Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: RejZoR on April 09, 2006, 07:59:58 PM
-
Now as you might already notice i'm a great fan of proactive protection.
Proactive protection is undeniably a good thing. avast! is no exception to a certain level. Some features are disabled by default and some are not designed that well.
But in general this guide should increase security level by few % if not more :)
This guide is recommended only for advanced users that know stuff mentioned here and what it does.
Please note that this guide is meant only for Windows XP and Windows 2000 (all editions supported by avast!). Please do not use these settings on Windows 98 or Windows Millenium systems since they won't work as expected!
Switching to "Detailed Mode"
(http://i14.photobucket.com/albums/a348/rejzor/normalprov.png)
Left click on avast! tray icon (that spinning blue "a" icon near the clock).
In case if you haven't already switched to "More detailed mode"...
Behavior Blocker Proactive protection
(http://i14.photobucket.com/albums/a348/rejzor/stdshield.png)
Select Standard Shield and click Customize button on the right.
(http://i14.photobucket.com/albums/a348/rejzor/block_set.png)
Now select Blocker tab.
Set all settings the same as shown on screenshot above, except field under number 2. This will come in next few lines...
Add entire line below into field number 2 (Additional Extensions):
SCR,VBS,VBE,WSH,PIF,CPL,BAT,COM,CMD,WMF,OCX
Extensions list is dated 2006.04.10
It is partially visible on screenshot how it should look like when entered in there.
These extensions are meant for regular user environments where you most probably won't encounter or run such filetypes (which are all possibly dangerous).
If you work with VBS scripts day by day you may want to remove VBS extension from the list. Same applies for other. In general it should provide nice balance between protection and number of warnings.
When you'll get warning about such possibly dangerous file you'll get such message:
(http://i14.photobucket.com/albums/a348/rejzor/blocker_test.png)
This way you'll be notified about possibly dangerous file being created on your hard drive. It will also detect whether these filetypes try to format your hard disk. By clicking "Deny" button you'll stop the creation of that file/formatting. Clicking Allow will allow it's creation/formatting. Best option for most would be Deny.
Web Shield Proactive protection
(http://i14.photobucket.com/albums/a348/rejzor/webshldpro.png)
Select Web Shield provider and click Customize....
Then select URL Blocking tab.
(http://i14.photobucket.com/albums/a348/rejzor/webshldext.png)
Check Enable URL Blocking and click Add button on the right.
Add following strings into the list, each in it's own line (same way like shown below).
Extensions:
*.cmd
*.cpl
*.pif
*.scr
*.vbe
*.vbs
*.wmf
*.wsh
Extensions list is dated 2006.04.09
So when you'll encounter such possibly dangerous files you'll get similar warning inside your browser...
(http://i14.photobucket.com/albums/a348/rejzor/webtest.png)
In case it's not blocked by Web Shield, there is very big chance that Behavior Blocker will block it.
Internet Mail Proactive protection
Now this last one is a bit special, so please be VERY specific about which way you'll select. It's very important!
I'm using POP3/IMAP based email client (like Outlook Express or Thunderbird)
So if you use POP3/IMAP based email client like Outlook Express or maybe Thunderbird you should leave things as they are. Even if you use just 1 POP3 email account and 5 others that are just webmails (to view with browser).
Just move the slider to High as shown on picture. Existing heuristics will take care for suspicious attachements and mails.
(http://i14.photobucket.com/albums/a348/rejzor/intmail.png)
I'm NOT using POP3/IMAP based email client (just webmail like Hotmail, Yahoo or GMail inside my browser)
In case if you DON'T use ANY POP3 mail at all, then you may still want to install Internet Mail provider.
It will most probably spot suspicious activities of mass mail worms that attempt to send large amounts of emails in small timeframe without user knowledge.
avast! will show Heuristics warning with option to Deny these activities.
This way you'll also be notified about malware that slipped past avast! signature detection and Behavior Blocker/Web Shield.
Select Internet Mail provider and click Customize... button on the right side. Scroll through tabs all the way to the right and select Heuristics tab.
(http://i14.photobucket.com/albums/a348/rejzor/heur1.png)
Select Custom preset as shown on image.
