Avast Free Mac Security - How it works

Welcome to Avast! The following provides a quick overview of how Avast protects your computer from threats.

File shields and real-time scans

The antivirus engine that protects your system uses a continuously updated threat database to identify known viruses. Specialized algorithms also identify suspicious behavior of files when Avast scans your computer. All threatening files are moved to the Virus Chest.

How Web and Mail shields work

The Avast shields use a network proxy which scans all the network traffic on your system. IPv6 network connections are immediately closed. Most clients do not attempt to connect using IPv4 so threatening destination servers become inaccessible. To test how the shields work, we offer a harmless virus sample file. The EICAR file can be detected by Avast and most antivirus programs. You may need to temporarily disable the File shield to access the test file when testing Web and Mail shield.

See Shields for more information.

Testing the Web Shield

Use the http://www.avast.com/eng/test-url-blocker.html to test the URL blocking capabilities of Web Shield or download the EICAR file and watch Avast detect and block all the EICAR samples. When you have https scanning enabled, all samples on https should also be detected.

Testing the Mail Shield

You can test the mail shield by doing the following:

  • Mail Client: Send the EICAR file to yourself and view the message in a mail client. The mail shield only scans received mail so it does not block the test file when sent.
  • Mail Server: Compress the EICAR file with and old file compression tool such as DIET and send the message through an email server with antivirus installed.
    Avast detects the file as a threat, but most mail servers do not.

    Learn about how Avast Scans and reports Scan Results for more help.


The Mail shield and the Web shield allow exclusions. Connections to hosts on the exclusion list pass without being scanned.

Troubleshooting tip:

Exclusions are IP-based and the proxy server converts host names into IP addresses. Servers with DNS load balancing that directs every connection to a different IP address usually do not match the exclusion list IP address. You can add the excluded host to the /etc/hosts path with a specific IP address so that all traffic to that host goes to the specified IP address and the exclusion works.

SSL/TLS scanning

The proxy is capable of scanning secured connections when enabled. Avast generates a "trusted", and "untrusted" SSL CA certificates during installation. The trusted certificate goes into the System Roots keychain. On a secured connection, the proxy initiates the SSL handshake with the destination server, checks the SSL certificate, and sends a new CA certificate signed with the Avast "trusted" or "untrusted" label to the client.

The recreated certificate signing is done according to the following rules:

  • Re-signs verified certificates with a "trusted" CA certificate
  • Re-signs certificates that cannot be found or are self-signed with an "untrusted" CA certificate
  • Certificates that are expired, revoked, or invalid are not re-signed and the connection is dropped

Applications with hard-coded certificate storage like Dropbox do not work when SSL scanning is enabled unless the hosts they contact, such as client.dropbox.com are in the Avast preferences exclusion list.

See our Troubleshooting tips for more help.