Ransomware Shield Issue and Wish List

[fssbob2]

A concern and a wish list item for the Ransomware Shield (Mac Avast Security Pro).

Concern: I have checked "Trust Apple and App Store applications". But so far I've had to add Terminal and Finder to the Allowed Apps list after Avast raised block action dialogs for them. I had to add them manually--they weren't available in the list of apps Avast identifies automatically.

Wish List: A "trust this app from now on" option when a Ransomware alert pops up. Right now I have to OK the action and then go add the app as a separate step.

I'm on MacOS 10.13.2.

Thanks.

[suster]

Hello fssbob2,

Ad the wish:
This is unfortunately not possible, the feature functionality is based on processes. This means that the decisions are flushed every time you quit/restart the app. However, you can add your app to the Allowed apps to solve your problem.

Ad the concern:
Terminal and Finder applications are blacklisted on purpose. They can be scripted by other processes (e.g. some malware). Allowing these apps is a potential risk for your Mac.

Hope this helps.

Filip
Mac QA

[fssbob2]

Re optionally adding to Allowed Apps at time of alert: So you're saying it's not possible to identify which executable is behind the process and adding it to the Allowed Apps list at that point (assuming the user checks a box saying they want to do so)?

Re Terminal and Finder: I understand the concern. But:

• I think many/most customers are going to find that having to respond to a prompt every time they delete, move, or rename a file is extremely cumbersome. For Finder, at least, I think it would be worthwhile for Avast to do some brainstorming and see if there's another option.
• This should be clearly documented. It's misleading to have a checkbox that says "Trust Apple applications" and then not trust Finder!
• I think these should be available in the Apps list (maybe in a special section) rather than forcing the user to locate them manually.
• One more to add to this list: DiskImageMounter.

Thanks for considering.

Bob

[ondrej.kolacek]

Hi Bob,
thanks yet again for great feedback.

regarding "Trust Apple and App Store applications": that caption is wrong and changing it is in the pipeline. While this option causes us to trust App Store applications, trusting Apple applications is not an option; we now have a (rather too short) whitelist of apps we trust. The issue is that "when it can be coerced to damage files, we can not trust it". Eg. we can not trust unlink even though it is an apple binary.

As an addition, adding stuff like bash to a whitelist will basically allow script based ransomware to wreak havoc. And Finder is even worse - any process can delegate work to the common instance of Finder process without us having a clue on whose behalf it is working; and since osascript can turn Finder into "unlink"... I am afraid there is no alternative to current implementation.

regarding wish "Trust this app from now on": it is something we want to have and it is in the pipeline, but due to issues with the current implementation of the popups (we are working on a rewrite but it takes time) we are not able to add it there in the immediate future.

regarding disk image mounter: generic solution for these popups when mounting read only images seems possible; I will add it to the pipeline.

In general, Ransomware Shield is meant to protect rather static data, as only modification and deletion of files can (well, should...) trigger popups. Ideally the files should be edited by specialised applications which avast should ideally trust by default or which can be whitelisted manually. Any other usecase will lead to popups; it is the user's decision if it is worth it. Of course we will attempt to make it as seamless as possible and welcome any input from the users, but there is only so much that can be done.

Kind regards,
Ondrej Kolacek

[fssbob2]

Got it. Thanks for the detailed explanation Ondrej--that completely makes sense. I was naively assuming that it was possible to configure the Shield so its pop-ups are a rare event--I now understand why that's not feasible.

One more future feature request: I believe the pop-ups give you 30 seconds to decide whether to allow the action or not. Depending upon the process involved and situation under which that process gets called, I find 30 seconds isn't always enough time to make a decision. Would it be possible to add a "Wait" or "More Time" option to the popup. If I click it, the Ransomware Shield stops the countdown and waits for me to make my decision.

Bob