Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: tuttle on July 04, 2008, 06:49:44 AM

Title: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 04, 2008, 06:49:44 AM
Hello all:

Vista Home Premium, Service Pack 1
UAC enabled
Avast Home Edition 4.8.1201.80611

Why is Avast coded to allow a Standard user to right-click the Avast tray icon to open it and to change settings? In Vista, Avast permits a Standard user to Stop On-Access Protection, to Stop Providers, and to make other risky changes. This seems contrary to the protection intended in Vista.

As an Administrator account, I install and configure systems and software for my non-technie friend. We do not want him to have the ability to harm the system. Vista's User Access Control (UAC) helps with that, as I as Administrator can set up things but he as Standard user account cannot modify or disable things that could reduce system security. In this regard, I would expect that Avast should allow Administrators to access its settings (which it correctly does) but that it should not allow a Standard user to disable or modify Avast settings.

Is this by design, or is there a setting I can toggle to prevent a Standard user from changing or disabling Avast settings?

Thanks
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: Vladimyr on July 04, 2008, 09:26:25 AM
A toggled option to limit 'User' control of avast! could be useful, though it sounds to me like your "non-technie friend" is seriously accident prone if he/she can ignore the warnings while "inadvertently" disabling avast! providers. ;D

Have you tried just customising the tray icon to "always hide"?
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: igor on July 04, 2008, 10:31:27 AM
avast! resident protection settings can be protected by a password...
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 04, 2008, 04:07:56 PM
I'll look into that password protection, thanks. It wouldn't be necessary if a new update of Avast were coded to operate with the principles of Vista's User Access Control: Standard users aren't permitted to directly run critical software; they require an Administrator elevation and password.

Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 04, 2008, 05:24:55 PM
Hi:

Newbie here, and I've read help files and browsed the forums, but I'm still confused on some things.

In instructions for installing the latest Avast beta, Vlk wrote:
Quote
go to avast settings, and on the Troubleshooting page, disable the avast self-defense module

Is that the method that will disable all Avast scanning and protection? It's prudent to disable anti-virus prior to installing large software applications, so I want to be sure that I know how to fully disable Avast before installing other software. 

I had been using the tray icon to Stop On-Access Protection, to Stop Providers.
Does  Troubleshooting | select "Disable avast! self-defense module" disable all of the application and scanning from running? Even when I do that, the tray icon still reports that the On-Access Scanner has providers running.

1. Is there a function to immediately disable of the application and scanning, e.g. to prepare for installing software packages.

2. If I hide the Avast tray icon (to prevent Standard users from changing settings), how can I still open the On-Access Scanner panel to check or customize various providers? I can't seem to find access to On-Access Scanner panel from the Simple User Interface.

3. Help file says I can set password to protect resident protection settings (and termination). Is that different from the On-Access Protection and other scanning? I want to be able to configure things as a Vista Administrator, but prevent a Standard user from changing or disabling protection.

Thanks
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: Lisandro on July 04, 2008, 08:16:39 PM
Quote
Is that the method that will disable all Avast scanning and protection?

No, the antivirus will stay on. It's just for the self-defense module.

Quote
It's prudent to disable anti-virus prior to installing large software applications, so I want to be sure that I know how to fully disable Avast before installing other software.

It's not prudent to disable the anti-virus for ANY installation, on the contrary.
You'll temporarily disable this particular module, update the antivirus, turn on again the self-defense module.

Quote
I had been using the tray icon to Stop On-Access Protection, to Stop Providers.
Does Troubleshooting | select "Disable avast! self-defense module" disable all of the application and scanning from running? Even when I do that, the tray icon still reports that the On-Access Scanner has providers running.

No, it disables only the self-defense module.

Quote
1. Is there a function to immediately disable of the application and scanning, e.g. to prepare for installing software packages.

Yes, there is. But you shouldn't do that.

Quote
2. If I hide the Avast tray icon (to prevent Standard users from changing settings), how can I still open the On-Access Scanner panel to check or customize various providers? I can't seem to find access to On-Access Scanner panel from the Simple User Interface.

Run ashdisp.exe from avast folder and the icon will be back (temporarily).

Quote
3. Help file says I can set password to protect resident protection settings (and termination). Is that different from the On-Access Protection and other scanning? I want to be able to configure things as a Vista Administrator, but prevent a Standard user from changing or disabling protection.

The password blocks avast disabling or changing the resident protection status.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 04, 2008, 09:10:14 PM
Thank you for the reply and the information.

Quote
It's not prudent to disable the anti-virus for ANY installation

That is contrary to the advice of many experts, and also contrary to the instructions that appear in the installers for many software packages. They recommend to disable anti-virus prior to installation.

Is there a function to immediately disable of the application and scanning?
Quote
Yes, there is. But you shouldn't do that.

Where is that function? How would I turn off everything temporarily?

Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: DavidR on July 04, 2008, 09:32:52 PM
Well I would take the work of the developers of avast over any unknown expert.

Not to mention why do these programs want you to disable your AV, what is it that they are doing that would incur the wrath of an AV, what are they trying to hide, if they aren't doing anything dodgy why would they need you to disable your AV ?
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: igor on July 04, 2008, 09:35:14 PM
Quote
That is contrary to the advice of many experts, and also contrary to the instructions that appear in the installers for many software packages. They recommend to disable anti-virus prior to installation.

I don't believe any expert would recommend it. And yes, the installers say that - but there is no reason to do that. I'd say 15 years ago somebody put that message into an installer, and since then everybody repeats it.
Installation of a program is exactly the moment when the antivirus should be active - more than the rest of the time, probably. If you'd be an author of a malicious program - wouldn't you put such a message into your installer to make the users switch off their antiviruses?
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: ardvark on July 04, 2008, 11:06:36 PM
Quote
I don't believe any expert would recommend it. And yes, the installers say that - but there is no reason to do that. I'd say 15 years ago somebody put that message into an installer, and since then everybody repeats it.
Installation of a program is exactly the moment when the antivirus should be active - more than the rest of the time, probably. If you'd be an author of a malicious program - wouldn't you put such a message into your installer to make the users switch off their antiviruses?

Hi...

Bingo! And this is one of the reasons why I've never been prone to do that, apart from not wanting to bother with it ;D

Best Regards...
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: Lisandro on July 05, 2008, 12:08:34 AM
Quote
Where is that function? How would I turn off everything temporarily?

Right click the 'a' blue icon and stop the on-access protection.
But you were warned... bad made software, stupid, yes, stupid technicians will say "disable your antivirus"... technicians? Not so sure...
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 05, 2008, 05:20:43 AM
Thank you for all the advice.

Given how important Avast's protection is, it would be good if Avast would become fully compliant with Vista's User Access Control philosophy. Namely, only Administrators should be able to use the tray icon to disable or reconfigure Avast. The fact that currently Avast allows any Standard user account to disable or reconfigure it is a security weakness.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: alanrf on July 05, 2008, 05:35:09 AM
It appears you have discovered that they just followed the policy they've had for years under XP and where those who did not care to allow the non-administrators to make changes could use the password option. 

In my years in the forum I have not seen many other users clamoring for the change you propose - nevertheless I am sure the avast team have noted your view.       
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: olddog on July 05, 2008, 07:32:06 AM
tuttle,

As I understand it, this forum is primarily about Avast free Home Edition. I would equate the degree of control you are advocating to a business or commercial environment, not a home situation. Perhaps it might be an option one would look for in a paid for commercially licenced package, but surely within the home environment, basic education on how to safely use the computer is a better approach.
 
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: Lisandro on July 05, 2008, 02:43:35 PM
Quote
Given how important Avast's protection is, it would be good if Avast would become fully compliant with Vista's User Access Control philosophy. Namely, only Administrators should be able to use the tray icon to disable or reconfigure Avast. The fact that currently Avast allows any Standard user account to disable or reconfigure it is a security weakness.

Fully agree. I would be glad to see that only admin accounts could change avast settings, not the common users. The password blocking could be, easily, by-passed by the way...
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: drahnier on July 05, 2008, 04:06:43 PM
Quote
Given how important Avast's protection is, it would be good if Avast would become fully compliant with Vista's User Access Control philosophy. Namely, only Administrators should be able to use the tray icon to disable or reconfigure Avast. The fact that currently Avast allows any Standard user account to disable or reconfigure it is a security weakness.
Fully agree. I would be glad to see that only admin accounts could change avast settings, not the common users. The password blocking could be, easily, by-passed by the way...

FWIW: Take this reply as another vote for implementing this.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 05, 2008, 05:41:34 PM
Quote
Perhaps it might be an option one would look for in a paid for commercially licenced package, but surely within the home environment, basic education on how to safely use the computer is a better approach.

I, and many others, strongly disagree. A home PC may be used by many non-informed users including children. Microsoft designed Vista to allow Administrators to configure and protect the system, allowing Standard users to perform normal daily tasks but not to disable protection or alter system settings.

Many software developers follow this model, thus requiring Administrator access to reconfigure sensitive applications such as security or antivirus software. Avast should follow that model.

At the same time, Avast should provide access to the On-Access Protection and On-Access Scanners settings from the main program window. If I choose to hide the tray icon, so that Standard users can't change or disable settings, then I no longer have access to On-Access Protection and On-Access Scanners settings. It would be logical to expect access to those functions from the main Avast interface. The full range of functions available from the tray icon should also be available from the main Avast interface.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: Lisandro on July 05, 2008, 07:31:27 PM
Quote
If I choose to hide the tray icon, so that Standard users can't change or disable settings

No, they can... just run ashdisp.exe.
You need to set a password.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 05, 2008, 09:22:17 PM
Quote
You need to set a password.

I think I will do that, but that is awkward to require a separate password for this one application, instead of properly using User Access Control which has already logged me in as Administrator. Besides, you said that the tray icon password can easily be bypassed.

Quote
No, they can... just run ashdisp.exe.

How does that work? I just ran ashdisp.exe (double-clicked ashdisp.exe) but nothing happened - I do not have access to the tray icon menu.

Even if it did work, however, that would not be a good solution. It would not be expected that one would have to run a separate executable just to access some functions of this software. One would expect that those functions would be available from the main Avast interface.

I think that this one aspect of Avast has not been well thought out: in Vista, Avast requires a UAC elevation prompt to access the main program interface ashAvast.exe, and yet it does not contain some important functionality. To access that functionality, one must either open a separate executable ashdisp.exe or allow the tray icon to display in which case it allows any non-Administrator user to access those functions.

Added: I just discovered something else. A Standard user can open not only the tray icon commands, but also can open the main program interface ashAvast.exe without any User Access Control prompt. Avast developers have not properly worked with User Access Control, since the Administrator must at least undergo a UAC elevation prompt yet a Standard user can open both interfaces without any warning or prompt.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: igor on July 05, 2008, 09:58:42 PM
You're mixing too many things together.
ashAvast.exe is not the main program interface (on the contrary, actually), and I don't even know what you mean by main program interface.

Anyway, let's say this is by design (at least for avast! Home/Pro, i.e. desktop versions - the managed clients, used in network environments, work more like you expect). If you (as an administrator) want to prevent users from changing avast! settings or stop the resident protection, you must set the password (which I don't think can be that easily bypassed from a limited user account).
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 05, 2008, 10:12:09 PM
Quote
You're mixing too many things together.
ashAvast.exe is not the main program interface (on the contrary, actually), and I don't even know what you mean by main program interface.

Perhaps I am not using correct terms, as I am new to this software. The Start menu shortcut that Avast's installer created launches ashAvast.exe which displays splash screen "avast! 4.8 home edition", so one would naturally conclude that is the main interface. If it is not, then where is the main interface? Where is the interface that will allow access to all menus and functions?

Quote
let's say this is by design (at least for avast! Home/Pro, i.e. desktop versions - the managed clients, used in network environments, work more like you expect).

If it is by design, it doesn't seem to make much sense. It doesn't make sense to require an elevation prompt before allowing an Administrator to access the program, but not require any prompt for a Standard user. Other security software has implemented this properly, so I think Avast just needs to fix this area.

Thank you for your reply.


Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: Lisandro on July 05, 2008, 10:18:52 PM
Quote
Which I don't think can be that easily bypassed from a limited user account.

Yes, Igor. You're right. I was thinking as being an administrator. Sorry.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: igor on July 06, 2008, 01:00:52 AM
Quote
The Start menu shortcut that Avast's installer created launches ashAvast.exe which displays splash screen "avast! 4.8 home edition", so one would naturally conclude that is the main interface. If it is not, then where is the main interface? Where is the interface that will allow access to all menus and functions?

ashAvast.exe is just the splash screen - after it performs the memory test, it launches the corresponding interface (ashSimpl.exe, ashSimp2.exe, or ashEnhcd.exe in the Professional version).
I'm not saying all the options are there, especially in the Home version - the resident protection options are accessible through the tray icon.


Quote
It doesn't make sense to require an elevation prompt before allowing an Administrator to access the program, but not require any prompt for a Standard user.

Actually, it makes sense to me.
The thing is that the ordinary user is not expected to know the administrator credentials - i.e. there's no reason to request elevation here. Of course, the scanner will scan only the objects the current user has access to.
If the scanner is started under administrator account, however, it can access all files, all processes, etc. - but only if the token is elevated first; therefore the UAC prompt.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: tuttle on July 06, 2008, 01:09:19 AM
Allowing a standard user to disable protection is not good design.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: Sam Hobbs on September 02, 2008, 02:09:52 AM
Quote
tuttle,
As I understand it, this forum is primarily about Avast free Home Edition. I would equate the degree of control you are advocating to a business or commercial environment, not a home situation. Perhaps it might be an option one would look for in a paid for commercially licenced package, but surely within the home environment, basic education on how to safely use the computer is a better approach.

I can understand that many home users do not want to bother with good security, but people are trying to make it clear that it is dangerous for even home users to use administrator privileges by default. It is entirely possible to drive a car without insurance, but when an accident happens, you will then wish you had insurance. It is entirely possible to use a computer without ever making backups, but when an accident happens or a drive goes bad, you could easily learn too late that backups are a necessity. Even home users should make backups, not just commercial users. Limiting use of administrator privileges is something you might discover has value, but when you do, it might be too late.
Title: Re: in Vista, Avast allows non-admin user to disable protection or change settings
Post by: AlexFeren on January 25, 2009, 09:03:51 AM
Firstly, thank you Alwil for producing and allowing free usage of your excellent software.
Secondly, I am disappointed that Standard User is allowed to Pause or Stop Providers... This is against Vista philosophy where non-Administrator Account should never be allowed to modify system behaviour. [Writing logs and database to c:\Program Files\Alwil Software\Avast4\DATA\ is also the wrong place.]
The basic assumption should always be that non-Administrator Users should be protected from themselves. I fully appreciate that allowing system changes (even with passwords) was OK for 95/98/2000/XP, but in Vista and 7 (and hopefully forever more), UAC is the standard.
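
A check an administrator could run for the concern raised in this thread, as an added example that is not part of the original posts or Avast's own tooling: it lists allow-type ACL entries that give broad non-administrator groups write access under the data directory quoted in the last post. The default path comes from that post; the function name Get-NonAdminWriteAce and the SID list are choices made for this example, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit a directory tree for ACL entries that let broad
# non-administrator groups modify its contents. Read-only; changes nothing.
param(
    # Data directory named in the post above; adjust for other installs.
    [string]$Path = 'C:\Program Files\Alwil Software\Avast4\DATA'
)

# Well-known SIDs of groups that include Standard (non-admin) users.
$nonAdminSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Specific rights that allow content or permissions to be changed.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits, which
# can appear unmapped in inherit-only entries.
$genericMask = 0x50000000

# Hypothetical helper: returns one object per risky allow entry on an item.
# Deny entries are not evaluated, so treat the result as a list to review.
function Get-NonAdminWriteAce {
    param([string]$ItemPath)

    $acl   = Get-Acl -LiteralPath $ItemPath
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $nonAdminSids.ContainsKey($sid)) { continue }
        if ($rule.AccessControlType -ne 'Allow')  { continue }

        $rights = [int]$rule.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $ItemPath
                Principal = $nonAdminSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Path not found: $Path"
    return
}

# Check the directory itself and everything beneath it.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = @($items | ForEach-Object { Get-NonAdminWriteAce -ItemPath $_.FullName })

if ($findings.Count -eq 0) {
    Write-Output "No write-capable entries for non-admin groups under $Path"
} else {
    $findings | Format-Table -AutoSize
}
```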