Web Shield blocks server certificate check for "wget"

  • OS: Windows 10
  • Product: Avast Premium Security
  • Program version: 25.1.9816a (build 25.1.9816.906)

The issue is related to:

  • Web Shield
  • wget.exe as a package of Cygwin software

Run either from Windows Console or from Cygwin terminal.

Case 1:

  • Action: wget.exe https://avast.com
  • Actual result: fail with message:
Resolving avast.com (avast.com)... 104.91.49.184
Connecting to avast.com (avast.com)|104.91.49.184|:443... connected.
ERROR: The certificate of ‘avast.com’ is not trusted.
ERROR: The certificate of ‘avast.com’ doesn't have a known issuer.

Case 2:

  • Action: wget.exe --no-check-certificate https://avast.com
  • Actual result: file downloaded with message:
Resolving avast.com (avast.com)... 2.17.157.190
Connecting to avast.com (avast.com)|2.17.157.190|:443... connected.
WARNING: The certificate of ‘avast.com’ is not trusted.
WARNING: The certificate of ‘avast.com’ doesn't have a known issuer.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.avast.com/ [following]
....
Resolving www.avast.ua (www.avast.ua)... 2.17.157.190
Connecting to www.avast.ua (www.avast.ua)|2.17.157.190|:443... connected.
WARNING: The certificate of ‘www.avast.ua’ is not trusted.
WARNING: The certificate of ‘www.avast.ua’ doesn't have a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                           [ <=>                                                     ] 118.33K  --.-KB/s    in 0.08s

2025-02-13 (1.52 MB/s) - ‘index.html’ saved [121166]

Case 3:

  • Action: disable Web Shield and run wget https://avast.com
  • Actual result: file is downloaded with message:
Resolving avast.com (avast.com)... 2.17.157.190
Connecting to avast.com (avast.com)|2.17.157.190|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.avast.com/ [following]
...
Resolving www.avast.ua (www.avast.ua)... 104.91.49.184
Connecting to www.avast.ua (www.avast.ua)|104.91.49.184|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                           [ <=>                                                     ] 118.33K  --.-KB/s    in 0.05s

2025-02-13 (2.42 MB/s) - ‘index.html’ saved [121166]

It is not secure that Web Shield blocks downloading a file with the server certificate check and doesn’t block it without this check, i.e. Web Shield only blocks the server certificate check.

Moreover, Web Shield does not show any notifications in the cases described here.

Hello user1234567, welcome to the community.

It looks like Avast did MITM scanning for Cygwin wget, which means Avast validates the server certificate in place of the client program (in this case, wget).
I’m not familiar with Cygwin, but I suppose it has its own certificate store like Firefox. In that case you have to insert the Avast self certificate into it as a trusted root authority.
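
An added example, not part of either post and not Avast or Cygwin code: an offline reproduction with the `openssl` command line of why a client that keeps its own CA bundle rejects a certificate re-signed by a scanning proxy, and why adding that proxy's root to the bundle makes verification pass. All subject names and files are constructed for the demo; "Example AV Scanning Root" is a hypothetical stand-in for the antivirus root.

```shell
#!/bin/sh
# Added example with constructed data: every subject name and file is made up.
# Offline reproduction of an "unknown issuer" failure caused by a re-signing proxy.

make_demo_pki() {  # $1 = scratch directory
    d=$1
    # Stand-in for the antivirus scanning root (hypothetical name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example AV Scanning Root" \
        -keyout "$d/av-root.key" -out "$d/av-root.crt" 2>/dev/null &&
    # Stand-in for a public root already present in the client's CA bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Public Root" \
        -keyout "$d/public-root.key" -out "$d/public-root.crt" 2>/dev/null &&
    # Leaf for the site, signed by the AV root as an intercepting proxy would.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=site.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/av-root.crt" \
        -CAkey "$d/av-root.key" -set_serial 1 -days 1 \
        -out "$d/leaf.crt" 2>/dev/null
}

trusted_by() {  # $1 = CA bundle, $2 = certificate; status 0 when the chain verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issuer_of() {   # print the issuer DN, which shows who actually signed the certificate
    openssl x509 -in "$1" -noout -issuer
}

demo() {
    d=$(mktemp -d) || return 2
    make_demo_pki "$d" || { rm -rf "$d"; return 2; }
    cp "$d/public-root.crt" "$d/bundle.pem"      # client's CA bundle before the fix
    issuer_of "$d/leaf.crt"                      # names the AV root, not a public CA
    trusted_by "$d/bundle.pem" "$d/leaf.crt" && before=trusted || before=untrusted
    cat "$d/av-root.crt" >> "$d/bundle.pem"      # the fix: trust the AV root as well
    trusted_by "$d/bundle.pem" "$d/leaf.crt" && after=trusted || after=untrusted
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

On a real system the bundle is whatever store wget reads. On Cygwin the ca-certificates package is expected to take extra roots from /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust; treat that location as an assumption to confirm on your install.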