IOW, there would seem to be just one n-hour window during which that user would be vulnerable and only if they happened to download some brand new malware that had just been recognized by Avast's cloud.
Yes... and these few hours would be enough for some (or many) computers to get infected.
Some or many at the world level though. The probability of many computers on earth being infected during such a "vulnerability window" could be 100%. However, the probability of "the average computer" falling victim to that would be much lower, I think. If we're talking about a cautious user or admin who disables automatic updates (the installs, not the notifications of availability) and is careful about what they install and from where and when, I think the probability would be much, much, much lower. I seriously wonder if it would even register as a threat worth worrying about.
I don't know if I'm communicating the idea well, but what I'm trying to distinguish between is cloud enabled improvements to knowledge of malware vs cloud enabled improvements to detection of malware once that knowledge is gained.
It does both.
If by that you only mean that the more frequent "streaming updates" would count as "improvements to detection of malware once that knowledge is gained" because they would narrow the window of vulnerability, then we are on the same page. If you are (also) trying to communicate that it isn't just a matter of how large the window of vulnerability is, I'd welcome clarification. For example, as BTIsaac just questioned, if some malware signatures/descriptors are only distributed when the cloud features are enabled, that is a very important detail.
For many professionals, the cloud related features are just too much of a security/privacy issue and *cannot* be enabled *ever*.
If file uploads are involved... maybe. But what more could be a privacy issue?
Yes, the uploading of information (whole files, pieces of them, hashes of them, file names, URLs, hostnames, whatever) is the key concern I was referring to. However, as the OP touched upon (and I don't think this part was explicitly answered by anyone), a related concern would be pushed changes to the software program and/or its settings. The conceptual idea being that pushed "malware definitions" can't really put the target machine at risk (the common belief, maybe true, maybe not), whereas pushed changes to the program and/or settings could (and thus need to be tested or at least sanity checked somehow).