Avast WEBforum

Topic started by: Dch48 on January 26, 2012, 08:55:36 PM

Title: Behavior Shield on Ask
Post by: Dch48 on January 26, 2012, 08:55:36 PM
I had been running with the Behavior Shield on Ask to try it out. I just switched back to Auto-Decide because it got too annoying and HIPS like. I updated my video driver yesterday and got 3 warnings during the process. It's a signed driver from AMD so it shouldn't do that in my opinion. I had also gotten 4 or 5 other alerts about safe applications. I can confirm now that the Behavior Shield indeed does work but it's too aggressive in my humble opinion.
Title: Re: Behavior Shield on Ask
Post by: Gargamel360 on January 26, 2012, 09:04:00 PM
> I had been running with the Behavior Shield on Ask to try it out. I just switched back to Auto-Decide because it got too annoying and HIPS like. I updated my video driver yesterday and got 3 warnings during the process. It's a signed driver from AMD so it shouldn't do that in my opinion. I had also gotten 4 or 5 other alerts about safe applications. I can confirm now that the Behavior Shield indeed does work but it's too aggressive in my humble opinion.
Yeah, whatever "magic pill" makes for effective behavior protection without being too aggressive, they have not found it. 

I had pretty much the same results when set on Ask, it seems to be pretty much HIPS-like, it alerts on everything (or at least most things) it scans and defers action to the user.
Title: Re: Behavior Shield on Ask
Post by: akama1 on January 27, 2012, 02:46:53 AM
My behaviour shield is set on ask and I find it too silent :/ Btw, how does the behaviour shield work when you set it on auto-decide?
Title: Re: Behavior Shield on Ask
Post by: Dch48 on January 27, 2012, 07:12:57 AM
It pretty much allows everything on auto-decide. I never had it question or block anything. I prefer a totally silent security product.
Title: Re: Behavior Shield on Ask
Post by: nsm0220 on January 29, 2012, 08:17:15 AM
> It pretty much allows everything on auto-decide. I never had it question or block anything. I prefer a totally silent security product.

Here is the trouble with that: its weakness is with ransomware or, if you are unlucky, a rootkit, if Behavior Shield doesn't tell you.

Btw, please don't get rid of this post because I'm sick and tired of you guys getting in my life.
Title: Re: Behavior Shield on Ask
Post by: akama1 on January 29, 2012, 10:33:09 AM
So we should put it on all block?
Title: Re: Behavior Shield on Ask
Post by: nsm0220 on January 29, 2012, 05:40:47 PM
> So we should put it on all block?

Put it on ask.
Title: Re: Behavior Shield on Ask
Post by: Dch48 on January 29, 2012, 06:01:21 PM
I say leave it on auto-decide unless you want to keep getting annoyed and interrupted by alerts for things that are perfectly safe. That kind of behavior was what made me move away from Comodo and anything else with a HIPS component. Avast just needs to improve heuristics and the behavior shield to the point where it only alerts for actual malware. If that's even possible. It should be as silent as Norton is and just as effective.
Title: Re: Behavior Shield on Ask
Post by: nsm0220 on January 29, 2012, 06:14:33 PM
> I say leave it on auto-decide unless you want to keep getting annoyed and interrupted by alerts for things that are perfectly safe. That kind of behavior was what made me move away from Comodo and anything else with a HIPS component. Avast just needs to improve heuristics and the behavior shield to the point where it only alerts for actual malware. If that's even possible. It should be as silent as Norton is and just as effective.

I'm sorry, that's going to be the way of the future.
Title: Re: Behavior Shield on Ask
Post by: Dch48 on January 29, 2012, 08:37:07 PM
> > I say leave it on auto-decide unless you want to keep getting annoyed and interrupted by alerts for things that are perfectly safe. That kind of behavior was what made me move away from Comodo and anything else with a HIPS component. Avast just needs to improve heuristics and the behavior shield to the point where it only alerts for actual malware. If that's even possible. It should be as silent as Norton is and just as effective.
>
> I'm sorry, that's going to be the way of the future.

I'm not sure what you mean. Which way is in the future in your opinion?
Title: Re: Behavior Shield on Ask
Post by: schmidthouse on January 29, 2012, 08:50:53 PM
It's definitely a matter of preference.
For me personally, if there is any question, I prefer to lean towards stronger control (hands on security) and less convenience.
I changed from 'auto decide' to 'Ask'
Just my preference. ;)
Title: Re: Behavior Shield on Ask
Post by: DonZ63 on January 29, 2012, 11:36:08 PM
HIPS software runs in two modes; trusted publisher and manual - trust nothing.

When you install new software in trusted publisher mode, you are trusting the publisher's certificate that the software is malware free and legit. No one trusts certificates anymore since too many have been stolen or hacked.

