Behavior alert question

[cooby]

Behavior is set to Ask, all options are checked. Avast Free 8.0.1489, Windows XP.

I was in Snagit (v8), annotating a screenshot for a friend, of some selection in SeaMonkey. SeaMonkey was running. As I selected to Save the screenshot, Behavior alert came up.
Not knowing what to do, and with the registry and winsock2 in the picture I decided to deny. Right? Wrong?

From Behavior log:

8/5/2013 9:53:59 PM   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\
    By:  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfc80.dll
    Via: C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
         -> Action denied

Sometimes Avast misidentifies process, so while Snagit is being implicated it could have been activity in SeaMonkey, specifically, connection to yahoo mail.

I later repeated the entire process, no alerts this time.
 
When I denied, is that a one time decisions or a rule being made forever?
Is there anything I should do or check?

[cooby]

bump

in addition to the questions above, I have more, just trying to really learn Avast (finally):
- when Behavior Shield asks, and I have no idea how to respond, what will Avast do?
- how can I tell whether the example above is one of ormal or abnormal activity? Where else can I check?
- is Avast making a list someplace of thiings I allowed so they could be reviewed later?

[DavidR]

bump

in addition to the questions above, I have more, just trying to really learn Avast (finally):
1. - when Behavior Shield asks, and I have no idea how to respond, what will Avast do?
2. - how can I tell whether the example above is one of ormal or abnormal activity? Where else can I check?
3. - is Avast making a list someplace of thiings I allowed so they could be reviewed later?

1. Well by default it is set to Auto I believe, so perhaps this is a question you should have considered before changing the setting. Also see 2.

2. You need to have a general idea of what that particular behavior shield option is monitoring and and the action being carried out (and by what) as to how it might be considered suspicious, etc. only then can you truly answer the question 'Ask'ed.

3. The mfc80.dll (part of visual studio) is I believe being called by SnagIt, to try and change a registry setting relating to winsock2, why I don't know. I have had SnagIt for some considerable time around version 5 or 6 and now have SnagIt 10.2 and I haven't had any issues such as this.

You could try looking in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\BehaviorShield.txt file, but this may just record its start and stop times, that is all there is in mine. You could also check and see if there is a similar behavior shield file here C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log, but nothing in my folder.


Note: relates to I haven't had any issues such as this.
However, I have long since disabled the 'Monitor the system for unauthorised modifications' as I have WinPatrol Plus and my Outposts Firewall Pro, which both already monitor system changes.

[iroc9555]

@ cooby

Word of advice. Watch it next Microsoft Tuesday. Avast! Behavior Shield in Ask mode ( Under XP ) will give you tons of alerts with any .NETFramework update. Better to switch it to Auto mode and let Avast! handles the installment of those updates.

[cooby]

@iroc9555,
and you sat there saying Allow, Allow, Allow, ... right?
Thanks, I saw it once, ages ago, so it won't hit me again.  I usually set avast into its default auto decide mode before allowing win update to run. If I forget it, oh, well, it's my problem.
And it won't be on patch tuesday, 'cause I usually delay for a little bit.

@davidR,
I actually do know where the log is, that's how I was able to do post#1. As to your other comments, they're  valuable to me. I'm taking time studying and thinking a bit, since I really want to learn to use avast the best way I can.

Re your reponse 1 and 2: The only way I can learn what a particular shield does is to look at what it does. So your suggestion to know what it does before playing with the Ask setting worries me at this point, and is one of the reasons I ask on this forum.

Re 3: yup, that winsock2 is weird, still hasn't happened again, go figure. Visual studio might make sense.

Re "Monitor the system for unauthorised modifications" - hmm. When I used Outpost, I did the same, but Outpost doesn't like my laptop waking up from sleep in their every other version, so can't use it even though I have a lifetime license.
I've disabled, on purpose, all behavior blocking and HIPS in my firewall, so Avast system watch is essential for me. Also, I think, as I watch things, Avast might be watching more than my firewall did. So I need to get all that figured out.

If I'm back with more questions, plese don't be surprised, thank you.

[iroc9555]

@iroc9555,
and you sat there saying Allow, Allow, Allow, ... right?

Just when Avast! 6 came out back in April 2011 I reported it in the Spanish Forum.
http://forum.avast.com/index.php?topic=76168.msg630926#msg630926

I also have this reply in October 2011 to jayt. Since then, I switch BS to Auto when doing Microsoft Tuesday.
http://forum.avast.com/index.php?topic=86573.msg698029#msg698029

[cooby]

Excellent links, thank you!