Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Tgell on January 01, 2011, 03:25:35 AM
-
Hello,
I have noticed that there are now Behavior Settings under Expert Settings. Listed are:
Monitor the system for low-level rootkits
Monitor the system for malware-like behavior
Monitor the system for unauthorized modifications
Under Action my default was "Allow"
Shouldn't this be "Ask" or "Block"?
-
For the time being anyway the behaviour shield will be running in passive mode, so making any change as far as I'm concerned could be a moot point. If you are part of the avast community then that data will be sent to avast, the idea being so that they can gather information and tweak the filters/rules to prevent poor detections.
If you took part in the beta trial you would have seen that many who changed it to Ask suffered many problems (system freeze), as some of the detections/decisions could be happening early in the Windows boot. Whilst this issue was largely resolved in the beta testing, personally I really don't want to be potentially interrupting the boot and suffer any problem at all.
I also don't believe you should go tweaking avast within an inch of its life and find you have gone an inch too far until you have got more used to the program settings as they are in the default. I feel the avast developers are much cleverer than I in these matters, so I tend to leave the default settings unless I know exactly what any change is going to do.
-
Tgell, the BeS is on "passive" mode, just collecting data to the release of version 6, expected in February.
You can set it to "ask" if you want :)
P.S. David posted first.
-
Thanks for the heads up guys. :)
-
You're welcome, Happy New Year (it is here).
-
Thank you Tgell for posting this question & DavidR & Tech for your responses; it pretty much covered my queries.
I was just wondering if there is any published information explaining the behaviour shield? I expect there probably isn't as it is still early days.
Best wishes for the new year everyone
-
You're welcome Mitchell.
Happy New Year!
-
You're welcome Mitchell.
Unfortunately not, even in the avast Help Center. There is this basic information posted by one of the Avast Team:
- avast! Behaviour Shield, general information from an interview Softpedia - Ondrej Vlcek
Ondrej Vlcek: The Behaviour Shield that we shipped in version 5.0 is a new component that is going to be further developed moving forward. For example, in version 5.1, we will be adding more sensors that will allow for even finer-grain filtering.
For now, the Behavior Shield is focused on exploits coming via typical mechanisms (browser, PDF reader, and flash vulnerabilities, for example). It also closely monitors all kernel-mode code (drivers) loaded into the operating system, and is able to detect zero-day rootkits.
There may well be some more snippets in the forums, but there is no collated information on it.
A Happy New Year to you too.
-
The future of avast: http://forum.avast.com/index.php?topic=64382.msg546016#msg546016
At the first post of that thread I've mentioned the wish/necessity of having a better 0-day protection.
-
:) Thanks again, you have both been most helpful, I appreciate it.
-
No problem, glad I could help.
-
"What may be of special interest, also, is that this is how it's going to work even in the free version (which means that the core functionality of the sandbox will likely be moved to the free AV)."
I really like this sentence!
Sandbox in free version, nice!
-
That doesn't mean what you think it means, it won't be the same as the process virtualisation in the Pro and AIS versions.
-
DavidR noted above the "problems" people encountered when changing from the default ALLOW to ASK.
I tested things myself... while not having an actual "problem", I was indeed subject to several prompts for permissions:
I received two BeS warnings (when set to ASK) about my Wireless Connector:
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
One about my firewall:
C:\Program Files\Comodo\Firewall\cmdagent.exe
and one more about my clock-synchronization:
C:\Program Files\D4\D4.exe
At that point, I switched back to the default of ALLOW... and will be leaving it that way.
-
I also qualified that point, that this was during the beta trials. What I do is monitor the BehaviourShield.txt file that contains what would probably be the same applications as if you had set it to Ask.
C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\BehaviourShield.txt (for XP)
Then I add these applications into the Behaviour Shield, Expert Settings, Trusted processes section. Once that is done they shouldn't feature in the report again.