Does your firewall not ask, rather than simply block?
YES, it asks. But I have to see it. When I don't (screensaver, walked out ...) it's blocked automatically. Hey, that policy is to keep trojans at bay after all
My Firewall - Outpost Firewall Pro - also throws up a dialogue window for it. I allow it; the problem is, having intercepted it, I don't know if it subsequently runs or not.
I suspect not. If Hake, who was concerned about this in Outpost, joins here, perhaps he will tell us.
A bit of detail, since I was able to permit one yesterday in SSM when c010bfdb-128c-4b5f-b9a0-74bba3b79eb2.exe came in.
(1) If, in the firewall, the behavior module is running, the alert will look like this old one I have -
FW-BehaviorAlert.jpg, and that will be followed by the connection alert, like the one from yesterday, below. Similar to yours in Outpost. Kerio, Outpost - both, from my experience, behave the same.
(2) When SSM runs (and the firewall behavior module is not running), then SSM alerts to the application start and create process - I have no screenshot, but here is a typical log from when I allowed it yesterday -
SSM-appStartAllowed.jpg. But when I'm not watching to answer, it's blocked, as in this screenshot of the log from before -
SSM-appStartMissed.jpg.
When the goofyname.exe is allowed, SSM issues a second alert about the registry, and I allowed this of course -
SSM-regAlert.jpg.
That's likely the step you mention when if blocked, it would write some value into that key to schedule, and in this instance it writes nothing.
(3) Finally, when SSM was happy, firewall took over the connection by the randomName.exe -
SSM-thenFwAlert.jpg (next post), through the avast proxy port when the web shield is enabled, or directly to the avast server port 80 if not.
What I have tried in the past is double clicking (running) the latest file name in the emupdate,
Clearly I can't rescue things this way since those files aren't here.
I have an idea, just to compare notes. Next time Outpost throws you an alert, write down a few letters of the random name or screenshot it, then DENY, and then see if the file gets into your \emupdate.
But all in all, since this new method (creation of a RunOnce entry and creation of a uniquely named executable) has caused a lot of grief for users, it is complex. If it is going to trigger tools like WinPatrol and a user's firewall (any HIPS-based settings), then it causes confusion and may well result in a failure of the emergency update (not being allowed to run).
My concern exactly.
Some of the differences we see might depend on at what point the blocks occur, or release some stuff - such as building the scheduled task and throwing those files into its own directory. Clearly, I have no such luck. Clearly, avast developers can't know what we run. But an invariant filename sure would be a good thing.
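As an added example (not code from this thread or from avast), here is a PowerShell snippet for the "compare notes" check above: it lists the RunOnce entries under HKLM and HKCU, flags any command that points at a GUID-named .exe of the kind seen in this thread, and lists such files left behind in the emupdate folder. The GUID pattern and the emupdate path are assumptions; the path is a placeholder you must fill in for your own install.

```powershell
# Added example, not from the thread. Flags GUID-named executables (e.g.
# c010bfdb-128c-4b5f-b9a0-74bba3b79eb2.exe) referenced from RunOnce, and any
# such files sitting in the emupdate directory after a HIPS/firewall deny.
$guidExe = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.exe'

# Placeholder: set this to the emupdate folder of your avast installation.
$emupdateDir = 'C:\PLACEHOLDER\avast\emupdate'

function Get-RunOnceEntries {
    # Returns one object per RunOnce value, with a note when the command
    # references a GUID-named executable (the pattern discussed above).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata properties.
            if ($prop.Name -like 'PS*') { continue }
            $note = if ("$($prop.Value)" -match $guidExe) { 'GUID-named exe' } else { '' }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
                Note    = $note
            }
        }
    }
}

function Get-LeftoverEmupdateFiles {
    # Lists GUID-named executables still present in the emupdate folder,
    # i.e. the files a deny would have prevented from running.
    if (-not (Test-Path $emupdateDir)) { return }
    Get-ChildItem -Path $emupdateDir -Filter '*.exe' -File |
        Where-Object { $_.Name -match "^$guidExe$" } |
        Select-Object Name, Length, LastWriteTime
}

Get-RunOnceEntries | Format-Table -AutoSize
Get-LeftoverEmupdateFiles | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM key is readable; an entry flagged "GUID-named exe" paired with a file of the same name in the emupdate folder is the blocked update the thread describes.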