in Vista, Avast allows non-admin user to disable protection or change settings

Hello all:

Vista Home Premium, Service Pack 1
UAC enabled
Avast Home Edition 4.8.1201.80611

Why is Avast coded to allow a Standard user to right-click the Avast tray icon to open it and to change settings? In Vista, Avast permits a Standard user to Stop On-Access Protection, to Stop Providers, and to make other risky changes. This seems contrary to the protection intended in Vista.

As an Administrator account, I install and configure systems and software for my non-technie friend. We do not want him to have the ability to harm the system. Vista’s User Access Control (UAC) helps with that, as I as Administrator can setup things but he as Standard user account cannot modify or disable things that could reduce system security. In this regard, I would expect that Avast should allow Administrators to access its settings (which it correctly does) but that it should not allow a Standard user to diable or modify Avast settings.

Is this by design, or is there a setting I can toggle to prevent a Standard user from changing or disabling Avast settings?

Thanks

A toggled option to limit ‘User’ control of avast! could be useful, though it sounds to me like your “non-technie friend” is seriously accident prone if he/she can ignire the warnings while “inadvertantly” disabling avast! providers. ;D

Have you tried just customising the tray icon to “always hide”?

avast! resident protection settings can be protected by a password…

I’ll look into that password protection, thanks. It wouldn’t be necessary if a new update of Avast were coded to operate with the principles of Vista’s User Access Control: Standard users aren’t permitted to directly run critical software; they require an Administrator elevation and password.

Hi:

Newbie here, and I’ve read help files and browsed the forums, but I’m still confused on some things.

In instructions for installing the latest Avast beta, Vlk wrote:

go to avast settings, and on the Troubleshooting page, disable the avast self-defense module
Is that the method that will disable all Avast scanning and protection? It's prudent to disable anti-virus prior to installing large software applications, so I want to be sure that I know how to fully disable Avast before installing other software.

I had been using the tray icon to Stop On-Access Protection, to Stop Providers.
Does Troubleshooting | select “Disable avast! self-defense module” disable all of the application and scanning from running? Even when I do that, the tray icon still reports that the On-Access Scanner has providers running.

  1. Is there a function to immediately disable of the application and scanning, e.g. to prepare for installing software packages.

  2. If I hide the Avast tray icon (to prevent Standard users from changing settings), how can I still open the On-Access Scanner panel to check or customize various providers? I can’t seem to find access to On-Access Scanner panel from the Simple User Interface.

  3. Help file says I can set password to protect resident protection settings (and termination). Is that different from the On-Access Protection and other scanning? I want to be able to configure things as a Vista Administrator, but prevent a Standard user from changing or disabling protection.

Thanks

No, the antivirus will stay on. It’s just for the self-defense module.

It’s not prudent to disable the anti-virus for ANY installation, on contrary.
You’ll temporarily disable this particular module, update the antivirus, turn on again the self-defense module.

No, it disables only the self-defense module.

Yes, there is. But you shouldn’t do that.

Run ashdisp.exe from avast folder and the icon will be back (temporarily).

The password blocks avast disabling or changing the resident protection status.

Thank you for the reply and the information.

It's not prudent to disable the anti-virus for ANY installation
That is contrary to the advice of many experts, and also contrary to the instructions that appear in the installers for many software packages. They recommend to disable anti-virus prior to installation.

Is there a function to immediately disable of the application and scanning?

Yes, there is. But you shouldn't do that.
Where is that function? How would I turn off everything temporarily?

Well I would take the work of the developers of avast over any unknown expert.

Not to mention why do these programs want you to disable your AV, what is it that they are doing that would incur the wrath of an AV, what are they trying to hide, if they aren’t doing anything dodgy why would they need you to disable your AV ?