Now select next tab named Heuristics - Advanced and set marked settings as shown on image below.
(http://i14.photobucket.com/albums/a348/rejzor/heur2.png)
This will set Internet Mail provider to very high sensitivity level. Setting such settings in case if you're using any POP3 email client will most probably result in large amounts of warning messages! Make sure you selected the right way as described above!
NOTE: I currently don't have image of Internet Mail heuristics warning, but will add it as soon as i find one.
Additional help
In case you don't understand something or you might have a question about anything related with my Proactive settings, please ask here in this thread.
I'll try to do my best to help anyone. Alwil tech support team is already very busy with other things so we shouldn't bother them with these things as they are my unofficial tweak settings.
I hope these settings will serve you well in upcoming avast! adventures in world of internet! 8)
RejZoR
PS: Is there any chance someone would make this thread as Sticky?
-
***
Thanks for those setting, RejZor. :) I am sure those will help many.
I only use web-based email and before now had the settings on high for much the same reasons as you state here. Now, I have increased this with your custom settings as they make sense in quick detection of some spambot should one ever make it into my system. I have always had Internet Mail provider running for this reason.
***
-
Exactly, default settings are quiet relaxed because they are meant to be used with POP3 clients. These my settings are super sensitive and will spot any kind of outbound mail sending right away.
-
RejZor.. I have a question. :)
I use Outlook Xpress for my email.
I have it pull my mail (which can also be accessed thru the Isp's website)
but I also have it pull mail from a Gmail account.
Which option would I choose? ???
edit: fixed stupid typos
-
If you use ANY kind of POP3 based email client then use the first one (just move the slider to High). You should also use first method if you use POP3 and webmail.
As long as you use any kind of POP3, even if just for 1 POP3 mail account and 5 webmail based, you have to go with first mode.
-
Updated the Internet mail part to be more clear. Hope it's better marked now :)
-
I note that the default settings in Blocker in Standard Shield (at least in mine) are not to tick any of the four boxes in 'blocked opearions'. Does that mean Blocker is not active? Sorry if this is a silly question, but I didn't look at some of the options before until I read your posts here.
-
Yes, if you UNCHECK all checkboxes in Blocker page you will DISABLE Behaviour Blocker. Checking just one of them will enable it with certain degree of protection.
Formatting protection is hovever the most non intrusive setting and should always be checked.
-
Great Guide RejZoR thank you
Hope Alwil make this thread Sticky
-
RejZoR,
thanks for this interesting and valuable thread (I would vote for it being made sticky - but what value my vote?).
In response to a recent thread that highlighted the unfortunate vulnerabillity of non-scanning of http imports by the rendering of html in email clients I switched on power mode with AEC.
After reading this thread I also implemented the recommendation (as a POP3 user) to set the sensitivity of the Internet Mail scanner to high.
I then followed up with sending some relatively large attachments (6-8Mb) through my Hotmail account using a POP3<>WebDav converter (that had no problems prior to the changes I mentioned). In this case the mail is being scanned by avast outbound and the port 80 traffic to Hotmail is also being scanned. Anyway the net result was consistent transmission failure on repeated attempts. I need to do so more testing to confirm, but it appears to me that the transmission is successful only if the mail scanner sensitivity is left at medium.
I just report this in case any others experience similar issues ... if I find anything definitive I will report back.
-
I hope that the Awill staff will include the rules for the Standard and the Webshield in the new version of avast!.
Of course it's not difficult to add them manually, but it'll provide some nice extra protection out-of-the-box. With a whole load of rules, it might can get a little like Panda's TruePrevent. Or am I wrong?
-
This thread will soon end up into oblivion... and if RejZoR needs to post some new extension list entries we all would like to see them and be informed as soon as he posts them... so...
Alwil, please make this thread sticky. It doesn't cost anything ;)
@RejZoR - thanks for all the effort ! ;) :: thumbs up ::
-
I've emailed Support to confirm our request that this excellent thread be made a 'sticky'.
-
Thanks RejZoR.
If I add *.ocx and *.cab (related to ActiveX) to the URL Blocking so will it provide any proactive protection against some ActiveX-based adware/spyware?
