Avast Free Antivirus Installer
Gen Digital Inc. (Avast Software)
The Avast installer is significantly more aggressive than CCleaner (same parent). It integrates Google Analytics with a hardcoded API secret in plaintext, performs IP geolocation before consent, fires 5+ pre-consent network requests, and once installed deploys kernel-level DNS-over-HTTPS interception and deep packet inspection across 17 protocol handlers. The FTC fined Avast $16.5M in 2024 for selling 8+ petabytes of browsing data through its Jumpshot subsidiary.
Grade Breakdown
Weighted score: 34/100
5+ pre-consent network requests including IP geolocation and Google Analytics (third-party). No consent mechanism before data collection. Worst in category among analyzed software.
Hardware fingerprinting via direct disk I/O, 200+ post-install tracking parameters, kernel-level network interception far exceeds what antivirus needs. 6 separate analytics endpoints.
DNS interception and deep packet inspection not prominently disclosed. GA4 integration hidden. IP geolocation silent. FTC found prior lack of transparency.
HTTPS for most endpoints but GA4 API secret hardcoded in plaintext (security risk). Kernel driver has proper signing. Transport encryption present but API secret exposure is concerning.
FTC already found Avast misrepresented data practices ($16.5M fine). Kernel DNS interception, DPI, and pre-consent tracking exceed policy disclosures. Binary behavior bears limited resemblance to stated practices.
Findings
Pre-Consent Collection
5+ network requests fire before user consent
avs-pre-001: On binary launch, before any UI: (1) IP geolocation to ip-info.ff.avast.com, (2) Google Analytics event, (3) Shepherd A/B testing request, (4) hardware fingerprint computed, (5) marketing cookie transmitted. User has not consented to anything.
Phase 1 timeline: hardware fingerprint → IP geolocation GET → GA event POST → Shepherd GET → marketing cookie. All before Phase 2 UI display.
IP geolocation request leaks user IP before any disclosure
avs-pre-002: GET https://ip-info.ff.avast.com/v3/info fires before user sees any UI. Returns country, region, ISP based on IP. Used for A/B testing and content targeting. Leaks user's IP to Avast with zero consent.
GET https://ip-info.ff.avast.com/v3/info — fires in Phase 1. Returns geolocation data used for targeting.
Hardware Fingerprinting
Direct disk I/O for hardware serial numbers
avs-hw-001: Avast reads disk serial numbers via direct \\.\PhysicalDrive I/O (bypassing filesystem APIs) plus SystemUUID from SMBIOS and CPU ID from registry. The AcsSaveHardwareId function persists a composite fingerprint.
AcsSaveHardwareId function. Direct access to \\.\PhysicalDrive0-3, \\.\Scsi%u:, SMBIOS Type 1 SystemUUID, HARDWARE\DESCRIPTION\System\CentralProcessor\0.
Kernel Interception
Kernel-level DNS-over-HTTPS interception (DohMode=3)
avs-kern-001: Once installed, Avast deploys a kernel driver that intercepts encrypted DNS queries. DohMode=3 (most aggressive) targets cloudflare-dns.com and dns.google. If you configure Windows to use encrypted DNS for privacy, Avast decrypts every query at the kernel level.
DohMode=3, DohSystemEnabled=1. Targets: cloudflare-dns.com/dns-query, dns.google/dns-query. Overrides system DoH settings.
Deep packet inspection across 17 protocol handlers
avs-kern-002: The Avast Stream Filter kernel driver (aswSP.sys) monitors all internet traffic through 13 TCP handlers (HTTP, HTTP/2, SSL, WebSocket, RDP, etc.) and 4 UDP handlers (DNS, QUIC, SecureDns, Antiphishing).
TCP handlers: Connect, DataTheft, DnsCache, Http1x, Http2x, InnerDump, OuterDump, Rdp, SecureDns, Spdy, Ssl, SslCertRep, TinyFw, Websocket. UDP: Antiphishing, DnsCache, Quic, SecureDns.
Analytics & Third-Party
Google Analytics GA4 with hardcoded API secret in plaintext
avs-ga-001: Avast integrates Google Analytics 4 with measurement ID G-WZQ6MQ6RF3 and API secret YQldHTFNQhK9FZrFOXa3Lw hardcoded in the binary in plaintext. This sends installation telemetry to Google before user consent.
POST https://www.google-analytics.com/mp/collect?measurement_id=G-WZQ6MQ6RF3&api_secret=YQldHTFNQhK9FZrFOXa3Lw. Universal Analytics: UA-58120669-3.
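A defender's check for the pattern in this finding, added here as an example and not taken from the original analysis or from Avast: it pulls ASCII and UTF-16LE strings out of a binary and reports any GA4 Measurement Protocol URL that embeds an api_secret, redacting the secret in the output. The regular expression, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# GA4 Measurement Protocol URL with credentials in the query string.
# The ID and secret character classes are assumptions of this example.
GA4_URL = re.compile(
    rb"google-analytics\.com/mp/collect\?"
    rb"measurement_id=(G-[A-Z0-9]{4,16})&api_secret=([A-Za-z0-9_-]{16,64})"
)

def extract_strings(blob, min_len=8):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), "ascii", m.group()
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.start(), "utf-16le", m.group()[::2]  # drop the zero bytes

def redact(secret):
    """Keep a 4-character prefix so the finding is traceable, not reusable."""
    text = secret.decode("ascii")
    return text[:4] + "*" * (len(text) - 4)

def find_ga4_secrets(blob):
    """Return one record per embedded collect URL, sorted by file offset."""
    findings = []
    for start, enc, text in extract_strings(blob):
        width = 2 if enc == "utf-16le" else 1
        for m in GA4_URL.finditer(text):
            findings.append({
                "offset": start + m.start() * width,
                "encoding": enc,
                "measurement_id": m.group(1).decode("ascii"),
                "api_secret": redact(m.group(2)),
            })
    return sorted(findings, key=lambda f: f["offset"])

# Constructed sample: a fake header followed by one narrow and one wide URL.
URL_A = b"https://www.google-analytics.com/mp/collect?measurement_id=G-EXAMPLE123&api_secret=CONSTRUCTED_secret_0001"
URL_W = "https://www.google-analytics.com/mp/collect?measurement_id=G-WIDE000001&api_secret=constructed-WIDE-secret"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + URL_A + b"\x00\xff\xfe\x01\x02" + URL_W.encode("utf-16le") + b"\x00\x00"

if __name__ == "__main__":
    for finding in find_ga4_secrets(SAMPLE):
        print(finding)
```

Scanning both encodings matters because Windows binaries often store URLs as wide strings, which an ASCII-only pass misses.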
Tracking & Identifiers
5 pre-embedded tracking identifiers baked into binary
avs-track-001: The binary contains hardcoded tracking IDs: gdid (Global Device ID: 4ac436c9-...), clid (Google Analytics-style: 1183318856.1770780902), seid (Unix timestamp), senu (session counter), and marketing cookie (mmm_ava_tst_999_402_m).
Browser Tracking
Chrome browser tracking keys and extension force-install
avs-browser-001: Avast writes Google RLZ partner attribution keys to Chrome's registry and force-installs the Avast Online Security browser extension via registry manipulation.
Telemetry
200+ In-Product Messaging parameters tracked continuously
avs-ipm-001: Post-install, Avast's config.def reveals 200+ client parameters tracked for ad/upsell targeting: license state, feature usage, browser data, device info, account state, and behavioral patterns.
Network Endpoints
6 separate analytics/tracking endpoints
avs-net-001: Avast uses six separate tracking systems: (1) Google Analytics GA4, (2) Gen Digital Burger Analytics, (3) Avast Event Telemetry, (4) Avast Statistics, (5) IP Geolocation, (6) Shepherd A/B Testing.
Endpoints: google-analytics.com, analytics.avcdn.net/v4/receive/json/70, v7event.stats.avast.com, v7.stats.avast.com, ip-info.ff.avast.com, shepherd.ff.avast.com.
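One way to check the Phase 1 timeline and this endpoint list against a traffic capture, as an added example that is not part of the original analysis: it flags requests to the six hosts that are timestamped before the consent UI appears. The log format, the consent timestamp, the first-/third-party labels and the pairing of system names to hosts in listed order are assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Hosts from the endpoint list; system names are paired with them in listed
# order and the party labels are assigned here (assumptions of this example).
TRACKERS = {
    "google-analytics.com": ("Google Analytics GA4", "third-party"),
    "analytics.avcdn.net": ("Gen Digital Burger Analytics", "first-party"),
    "v7event.stats.avast.com": ("Avast Event Telemetry", "first-party"),
    "v7.stats.avast.com": ("Avast Statistics", "first-party"),
    "ip-info.ff.avast.com": ("IP Geolocation", "first-party"),
    "shepherd.ff.avast.com": ("Shepherd A/B Testing", "first-party"),
}

def classify(host):
    """Match on a DNS label boundary so lookalike hosts do not count."""
    host = host.lower().rstrip(".")
    for suffix, info in TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return info
    return None

def pre_consent_requests(log_lines, consent_shown_at):
    """Return tracker requests timestamped before the consent UI appeared."""
    cutoff = datetime.fromisoformat(consent_shown_at)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip rows that are not "<time> <method> <URL>"
        stamp, method, url = parts
        host = urlsplit(url).hostname
        info = classify(host) if host else None
        if info and datetime.fromisoformat(stamp) < cutoff:
            hits.append((stamp, method, host, *info))
    return hits

# Constructed capture, not real traffic: "<ISO time> <method> <URL>"
SAMPLE_LOG = [
    "2026-01-01T10:00:00.120 GET https://ip-info.ff.avast.com/v3/info",
    "2026-01-01T10:00:00.310 POST https://www.google-analytics.com/mp/collect?measurement_id=G-PLACEHOLDER",
    "2026-01-01T10:00:00.450 GET https://shepherd.ff.avast.com/",
    "2026-01-01T10:00:00.500 GET https://not-google-analytics.com/x",
    "2026-01-01T10:00:02.000 POST https://v7event.stats.avast.com/",
]

if __name__ == "__main__":
    for hit in pre_consent_requests(SAMPLE_LOG, "2026-01-01T10:00:01.000"):
        print(hit)
```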
GDPR / Privacy Regulation
GDPR Art. 6 — 5+ pre-consent requests including third-party data sharing
avs-gdpr-001: At least 5 network requests fire before user consent, including one to Google (GA4) which constitutes international data transfer to a third party. No lawful basis established.
Phase 1: IP geolocation, GA4 event (to Google servers), Shepherd request, marketing cookie, hardware fingerprint. All before Phase 2 UI.
ePrivacy Art. 5 — Kernel DNS interception breaks communication confidentiality
avs-gdpr-002: Intercepting and decrypting DNS-over-HTTPS queries at the kernel level violates the confidentiality of communications that users explicitly encrypted by configuring DoH.
DohMode=3 intercepts cloudflare-dns.com and dns.google DoH queries. DohSystemEnabled=1 overrides user's explicit encrypted DNS configuration.
Regulatory Actions
FTC fined Avast $16.5M for selling browsing data (2024)
avs-ftc-001: The FTC found that Avast collected 8+ petabytes of browsing data from 2014-2020 and sold it to 100+ third parties through its Jumpshot subsidiary. Data revealed religious beliefs, health concerns, political leanings, and financial status at individual session granularity.
FTC v. Avast (2024). Fine: $16.5M. Period: 2014-2020. Jumpshot shut down January 2020. Technical capability for data collection remains in 2026 codebase.
FTC findings still present in 2026 codebase
avs-ftc-002: Key FTC findings from 2014-2020 remain in the 2026 build: browser extensions force-installed, pre-consent telemetry, persistent device tracking, browsing behavior observation (now expanded with kernel DNS/HTTPS interception), and third-party data sharing via Google Analytics.
Comparison table: Browser extension force-install (still present), pre-consent telemetry (still present), persistent device tracking (still present), browsing observation (expanded: kernel DoH+DPI), third-party sharing (GA still active).
Policy Adherence
Binary behavior materially exceeds policy disclosures
avs-policy-001: Kernel-level DNS interception, deep packet inspection across 17 protocols, hardcoded Google Analytics API secret, and pre-consent IP geolocation are not prominently disclosed. The FTC already found Avast misrepresented data practices (2024 enforcement).
DohMode=3 not in installer disclosure. GA4 API secret in plaintext. IP geolocation pre-consent. FTC found prior misrepresentation. Policy adherence: poor.
Methodology
Static analysis via Ghidra decompilation of microstub and asw_sfx PE32 binaries (17,555 functions). RTTI class recovery. String extraction. Cross-reference with CCleaner analysis (same asw:: framework). FTC enforcement data from public filings.