When I apply a VPS update via the .EXE download (http://avast.com/eng/updates.html), and possibly also through updating/iAVS update, the updater adds an ACL granting the “Users” group full control over the C:\Program Files\Alwil Software\Avast4\DATA folder . While it appears that one of Avast’s drivers prevents unauthorized writes to this folder, the “full control” ACL still creates potential vulnerabilities should the driver malfunction.

Also, the “full control” ACL permits any user to read the DATA\log folder, the DATA\chest folder, and possibly other data that the administrator might not want ordinary users to read.