-
Yes, adding OCX also works. I've tested with Creative AutoUpdate and OCX file was intercepted. Web Shield however did not block it.
I think it's enough if you use it just in Behavior Blocker.
I've also updated the blocker extension list (now includes OCX extension)!
-
About OCX extension, won't it block Windows Updates?
-
Yes, if you UNCHECK all checkboxes in Blocker page you will DISABLE Behaviour Blocker. Checking just one of them will enable it with certain degree of protection.
Formatting protection is hovever the most non intrusive setting and should always be checked.
Ok I enabled the default Blocker and ticked the 1st and 4th options. Amusingly, the first Trillian message that I received from a buddy got a Writing alert! I allowed it and it was just a straightforward message in text format, hardly needing to be blocked. Does that not sound strange?
-
Hi RejZoR...
I'm missing something....do you have the Professional version?
On my "On-Access Scanner" window, I only have two choices for the sensitivity level, Normal and high. How do you get custom?
Best Regards...
-
Yes, if you UNCHECK all checkboxes in Blocker page you will DISABLE Behaviour Blocker. Checking just one of them will enable it with certain degree of protection.
Formatting protection is hovever the most non intrusive setting and should always be checked.
Ok I enabled the default Blocker and ticked the 1st and 4th options. Amusingly, the first Trillian message that I received from a buddy got a Writing alert! I allowed it and it was just a straightforward message in text format, hardly needing to be blocked. Does that not sound strange?
hi! since I use Trillian as well, what does it meas? That everytime you recive a message you'll get a warning? Or was that an attached txt file you friends was sending you? Thanks
-
It was just an ordinary message containing type, nothing else; that's why the alert seemed so strange. Unfortunately I failed to screenshot it before I allowed it :o My messager was a girl I wouldn't keep waiting :)
-
It was just an ordinary message containing type, nothing else; that's why the alert seemed so strange. Unfortunately I failed to screenshot it before I allowed it :o My messager was a girl I wouldn't keep waiting :)
sorry...what do you mean containing type. that she did a copy and paste from a txt file to a trillian message? Did the warning stopped after you gave the ok? I don't want to get too many pop outs when i chat. that's why i'm asking. Sorry.
-
On my "On-Access Scanner" window, I only have two choices for the sensitivity level, Normal and high. How do you get custom?
Isn't just clicking the buttom Customize at left?
Did you click the buttom 'Details' in the first window of the avast! settings and you're seeing all providers or not?
-
It was just an ordinary message containing type, nothing else; that's why the alert seemed so strange. Unfortunately I failed to screenshot it before I allowed it :o My messager was a girl I wouldn't keep waiting :)
sorry...what do you mean containing type. that she did a copy and paste from a txt file to a trillian message? Did the warning stopped after you gave the ok? I don't want to get too many pop outs when i chat. that's why i'm asking. Sorry.
It was just a message like 'goodnight, it's late here'.
-
It was just a message like 'goodnight, it's late here'.
that's strange. Well...I'll guess I'll see what will happen the next time i'll use Trillian. Thanks
-
Well i don't know why would Trillian need to write into any of the listed filetypes. They are all possibly malicious. Tell us what exactly says on the warning message or or simply make a screenshot of it.
Also please read the guide regarding Detailed view. It's written there from the beginning, you just have to read it.
OCX blocking will block ActiveX stuff only at install point and will not obstruct it while using it. WIndows Update will work as usual once it's installed.
-
Ok, Let's try this again....
Hi RejZoR...
I'm missing something....do you have the Professional version?
On my "On-Access Scanner" window, I only have two choices for the sensitivity level, Normal and high. How do you get custom?
Best Regards...
-
It is there for all providers mentioned in this thread, however, if you don't expand the information displayed you won't see it.
Click on the Details... >> button to expand.
-
RejZoR,
For the Internet Mail provider proactive detections (regarding mass mailing worms specifically) you can also add additional ports to the avast4.ini file to cover other common e-mail ports.
Example:
[MailScanner]
PopRedirectPort=110,995
SmtpRedirectPort=25,587
I don't know if there are any additional ports that would be useful to add or not, or if any worms can use encrypted ports or not but I just thought of this so decided to post it anyways just in case it could be of any use.
