Topic: In Vista, Avast allows non-admin user to disable protection or change settings


drahnier

  • Guest
Given how important Avast's protection is, it would be good if Avast would become fully compliant with Vista's User Access Control philosophy. Namely, only Administrators should be able to use the tray icon to disable or reconfigure Avast. The fact that currently Avast allows any Standard user account to disable or reconfigure it is a security weakness.
Fully agree. I would be glad to see that only admin accounts could change avast settings, not the common users. The password blocking could be easily bypassed, by the way...

FWIW: Take this reply as another vote for implementing this.

tuttle

  • Guest
Perhaps it might be an option one would look for in a paid for commercially licenced package, but surely within the home environment, basic education on how to safely use the computer is a better approach.
I, and many others, strongly disagree. A home PC may be used by many non-informed users including children. Microsoft designed Vista to allow Administrators to configure and protect the system, allowing Standard users to perform normal daily tasks but not to disable protection or alter system settings.

Many software developers follow this model, thus requiring Administrator access to reconfigure sensitive applications such as security or antivirus software. Avast should follow that model.

At the same time, Avast should provide access to the On-Access Protection and On-Access Scanners settings from the main program window. If I choose to hide the tray icon, so that Standard users can't change or disable settings, then I no longer have access to On-Access Protection and On-Access Scanners settings. It would be logical to expect access to those functions from the main Avast interface. The full range of functions available from the tray icon should also be available from the main Avast interface.
« Last Edit: July 05, 2008, 07:14:05 PM by tuttle »

Lisandro

  • Avast team
If I choose to hide the tray icon, so that Standard users can't change or disable settings
No, they can... just run ashdisp.exe.
You need to set a password.
The best things in life are free.

tuttle

  • Guest
You need to set a password.
I think I will do that, but that is awkward to require a separate password for this one application, instead of properly using User Access Control which has already logged me in as Administrator. Besides, you said that the tray icon password can easily be bypassed.

No, they can... just run ashdisp.exe.

How does that work? I just ran ashdisp.exe (double-clicked ashdisp.exe) but nothing happened - I do not have access to the tray icon menu.

Even if it did work, however, that would not be a good solution. It would not be expected that one would have to run a separate executable just to access some functions of this software. One would expect that those functions would be available from the main Avast interface.

I think that this one aspect of Avast has not been well thought out: in Vista, Avast requires a UAC elevation prompt to access the main program interface ashAvast.exe, and yet it does not contain some important functionality. To access that functionality, one must either open a separate executable ashdisp.exe or allow the tray icon to display in which case it allows any non-Administrator user to access those functions.

Added: I just discovered something else. A Standard user can open not only the tray icon commands, but also can open the main program interface ashAvast.exe without any User Access Control prompt. Avast developers have not properly worked with User Access Control, since the Administrator must at least undergo a UAC elevation prompt yet a Standard user can open both interfaces without any warning or prompt.
« Last Edit: July 05, 2008, 09:37:59 PM by tuttle »

igor

  • Avast team
You're mixing too many things together.
ashAvast.exe is not the main program interface (on the contrary, actually), and I don't even know what you mean by main program interface.

Anyway, let's say this is by design (at least for avast! Home/Pro, i.e. desktop versions - the managed clients, used in network environments, work more like you expect). If you (as an administrator) want to prevent users from changing avast! settings or stop the resident protection, you must set the password (which I don't think can be that easily bypassed from a limited user account).

tuttle

  • Guest
You're mixing too many things together.
ashAvast.exe is not the main program interface (on the contrary, actually), and I don't even know what you mean by main program interface.
Perhaps I am not using correct terms, as I am new to this software. The Start menu shortcut that Avast's installer created launches ashAvast.exe which displays the splash screen "avast! 4.8 home edition", so one would naturally conclude that is the main interface. If it is not, then where is the main interface? Where is the interface that will allow access to all menus and functions?

let's say this is by design (at least for avast! Home/Pro, i.e. desktop versions - the managed clients, used in network environments, work more like you expect).
If it is by design, it doesn't seem to make much sense. It doesn't make sense to require an elevation prompt before allowing an Administrator to access the program, but not require any prompt for a Standard user. Other security software has implemented this properly, so I think Avast just needs to fix this area.

Thank you for your reply.



Lisandro

  • Avast team
Which I don't think can be that easily bypassed from a limited user account.
Yes, Igor. You're right. I was thinking as being an administrator. Sorry.
The best things in life are free.

igor

  • Avast team
The Start menu shortcut that Avast's installer created launches ashAvast.exe which displays the splash screen "avast! 4.8 home edition", so one would naturally conclude that is the main interface. If it is not, then where is the main interface? Where is the interface that will allow access to all menus and functions?

ashAvast.exe is just the splash screen - after it performs the memory test, it launches the corresponding interface (ashSimpl.exe, ashSimp2.exe, or ashEnhcd.exe in the Professional version).
I'm not saying all the options are there, especially in the Home version - the resident protection options are accessible through the tray icon.


It doesn't make sense to require an elevation prompt before allowing an Administrator to access the program, but not require any prompt for a Standard user.

Actually, it makes sense to me.
The thing is that the ordinary user is not expected to know the administrator credentials - i.e. there's no reason to request elevation here. Of course, the scanner will scan only the objects the current user has access to.
If the scanner is started under administrator account, however, it can access all files, all processes, etc. - but only if the token is elevated first; therefore the UAC prompt.
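
The token behaviour described in the post above can be observed directly. The following is an added example, not part of the original thread and not Avast code: it reports how UAC classifies the token of the current process and applies the kind of administrator-only gate requested in this topic. The function names `Get-TokenElevationType` and `Test-CanChangeProtection` are hypothetical.

```powershell
# Added example: report how UAC classifies the token this process runs under.
# Function names are hypothetical; the Win32 constants are the documented ones.
Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr tokenHandle, int infoClass,
    out int info, int infoLength, out int returnLength);
'@

function Get-TokenElevationType {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $type = 0; $len = 0
    # 18 = TokenElevationType in TOKEN_INFORMATION_CLASS; the result is a 4-byte enum
    $ok = [UacDemo.Native]::GetTokenInformation($identity.Token, 18, [ref]$type, 4, [ref]$len)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation failed with Win32 error $err"
    }
    switch ($type) {
        1 { 'Default' }  # no linked token: standard user, or admin with UAC off
        2 { 'Full' }     # administrator, already elevated
        3 { 'Limited' }  # administrator running with the filtered token
        default { throw "Unexpected TOKEN_ELEVATION_TYPE value $type" }
    }
}

function Test-CanChangeProtection {
    # Hypothetical gate: allow changes only when the Administrators group is
    # enabled in the token. It is deny-only in a 'Limited' token, so this is
    # false for standard users and for administrators who have not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

[pscustomobject]@{
    User                = [Environment]::UserName
    ElevationType       = Get-TokenElevationType
    CanChangeProtection = Test-CanChangeProtection
}
```

Run from a standard account this reports `Default` and `False`; from an administrator account it reports `Limited` and `False` until the shell is started elevated, when it reports `Full` and `True`.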

tuttle

  • Guest
Allowing a standard user to disable protection is not good design.

Sam Hobbs

  • Guest
tuttle,

As I understand it, this forum is primarily about Avast free Home Edition. I would equate the degree of control you are advocating to a business or commercial environment, not a home situation. Perhaps it might be an option one would look for in a paid for commercially licenced package, but surely within the home environment, basic education on how to safely use the computer is a better approach.
 

I can understand that many home users do not want to bother with good security, but people are trying to make it clear that it is dangerous for even home users to use administrator privileges by default. It is entirely possible to drive a car without insurance, but when an accident happens, you will then wish you had insurance. It is entirely possible to use a computer without ever making backups, but when an accident happens or a drive goes bad, you could easily learn too late that backups are a necessity. Even home users should make backups, not just commercial users. Limiting use of administrator privileges is something you might discover has value, but when you do, it might be too late.

AlexFeren

  • Guest
Firstly, thank you Alwil for producing and allowing free usage of your excellent software.
Secondly, I am disappointed that Standard User is allowed to Pause or Stop Providers... This is against Vista philosophy where non-Administrator Account should never be allowed to modify system behaviour. [Writing logs and database to c:\Program Files\Alwil Software\Avast4\DATA\ is also the wrong place.]
The basic assumption should always be that non-Administrator Users should be protected from themselves. I fully appreciate that allowing system changes (even with passwords) was OK for 95/98/2000/XP, but in Vista and 7 (and hopefully forever more), UAC is the standard.