Author Topic: [Guide] avast! Proactive Protection  (Read 35590 times)

0 Members and 1 Guest are viewing this topic.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9401
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
[Guide] avast! Proactive Protection
« on: April 09, 2006, 07:59:58 PM »
Now as you might already notice i'm a great fan of proactive protection.
Proactive protection is undeniably a good thing. avast! is no exception to a certain level. Some features are disabled by default and some are not designed that well.
But in general this guide should increase security level by few % if not more :)

This guide is recommended only for advanced users that know stuff mentioned here and what it does.

Please note that this guide is meant only for Windows XP and Windows 2000 (all editions supported by avast!). Please do not use these settings on Windows 98 or Windows Millenium systems since they won't work as expected!

Switching to "Detailed Mode"


Left click on avast! tray icon (that spinning blue "a" icon near the clock).
In case if you haven't already switched to "More detailed mode"...

Behavior Blocker Proactive protection



Select Standard Shield and click Customize button on the right.



Now select Blocker tab.

Set all settings the same as shown on screenshot above, except field under number 2. This will come in next few lines...

Add entire line below into field number 2 (Additional Extensions):
SCR,VBS,VBE,WSH,PIF,CPL,BAT,COM,CMD,WMF,OCX

Extensions list is dated 2006.04.10

It is partially visible on screenshot how it should look like when entered in there.
These extensions are meant for regular user environments where you most probably won't encounter or run such filetypes (which are all possibly dangerous).
If you work with VBS scripts day by day you may want to remove VBS extension from the list. Same applies for other. In general it should provide nice balance between protection and number of warnings.

When you'll get warning about such possibly dangerous file you'll get such message:


This way you'll be notified about possibly dangerous file being created on your hard drive. It will also detect whether these filetypes try to format your hard disk. By clicking "Deny" button you'll stop the creation of that file/formatting. Clicking Allow will allow it's creation/formatting. Best option for most would be Deny.

Web Shield Proactive protection



Select Web Shield provider and click Customize....
Then select URL Blocking tab.



Check Enable URL Blocking and click Add button on the right.
Add following strings into the list, each in it's own line (same way like shown below).

Extensions:
*.cmd
*.cpl
*.pif
*.scr
*.vbe
*.vbs
*.wmf
*.wsh

Extensions list is dated 2006.04.09

So when you'll encounter such possibly dangerous files you'll get similar warning inside your browser...


In case it's not blocked by Web Shield, there is very big chance that Behavior Blocker will block it.

Internet Mail Proactive protection

Now this last one is a bit special, so please be VERY specific about which way you'll select. It's very important!

I'm using POP3/IMAP based email client (like Outlook Express or Thunderbird)
So if you use POP3/IMAP based email client like Outlook Express or maybe Thunderbird you should leave things as they are. Even if you use just 1 POP3 email account and 5 others that are just webmails (to view with browser).
Just move the slider to High as shown on picture. Existing heuristics will take care for suspicious attachements and mails.



I'm NOT using POP3/IMAP based email client (just webmail like Hotmail, Yahoo or GMail inside my browser)
In case if you DON'T use ANY POP3 mail at all, then you may still want to install Internet Mail provider.
It will most probably spot suspicious activities of mass mail worms that attempt to send large amounts of emails in small timeframe without user knowledge.
avast! will show Heuristics warning with option to Deny these activities.
This way you'll also be notified about malware that slipped past avast! signature detection and Behavior Blocker/Web Shield.

Select Internet Mail provider and click Customize... button on the right side. Scroll through tabs all the way to the right and select Heuristics tab.



Select Custom preset as shown on image.

Now select next tab named Heuristics - Advanced and set marked settings as shown on image below.



This will set Internet Mail provider to very high sensitivity level. Setting such settings in case if you're using any POP3 email client will most probably result in large amounts of warning messages! Make sure you selected the right way as described above!

NOTE: I currently don't have image of Internet Mail heuristics warning, but will add it as soon as i find one.

Additional help

In case you don't understand something or you might have a question about anything related with my Proactive settings, please ask here in this thread.
I'll try to do my best to help anyone. Alwil tech support team is already very busy with other things so we shouldn't bother them with these things as they are my unofficial tweak settings.

I hope these settings will serve you well in upcoming avast! adventures in world of internet! 8)

RejZoR

PS: Is there any chance someone would make this thread as Sticky?
« Last Edit: April 12, 2006, 09:34:20 PM by RejZoR »
Visit my webpage Angry Sheep Blog

CharleyO

  • Guest
Re: [Guide] avast! Proactive Protection
« Reply #1 on: April 09, 2006, 10:16:17 PM »
***

Thanks for those setting, RejZor.    :)   I am sure those will help many.

I only use web-based email and before now had the settings on high for much the same reasons as you state here. Now, I have increased this with your custom settings as they make sense in quick detection of some spambot should one ever make it into my system. I have always had Internet Mail provider running for this reason.


***

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9401
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Guide] avast! Proactive Protection
« Reply #2 on: April 09, 2006, 10:27:40 PM »
Exactly, default settings are quiet relaxed because they are meant to be used with POP3 clients. These my settings are super sensitive and will spot any kind of outbound mail sending right away.
Visit my webpage Angry Sheep Blog

Hopismum

  • Guest
Re: [Guide] avast! Proactive Protection
« Reply #3 on: April 09, 2006, 10:52:25 PM »
RejZor..   I have a question.   :)     

I use Outlook Xpress for my email.
I have it pull my mail  (which can also be accessed thru the Isp's website)

but I also have it pull mail from a Gmail account.

