I have password protection set (and working) to open the UI and make changes to settings. But I – anyone – can disable shields from the systray icon WITHOUT entering any creds – which is the equivalent to bypassing password protection completely. Shouldn’t there be a way to prevent ANY access to Avast functionality without the password? This seems a huge oversight, would love to hear it’s mine, and I just missed the setting, but – ??
You actually set password protection for Avast, so I’m not sure if what you are seeing is an ‘enhancement’ to the default Avast self-defence module settings.
The Avast self-defence module shouldn’t be preventing temporarily disabling shields from the UI/Tray icon by default.
If anyone who can access my computer – by direct physical contact or remotely – can disable a security application without knowing the password, that security application’s self-defense is lessened by definition, IMHO. Contrast it with my firewall (Comodo) which cannot be disabled without the password. Contrast it with basic Windows functions monitored by UAC: the idea is you need the password.
You can make the argument that having access to my computer is the ultimate source of this vulnerability, but I would disagree: if you’re going to offer password protection you should [at least have the option to] protect the entirety of the application’s functionality (again, Windows UAC). At best the current state is halfway to that goal, and it seems a clear point of unauthorized access which is easily changed (again, Comodo).
The difference being you and others in your home have physical access to your system and the Avast settings, etc. This is somewhat different from external attacks on your system and/or Avast and that is different.
If you install Avast on a multi-user system you really need to ensure that those people have limited user accounts.
I run as a limited user unless I need to switch and I can disable all shields with zero credential input. I’ve also shut off other people’s Avast shields thru TeamViewer (which requires consent, I admit) to make sure it wasn’t just me. Look, you don’t agree it’s an issue, I get that. I still say it is, or should be.
I don’t know if what you are experiencing is down to your running Avast as a limited user or not.
How would these other users access your Avast installation to modify your settings?
If they are using your computer they really should have their own Windows limited user accounts (set up by you, the owner/administrator), so the only settings they could access would be theirs but not yours, which should be on a different Windows user account.
All of this is beside the point, which is (A) password-protecting an application is of limited utility if the password is not required to effectively shut the application off; (B) there is no technical reason why password protection cannot extend to any application access. For a security application to do this in half-measures strikes me as odd and not well thought out. Consider it a feature request.
Upgraded in place to 20.2.2401 ~ no problems ~ but there is still no requirement to enter my password to disable shields. I find it strange that I need to enter it to read the About screen, but not to turn the application off. Guess it’s just me. Hope it’s addressed eventually.
Hello, it should be fixed in 20.2. Can you please let me know if you have protected the whole UI or only the settings? Also, when you open the UI and enter the password and keep it opened, the password should not be wanted till Avast UI is opened. Is this not the case?
Password required “to open Avast and access settings” – top selection item. Each time the main UI window is closed the password is required to reopen. Avast requires the password to read the About page and make any permanent settings changes from within the main UI; it does not require it to select any “disable shields” choices, including “permanently”. Right-clicking the systray icon and selecting any “disable” choice only brings up an OK / CANCEL dialog, and selecting “OK” performs the action without requiring the password.
If that does not answer your particular question please let me know. THX
Thank you very much for the answer. May I ask what UI version you have? Is it 502? It can be found in the About window. Plus one more question: if you have UI v 502, can you please remove the password and set it again and try it? I’m not able to induce it. I think your description is clear and simple. But in my case the password is needed when I want to disable a shield via the tray icon.
Yes, UI version 502. On your advice I disabled the password and, for good measure, rebooted. Glad to report that on re-enabling password it is now enforced correctly on all access, including disabling shields from the systray icon. Thanks for your help. Will mark SOLVED.
Avast Free 25.5.6116 (build 24.5.9153.849) / UI version 1.0.809
Windows 10 Pro 22H2 x64
This bug has returned: anyone with physical access to the PC can disable all Avast shields without having the program password. I consider this a serious vulnerability, I know the assumption is that anyone with physical access can wreak havoc anyway, but I still say that the entire point of password protection is denial of access to any actions without it. Comodo free firewall, eg, still requires the password to do anything. Can this be rectified?
I’m not able to induce it on the current beta 24.6.9241.848. I was trying to open the UI and disable shields, both from the tray icon menu. Are there any special steps?
OK as of 24.6.6121 (build 24.6.9241.851) / UI v 1.0.810 said bug has been squashed again. I hope it doesn’t rear its ugly head after some future update only to require an even more future update THX
If you look a few posts below yours, you will see there is a major flaw running through Avast.
I’m not able to get into my settings screen because Avast keeps asking for Authorization with a password.
Problem is - I know my password. I entered my password. I even was able to change my password, and I still can’t get into my Settings screen.
In either case, it would seem Avast is having a security issue