Avast self defense setting access flags where it shouldn't.

[michkov]

I'm on Windows 10. I have Avast installed to C:\Programs\Avast. Which is the folder where all my other programs are installed as well. Naturally, the other programs need read and write access to their own folders within C:\Progams. The following issue has occurred to me within a span of about 2 months, maybe less. Something restricted the access flags in C:\Programs to read only. I discovered this at first when Notepad++ crashed and the restored session was from 2 weeks earlier. N++ runs from C:\Programs\N++ on my machine, and writes the session backup files in a subdirectory under that path. At the time I found that I needed special privileges to delete files and folders from C:\Programs and that running N++ with admin privileges resolved the problem. That is not really a way I want to run it. Trying to give my user permission to write in C:\Programs ran into Avast throwing an error, as did giving write permissions to only the other folders in C:\Programs didn't work. So I tried to disable Avasts self defense, and the change of permission went through without a hitch, N++ would save backups again. I even enabled the self defense and all seemed to work as it should. That was until the middle of this week. By chance, I discovered the same symptoms today again. And it appears that the same thing happened again. I could "fix" it in the same manner as last time, but it leaves me in a position where I have to be paranoid of Avast setting flags where it shouldn't and causing loss of data and work as a result. I'm fine with Avast restricting access to C:\Programs\Avast, but I need it to stay out of C:\Programs way as several programs there need to write to subfolders therein. The second point is that I don't know when this happens. I'm assuming it is a silent update that is causing the issue, but that is a guess. I know from the first time this happened that a restart won't fix the issue, and that the manual fix sticks through a restart as well.

So what do I do? Am I turning off self defense? Do I uninstall Avast and install it to C:\. Neither are options I like very much.

PS: This seems to be a similar issue

[Spec8472]

Hello Michkov,

the Avast is not setting read-only flag on your "C:\Programs" folder. Although some operations are restricted (applies only to "C:\Programs" folder itself, not to "C:\Programs\*"):

• setting attribute other then FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_ARCHIVE
• setting case-sensitivity info
• modifying security descriptor

Operations above are blocked by self-defense, because they can cause inaccessibility of the Avast AV subfolder. The "C:\Programs\N++" file-system operations are ignored by Avast self-defense.

Also, grating unprivileged user write access to a folder where your program files resides is not good idea from security point of view.

The folder read-only flag seems to be used by OS itself to mark special folders, see https://support.microsoft.com/en-us/topic/you-cannot-view-or-change-the-read-only-or-the-system-attributes-of-folders-in-windows-server-2003-in-windows-xp-in-windows-vista-or-in-windows-7-55bd5ec5-d19e-6173-0df1-8f5b49247165

Can you please send support package, so i can elaborate further? It can be done by using "SEND LOGS" button in Avast Troubleshooting settings.

[michkov]

To clarify C:\Progams seem to stem from the ALL APPLICATION PACKAGES and ALL RESTRICTED APP PACKAGES groups. Not sure how it even got those groups since it is a user created folder. Those two show up as read only access when the issue occurs. What makes me suspect Avast is that I got a virtually identical setup with C:\Games which contains my game executables, rather than just general purpose programs. Both folders were created by me over 5 years ago. I never had this issue and Games doesn't even show the two groups mentioned above. The only difference is that Programs contains Avast, hence me suspecting the AV being a bit overeager.

If it isn't the AV, what am I looking for to tell me what is making these changes?

Support ID :Q52EJ

[Spec8472]

Hello Michkov, now I understand your issue. I was confused with your previous (read-only C:\Programs folder) statement and I thought something is setting read-only flag on that folder. What you meant is that something is changing your "C:\Programs" security descriptor so only privileged users have write access and you need to be admin to delete files from it.
This is really work of our installer, which tries to secure your "C:\Programs" folder, because it is dangerous to allow unprivileged users to modify program files which can be executed also by admin/system. This subverts Windows Security model and allows attacker to gain admin/system rights very quickly.
If you insist on this user writable "C:\Programs" folder I'd recommend to reinstall Avast AV into default program location "C:\Program Files", so our installer wouldn't bother you again.