Topic: what Avast is critically missing...


Randissimo

  • Guest
what Avast is critically missing...
« on: December 23, 2013, 01:12:08 PM »
... is a feature to directly exclude files from the "actions to take" window.
It's unreasonable to have to go to the chest with every false positive detection, or to turn off some of the protection just to start a download with an FP-detected file.
It's inconvenient to exclude files in advance.

Like I've written in another topic:
What if Avast finds a legit Windows file suspicious and, when it gets removed or sent to the chest, you instantly get a BSOD and from then on can't even boot Windows anymore?
With the recent increase of false positives since Avast 2014 came out, and because even with Avast 8 you can't directly exclude files which are categorized as viruses - only suspicious (evo_gen32 something in Avast 2014) files and downloads - I've lost all my longstanding trust, and that's why I've already moved on to another anti-virus.

Avast used to be good in my opinion when the false positive rate was almost non-existent and there was an option to directly allow file access to false positives, which would rather be rated as suspicious than as virus threats. But in the state it is in now (regardless of version 8 or 2014), I don't want to think about the high possibility that one day Avast will detect a harmless Windows system file or itself, move it to the chest and, as a result, I would either need to re-install or use some image backups, which would mean wasted time, since I would need to update Windows and/or programs again on top of the process of reverting to an older system image.

So my question is, why does Avast exclude this option, and why was it made even worse in Avast 2014, where you can't exclude suspicious-rated files and downloads on demand anymore?

« Last Edit: December 23, 2013, 01:26:55 PM by Randissimo »

AdrianH

  • Guest
Re: what Avast is critically missing...
« Reply #1 on: December 23, 2013, 01:31:07 PM »
There are plenty of ways within avast to exclude URLs, processes and applications.

Adding a "do nothing" scenario to the actions on finding a virus would be madness.

You would soon be back here screaming at avast when your machine is crippled and avast failed to do anything.

Randissimo

  • Guest
Re: what Avast is critically missing...
« Reply #2 on: December 23, 2013, 02:22:24 PM »
Quote from: AdrianH
There are plenty of ways within avast to exclude URLs, processes and applications.
They mean nothing if a legit system file triggers a false positive. Or do you think it would be a good idea to exclude the whole Windows folder in advance?

Quote from: AdrianH
Adding a "do nothing" scenario to the actions on finding a virus would be madness.
No, from my point of view it is madness not having a "do nothing" scenario.
I'd rather scream at Avast if my machine were crippled because of some false positive alarm than because of my own decision.
If I can have a choice, I will never regret it, because that's something that I myself have decided. However, if I can't have a choice and things screw up, I will put the blame on the program which robbed me of my decision, and I believe others would do the same.

zorgon

  • Guest
Re: what Avast is critically missing...
« Reply #3 on: December 23, 2013, 02:39:30 PM »
That is why on the File Shield settings, I set everything to ASK first, then Repair and then, if that fails, Remove to Chest. During ask, I can decide for myself if it looks like a false positive, especially if it is a critical system file (I have run into that once already with avast), because I always have a disk and system image backup available. But not that many people could or would do that.

Randissimo

  • Guest
Re: what Avast is critically missing...
« Reply #4 on: December 23, 2013, 03:56:43 PM »
Quote from: zorgon
That is why on the File Shield settings, I set everything to ASK first, then Repair and then, if that fails, Remove to Chest.
I had only set it to ask, because I always want to have the time to evaluate it and because I don't trust the repair or chest; however, the problem is that during ASK I can't decide to let the file through if it's a false positive, so I would end up using a system image, and most users won't even have that, so in the worst case they would even need to re-install Windows.
Another solution would be to hard shutdown your computer and try making exclusions in safe mode, or to uninstall it before it can delete or move something to the chest, but that might be risky for the hardware. Or I could force Avast to shut down by terminating its processes with the right tool and immediately halt all file shields on restarting it before excluding the file, but that would leave a really bad impression.
I mean, you shouldn't need to disable any shield just to make an exception on demand. That's just stupid.

« Last Edit: December 23, 2013, 03:58:55 PM by Randissimo »

thekochs

  • Guest
Re: what Avast is critically missing...
« Reply #5 on: December 23, 2013, 04:03:16 PM »
I have not taken the V9 plunge yet, so here is a pic from v8... this is in my custom scan I have running daily.

NoelC

  • Guest
Re: what Avast is critically missing...
« Reply #6 on: December 23, 2013, 05:27:06 PM »
YES!  The software needs the capability to ALLOW THIS FILE THIS TIME, and also an IGNORE THIS RULE UNTIL NEXT (DEFINITIONS OR PROGRAM) UPDATE feature.

Maybe not available as the default, but power users need to be able to configure it as an option to the "Ask" option.

I started out asking for exactly this a month or so ago when I was fighting a false positive as well.  I was told, as some are telling in this thread, that there are other ways to do it.  Those other ways are not sufficient!

Here's a scenario that the current "exclude after the fact" measures do not work with.

1.  You're building software sources into executables.

2.  Avast triggers a false positive and kills an intermediate file that has a temporary name assigned by the build software.

3.  You can't tell it to IGNORE THIS FILE, THIS TIME, so the build fails, interrupting your productivity.  Neither can you tell it to exclude the particular (flawed) rule that made the false positive happen in the first place.  This forces you to deal with the Avast! problem immediately.

4.  You go to the Chest and try to exclude that file from there, but next time you build the file is given a different temporary name, so the build fails and you spin your wheels some more.  This forces you to have to move from "set it and forget it" to "expert" level in Avast configuration.

5.  You finally, in disgust, exclude your entire development folder structure so you can get back to work after having been distracted for a good long time figuring out the convoluted Avast! UI.  Hopefully you haven't been fired yet, and you have to work late to catch back up.

6.  You submit the file as a false-positive, wasting more of your time that you could be working.

7.  Some weeks / months later, MAYBE some other Avast issue makes you remember that you've excluded an entire block of your disk from all protection and you remove the exclusion (and maybe the false-positive detection has been corrected).  Hopefully some malware hasn't found a way to use that exclusion to its advantage.

How do I know this in such detail?

-Noel
« Last Edit: December 23, 2013, 05:30:54 PM by NoelC »
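A small model of the two options Noel asks for (allow this file this time; ignore this rule until the next definitions update) next to the folder-prefix exclusion the product already offers, replayed against the build-tool scenario above. This is an added illustration, not Avast's code or anything posted in the thread; the rule name, definitions version strings, paths and file content are constructed.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Detection:               # what the shield knows when it shows the "actions to take" window
    path: str
    sha256: str
    rule: str                  # name of the detection rule/heuristic that fired (hypothetical)
    defs_version: str          # definitions version the rule came from (hypothetical)

@dataclass
class ExclusionStore:
    path_prefixes: list = field(default_factory=list)      # folder exclusion: permanent, broad
    once_hashes: set = field(default_factory=set)          # "ALLOW THIS FILE THIS TIME"
    rule_until_update: dict = field(default_factory=dict)  # rule -> defs_version it was granted under
    def exclude_path(self, prefix): self.path_prefixes.append(prefix)
    def allow_file_once(self, sha256): self.once_hashes.add(sha256)
    def ignore_rule_until_update(self, rule, defs_version): self.rule_until_update[rule] = defs_version

    def decide(self, d: Detection) -> str:
        """Return 'allow' or 'quarantine'; one-shot entries are consumed, rule entries lapse on update."""
        if any(d.path.startswith(p) for p in self.path_prefixes):
            return "allow"                        # broad and permanent: the "sledgehammer"
        if d.sha256 in self.once_hashes:
            self.once_hashes.discard(d.sha256)    # next detection of this file asks again
            return "allow"
        granted = self.rule_until_update.get(d.rule)
        if granted == d.defs_version:
            return "allow"
        self.rule_until_update.pop(d.rule, None)  # definitions changed: the FP may be fixed, re-ask
        return "quarantine"

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_scenario():
    """Constructed replay of the build-tool case: same object, new temporary name each build."""
    store = ExclusionStore()
    h = sha256_of(b"constructed intermediate object file")        # constructed sample content
    rule, defs = "heuristic-X", "defs-2013-12-23"                  # hypothetical rule and version
    first = Detection("C:/build/tmp/obj_1a2b.o", h, rule, defs)
    second = Detection("C:/build/tmp/obj_9f8e.o", h, rule, defs)
    store.exclude_path(first.path)                # excluding yesterday's temp name...
    path_only = store.decide(second)              # ...does nothing for today's name
    store.allow_file_once(h)
    by_hash = store.decide(second)                # hash survives the rename, but only once
    store.ignore_rule_until_update(rule, defs)
    by_rule = store.decide(second)                # rule-scoped: works across renames
    after_update = store.decide(Detection(second.path, h, rule, "defs-2013-12-24"))
    return path_only, by_hash, by_rule, after_update   # quarantine, allow, allow, quarantine
```

The point of the replay is that a path-based exclusion never matches the renamed intermediate, while both proposed options do, and neither of them leaves a permanent hole once the build is over.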

zorgon

  • Guest
Re: what Avast is critically missing...
« Reply #7 on: December 23, 2013, 08:23:59 PM »
Am I missing something, or did avast drop the setting to exclude low prevalence files in the sandbox section (now Deepscan)?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
Re: what Avast is critically missing...
« Reply #8 on: December 23, 2013, 08:51:37 PM »
Locked (running) system files cannot be removed, so you wouldn't instantly get a BSOD. Besides, there are safeguards that prevent deleting and quarantining of files in system folders (generic location-based and whitelisting along with digital signatures).

Randissimo

  • Guest
Re: what Avast is critically missing...
« Reply #9 on: December 23, 2013, 09:28:42 PM »
Quote from: thekochs
I have not taken the V9 plunge yet, so here is a pic from v8... this is in my custom scan I have running daily.
We're talking about the exclusion of files after a file system scanner detection, not about the exclusion during/after a custom/full/boot-time scan.

Quote from: RejZoR
Locked (running) system files cannot be removed, so you wouldn't instantly get a BSOD. Besides, there are safeguards that prevent deleting and quarantining of files in system folders (generic location-based and whitelisting along with digital signatures).
Sorry, but I've already lost my trust in those "safeguards":

http://forum.avast.com/index.php?topic=141737.0
http://forum.avast.com/index.php?topic=143299.0
http://forum.avast.com/index.php?topic=126814.0
http://forum.avast.com/index.php?topic=138386.0
http://forum.avast.com/index.php?topic=143092.0
http://forum.avast.com/index.php?topic=142987.0

and that's only a small number of topics. However, even if I could trust Avast on this matter, when it comes to deleting/moving files without an option to leave them alone, I still wouldn't want to continue using it; just take a look at NoelC's example.

Is there any official wording as to why Avast doesn't offer an exclude on demand feature in the system file shield and in the web shield when set to ask?
« Last Edit: December 23, 2013, 09:45:18 PM by Randissimo »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33892
  • malware fighter
Re: what Avast is critically missing...
« Reply #10 on: December 23, 2013, 10:11:28 PM »
Hi Randissimo,

But not a lot of users are able to make these advanced user decisions to discriminate between an FP and a genuine detection, or even to judge the nature of the detection.
It seems a lot of users do not really trust the av solution they chose. Whenever a detection is made they go into denial or like to ignore it because it interferes with whatever they want to do at that very moment. Users are generally more irritable nowadays. Some go into denial, some blame avast, but they never start from the PEBKAC point of view. In a lot of cases it is not "What is avast critically missing?", but "What is this user critically missing?".
We even had users here that started to defend developers of insecure code even though the infection was being fully and extensively explained to them.

Of course this attitude can be understood for miscreants and those that want to evade blackhat SEO spam detection, or for instance users of crack code and illegal code.
The best policy is to check a detection for validity online or ask here on the forums and then act decidedly; report FPs, as they can happen, but they are always a low percentage and are known to be cured/repaired soon, within a coming update.
Direct exclusions are often sought by gamers that like to cheat, or developers that claim FPs on packer code, or common users that do not know the workings of the av solution or how to allow potentially unwanted programs.
Then finally there is a percentage of users that like to rant for the sake of ranting, and they fall into the category of forum trolls.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

NoelC

  • Guest
Re: what Avast is critically missing...
« Reply #11 on: December 23, 2013, 10:22:36 PM »
Hey polonus,

Wow, so you're saying that if Avast! put in the ability to allow a file that's come up on Avast's radar to be used anyway, that everyone would just blithely choose to allow it anyway, despite the warning.

Are you really saying every user has so little sense or impulse control that he/she would choose to infect themselves even after being told their file has malware in it, and that even power-users cannot be trusted to enable the ability to bypass the detection under some conditions?

Do you think that excluding whole blocks of the disk structure is better?  Perhaps Avast! should remove that as well?

Who do you think owns the computer?

As someone who knows what he's doing with a computer, I'd pay extra for the options I noted.

-Noel
« Last Edit: December 23, 2013, 10:29:08 PM by NoelC »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33892
  • malware fighter
Re: what Avast is critically missing...
« Reply #12 on: December 23, 2013, 11:28:55 PM »
Now you are taking my answer out of context. Whenever you start to use the av solution, avast makes a scan and gives you the ability to allow programs and tools you trust. If something happens like what you describe, everybody is up in arms against avast detecting part of the valid OS as an FP. Believe me, we are soon flooded with messages. So that is not the point; why was this thread started in the first place? Is the bottom line here: "I like to use your av solution, but only under my conditions"? Why use an av solution anyway? Avast only detects a file when the solution finds malcode or takes some code to be that.
What if you have the freedom to exclude a nasty file infector and later could only use the computer as a door stopper? Excluding blocks of disk structure is done because they cannot be scanned, and also sometimes to prevent cross detection, as with MBAM code files for instance, etc.
You own the computer, and avast owns the software you decided to have on it, and you can choose to use that software or not. If a full detection pattern is not to your liking, then choose something more to your liking - an inferior solution or an av sieve!  ;D

I am not against using a file that comes up on the avast radar. I strongly advise all users to report these file detections (file an FP report from inside the file detection to avast) or report it as an FP in the Viruses and Worms board for a general discussion. What I am against is the possibility of users circumventing a valid detection. Malcreants would praise the day we allowed that, and it would make the product quite worthless and unreliable. So until you exclude in advanced mode, avast keeps alerting and detecting. You have so many options to fine-tune the av solution. So what is the bottom line of your critique?

polonus
« Last Edit: December 23, 2013, 11:35:09 PM by polonus »

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • Posts: 6700
  • Trust only what you test yourself!
Re: what Avast is critically missing...
« Reply #13 on: December 24, 2013, 12:19:20 AM »
Well put polonus!

My main question: which is better, a false positive or a bad infection?

As far as avast being a good choice, read on: http://www.av-comparatives.org/wp-content/uploads/2013/12/avc_prot_2013b_en.pdf
Compared to previous versions, v2014 stands up well for itself.

If you are looking for an anti-virus that is built to each users preferences, ain't gonna happen.
There will always be someone wanting this and another that. There has to be some give and some take.
I don't know of "any" software which includes every individual want into their software.

If you want to exclude, then exclude and be done with it.
There is no way that even a complete nitwit is going to send a "vital" OS file to the chest.
avast will always ask before sending a vital file to the chest.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

NoelC

  • Guest
Re: what Avast is critically missing...
« Reply #14 on: December 24, 2013, 12:42:56 AM »
Quote from: polonus
So what is the bottom line of your critique?
Only this:  There are situations the current toolset doesn't handle well at all.  Having to exclude whole subsections of the disk in order to circumvent a temporary false positive is hitting a gnat with a sledgehammer.

Ignoring the possibility that false positives can happen is just silly.  They ARE happening.  More than ever now as the landscape evolves, from what I can see.

I laid out my suggestions to fix it above, in capital letters.  Seems to me an "ignore this rule until next update" would be an awesome way to keep 99.999% of the product intact while allowing a user to work nicely around a problem.  It's certainly less risky than just disabling shields or turning off protection on a block of disk space, and that IS happening now.

When observed reality doesn't match theory, one has to change.

-Noel