Which option would I choose?     ???



edit:  fixed stupid typos
« Last Edit: April 09, 2006, 10:54:37 PM by connie »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9401
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Guide] avast! Proactive Protection
« Reply #4 on: April 09, 2006, 11:13:06 PM »
If you use ANY kind of POP3 based email client then use the first one (just move the slider to High). You should also use first method if you use POP3 and webmail.
As long as you use any kind of POP3, even if just for 1 POP3 mail account and 5 webmail based, you have to go with first mode.
« Last Edit: April 09, 2006, 11:52:39 PM by RejZoR »
Visit my webpage Angry Sheep Blog

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9401
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Guide] avast! Proactive Protection
« Reply #5 on: April 10, 2006, 10:08:01 AM »
Updated the Internet mail part to be more clear. Hope it's better marked now :)
Visit my webpage Angry Sheep Blog

greenhatch

  • Guest
Re: [Guide] avast! Proactive Protection
« Reply #6 on: April 10, 2006, 10:26:22 AM »
I note that the default settings in Blocker in Standard Shield (at least in mine) are not to tick any of the four boxes in 'blocked opearions'. Does that mean Blocker is not active? Sorry if this is a silly question, but I didn't look at some of the options before until I read your posts here.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9401
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Guide] avast! Proactive Protection
« Reply #7 on: April 10, 2006, 10:30:52 AM »
Yes, if you UNCHECK all checkboxes in Blocker page you will DISABLE Behaviour Blocker. Checking just one of them will enable it with certain degree of protection.
Formatting protection is hovever the most non intrusive setting and should always be checked.
Visit my webpage Angry Sheep Blog

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: [Guide] avast! Proactive Protection
« Reply #8 on: April 10, 2006, 11:25:51 AM »
Great Guide RejZoR thank you
Hope Alwil make this thread Sticky
Windows 10 Pro | Intel I7 CPU | 16 Gig 2133 RAM | Avast beta 17.5.2295 | Firefox 54 b9(64-bit) | Cyberfox 52.1 | T-Bird 52.1.1 | SpyWareBlaster 5.5 | MalwareBytes 3.0.0.865 | WinPatrol 35.5.2 | GlassWire 1.2.100 | Cybereason Ransomfree 2.2.7 |  Pulla-dePlug Final!

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: [Guide] avast! Proactive Protection
« Reply #9 on: April 10, 2006, 11:34:00 AM »
RejZoR,

thanks for this interesting and valuable thread (I would vote for it being made sticky - but what value my vote?).

In response to a recent thread that highlighted the unfortunate vulnerabillity of non-scanning of http imports by the rendering of html in email clients I switched on power mode with AEC. 

After reading this thread I also implemented the recommendation (as a POP3 user) to set the sensitivity of the Internet Mail scanner to high. 

I then followed up with sending some relatively large attachments (6-8Mb) through my Hotmail account using a POP3<>WebDav converter (that had no problems prior to the changes I mentioned).  In this case the mail is being scanned by avast outbound and the port 80 traffic to Hotmail is also being scanned.  Anyway the net result was consistent transmission failure on repeated attempts.  I need to do so more testing to confirm, but it appears to me that the transmission is successful only if the mail scanner sensitivity is left at medium.   

I just report this in case any others experience similar issues ... if I find anything definitive I will report back.

StyleWarz

  • Guest
Re: [Guide] avast! Proactive Protection
« Reply #10 on: April 10, 2006, 12:31:20 PM »
I hope that the Awill staff will include the rules for the Standard and the Webshield in the new version of avast!.
Of course it's not difficult to add them manually, but it'll provide some nice extra protection out-of-the-box. With a whole load of rules, it might can get a little like Panda's TruePrevent. Or am I wrong?

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6957
Re: [Guide] avast! Proactive Protection
« Reply #11 on: April 10, 2006, 01:59:38 PM »
This thread will soon end up into oblivion... and if RejZoR needs to post some new extension list entries we all would like to see them and be informed as soon as he posts them... so...

Alwil, please make this thread sticky. It doesn't cost anything ;)

@RejZoR - thanks for all the effort ! ;) :: thumbs up ::
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

greenhatch

  • Guest
Re: [Guide] avast! Proactive Protection
« Reply #12 on: April 10, 2006, 02:07:38 PM »
I've emailed Support to confirm our request that this excellent thread be made a 'sticky'.

TAP

  • Guest
Re: [Guide] avast! Proactive Protection
« Reply #13 on: April 10, 2006, 03:34:39 PM »
Thanks RejZoR.

If I add *.ocx and *.cab (related to ActiveX) to the URL Blocking so will it provide any proactive protection against some ActiveX-based adware/spyware?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9401
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Guide] avast! Proactive Protection
« Reply #14 on: April 10, 2006, 04:55:56 PM »
Yes, adding OCX also works. I've tested with Creative AutoUpdate and OCX file was intercepted. Web Shield however did not block it.

I think it's enough if you use it just in Behavior Blocker.

I've also updated the blocker extension list (now includes OCX extension)!
Visit my webpage Angry Sheep Blog