Very knowledgeable and professional directions, by the way.
Edit: I wonder if it is possible to add those additional ports through the GUI on the Redirect tab, as opposed to modifying the avast4.ini file?
Cheers,
Dave
-
Edit: I wonder if it is possible to add those additional ports through the GUI on the Redirect tab, as opposed to modifying the avast4.ini file?
If fact, it will be better to add them by the GUI.
To change some parts of the avast4.ini file, it's necessary to stop the providers, make the changes, save the file, start the providers again.
On contrary, when you shutdown the computer, the non-changed settings at GUI will be saved over the avast4.ini file... :P
-
For the Internet Mail provider proactive detections (regarding mass mailing worms specifically) you can also add additional ports to the avast4.ini file to cover other common e-mail ports.
Example:
[MailScanner]
PopRedirectPort=110,995
SmtpRedirectPort=25,587
A word of warning on this recommendation (and Tech's very sensible suggestion that changes be made via the GUI).
If you are a user of a secure SMTP service - such as GMail using port 587 - then this recommendation will cause avast to prevent creation of a secure session. This recommendation should come with a warning that it be used by those not really trying to use the port.
-
Hi DavidR...
Ah, I see...got a little ahead of myself. Pardon my brusqueness earlier, just that I don't post here to hear my head rattle. I have questions at times and like to help out others when I can too.
Thanks :)
-
Hello! I did the customization but at start up Avast! gave me a warning with the same window you showed. It asked me to allow or block the writing of a file called ebd.chk by process wuaulct.exe.
Why? the file was in a microsoft windows folder. now i'm really tired of getting this warning. Is it a virus Avast didn't detected before? What should I do?
-
Just a blooper trying to do too many things at once my apologies
-
Here is a link to a site that should help answer some of your questions?
Wuauclt.exe is a process managing automatic updates for Windows
Hope it helps
http://help.lockergnome.com/index.php?showtopic=30026
Sorry I post the wrong URL the first time oops
-
Here is a link to a site that should help answer some of your questions?
Wuauclt.exe is a process managing automatic updates for Windows
Hope it helps
http://help.lockergnome.com/index.php?showtopic=30026
Sorry I post the wrong URL the first time oops
No problem! I googled for it and find out what exactly it is. So I wasn't overly concerend. but those warnings were aggravating. I couldn't rememeber the default settings so I jsut uninstalled and installed Avast again.
I think I'll not mess with it in the future.
-
(http://forum.campersheaven.de/images/newsmil/lol2.gif)
no worries emy80 you just had to untick Standard Shield/Customise/Blocker/
Blocked Operations/Untick Open file for writing ;)
-
Hello! I did the customization but at start up Avast! gave me a warning with the same window you showed. It asked me to allow or block the writing of a file called ebd.chk by process wuaulct.exe.
Why? the file was in a microsoft windows folder. now i'm really tired of getting this warning. Is it a virus Avast didn't detected before? What should I do?
Thats impossible. If you followed the guide you shouldn't get that message. CHK extension is not even on the list!
-
I think the problem is that he didn't uncheck default extension set. As I understand it must be unchecked otherwise you get a lot more warnings.
-
Yes, but people obviously don't read. I even used images for that matter...
(http://i14.photobucket.com/albums/a348/rejzor/block_set.png)
Now select Blocker tab.
Set all settings the same as shown on screenshot above, except field under number 2. This will come in next few lines...
This is what i wrote in the guide on first page...
-
Hello! I did the customization but at start up Avast! gave me a warning with the same window you showed. It asked me to allow or block the writing of a file called ebd.chk by process wuaulct.exe.
Why? the file was in a microsoft windows folder. now i'm really tired of getting this warning. Is it a virus Avast didn't detected before? What should I do?
Thats impossible. If you followed the guide you shouldn't get that message. CHK extension is not even on the list!
Well....there is a CH? in the default extension. My guess is that changing the Bloker action triggered that thing. I did an on-line scan with Trend Micro disabling the Standard Shield and the Web Shield.