I don’t believe any expert would recommend it. And yes, the installers say that - but there is no reason to do that. I’d say 15 years ago somebody put that message into an installer, and since then everybody repeats it.
Installation of a program is exactly the moment when the antivirus should be active - more then the rest of the time, probably. If you’d be an author of a malicious program - wouldn’t you put such a message into your installer to make the users switch off their antiviruses?

Hi…

Bingo! And this is one of the reasons why I’ve never been prone to do that, apart from not wanting to bother with it ;D

Best Regards…

Right click the ‘a’ blue icon and stop the on-access protection.
But you were warned… bad made software, stupid, yes, stupid technicians will say “disable your antivirus”… technicians? Not so sure…

Thank you for all the advice.

Given how important Avast’s protection is, it would be good if Avast would become fully compliant with Vista’s User Access Control philosophy. Namely, only Administrators should be able to use the tray icon to disable or reconfigure Avast. The fact that currently Avast allows any Standard user account to disable or reconfigure it is a security weakness.

It appears you have discovered that they just followed the policy they’ve had for years under XP and where those who did not care to allow the non-administrators to make changes could use the password option.

In my years in the forum I have not seen many other users clamoring for the change you propose - nevertheless I am sure the avast team have noted your view.

tuttle,

As I understand it, this forum is primarily about Avast free Home Edition. I would equate the degree of control you are advocating to a business or commercial environment, not a home situation. Perhaps it might be an option one would look for in a paid for commercially licenced package, but surely within the home environment, basic education on how to safely use the computer is a better approach.

Fully agree. I would be glad to see that only admin accounts could change avast settings, not the common users. The password blocking could be, easily, by-passed by the way…

FWIW: Take this reply as another vote for implementing this.

I, and many others, strongly disagree. A home PC may be used by many non-informed users including children. Microsoft designed Vista to allow Administrators to configure and protect the system, allowing Standard users to perform normal daily tasks but not to disable protection or alter system settings.

Many software developers follow this model, thus requiring Administrator access to reconfigure sensitive applications such as security or antivirus software. Avast should follow that model.

At the same time, Avast should provide access to the On-Access Protection and On-Access Scanners settings from the main program window. If I choose to hide the tray icon, so that Standard users can’t change or disable settings, then I no longer have access to On-Access Protection and On-Access Scanners settings. It would be logical to expect access to those functions from the main Avast interface. The full range of functions available from the tray icon should also be available from the main Avast interface.

No, they can… just run ashdisp.exe.
You need to set a password.

I think I will do that, but that is awkward to require a separate password for this one application, instead of properly using User Access Control which has already logged me in as Administrator. Besides, you said that the tray icon password can easily be bypassed.

How does that work? I just ran ashdisp.exe (double-clicked ashdisp.exe) but nothing happened - I do not have access to the tray icon menu.

Even if it did work, however, that would not be a good solution. It would not be expected that one would have to run a separate executable just to access some functions of this software. One would expect that those functions would be available from the main Avast interface.

I think that this one aspect of Avast has not been well thought out: in Vista, Avast requires a UAC elevation prompt to access the main program interface ashAvast.exe, and yet it does not contain some important functionality. To access that functionality, one must either open a separate executable ashdisp.exe or allow the tray icon to display in which case it allows any non-Administrator user to access those functions.

Added: I just discovered something else. A Standard user can open not only the tray icon commands, but also can open the main program interface ashAvast.exe without any User Access Control prompt. Avast developers have not properly worked with User Access Control, since the Administrator must at least undergo a UAC elevation prompt yet a Standard user can open both interfaces without any warning or prompt.

You’re mixing too many things together.
ashAvast.exe is not the main program interface (on contrary, actually), and I don’t even know what you mean by main program interface.

Anyway, let’s say this is by desing (at least for avast! Home/Pro, i.e. desktop versions - the manged clients, used in network environments, work more like you expect). If you (as an administrator) want to prevent users from changing avast! settings or stop the resident protection, you must set the password (which I don’t think can be that easily bypassed from a limited user account).