.
The public and private keys I would say are more encryption related; an email example is PGP (Pretty Good Privacy), which follows the example, so no one can decrypt (read) or change the email/document in transit or on receipt without the private key.
So in this case there is no public/private key, but the embedded digital signature that is invalidated if the file is changed in any way; it is effectively baked into the file. As you have found, any change immediately invalidates it.