Ransomware Shield in Avast Free - Limited Function?

[DougCuk]

The update to Avast Free v20.5 added the Ransomware Shield as an installed module.
The release notes state this is now a fully functional module even in the Free version of Avast.

However with "Smart Mode" protection selected I can not trigger any protection response. I tested using a 20 year old Hex Editor with no digital signature and from a random author (not a named company) and was able to freely change file contents without triggering a response.

Can anyone confirm that "Smart Mode" is actually functional?
Have you found an App that this Shield will block?
Exactly what types of program does this Shield consider suspect?

If you select "Strict Mode" then the Shield becomes active and queries any attempt to change files in the protected folders. However you would need to whitelist all your Apps (and Windows Explorer) to avoid being queried on every change to your own data files. Fortunately the Block/Allow Apps functionality is fully active - so you can Blacklist and Whitelist as many programs as you need.

[Asyn]

-> https://forum.avast.com/index.php?topic=235377.0

[DougCuk]

Asyn you posted in the other thread that you had to whitelist the command line program 7zG.exe from the 7-zip program as it was being blocked by the Ransomware Shield (in Smart Mode I assume). Was that a particularly old version of that file?

I have just tested with v15.2 of that file (7zG.exe) dated Nov 2015 and can't get a reaction when adding files to a 7z archive that is supposedly protected by the Ransomware Shield under Smart Mode. I tested both the x86 and x64 versions and both are ignored by the Shield under Smart Mode - and that version also has no digital signature to validate its origin.

If I activate "Strict Mode" the action is blocked with a red Avast popup warning and if I blacklist 7zG.exe I get a Windows error popup saying Access Denied. So the system is active but doesn't consider my version of 7zG.exe a threat under Smart Mode.

But (as per my original test) if the Shield doesn't react to a 20 year old Hex Editor from a random author with no digital signature then I am not sure what would qualify as a non-trusted app. Still not convinced it is doing anything when set to  Smart Mode.

[Asyn]

Hi, I'd suggest to continue the discussion in the other thread, else it might be hard to follow. Cheers

[DougCuk]

Asyn the other thread was started to discuss a different Ransomware Shield question - so I think it would make more sense to conclude the discussion about the Free version of this Shield here.

I just triggered a Ransomware Shield (Free version) warning under the default Smart Mode - for a 2013 version of FFMPEG.EXE - so it appears the Smart Mode is working in Avast Free. And it allows you to permanently whitelist the detected program from the warning popup - which is nice.

I have to assume the internal "Trusted Apps" list is either very large (and includes obscure 20 year old Hex Editors) or it is using some other specific criteria to classify an app as "UnTrusted". I will leave the Ransomware Shield running for now and see if it gives me any problems - it will be a nice additional layer of security if it plays well with everything else on the computer.