Author Topic: in Vista, Avast allows non-admin user to disable protection or change settings  (Read 18241 times)

tuttle

  • Guest
Hello all:

Vista Home Premium, Service Pack 1
UAC enabled
Avast Home Edition 4.8.1201.80611

Why is Avast coded to allow a Standard user to right-click the Avast tray icon to open it and to change settings? In Vista, Avast permits a Standard user to Stop On-Access Protection, to Stop Providers, and to make other risky changes. This seems contrary to the protection intended in Vista.

As an Administrator account, I install and configure systems and software for my non-techie friend. We do not want him to have the ability to harm the system. Vista's User Access Control (UAC) helps with that, as I as Administrator can set up things but he as Standard user account cannot modify or disable things that could reduce system security. In this regard, I would expect that Avast should allow Administrators to access its settings (which it correctly does) but that it should not allow a Standard user to disable or modify Avast settings.

Is this by design, or is there a setting I can toggle to prevent a Standard user from changing or disabling Avast settings?

Thanks

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
A toggled option to limit 'User' control of avast! could be useful, though it sounds to me like your "non-techie friend" is seriously accident prone if he/she can ignore the warnings while "inadvertently" disabling avast! providers. ;D

Have you tried just customising the tray icon to "always hide"?
« Last Edit: July 04, 2008, 09:28:33 AM by Vladimyr »
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11848
    • AVAST Software
avast! resident protection settings can be protected by a password...

tuttle

  • Guest
I'll look into that password protection, thanks. It wouldn't be necessary if a new update of Avast were coded to operate with the principles of Vista's User Access Control: Standard users aren't permitted to directly run critical software; they require an Administrator elevation and password.


tuttle

  • Guest
Hi:

Newbie here, and I've read help files and browsed the forums, but I'm still confused on some things.

In instructions for installing the latest Avast beta, Vlk wrote:
Quote
go to avast settings, and on the Troubleshooting page, disable the avast self-defense module

Is that the method that will disable all Avast scanning and protection? It's prudent to disable anti-virus prior to installing large software applications, so I want to be sure that I know how to fully disable Avast before installing other software. 

I had been using the tray icon to Stop On-Access Protection, to Stop Providers.
Does  Troubleshooting | select "Disable avast! self-defense module" disable all of the application and scanning from running? Even when I do that, the tray icon still reports that the On-Access Scanner has providers running.

1. Is there a function to immediately disable all of the application and scanning, e.g. to prepare for installing software packages?

2. If I hide the Avast tray icon (to prevent Standard users from changing settings), how can I still open the On-Access Scanner panel to check or customize various providers? I can't seem to find access to On-Access Scanner panel from the Simple User Interface.

3. Help file says I can set password to protect resident protection settings (and termination). Is that different from the On-Access Protection and other scanning? I want to be able to configure things as a Vista Administrator, but prevent a Standard user from changing or disabling protection.

Thanks

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Quote
Is that the method that will disable all Avast scanning and protection?

No, the antivirus will stay on. It's just for the self-defense module.

Quote
It's prudent to disable anti-virus prior to installing large software applications, so I want to be sure that I know how to fully disable Avast before installing other software.

It's not prudent to disable the anti-virus for ANY installation, on the contrary.
You'll temporarily disable this particular module, update the antivirus, and turn the self-defense module on again.

Quote
I had been using the tray icon to Stop On-Access Protection, to Stop Providers.
Does Troubleshooting | select "Disable avast! self-defense module" disable all of the application and scanning from running? Even when I do that, the tray icon still reports that the On-Access Scanner has providers running.

No, it disables only the self-defense module.

Quote
1. Is there a function to immediately disable all of the application and scanning, e.g. to prepare for installing software packages?

Yes, there is. But you shouldn't do that.

Quote
2. If I hide the Avast tray icon (to prevent Standard users from changing settings), how can I still open the On-Access Scanner panel to check or customize various providers? I can't seem to find access to On-Access Scanner panel from the Simple User Interface.

Run ashdisp.exe from the avast folder and the icon will be back (temporarily).

Quote
3. Help file says I can set password to protect resident protection settings (and termination). Is that different from the On-Access Protection and other scanning? I want to be able to configure things as a Vista Administrator, but prevent a Standard user from changing or disabling protection.

The password blocks disabling avast or changing the resident protection status.
The best things in life are free.

tuttle

  • Guest
Thank you for the reply and the information.

Quote
It's not prudent to disable the anti-virus for ANY installation

That is contrary to the advice of many experts, and also contrary to the instructions that appear in the installers for many software packages. They recommend to disable anti-virus prior to installation.

Is there a function to immediately disable all of the application and scanning?
Quote
Yes, there is. But you shouldn't do that.

Where is that function? How would I turn off everything temporarily?


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Well, I would take the word of the developers of avast over any unknown expert.

Not to mention, why do these programs want you to disable your AV? What is it that they are doing that would incur the wrath of an AV? What are they trying to hide? If they aren't doing anything dodgy, why would they need you to disable your AV?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11848
    • AVAST Software
Quote
That is contrary to the advice of many experts, and also contrary to the instructions that appear in the installers for many software packages. They recommend to disable anti-virus prior to installation.

I don't believe any expert would recommend it. And yes, the installers say that - but there is no reason to do that. I'd say 15 years ago somebody put that message into an installer, and since then everybody repeats it.
Installation of a program is exactly the moment when the antivirus should be active - more than the rest of the time, probably. If you were an author of a malicious program - wouldn't you put such a message into your installer to make the users switch off their antiviruses?

ardvark

  • Guest
Quote
I don't believe any expert would recommend it. And yes, the installers say that - but there is no reason to do that. I'd say 15 years ago somebody put that message into an installer, and since then everybody repeats it.
Installation of a program is exactly the moment when the antivirus should be active - more than the rest of the time, probably. If you were an author of a malicious program - wouldn't you put such a message into your installer to make the users switch off their antiviruses?

Hi...

Bingo! And this is one of the reasons why I've never been prone to do that, apart from not wanting to bother with it ;D

Best Regards...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Quote
Where is that function? How would I turn off everything temporarily?

Right click the 'a' blue icon and stop the on-access protection.
But you were warned... badly made software, stupid, yes, stupid technicians will say "disable your antivirus"... technicians? Not so sure...

tuttle

  • Guest
Thank you for all the advice.

Given how important Avast's protection is, it would be good if Avast would become fully compliant with Vista's User Access Control philosophy. Namely, only Administrators should be able to use the tray icon to disable or reconfigure Avast. The fact that currently Avast allows any Standard user account to disable or reconfigure it is a security weakness.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
It appears you have discovered that they just followed the policy they've had for years under XP and where those who did not care to allow the non-administrators to make changes could use the password option. 

In my years in the forum I have not seen many other users clamoring for the change you propose - nevertheless I am sure the avast team have noted your view.       

olddog

  • Guest
tuttle,

As I understand it, this forum is primarily about Avast free Home Edition. I would equate the degree of control you are advocating to a business or commercial environment, not a home situation. Perhaps it might be an option one would look for in a paid for commercially licenced package, but surely within the home environment, basic education on how to safely use the computer is a better approach.
 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Quote
Given how important Avast's protection is, it would be good if Avast would become fully compliant with Vista's User Access Control philosophy. Namely, only Administrators should be able to use the tray icon to disable or reconfigure Avast. The fact that currently Avast allows any Standard user account to disable or reconfigure it is a security weakness.

Fully agree. I would be glad to see that only admin accounts could change avast settings, not the common users. The password blocking could be easily bypassed, by the way...