That leaves manual mode, which will give numerous alerts on any protected area activity. How do you stop that? You install drivers and trusted software in what is called "training mode." Usually involves one mouse click for most HIPS's.

I would assume the procedure in Avast would be to set behavior shield to auto decide when installing and then turn it back to ask when the installation is complete. This sure doesn't seem a lot of effort to me and is much more secure than leaving it always in auto decide mode. I am with the camp that found they never once received an alert with behavior shield set to auto-decide.

Title: Re: Behavior Shield on Ask
Post by: ky331 on April 14, 2012, 02:27:35 PM
I've finally gotten around to upgrading avast from v6 to v7.   

In terms of "first impressions", like several people in this thread, I've found the behavior shield "overly chatty" when set to ASK.   I had it set to ASK when using v6, and about the only time v6 ever prompted me was when downloading/installing DotNet updates.   But now, under v7, it indeed appears very HIPS-like, questioning just about everything I try to do.   While in general, I prefer to let avast allow me to decide what to do when a problem is found (i.e., I have ALL its other shields set to ASK), I have reluctantly set the behavior shield back to auto-decide.

Given that this thread has had no entries in about 2 1/2 months, I was wondering what other people were experiencing (or have learned) about how best to set the behavior shield.   (If it makes any difference, I'm working under XP/SP3... remaining security per my signature.)
Title: Re: Behavior Shield on Ask
Post by: crofty59 on April 14, 2012, 02:46:28 PM
I have behavior shield set to "ask" on both computers.
I do not get asked too often to allow anything.
What I have noticed is if you have Microsoft .NET Framework installed, I change behavior shield back to Auto-Decide for any updates or installing Microsoft .NET Framework etc., otherwise you get lots of pop ups which you have to click Allow. That is the only time I change the setting in behavior shield.

Cheers :)
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 14, 2012, 04:03:12 PM
I too have it on Ask and rarely get asked, but I have unchecked the "Monitor the system for unauthorised modifications" as WinPatrol Plus and my Firewall also monitor that area.
Title: Re: Behavior Shield on Ask
Post by: Asyn on April 14, 2012, 05:00:53 PM
> Given that this thread has had no entries in about 2 1/2 months, I was wondering what other people were experiencing (or have learned) about how best to set the behavior shield.   (If it makes any difference, I'm working under XP/SP3... remaining security per my signature.)

I'm on Ask as well and never ever got asked about anything.
But this is because of D+, which jumps in first and never gives the BHS a chance to ask me. ;)
Title: Re: Behavior Shield on Ask
Post by: ky331 on April 14, 2012, 08:23:09 PM
DavidR,
Your suggestion/usage, to set the Behavior Shield to ASK, but to UNcheck "Monitor the system for unauthorised modifications", looks like it may work as an optimal solution for me.   I am testing it now, and hope to keep that setting (unless I see some adverse results in the future).
[Like you, I have WinPatrol (PLUS)... but in contrast, I'm only using the built-in Windows firewall.]
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 14, 2012, 09:08:19 PM
Well for me it is a very workable solution as I have that area well covered. Whilst you should be OK, I would certainly be looking at getting a third party firewall. The reason is the XP firewall has ZERO outbound protection, and for me that is a weakness.
Title: Re: Behavior Shield on Ask
Post by: ky331 on April 14, 2012, 09:26:40 PM
Yes, I realize the XP firewall offers only inbound protection... which is why I specifically pointed it out as a key difference between our setups (and the rationale used in making your choice).

The problem for me here is that, if I leave the "unauthorized modifications" box checked, the behavior shield is questioning lots of things; for example, when something in Firefox activates its "plug-in container".   Granted, I guess I can "train" the behavior shield (like one would train an outgoing firewall or other HIPS program), but I'm debating if it's really worth it.   As noted, the behavior shield set to ASK in v6 never really bothered me, except when installing DotNet updates [when it went berserk].   So I'm trying to figure out what Avast did to it in v7.  It's fascinating to read how some here find ASK "too noisy", while others say it's not doing enough!   Guess there's no way to satisfy everyone.

By the way, how would you compare the relative security levels of:   
Behavior Shield set to ASK, with "unauthorized modifications" UNchecked; vs:
Behavior Shield set to AUTO-DECIDE, with "unauthorized modifications" CHECKED ??
These seem to be the "practical alternatives" for me to pick between (unless I want to put up with "noise", or train the shield).
Title: Re: Behavior Shield on Ask
Post by: iroc9555 on April 14, 2012, 09:49:24 PM
Ky331

I can not answer about the Firefox plugin since I barely use FF, but as I told you before I have BhS in " Ask " and I had given trusted status to a half dozen progs so now my BhS is quiet.

