Author Topic: [SOLVED] Require password to disable shields from systray icon?  (Read 1782 times)

0 Members and 1 Guest are viewing this topic.

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Windows 10 v1909 / Avast Free 20.1.2397

I have password protection set (and working) to open the UI and make changes to settings. But I -- anyone -- can disable shields from the systray icon WITHOUT entering any creds -- which is the equivalent to bypassing password protection completely. Shouldn't there be a way to prevent ANY access to Avast functionality without the password? This seems a huge oversight, would love to hear it's mine, and I just missed the setting, but -- ??
« Last Edit: April 03, 2020, 07:29:35 PM by JLJ-o-matic »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85967
  • No support PMs thanks
Re: Require password to disable shields from systray icon?
« Reply #1 on: March 25, 2020, 09:11:18 PM »
You actually set password protection for Avast, so I'm not sure if what you are seeing is an 'enhancement' to the default avast self-defence module settings.

The avast self-defence module shouldn't be preventing temporarily disabling shields from the UI/Tray icon by default.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Re: Require password to disable shields from systray icon?
« Reply #2 on: March 25, 2020, 11:22:17 PM »
If anyone who can access my computer -- by direct physical contact or remotely -- can disable a security application without knowing the password, that security application's self-defense is lessened by definition, IMHO. Contrast with it my firewall (Comodo) which cannot be disabled without the password. Contrast it with basic Windows functions monitored by UAC: the idea is you need the password.

You can make the argument that having access to my computer is the ultimate source of this vulnerability, but I would disagree: if you're going to offer password protection you should [at least have the option to] protect the entirety of the application's functionality (again, Windows UAC). At best the current state is halfway to that goal, and it seems a clear point of unauthorized access which is easily changed (again, Comodo).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85967
  • No support PMs thanks
Re: Require password to disable shields from systray icon?
« Reply #3 on: March 26, 2020, 12:28:36 AM »
The difference being you and others in your home have physical access to your system and the Avast settings, etc.  This is somewhat different from external attacks on your system and or avast and that is different.

If you install Avast on a multi user system you really need to ensure that those people have limited user accounts.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Re: Require password to disable shields from systray icon?
« Reply #4 on: March 26, 2020, 01:17:55 AM »
I run as a limited user unless I need to switch and I can disable all shields with zero credential input. I've also shut off other people's Avast shields thru TeamViewer (which requires consent, I admit) to make sure it wasn't just me. Look, you don't agree it's an issue, I get that. I still say it is, or should be.
« Last Edit: March 26, 2020, 01:22:16 AM by JLJ-o-matic »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85967
  • No support PMs thanks
Re: Require password to disable shields from systray icon?
« Reply #5 on: March 26, 2020, 02:12:47 AM »
I don't know if what you are experiencing is down to your running Avast as a limited user or not.

How would these other users access your avast installation to modify your settings ?
If they are using your computer they really should have their own windows limited user accounts (set up bu you the owner/administrator), so the only settings they could access would be theirs but not yours which should be on a different windows user account.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Re: Require password to disable shields from systray icon?
« Reply #6 on: March 26, 2020, 05:11:59 AM »
All of this is besides the point, which is (A) password-protecting an application is of limited utility if the password is not required to effectively shut the application off; (B) there is no technical reason why password protection cannot extend to any application access. For a security application to do this in half-measures strikes me as odd and not well thought out. Consider it a feature request.
« Last Edit: March 26, 2020, 06:21:36 PM by JLJ-o-matic »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72963
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Require password to disable shields from systray icon?
« Reply #7 on: March 26, 2020, 08:22:22 AM »
Known issue. You could try the latest beta: https://forum.avast.com/index.php?board=15
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.683] - EEK - Firefox ESR 91.4 [NS/uBO/PB] - TB 91.4
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Re: Require password to disable shields from systray icon?
« Reply #8 on: March 26, 2020, 06:24:16 PM »
Thanks. Don't see this mentioned specifically in the recent beta changelogs, but I'm happy to wait if it's in the pipeline.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72963
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Require password to disable shields from systray icon?
« Reply #9 on: March 27, 2020, 06:44:05 AM »
You're welcome.
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.683] - EEK - Firefox ESR 91.4 [NS/uBO/PB] - TB 91.4
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Re: Require password to disable shields from systray icon?
« Reply #10 on: April 01, 2020, 10:29:51 PM »
Upgraded in place to 20.2.2401 ~ no problems ~ but there is still no requirement to enter my password to disable shields. I find it strange that I need to enter it to read the About screen, but not to turn the application off. Guess it's just me. Hope it's addressed eventually.

