How does avast! add a signature into my webmail?

I have the free version of avast! installed on my computer.
When I just sent an email on https://mail.google.com with Firefox a signature was added, saying that the sent mail is

Virus-free. www.avast.com


I am not asking about how to turn it off, I have already done that.

But I am curious how they managed to add it technically.

Edit (based on comments):
I checked the Firefox Add-ons Manager, but I cannot find any Extension or Plugin from avast!.

This seems to imply that a program installed on my computer can modify the content of a website I am viewing.


That's because your antivirus software is attacking you via a man-in-the-middle attack. Or at least that's the possibility I'll talk about below.

People have downvoted this answer and demanded evidence for my claims. Fortunately, someone already added links in the comments. Kaspersky, Bitdefender (see next mention of the word "Bitdefender"), and avast! do this for sure. I don't know about the others. You can also watch this video about it. (Unfortunately, the video is in German but you'll still be able to see what's happening even if you don't speak German. Start watching at 1:40 in this case.)

Go to an https page (like the Gmail website) and click on the small lock to the left of the address bar of your browser.

Then you have to figure out how to get information about the connection. In Firefox, you have to click on the arrow button on the right. You already see what you need to see, but click on "More Information" anyway. A window like this will be shown:

As you can see, I visited Wikipedia to create this screenshot and the identity of the website is verified by GlobalSign nv-sa. In your case, you will see the name of your antivirus software or something related to that.

What's happening here is that the antivirus software is directing your browser's traffic through software it provides. So it intercepts your browser's traffic as a man in the middle.

I'm calling this a man-in-the-middle attack not only because it follows the same principle as a malicious man-in-the-middle attack but also because it can severely increase the vulnerability of your system if malicious software (the authors of which can't sign certificates themselves and therefore not intercept your https traffic without you noticing) uses your antivirus software to read the traffic. Furthermore, Bitdefender severely decreases the security of the connection as you can see in this video at 4:38 or by trying it yourself. The user – of course – isn't told this and therefore is attacked by the software they use to defend themselves. Even if it didn't harm the user, it'd still be a man-in-the-middle attack according to definitions you can find online (including the one on Wikipedia).

This is easy enough to do with http. But if you're using https, you'd think that the antivirus software can't read anything. But it can because you're not connecting securely to the webserver but to your antivirus software. It then reads the traffic, manipulates it if it wishes to do so, and encrypts it again. (So there is a secure connection between your antivirus software and GMail.)

Your antivirus software can then just do with your emails (or any other traffic!) whatever it wants.
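
The issuer check described in the answer above can also be scripted. This is an added example, not part of the original answer: the function names, the substring matching on vendor names and the sample certificate dictionaries are assumptions constructed for illustration. If Python does not trust the interceptor's root certificate, the handshake fails with a verification error instead, which the script reports.

```python
import socket
import ssl
import sys

# Vendor names taken from the answer above; substring matching is an assumption.
INTERCEPTOR_HINTS = ("avast", "kaspersky", "bitdefender")


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl getpeercert() dict into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify_issuer(cert, expected_orgs):
    """Return (verdict, issuer organisation) for a getpeercert() dict."""
    fields = issuer_fields(cert)
    org = fields.get("organizationName", "")
    if any(h in v.lower() for v in fields.values() for h in INTERCEPTOR_HINTS):
        return "intercepted", org
    if org.lower() in {name.lower() for name in expected_orgs}:
        return "expected", org
    return "unknown", org


def fetch_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return the peer certificate dict."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns (not real certificates).
SAMPLE_DIRECT = {"issuer": ((("countryName", "BE"),),
                            (("organizationName", "GlobalSign nv-sa"),),
                            (("commonName", "Constructed Example CA"),))}
SAMPLE_PROXIED = {"issuer": ((("organizationName", "Constructed AV Vendor"),),
                             (("commonName", "Constructed avast! local root"),))}

if __name__ == "__main__":
    # Usage: python check_issuer.py HOST [EXPECTED_ORG ...]
    host, expected = sys.argv[1], sys.argv[2:]
    try:
        print(host, *classify_issuer(fetch_cert(host), expected))
    except ssl.SSLCertVerificationError as err:
        # Python's trust store rejects the issuer; that also deserves a look.
        print(host, "untrusted", err.verify_message)
```

An "unknown" verdict only means the issuer is neither on the expected list nor matches a vendor hint; comparing the result from a second machine or network shows whether the issuer changes locally.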