I also found out that it is better to switch BhS to auto-decide for Microsoft Thusday updates. This is only if one is running XP and there are DotNet updates available.

Myself, like Asyn, I am running D+ and Comodo alerts are faster and a few more than Avast! so I do not notice if Avast! is really noisy or not.
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 14, 2012, 09:57:31 PM
@ ky331
I can't make a direct comparison as there is no real way to tell as there is insufficient data to do that as on Auto decide there isn't any easy means of checking what has been checked and the action taken.

Even looking at the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\BehaviorShield.txt file doesn't show any worthwhile information as you have no expert settings where you can change the data recorded in the report file.

To even begin that comparison process you would have to remove all of your trusted processes and I have a whole slew of those. The plugin-container.exe is one of those I have in the trusted processes.
Title: Re: Behavior Shield on Ask
Post by: ky331 on April 15, 2012, 12:37:58 AM
The irony for me:  I have ALL avast shields set to ASK, yet none ever alert me (except for the rare F/P, which I'm prepared to analyze and properly act upon)... but the v7 Behavior Shield, in contrast, seems to be intrusive.  I do my best to practice "safe-surfing", and have several layers of protection that, combined, serve me well.

Iroc wrote:   "I had given trusted status to a half dozen progs so now my BhS is quiet".
DavidR wrote:  "I have a whole slew of those [trusted processes]".
I guess I can try to see what happens... if all it takes is adding "a half dozen" to a white-list, that's really not too bad.   But I'd hate for it to extend to "a whole slew".   As Iroc knows, I consider myself an advanced user, and I can handle the ASKing.   But I'm also concerned about how "average" users --- friends that I try to help --- will fare if avast 7 does this to them.... maybe that's why "auto-decide" is the default???  [My wife wanted to completely turn-off the behavior shield on her machine(s), until I found the "compromises" I'm questioning/considering here.]
Title: Re: Behavior Shield on Ask
Post by: Gargamel360 on April 15, 2012, 12:44:16 AM
> But I'm also concerned about how "average" users --- friends that I try to help --- will fare if avast 7 does this to them.... maybe that's why "auto-decide" is the default???

Exactly  ;)

Defaults are the best setup for an average (meaning largely clueless) user.   Meant to be as "hands-free" and light on resources as possible, while still maintaining the best security possible.
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 15, 2012, 01:12:54 AM
> <snip>
> Iroc wrote:   "I had given trusted status to a half dozen progs so now my BhS is quiet".
> DavidR wrote:  "I have a whole slew of those [trusted processes]".
> I guess I can try to see what happens... if all it takes is adding "a half dozen" to a white-list, that's really not too bad.   But I'd hate for it to extend to "a whole slew".   As Iroc knows, I consider myself an advanced user, and I can handle the ASKing.   But I'm also concerned about how "average" users --- friends that I try to help --- will fare if avast 7 does this to them.... maybe that's why "auto-decide" is the default???  [My wife wanted to completely turn-off the behavior shield on her machine(s), until I found the "compromises" I'm questioning/considering here.]

For some considerable time there were nothing but complaints that the behavior shield wasn't doing/getting involved enough.

However, don't consider my system the norm as I have some tools/toys that I play with that I keep away from any potential interaction with the behavior shield. Plus the only reason I add those to the trusted processes is because I have set it to Ask. If set on Auto many of those may well be checked and passed through without further intervention.

For me a whole slew of them is in the region of a dozen programs/tools/files, etc.

That is why the default setting is Auto, so that the average user isn't bugged by pop-ups effectively asking questions that they may not be able to answer.

As has been mentioned, the default settings are designed with the average user in mind; when you have over 150 million active users, those defaults have to provide a balance between protection and performance.
Title: Re: Behavior Shield on Ask
Post by: ky331 on April 15, 2012, 02:42:32 PM
Okay, here's the [preliminary] results of my testing which POPULAR programs/processes had to be added to the Behavior Shield's trusted processes list --- over and above those that I had already added in under v6 --- in order to avoid getting ASK-prompted each time:

Programs:
Adobe Reader
Auslogics Disk Defrag
Firefox
Internet Explorer
Open Office modules (e.g., Writer, Calc)
Sandboxie
Secunia PSI

Windows Processes:
csrss (Client Server Runtime proceSS)
explorer (windows explorer)
svchost (generic HOST process for win32 SerViCes)

It appears that, with the above white-listed, the behavior shield is now essentially quiet under ASK mode.   However, given the popularity of the above (especially IE, FF, and Reader), I think that Avast is asking way too much, if "average" users will have to whitelist them all (for ASK to be "quiet").   Surely Avast knows about, and should tolerate these mainstream programs/processes, without users having to declare them "exceptions".
(Note that some of the above programs had to be added, only for the sake of checking for their updates.)
(Also, I am intentionally not mentioning here one or two "unpopular" programs that I have/use, as I fully understand why the behavior shield questions them).