Offline petr blatny

  • Avast team
  • Jr. Member
  • *
  • Posts: 77
Re: Require password to disable shields from systray icon?
« Reply #11 on: April 02, 2020, 09:30:01 AM »
Hello, it should be fixed in 20.2. Can you please let me know, if you have protected whole UI or only setting? +when you open the UI and enter the password and keep it opened, the password should not be wanted till Avast UI is opened, Is not it this case?

Upgraded in place to 20.2.2401 ~ no problems ~ but there is still no requirement to enter my password to disable shields. I find it strange that I need to enter it to read the About screen, but not to turn the application off. Guess it's just me. Hope it's addressed eventually.

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Re: Require password to disable shields from systray icon?
« Reply #12 on: April 02, 2020, 07:04:43 PM »
Hello, it should be fixed in 20.2. Can you please let me know, if you have protected whole UI or only setting? +when you open the UI and enter the password and keep it opened, the password should not be wanted till Avast UI is opened, Is not it this case?

Password required "to open Avast and access settings" -- top selection item. Each time the main UI window is closed the password is required to reopen. Avast requires the password to read the About page and make any permanent settings changes from within the main UI; it does not require it to select any "disable shields" choices, including "permanently". Right-clicking the systray icon and selecting any "disable" choice only brings up an OK / CANCEL dialog, and selecting "OK" performs the action without requiring the password.

If that does not answer your particular question please let me know. THX


Offline petr blatny

  • Avast team
  • Jr. Member
  • *
  • Posts: 77
Re: Require password to disable shields from systray icon?
« Reply #13 on: April 03, 2020, 08:51:37 AM »
Thank you very much for the answer. May I ask what UI version do you have? Is it 502? It can be found in about window. Plus one more question, if you have UI v 502, can you please remove the password and set it again and try it? I'm not able to induce it. I think your description is clear and simple. But in my case password is needed when I want to disable shield via tray icon.

Thank you again

Hello, it should be fixed in 20.2. Can you please let me know, if you have protected whole UI or only setting? +when you open the UI and enter the password and keep it opened, the password should not be wanted till Avast UI is opened, Is not it this case?

Password required "to open Avast and access settings" -- top selection item. Each time the main UI window is closed the password is required to reopen. Avast requires the password to read the About page and make any permanent settings changes from within the main UI; it does not require it to select any "disable shields" choices, including "permanently". Right-clicking the systray icon and selecting any "disable" choice only brings up an OK / CANCEL dialog, and selecting "OK" performs the action without requiring the password.

If that does not answer your particular question please let me know. THX

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 41
Re: Require password to disable shields from systray icon?
« Reply #14 on: April 03, 2020, 07:29:13 PM »
Thank you very much for the answer. May I ask what UI version do you have? Is it 502? It can be found in about window. Plus one more question, if you have UI v 502, can you please remove the password and set it again and try it? I'm not able to induce it. I think your description is clear and simple. But in my case password is needed when I want to disable shield via tray icon.

Yes, UI version 502. On your advice I disabled the password and, for good measure, rebooted. Glad to report that on re-enabling password it is now enforced correctly on all access, including disabling shields from the systray icon. Thanks for your help. Will mark SOLVED:D