Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: sidrom on November 20, 2006, 05:46:00 AM

Title: ashDisp process
Post by: sidrom on November 20, 2006, 05:46:00 AM
Hello, I got one question: why is my ashDisp.exe process running under USER, not under SYSTEM? Any other process can kill this ashDisp.exe and leave my computer without a defender!!
Title: Re: ashDisp process
Post by: alanrf on November 20, 2006, 05:59:03 AM
ashdisp is the user interface ... it is not one of the defending processes.
Title: Re: ashDisp process
Post by: Lisandro on November 20, 2006, 12:31:59 PM
Hello, I got one question: why is my ashDisp.exe process running under USER, not under SYSTEM? Any other process can kill this ashDisp.exe and leave my computer without a defender!!
No, like Alan said, the ashdisp.exe is only the icon on system tray  8)
The resident providers are ashServ.exe (main) and the mail (ashMaiSv.exe) and web shields (ashWebSv.exe).
Title: Re: ashDisp process
Post by: DavidR on November 20, 2006, 02:29:47 PM
Hello, I got one question: why is my ashDisp.exe process running under USER, not under SYSTEM? Any other process can kill this ashDisp.exe and leave my computer without a defender!!

Since the ashDisp.exe is an interface only there is no security implication of it not running.

What it does do however, if it isn't there is access the on-access provider settings screen where you can customise those settings. So this customisation would affect that user, it makes sense that it runs under the User account (just my take on this).

If however, you run ashDisp.exe as System perhaps the customisations would affect every user on the system. Some might say this is a good idea, but perhaps not if you have multiple users with different preferences.
Title: Re: ashDisp process
Post by: sidrom on November 21, 2006, 04:14:52 PM
But after killing this process in Taskmanager avast! was not able to defend my computer!! I have just checked this way:
- open Taskmanager;
- kill ashDisp.exe;
- run RavMon.exe or other trojan for example;
- see nothing, avast! keep silence until ashDisp is running again!!
Title: Re: ashDisp process
Post by: DavidR on November 21, 2006, 04:42:44 PM
I don't know how many other ways to say this: the ashDisp.exe provides zero protection, it is an interface only.

Check task manager for ashServ.exe, the main scanning engine, and check for other avast processes; they begin with ash or asw.

If this is the case (avast! keep silence until ashDisp is running again!!) there is something wrong with your installation of avast. I just ended the task of ashDisp.exe and tested one of the firewall bypass tools usually detected by avast and guess what, it alerted, see image.
Title: Re: ashDisp process
Post by: sidrom on November 21, 2006, 06:32:36 PM
I catch your point, but we’re talking about different things: you are talking about on-demand scanning (you use Quick Scanner, as shown on image in your post, and you are right - it works and detects without ashDisp.exe process), but I am talking about on-access scanning (on executing RavMon.exe for example, as I’ve written above), it still doesn't work. I'm sure, my installation is correct. This problem appears on other computers in local network. Try to run your D:\Data\zabypass.exe with ashDisp.exe process and repeat this after killing ashDisp.exe process, and I hope you won’t see any message from avast!.
Title: Re: ashDisp process
Post by: DavidR on November 21, 2006, 07:34:50 PM
Tried that, first avast didn't alarm when I copied it out of my exclusions folder into the data folder, and no alarm when trying to execute and no running of zabypass.exe either. So it would appear that avast intercepts the execution to scan it but no result/alarm is shown, explorer then displays an error, presumably because the standard shield intercepts the call to scan it.

So it is a little different for me, but there does seem to be something going on with the avast alerts/notifications when ashDisp.exe is disabled/terminated. At least it isn't being executed, very strange.

I also tested the Web Shield provider using the eicar site and web shield obviously intercepts the download, it doesn't alarm but doesn't allow the download either and firefox displays a warning that 'The connection has been reset' or similar, the same message you get if you get an alert from the web shield and choose abort connection, so the background protection seems intact but no alert.
Title: Re: ashDisp process
Post by: Lisandro on November 22, 2006, 03:03:42 AM
At least it isn't being executed, very strange.
At least... the protection is there...
But, ok, it's strange that alerts should depend just on ashdisp.exe being running  :(
Title: Re: ashDisp process
Post by: sidrom on November 22, 2006, 06:18:41 AM
Yes, the protection is there, but it is useful to know everything about protection/alerts. IMHO
Title: Re: ashDisp process
Post by: alanrf on November 22, 2006, 06:34:44 AM
I think we all agree with YHO and I hope we will hear from the avast team about what may be upcoming to overcome that issue, but it's a long way away from the concern of your original post.
Title: Re: ashDisp process
Post by: Vlk on November 22, 2006, 01:55:54 PM
What's the issue, exactly?

When ashDisp.exe is killed, no dialog is displayed and avast on-access scanner behaves as if the user pressed the OK (or, in case of Web Shield, Abort Connection) button.

In no case does the virus get activated.
Title: Re: ashDisp process
Post by: igor on November 22, 2006, 02:27:19 PM
And, to answer the original question, ashDisp.exe is running under the user account simply because it's the component that interacts with the user (displays warnings, popups, requests input, etc. - all on the particular user's desktop)
Title: Re: ashDisp process
Post by: DavidR on November 22, 2006, 02:40:30 PM
It just seems strange that if the ashDisp.exe is disabled that the alert messages aren't displayed and you can't choose any action. So you are blissfully unaware you have a problem that might be virus related (or ashDisp.exe was killed if you didn't notice it missing from the systray) as you only see system or browser related errors.

I've just done another test with ashDisp.exe killed, using ashSimpl.exe to start the S.U.I., I select folder selection, I select my exclusions folder, standard scan no archives (having removed the program settings, exclusion) and run an on-demand scan, and the alert displays. Now why should it display for an on-demand scan and not for a resident scan when ashDisp.exe is killed. If it can display for one, why not for the other ?

I appreciate what Igor said about user displays, input, etc. But, ashSimpl.exe is also running under me as the user, so in theory it shouldn't display an alert either if all desktop alerts require ashDisp.exe to be running ?

I assume the anti-kill/self-protection feature proposed for version 5 will make this issue a thing of the past ?
Title: Re: ashDisp process
Post by: igor on November 22, 2006, 02:56:45 PM
OK, correction: ashDisp.exe is the component responsible for user interaction with the resident protection part (which runs as system service). Simple/Enhanced UI runs under the current user's account completely, so there's no need for such splitting (though it might actually change soon, but that's another story).
Title: Re: ashDisp process
Post by: DavidR on November 22, 2006, 03:07:44 PM
OK ;D

Any chance of an insight into this story and how long soon is ?
Title: Re: ashDisp process
Post by: Vlk on November 22, 2006, 03:53:48 PM
Igor is talking about some architectural changes that will most likely take place in the avast 5 release.

On the other hand, I somehow agree that the service could actually detect if ashDisp.exe has been killed and respawn it when needed... That would be quite easy to implement, actually.

BTW a similar thing is that when the SERVICE (ashServ.exe) part is not running, and you double-click the avast tray icon (which has the red cross on it), you get the dreaded "AAVM RPC" error message. The tray icon component doesn't even bother to have a look if the service is running, and if not, try to start it... This is another thing that will be addressed in v5.


Cheers
Vlk
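
The split described in this thread (a resident service that enforces the verdict, a per-user helper that only shows alerts) and the respawn idea from the post above, as an added conceptual model. It is not part of the thread and not Avast code; every class and function name is hypothetical and the byte marker is constructed.

```python
# Conceptual model only, not Avast code; all names here are hypothetical.
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class UiHelper:
    """Stands in for the per-user alert process (ashDisp.exe in the thread)."""
    alive: bool = True
    shown: List[str] = field(default_factory=list)

    def notify(self, message: str) -> bool:
        if not self.alive:
            return False  # helper was killed: nothing reaches the desktop
        self.shown.append(message)
        return True


@dataclass
class ScanService:
    """Stands in for the resident service that reaches and enforces the verdict."""
    signatures: frozenset  # constructed byte markers, not real signatures
    spawn_ui: Callable[[], UiHelper]
    ui: Optional[UiHelper] = None
    audit_log: List[str] = field(default_factory=list)
    respawns: int = 0

    def on_access(self, path: str, content: bytes) -> str:
        if not any(sig in content for sig in self.signatures):
            return "allow"
        # Enforce first: the block never waits on, or depends on, the UI.
        self.audit_log.append(f"blocked {path}")
        if not self._alert(f"Threat blocked: {path}"):
            self.audit_log.append(f"alert for {path} not delivered")
        return "block"

    def _alert(self, message: str) -> bool:
        if self.ui is not None and self.ui.notify(message):
            return True
        # Respawn idea from the thread: restart the helper and retry once.
        self.ui = self.spawn_ui()
        self.respawns += 1
        return self.ui.notify(message)


if __name__ == "__main__":
    svc = ScanService(frozenset({b"CONSTRUCTED-MARKER"}), UiHelper, UiHelper())
    svc.ui.alive = False  # simulate the helper being killed
    print(svc.on_access("sample.bin", b"..CONSTRUCTED-MARKER.."), svc.audit_log)
```

The audit log entry for an undelivered alert covers the case raised earlier in the thread, where the block happens but the user sees only a system or browser error.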
Title: Re: ashDisp process
Post by: DavidR on November 22, 2006, 04:30:55 PM
Thanks for the update Vlk.
Title: Re: ashDisp process
Post by: sidrom on November 22, 2006, 06:50:40 PM
I assume the anti-kill/self-protection feature proposed for version 5 will make this issue a thing of the past ?
cool idea!)) I will be waiting for the version 5)
Title: Re: ashDisp process
Post by: Lisandro on November 23, 2006, 12:47:24 AM
That would be quite easy to implement, actually.
Why do you wait for avast 5 release then?

The tray icon component doesn't even bother to have a look if the service is running, and if not, try to start it... This is another thing that will be addressed in v5.
The same... why don't you just add this now in avast 4.8, for instance?  :'( ::)
Title: Re: ashDisp process
Post by: DavidR on November 23, 2006, 01:43:41 AM
They would get my vote for inclusion at an earlier point like 4.8 as mentioned, if they are relatively easy to include.

This could avoid the problem of some start-up monitors killing the start-up entry for ashDisp and anything that avoids the dreaded AAVM RPC error would no doubt reduce the activity on the forums.
Title: Re: ashDisp process
Post by: alanrf on November 23, 2006, 02:25:51 AM
Given the minor havoc we saw at the last avast program update due to antispyware programs removing the avast startup entry for ashdisp I would second the request from David for earlier action.

There are more and more recommendations in this forum for folks to use antispyware solutions along with avast.  Many of these users are likely to install such programs as resident completely unaware that it may well come with startup program monitoring that can be detrimental to avast.
Title: Re: ashDisp process
Post by: sidrom on November 26, 2006, 06:14:03 AM
Thanks for your answers!!) I hope Avast! will remove this problem in future)