I'm curious if Iroc and DavidR can take a moment to look at their whitelists, to see if they needed to add any/all of the above... or is something weird happening on my system.
Title: Re: Behavior Shield on Ask
Post by: iroc9555 on April 15, 2012, 03:02:38 PM
Ky this is my list:

Uphclean.exe
MIDIDEF.EXE
Ctregrun.exe
CTCMSGoU.exe
regutils.dll
JavaRa.exe
ISUSPM.exe

Most of them are for Sonic and Creative software. Uphclean is from Microsoft Hive Cleanup Service, Java, and ISUSPM is from Install Shield.

I certainly have not had alerts for Explorer, svchost, or csrss which as you know are Microsoft files.
Title: Re: Behavior Shield on Ask
Post by: ky331 on April 15, 2012, 03:14:26 PM
Iroc,

UPHClean is also on my whitelist --- but that's one that I had added under v6, so I did not mention it here.
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 15, 2012, 04:20:09 PM
@ ky331
I don't add any windows system processes to the trusted processes.

Many of the programs you have added I don't use. For the browsers I don't add those and have also removed the plugin-container.exe I added as a test to see if it made things any quicker.
I don't use sandboxie on this system, I use DropMyRights and have added that. On my win7 system I have sandboxie and that is added.
I use PuranDefrag as my defrag option and add its two processes.

I have removed several of my tools (ones not used frequently) so as not to confuse issues by making it look like you have to add loads of processes to the trusted processes list.

But remember I don't have the monitor unauthorized modifications option checked.
Title: Re: Behavior Shield on Ask
Post by: ky331 on April 15, 2012, 05:37:01 PM
DavidR wrote:  "But remember I don't have the monitor unauthorized modifications option checked."

That's the big difference:   I believe CONFIRMED:  that with that box UNchecked, I would not have had to add ANY of the programs/processes I listed above!
Title: Re: Behavior Shield on Ask
Post by: Dch48 on April 15, 2012, 11:33:17 PM
When I had it on Ask, I did not have to add any browsers or any other part of Windows. It was only things  like driver updates for known and widely used hardware that should not trigger any alert. AMD graphics drivers were one example. It also alerted on some legacy applications but the most bothersome things were the drivers and updaters for my games that interrupted things and made them fail. I just can't put up with that so it's staying on auto decide.
Title: Re: Behavior Shield on Ask
Post by: akama1 on April 16, 2012, 01:00:08 PM
The bad thing about when I put on auto-decide is that it can't really block the malicious processes :/ It only starts blocking when I set it to block.
Title: Re: Behavior Shield on Ask
Post by: Dch48 on April 16, 2012, 06:27:02 PM
> The bad thing about when I put on auto-decide is that it can't really block the malicious processes :/ It only starts blocking when I set it to block.

But---has it ever blocked any malicious processes? Or only ones that were safe and had to be allowed? I think having it on auto-decide in conjunction with all the other shields of avast! is pretty safe.

I also have a question for DavidR.  If you tell it not to scan for unauthorized modifications, aren't you effectively turning it off? What else would it scan for other than that?
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 16, 2012, 06:31:19 PM
No, because that is only one of the areas it is monitoring, check your expert settings and you will see the other areas.
Title: Re: Behavior Shield on Ask
Post by: Tetsuo on April 16, 2012, 09:36:49 PM
> No, because that is only one of the areas it is monitoring

In fact (just for instance) with the "monitor unauthorized modifications" option unchecked, the Behavior Shield still scans plugin-container.exe (Firefox) - as already mentioned by DavidR.

The only relevant downside (apart from the not-monitored areas) could be the Script Shield activity - not zero but almost zero in most cases.
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 16, 2012, 10:00:18 PM
There are two other areas monitored by the behavior shield, but yes (as has been mentioned in script shield related topics) that would reduce the activity of the script shield. I effectively only get activity if I use IE and there is no way I would be using IE.
Title: Re: Behavior Shield on Ask
Post by: Tetsuo on April 17, 2012, 01:06:57 PM
> I effectively only get activity if I use IE and there is no way I would be using IE.

Funny thing: here (with the "monitor unauthorized modifications" option unchecked) I get one of those rare Script Shield activities if I open the  Microsoft System Information tool (XP)... I guess it's somehow related to IE.
Title: Re: Behavior Shield on Ask
Post by: DavidR on April 17, 2012, 01:47:48 PM
There are a lot of internal windows functions that use IE for display purposes, this may be one of them.