The inject is happening before/without consulting that option
Thanks for taking the time to reply back again! Please let me explain though why it still upsets me a lot:
1) Injecting at all when the WebShield is
not even installed is, pardon my French, just lazy.
2) Installing modules like Webshield or removing them requires a restart.
3) When a module is missing, inject should
never happen (check settings/what is installed).
So explaining from a point of view where WebShield is installed doesn't do any justice.
The explanation is like: "Yes I opened your letters, but I didn't read them."
I don't like it, it destroys trust, no matter how hard someone promises not to read.
Being unable to tell what listens on that output, it completely destroys the idea of ephemeral ECDH and forward secrecy.
Yes I understand that you promise it is not reading any data when WebShield is off, but adding 10 lines of code to the injector binary is this hard that you rather have the program behave suspiciously?
People's trust in AV vendors is at a new low, especially after the green "K" from Russia was caught recently injecting JS in every website with a trackable user ID.
I know Avast is not like that, so please don't take programming shortcuts in your code. I know for granted that your developers can implement a function to the injector binary that checks if WebShield is installed.
What is less than 1 hour of work worth, compared to having users not trust your software?
Please fix it soon! Yes I am serious, it creates exposure, especially when it's not used and needlessly runs. "Trust me, user." Is the worst PR approach.