First thing I got was a error message of Microsoft. I took a screenshot. Then the scan resulted clean. I just uninstalled and installed Avast again. i have the automatic update enabled so maybe that's why. The wuaulct.exe was running under a svchost.exe process pertaining the Updates. I checked it with Process Explorer.
I don't know why. I just decided to leave the default settings.
[edit] I'm really sorry. i guess I really didn't unchecked the default setting. I'm realy sorry for this. I wasn't saying that your guide is bad. i just guess, since i'm not an expert it's better if i leave the default setting, so i'll know for sure I haven't damaged the program. I'm sorry.
-
It's nice and clear now. To us noobs, it looked like the 'additional' extensions still needed the tick in the box to activate blocking. I now understand the tick is not needed. I certainly appreciate your help RejZoR and I trust this thread will be 'stickied'.
-
Noticed one small problem.
"Default extension set" will check itself if you run Avast! Antivirus. So eveytime you use it (which is not often - im talking about main antivirus, not on-access protection or explorer extension), you have to uncheck it.
-
Good, so we found a bug.
-
I just tried a quick scan but it didn't change my blocker settings (Default unticked, additional per RejZoR info post).
Oh and I found out what caused the blocker write alert in my Trillian yesterday: MSN message box icon!
-
Guys (RejZoR:) I appreciate your effort, but OTOH, I'm *reluctant* to making this thread sticky, for one simple reason - I *don't* think the settings RejZoR suggested are suitable for regular users...
Especially RE blocker - I would strongly recommend AGAINST turning it on, unless you know EXACTLY what you're doing... Blocking a (legitimate) file from being written can have very bad subsequences.
Cheers
Vlk
-
Like which one? VBS scripts? PIF shortcuts on 2k/XP systems? Maybe WMF files?
How often do you think regular users use CMD or COM files? OCX are those badass ActiveX controls that everyone fear.
Blocker won't affect those that are already on HDD. I'm working with such stuff more since i work with AVs nearly all my time and i haven't got a single warning. Ok, i lied.
I got one about VBS file in some modified NVIDIA drivers (DHzer0Point, some color correction script which i allowed and it worked fine after that).
You should also fix the Default extensions list checkbox in Blocker. Some user reported that it gets checked by itself when you run Simple interface. Still need to verify that...
-
Like which one? VBS scripts? PIF shortcuts on 2k/XP systems? Maybe WMF files?
How often do you think regular users use CMD or COM files? OCX are those badass ActiveX controls that everyone fear.
Any of those. When installing an application, you must not prevent it from writing any of its files. When you do so, the results are pretty much undefined.
E.g. *many* Microsoft apps use VBS, CMD and OCX files internally.
Blocker with Silent mode is especially deadly combination. Coz it can block those files right away, and you can only watch... :)
-
Any of those. When installing an application, you must not prevent it from writing any of its files. When you do so, the results are pretty much undefined. E.g. *many* Microsoft apps use VBS, CMD and OCX files internally.
I received some alerts when installing software but I answered 'yes' and everything goes fine.
In normal computer utilization, no alerts...
Blocker with Silent mode is especially deadly combination. Coz it can block those files right away, and you can only watch... :)
Fully agree with Vlk. I've tested an installation and it messed everything. Seems like PrevX, Process Guard or SSM blocking whatever in your computer to do anything... This is the only setting I will not make in anyway: block in silent mode.
-
I was searching in this forum for Avast! optimal settings or something like that and found this thread, I know big time passed nowone posted here, but I think this thread must be sticked.
I think there must be sticked such thread for users, who want set setting of Avast! such way. If last year something changed in Avast! settings author can update or edit this thread :)
What do you think about it?
-
What do you think about it?
There are better HIPS applications to be used... Behavior Block is not one of them... too noisy if you want protection. Users start to be bored and allow everything... no effective protection. More intelligent HIPS tools do it better, imho.
-
rejzor,thnx for this great topic..i have a question,in the "blocker" settings,do i have to uncheck the box "default extension set" coz in the screeinshot the box is unchecked..thnx in advance.. :D
oops...i read the replies 3min after i sent the reply..i'm rly sry guys..dont count this question.. :D