Why on earth does C:\Program Files\Alwil Software\Avast4\DATA and its contents grant Full Control security permission to Everyone?!
Is there some obscure reason for this bizarre insecurity?
Could you please elaborate a bit more why you think this is a “security hole” (or even “bizarre insecurity”)?
Thanks
Vlk
Bizarre in the sense that, AFAIK, it shouldn’t be necessary. For example, I’ve installed many, many applications (consumer, for development, etc.) and can’t recall, at the moment, any others even involving the Everyone role, let alone granting it a full set of permissions.
So, what is the rationale for the …/DATA directory’s security assignments?
Can I remove Everyone?
Does a member of the User group need write permission?
If so, why isn’t each user’s user.dir / isolated storage used instead of opening up the location under Program Files?
Some antivirus (like ClamWin or AVG) use the Documents & Settings folder (personal profile) to store files that need to be written by common users (I suppose).
OK, so did anyone ever figure out if that is actually a big security hole, or if it is anywhere near being a bizarre insecurity?
Wendy
What!? Excuse my sincerity, but you asked.
The security hole in giving full control to everyone to Avast folders can be exploited by malicious users with no privileges at all to remove files or replace them with malware, escalation of privileges and so on.
If the info posted by Wendy is true, the bizarre could be how easily this issue passed by two Avast evangelists without apparently firing the red alert in the community.
Like it matters? I mean we all run in Admin mode? What difference does it make?
avvidro: What escalation of privileges in DATA folder? What malware replacements in DATA folder? Etc…
OK so now I don’t know if I should be waving a red flag, banging my head on my desk, or just sitting here crying.
Has anyone from Avast! been able to make a determination as to whether this is actually “A Big Security Hole” or not?
Wendy
Can you give some concrete examples to help me figure it better, please??
Shortly, there isn’t 8)
Is or isn’t this to do with the escalation of privileges vulnerability where this was previously possible (affecting several AVs including avast), however, recent program updates have or were supposed to correct this issue. So much so that some users couldn’t view the avast4 folder (they didn’t even have read permission), corrected by another program update.
Currently I believe it is only read permissions to all in the Data folder so this begs the question are you using the latest version of avast (current version 4.7.844).
Using v844 and everyone has full access here and yes it’s a problem :-X
If running on a PC with a single admin user, well then no problem, but if running on a PC, let’s say e.g. in a company or at a school where the user has restricted permissions on the computer, it’s a huge security hole.
Please look into this “avast”.
Still not getting what’s the problem.
Avast sets whole directory as read-only. Except for data folder. What’s the problem with that again?
I don’t really see the problem either. :-\
only what can be done this way is someone from this “Everyone” group to read, modify or damage Avast! Data folder files … in that case he can maximally read logs or cause Avast! to not operate correctly …
there are no executables nor loaded libs so infection with trojans not come to place …
YET another problem could be ability of “Everyone” to place file there and then execute (full control right)
possible solution for future, while installing / updating avast! there should be dialog asking about directory access rights allowing to choose Everyone or Custom … or st like that …
Am I missing something?
Please also note that this is only a “feature” of avast Home/Pro.
Network Editions of avast have all folders locked down (including DATA or the logs) - because it must be tamper-proof. That is, regular users should not be, in any way, able to influence avast’s operation.
Cheers
Vlk
Two points:
It is a sign of bad software design.
I think Windows Vista is much more strict about this and most Unix and Linux programmers would giggle, but they are used to a better user privilege culture.
Lately Windows has gotten separate folders for Programs and their settings and user data.
C:\Program Files
C:\Documents and Settings\%username%\Application Data\
Would it be much work to rewrite Avast4 Home/Pro to use this directory for settings instead?
I myself prefer programs that keep settings in their own dir and does not touch the registry and doesn’t have to be reinstalled if I have to reinstall Windows. Saves a lot of time.
http://jooh.no/programs_on_d.html
The security focused site Secunia (which is one of the most active sites in identifying Microsoft Internet Explorer flaws) has more details about this issue.
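
The posts above disagree on what the DATA folder's ACL actually contains (Full Control for Everyone versus read-only), which can be settled by reading it. The PowerShell below is an added example, not part of the original thread or Avast's own tooling; the function name `Get-BroadWriteAce` is hypothetical and the default path is the one quoted in the first post.

```powershell
# Added example: list Allow ACEs that let broad groups modify a directory tree.
# Function name is hypothetical; default path is the one quoted in the thread.
function Get-BroadWriteAce {
    param(
        [string]$Path = 'C:\Program Files\Alwil Software\Avast4\DATA'
    )

    # Well-known SIDs, so the check also works on non-English Windows.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Any of these rights lets the holder alter, replace or delete content.
    # FullControl and Modify both include them.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    # The folder itself plus everything beneath it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Request SIDs instead of translated account names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and
                $broadSids.ContainsKey($sid) -and
                ($rule.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-BroadWriteAce | Format-Table -AutoSize
```

An empty result means none of the three groups holds a write-type right anywhere under the folder; ACEs expressed only as generic rights are not decoded by this check.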