ARA Security Considerations

Hello Avast community. I’ve been using Avast version 6 for a while. Now it has updated to version 7. Great, great, until I noticed that there’s a new “Feature” called Remote Assistance. >:(

The problem with this “feature” is that ANYONE who can open the avast interface can allow ANYONE to completely control the computer. It also proudly says it “bypasses firewalls” and “routes through avast servers”. :-[

Say a library has avast installed, they nicely put in admin passwords etc, but forgot AVAST PASSWORD! Then a user clicks on REMOTE ASSISTANCE code, calls his criminal friends, and BAM!! Post-exploitation phase. Or if an employee with industrial secrets with all his files encrypted has AVAST, but in all his troubles didn’t password protect it, a criminal could activate REMOTE ASSISTANCE, install a bootkit/rootkit, and VOILA! :cry:

Avast, a company protecting “150 000 000” users, must be VERY proud how it uses malware techniques for “convenience” of its users. ???

How many of those “150 000 000” users have a password for avast, hm? Even if they all would have a 7 word diceware phrase, this “feature” is another added complexity which can be exploited.

SO, Avast, if you actually CARE about the security of your users, and not how GOOD you LOOK for CONVENIENCE, REMOVE this “Feature” from avast. If you want, you can make it available as a separate package for users who, despite the above, want this “Feature”.

THANKS!

Indoctor

EDIT: Finally, after 5 pages of senseless arguing, avast developers show some transparency.

http://forum.avast.com/index.php?topic=93989.msg749530#msg749530

Topic subject edited.

I think you miss that the real problem is that someone you don’t trust is using the PC physically.
There’s nothing a remote user can do that couldn’t be done by a local intruder.

If you thought for 5 seconds prior to posting it just might have occurred to you that this “Remote Access” feature is a CHOICE just like all the other features available in avast!

Don’t want it ? Then simply don’t install it, end of problem! ::slight_smile:

I did some further testing, and as it seems, the remote assist code is NOT PROTECTED.

Even LUA accounts could easily intercept it by making a screenshot. I tried it w/ paint as a limited user, and guess what! Plainly visible. So malware could easily use it for privilege escalation.

I think you miss that the real problem is that someone you don't trust is using the PC physically. There's nothing a remote user can do that couldn't be done by a local intruder.

Oh really? So if you go 20 seconds from otherwise well locked down, strongly passworded, LUA etc. computer, a criminal can install a bootkit? Without you noticing ANYTHING? Every malware under limited accounts etc. can install bootkits you think? I think YOU miss the point here.

Don't want it ? Then simply don't install it, end of problem
Plus, I could not see the option to NOT install this "Feature". It automatically installed with my update. Read before you " ::)" How many of the "150 000 000" users have "auto-update" on avast?

I don’t see an issue here. As it is you need two people working together to do this. If a person has physical access to a machine there are more effective and efficient ways to cause a problem.

Avast will still be protecting from malicious code attempting to run on the local machine.

Like you said the avast program can be password protected.

Also a library or business should be using the Business Protection/ Business Protection Plus software for ease of management and security purposes.

Look at the installer for avast… as always the feature set is selectable via a custom install. All users can change the features they have loaded at any time.

Let’s face it you haven’t thought this through, you are complaining about security here and yet you tell us that you blindly allow an auto install? You have not read the Help Files and found out that you can select which features you wish to use? This is hardly new, avast has given you the choice in all the versions I have seen.

https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1139

9. Besides 'Typical' and 'Minimum' installation with predefined Configuration, you can also select 'Custom' on the next screen, where it is possible to add or remove individual program components and features in a checkbox tree. Then click 'Next' to continue.

For years, there has been a remote assistance feature installed with every copy of Windows that I have seen. And there are many more Windows users than there are Avast users. Are you going to protest Windows too? Just turn it off/uninstall it if you don’t like it.

A bad guy would have to physically be sitting at the computer to enter the code. Why would he need a remote assistance connection if he is already physically at the computer?

I will tell you what. You use the remote assistance feature in avast! to hack into my computer. I would like to see how far you get. According to you, it’s easy to do, right?

Where exactly is the privilege escalation?
The remotely connected user can only do the same as the local user can - the remote assistance is not running under any privileged account.

How can he install a bootkit? He’s running under the very same account as the user that invoked the remote assistance - so if this powerful criminal can do that, it means that the original user can do it as well, so your machine is obviously not that strongly protected after all.
I mean, you are making overcomplicated scenarios with remote control where the same can be achieved locally (and if it can’t, then it can’t be achieved remotely either).

At first when I saw the remote thing I panicked also, I thought for sure it could be exploited but then I figured, Avast knows what they are doing, there was probably a lot of work that went into making sure this feature was safe, it may sound naive to have this kind of blind faith, but security is kind of their thing.

hxxp://www.pcmag.com/article2/0,2817,2400609,00.asp

Don’t know much about the remote security, but any word from Avast about how to prevent a similar scenario like the ongoing fiasco of Symantec pcAnywhere, which is also a remote tool? Hope it is me being oversensitive, I was hoping to use it to remote my family’s computers b/c sooner or later they will be upgraded to Avast 7.

as always the feature set is selectable via a custom install. All users can change the features they have loaded at any time.

Nonsense. Only ADMINs can change the install, all users can only install program updates (which include the full package).

you are complaining about security here and yet you tell us that you blindly allow an auto install?

Barely. I used the “update” button in the interface, as most users I would think do. There is no “custom” install on the update.

Where exactly is the privilege escalation? The remotely connected user can only do the same as the local user can - the remote assistance is not running under any privileged account.

We’ll see how long that will remain so … after an exploit’s been found :wink:

Don't know much about the remote security, but any word from Avast about how to prevent a similar scenario like the ongoing fiasco of Symantec pcAnywhere, which is also a remote tool? Hope it is me being oversensitive, I was hoping to use it to remote my family's computers b/c sooner or later they will be upgraded to Avast 7.

A good point.

I’m not familiar with pcAnywhere and I don’t know what exact vulnerabilities there were in the Symantec code, so I’m just speculating.
If the software (when installed) is listening for network connections, and if the handling of those network connections is vulnerable (so it’s possible to bypass the authentication somehow), then anybody with the knowledge of the exploit can connect to your machine and control it (unless blocked by a firewall somewhere on the way, of course).

avast! is not listening for any connections, the communication is outbound - and it starts only when you click the “Allow remote control” button. So, no one can connect to your machine without you allowing that first (before you click the big button, avast! behaves just like it did when there was no remote assistance).
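
The distinction drawn in the post above, a tool that listens for connections versus one that only connects outbound, shows up directly in a machine's socket table. The following is an added example, not part of the thread and not Avast's code: it parses `netstat -ano` style output and reports, per process, what is reachable from the network. The sample output, PIDs, ports and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed `netstat -ano` style output (not captured from a real machine).
# PID 1824 stands in for an outbound-only remote-assistance client, PID 2210
# for a remote-control service that listens for connections. Both are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:40000          0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.20:40000     198.51.100.7:51515     ESTABLISHED     2210
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1824
  TCP    192.168.1.20:49731     203.0.113.10:443       ESTABLISHED     1824
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def parse_netstat(text):
    """Yield (proto, local_host, local_port, remote, state, pid) per socket."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":
            (proto, local, remote, pid), state = f, ""  # UDP has no state
        else:
            continue  # header, blank or unrecognised line
        host, port = local.rsplit(":", 1)
        yield proto, host, int(port), remote, state, int(pid)

def exposure(text):
    """Per PID: listeners reachable from the network, loopback-only listeners,
    peers that connected in, and peers the process connected out to."""
    rows = list(parse_netstat(text))
    out = defaultdict(lambda: {"reachable": [], "loopback": [],
                               "inbound": [], "outbound": []})
    listening = defaultdict(set)
    for proto, host, port, _, state, pid in rows:
        if state == "LISTENING" or proto == "UDP":
            kind = "loopback" if host.startswith(("127.", "[::1]")) else "reachable"
            out[pid][kind].append((proto, port))
            listening[pid].add(port)
    for proto, _, port, remote, state, pid in rows:
        if state == "ESTABLISHED":
            # A connection on one of the PID's own listening ports was accepted.
            kind = "inbound" if port in listening[pid] else "outbound"
            out[pid][kind].append(remote)
    return dict(out)

if __name__ == "__main__":
    for pid, info in sorted(exposure(SAMPLE).items()):
        print(pid, info)
```

A process whose "reachable" list is empty exposes nothing for a remote party to connect to; its only network activity is the sessions it opened itself.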

Symantec had a network breach and had their source code stolen. If this happened to avast I would jump ship because by that point they couldn’t be trusted with security.

This system seems like any remote assistance program available except it is integrated into the antivirus program itself. In my opinion this is a good idea.

To the op - no system is 100% secure. A system on the internet can be compromised and a system that is not connected to the internet can be compromised. Your best bet for 100% computer security is to not buy the computer in the first place. With that said you can’t ensure protection of information not stored in electronic form either.

I’ve been testing the Remote Assistance and I find it pretty safe.
There’s an always-on-top window at the bottom right corner telling you the computer is being controlled remotely. That window can’t be closed or moved.
The controlling computer can not send files to the controlled computer, and it can not use its keyboard (you can still use an on-screen keyboard).

So it can’t be used as a hidden spy and it can’t be used to send a virus to the controlled computer.

If you try to stop Avast shields, the warning window asking you for permission only appears in the local computer.
However, you can disable the advanced settings without any warning. That could be improved, although it can also be done by a local intruder anyway.

There is not a security breach and the poll is evidently biased.
The remote access has the same rights and privileges of the local user.

But I would like to have another way to exchange the password besides phone, email and chat.
I think this could be improved like it is on TeamViewer (unattended session that requires registration of the computer being controlled remotely and also can manage UAC-like messages).

Exploit for what? To get out of the ordinary user’s account avast! UI is running in?
You are basically saying you need an exploit in Windows - to use it via avast! to exploit Windows. OK, but since it’s already there, you don’t need avast!, you can use it directly.

Remote assistance feature is there but that doesn’t mean you have to use it. ;D

I believe it wasn’t their network, but rather one of their partners?
I would probably argue about the idea that something like that can fully be prevented if you just try hard enough (I mean, if one of the developers packs the code and gives/sells it to someone… you can only prevent it by not having any developers or no source code ;)), and I also don’t think that when it comes to antivirus applications, the bad guys can learn from the source code anything new they don’t already know… but I’d be getting off topic here, so I won’t :slight_smile:

The poll was posted by someone that simply has not even learned how to use Avast correctly.

If anyone feels there is a security issue or does not want to use the feature they can remove it. It is already a “separate” download as it is a user choice within the installer.

Nice Poll, :-[
No matter how you vote, you’re voting his way. Typical poll to prove your own point.
I personally am extremely happy this feature is available.
I no longer have to rely on a third party application to help someone who has a problem and can’t fix it on their own.
Since the person needing the help has to start this feature, I don’t see where there is a security breach ???
If they don’t trust me, they simply don’t ask for the help and don’t allow access.