ashDisp process

[sidrom]

Hello, I got one question: why my ashDisp.exe process is running under USER, not under SYSTEM? anyother process can kill this ashDisp.exe and leave my computer without defender!!

[alanrf]

ashdisp is the user interface ... it is not one of the defending processes.

[Lisandro]

Hello, I got one question: why my ashDisp.exe process is running under USER, not under SYSTEM? anyother process can kill this ashDisp.exe and leave my computer without defender!!

No, like Alan said, the ashdisp.exe is only the icon on system tray 
The resident providers are ashServ.exe (main) and the mail (ashMaiSv.exe) and web shields (ashWebSv.exe).

[DavidR]

Hello, I got one question: why my ashDisp.exe process is running under USER, not under SYSTEM? anyother process can kill this ashDisp.exe and leave my computer without defender!!

Since the ashDisp.exe is an interface only there is no security implication of it not running.

What it does do however, if it isn't there is access the on-access provider settings screen where you can customise those settings. So this customisation would effect that user it makes sense that it runs under the User account (just my take on this).

If however, you run ashDisp.exe as System perhaps the customisations would effect every user on the system. Some might say this is a good idea, but perhaps not if you have multiple users with different preferences.

[sidrom]

But after killing this process in Taskmanager avast! was not able to defend my computer!! I have just checked this way:
- open Taskmanager;
- kill ashDisp.exe;
- run RavMon.exe or other trojan for example;
- see nothing, avast! keep silence until ashDisp is running again!!

[DavidR]

I don't know how many other ways to say this the ashDisp.exe provides zero protection it is an interface only.

Check task manager for ashServ.exe the main scanning engine, check for other avast processes they begin with ash or asw.

If this is the case (avast! keep silence until ashDisp is running again!!) there is something wrong with your installation of avast. I just ended the task of ashDisp.exe and tested one of the firewall bypass tols usually detected by avast and guess what it alerted, see image.

[sidrom]

I catch your point, but we’re talking about different things: you are talking about on-demand scanning (you use Quick Scanner, as shown on image in your post, and you are right - it works and detects without ashDisp.exe process), but I am talking about on-access scanning (on executing RavMon.exe for example, as I’ve written above), it still doesn't work. I'm sure, my installation is correct. This problem appears on other computers in local network. Try to run your D:\Data\zabypass.exe with ashDisp.exe process and repeat this after killing ashDisp.exe process, and I hope you won’t see any message from avast!.

[DavidR]

Tried that, first avast didn't alarm when I copied it out of my exclusions folder into the data folder, and no alarm when trying to execute and no running of zabypass.exe either. So it would appear that avast intercepts the execution to scan it but no result/alarm is shown, explorer then displays an error, presumably because the the standard shield intercepts the call to scan it.

So it is a little different for me, but there does seem to be something going on with the avast alerts/notifications when ashDisp.exe is disabled/terminated. At least it isn't being executed, very strange.

I also tested the Web Shield provider using the eicar site and web shield obviously intercepts the download, it doesn't alarm but doesn't allow the download either and firefox displays a warning that 'The connection has been reset' or similar, the same message you get if you get an alert from the web shield and choose abort connection, so the background protection seems intact but no alert.

[Lisandro]

At least it isn't being executed, very strange.

At least... the protection is there...
But, ok, it's strange that alerts should depend just on ashdisp.exe being running 

[sidrom]

Yes, the protection is there, but it is useful to know everything about protection/alerts. IMHO

[alanrf]

I think we all agree with YHO and I hope we will hear from the avast team about what may be upcoming to overcome that issue, but it's a long way away from the concern of your original post.

[Vlk]

What's issue, exactly?

When ashDisp.exe is killed, no dialog is displayed and avast on-access scanner behaves like if the user pressed the OK (or, in case of Web Shield, Abort Connection) button.

In no case the virus gets activated.

[igor]

And, to answer the original question, ashDisp.exe is running under the user account simply because it's the component that interracts with the user (displays warnings, popups, requests input, etc. - all on the particular user's desktop)

[DavidR]

It just seems strange that if the ashDisp.exe is disabled that the alert messages aren't displayed and you can't choose any action. So you are blissfully unaware you have a problem that might be virus related (or ashDisp.exe was killed if you didn't notice it missing from the systray) as you only see system or browser related errors.

I've just done another test with ashDisp.exe killed, using ashSimpl.exe to start the S.U.I., I select folder selection, I select my exclusions folder, standard scan no archives (having removed the program settings, exclusion) and run an on-demand scan, and the alert displays. Now why should it display for an on-demand scan and not for a resident scan when ashDisp.exe is killed. If it can display for one, why not for the other ?

I appreciate what Igor said about user displays, input, etc. But, ashSimpl.exe is also running under me as the user, so in theory it shouldn't display an alert either if all desktop alerts require ashDisp.exe to be running ?

I assume the anti-kill/self-protection feature proposed for version 5 will make this issue a thing of the past ?

[igor]

OK, correction: ashDisp.exe is the component responsible for user interraction with the resident protection part (which runs as system service). Simple/Enhanced UI runs under the current user's account completely, so there's no need for such splitting (though it might actually change soon, but that's another story).