Author Topic: Behavior Shield: No "Deny & add to untrusted list" option  (Read 3396 times)

VanguardLH

  • Guest
Behavior Shield: No "Deny & add to untrusted list" option
« on: November 10, 2011, 04:22:39 AM »
Windows XP Pro SP-3
Avast Free 6.0.1289

I configured the Behavior Shield to enable the "Monitor the system for unauthorized modifications".  If, for example, an installer or program dynamically defines a new NT service, I get a prompt asking me for what action to take (because I configured Avast to ask instead of guess).  If I want to allow that action, I can allow it once or I can remember that choice by selecting  "Allow and add to trusted programs".  Okay, that works great to remember my choice if the same scenario happens later.

What is missing is if I want to remember a deny action for when it recurs later.  For example, when I visit web pages that have Quicktime content, Apple's Quicktime plug-in (needed to view QT content at a web site since I never got VLC to work for that) wants to reinstate its qttask.exe startup item (i.e., it tries to re-add it to the Run registry key).  I deny that action because I'm not interested in having the superfluous qttask program load and unload on Windows startup.

In the past, I've used WinPatrol (and still do) to monitor for changes to startup items.  If I disable an item in WinPatrol (not in msconfig), WinPatrol will re-disable the startup item if it reappears.  That let me disable a startup item and keep it disabled.  Many programs will check for their startup item when you load them and then try to reinstate them.  So I can use WinPatrol to step on these rude programs.  Alas, Avast presents its popup asking for my action before WinPatrol gets around to squashing the attempted change (I use the free version of WinPatrol that polls at intervals for changes instead of using the paid real-time monitor version).

I could disable Avast's Behavior Shield and hope WinPatrol checks for the same changes; however, WinPatrol is polling for changes which means it finds them late (and tries to undo the change).  Avast is detecting the change as it happens (and why it can show who is trying to make the change).  I suspect (but don't know) that Avast may cover more system modifications than may WinPatrol.

Even if I didn't use WinPatrol or didn't even know it existed and relied solely on Avast's Behavior Shield to detect unauthorized system modifications, it's silly that I have to repeatedly deny the same event every time the program commits that event.  I can "Allow and add to trusted" to remember my choice so I'm not bothered again with the same prompt.  Yet there is no "Deny and add to untrusted" to remember that event is always to be denied when it occurs again later.

Yes, I suppose Avast is not considered a full HIPS (host intrusion protection system) product but if they're going to add some HIPS functionality then it should be complete within its limited feature set.  At this point, and because Avast refuses to remember my deny actions, I'll have to disable its Behavior Shield and hope WinPatrol will suffice (although it's not a real-time HIPS product).

VanguardLH

  • Guest
Re: Behavior Shield: No "Deny & add to untrusted list" option
« Reply #1 on: November 23, 2011, 12:06:04 AM »
Alas, no RFE (request for enhancement), feature request, or wishlist group to which this post might've been submitted or to where it could get moved.  With 165 new or updated threads after this post (as of this reply) without an authoritative reply, guess this issue languishes and dies.  It happens.  This forum certainly remains busy (which is both a good and bad thing).

Time to look elsewhere to find something that incorporates HIPS rather than emulate an incomplete portion of it; that is, to disable Avast's Behavior Shield and get something better.

ady4um

  • Guest
Re: Behavior Shield: No "Deny & add to untrusted list" option
« Reply #2 on: November 23, 2011, 01:02:51 AM »
So essentially, you are requesting a complete HIPS feature / enhancement in the Behavior Shield of Avast?

VanguardLH

  • Guest
Re: Behavior Shield: No "Deny & add to untrusted list" option
« Reply #3 on: November 23, 2011, 01:40:02 AM »
Well, even a non-lopsided selection of user selections for what action to commit would help.  For the same reason that you don't want to get annoyed by having to repeatedly allow a process to commit a suspect action (i.e., you get to whitelist the event so it is remembered and you aren't asked again about it), why wouldn't you want the same remembrance feature for an unwanted action that you always will deny?  There's obviously a whitelist: Trusted Processes (although this is more about trusting the entire process' actions rather than a particular one).  Yet just as obvious that's missing is the converse: a blacklist of Untrusted Processes.

I suspect why there is no blacklist is that a specific event that you want to disallow for a process doesn't mean you want to disallow all events for that process - and that means having to record the specific event for the specific process that you want to disallow.  Avast doesn't seem to record to that level.  Trusting a process means you trust everything it does, not just the event that caused the popup.  Well, to be frank, just because I want to allow a process to commit one event for which Avast generated a popup doesn't really mean that I want to trust every event capable by that process.  But, hey, at least I get a coarse granularity in regulating trusted processes.  I get nothing for an untrusted or unwanted event.

If I don't want a process to repeatedly restore its registry startup item every time it is running or loaded, why would I want to see that same prompt EVERY time?  I can allow and ignore repeat events in Avast but I cannot disallow and ignore repeat events.

Think about it.  If you loved filet mignon but had to pick out sewing needles every time you wanted to eat it, how long before you gave up eating the filet mignon?  I certainly wouldn't use a word processor where I had to hit the Insert key after every keystroke to get back into insert mode.  Similarly, how often will you tolerate getting repeatedly nuisanced by Avast before making a correction (in this case, disabling the Behavior Shield or the portion of it that generates the repeated nuisance).  Security products should be background processes and not something you waste your time continually reconfiguring.  The more time you waste on a security product then the less time you have for actually using your computer.  Avast isn't why I have a computer.

For now, I've disabled the "system" option in Behavior Shield because I'm fed up with the repeated prompts.  Getting nuisanced to the point of disabling features in a product is why OnlineArmor, Comodo, and other security products provide white/blacklists of processes so users don't have to waste time with all those prompts on already known good/bad processes.  I've had to disable Avast's script shield, too, (actually I did a reinstall with it excluded) since it never did get fixed to stop interfering with scripts internal to programs.  It caused too much nuisance so it got turned off.  That's what happens with a feature that doesn't work well - or works too well but without options to remember the prior choice by the user.

I have a DVD player that stupidly has its Power LED on when the unit is off and the LED is off when powered up.  Well, obviously I know when the unit is powered up because I see video output so I don't need an LED to tell me the unit is powered up.  When the unit is powered off, I don't need a reverse functioning LED that is on to tell me the unit is off.  Solution is to put black tape over the LED.  So I put black tape over the offending/incomplete Behavior Shield option (and, for now, will let WinPatrol alert me to [most of] the same changes - but the free version makes detections late and why I'll have to look for something realtime).  To get rid of the nuisance, I disable an option under the Behavior Shield so, yes, I have that choice.  That I made that choice exhibits that the option is missing something, namely the converse of remembering allowed repeated events so it remembers disallowed repeated events.

I don't remember in which version of Avast when the Behavior Shield first appeared.  At that time, there were no user configurable options but this shield was very passive.  Then options were added and this shield became more aggressive.  Alas, with incomplete user selectable actions, it could become overly nuisancesome.  So Avast may very well improve on the HIPS functionality of their Behavior Shield but obviously if they don't their customers/users want the enhancement.  It's a pity they mix a help forum with a request forum since requests are not bug reports or asking for help but requests for improvement.  I see lots of posts about deficiencies reported by users that would be appropriate in a Requests forum.

I reported a deficiency.  Are you claiming that the deficiency doesn't exist?  Yes, there's a workaround but that doesn't obviate the deficiency.
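
An added illustration (not part of any post in this thread, and not Avast's or WinPatrol's code) of the granularity discussed in Reply #3: a decision store that remembers allow or deny per process and event, next to a coarse trusted-process list. The class names, action names and paths are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"          # no remembered decision: prompt the user

@dataclass(frozen=True)
class Event:
    process: str         # image path of the process attempting the change
    action: str          # hypothetical event class, e.g. "registry_set_value"
    target: str          # object being modified

@dataclass
class DecisionStore:
    trusted: set = field(default_factory=set)   # coarse: whole process is trusted
    rules: dict = field(default_factory=dict)   # fine: one event of one process

    @staticmethod
    def _key(ev):
        # Windows paths and registry names compare case-insensitively.
        return (ev.process.lower(), ev.action, ev.target.lower())

    def remember(self, ev, verdict):
        self.rules[self._key(ev)] = verdict

    def evaluate(self, ev):
        # A per-event rule outranks process trust, so a remembered deny
        # still holds if the same process is later added as trusted.
        rule = self.rules.get(self._key(ev))
        if rule is not None:
            return rule
        return Verdict.ALLOW if ev.process.lower() in self.trusted else Verdict.ASK

def demo():
    # Constructed sample events; the program and value names are placeholders.
    player = r"C:\Program Files\ExamplePlayer\player.exe"
    run_item = Event(player, "registry_set_value",
                     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleTask")
    service = Event(player, "service_create", "ExampleSvc")
    store = DecisionStore()
    first = store.evaluate(run_item)           # first attempt: user is asked
    store.remember(run_item, Verdict.DENY)     # "deny and remember"
    repeat = store.evaluate(run_item)          # repeat attempt: denied silently
    other = store.evaluate(service)            # unrelated event still prompts
    store.trusted.add(player.lower())          # "allow and add to trusted"
    return first, repeat, other, store.evaluate(service), store.evaluate(run_item)
```
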

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Behavior Shield: No "Deny & add to untrusted list" option
« Reply #4 on: November 23, 2011, 11:00:00 PM »
We did at one time have a "wish list" topic, but that got badly out of hand because it went so far back that the vast majority of "new" features requested had already been incorporated into avast many versions back.  Or else someone from avast staff would reply that such-and-such was unfeasible, often with a good understandable explanation of why.

I guess they eventually decided it was simpler to just terminate the topic rather than wading thru hundreds of pages of postings trying to trim out what was no longer relevant.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent