Author Topic: Behavior Shield - once upon a time  (Read 9383 times)


vv5204

  • Guest
Behavior Shield - once upon a time
« on: January 28, 2010, 07:58:52 PM »
I use Comodo Firewall (V4) Defense+ behavior analyst. I get a lot of pop-up windows.
And in avast? No one! Would like for decoration on the GUI.  ;D
I did test with leak test program, the result of near-zero.

How does it work avast Behavior Shield? And when?
« Last Edit: January 28, 2010, 08:01:14 PM by vv5204 »

Hermite15

  • Guest
Re: Behavior Shield - once upon a time
« Reply #1 on: January 28, 2010, 08:04:46 PM »
Comodo Defense+ is not a behavior analyzer, it's a HIPS (Host Intrusion Prevention System), watching process movements, while the behavior shield in Avast is pretty silent: it's just watching the system (with some sets of rules) and will report anything not normal to Avast. It won't send you pop-ups, won't prompt you for any sort of action. If something happens and there is a report sent to Avast, they might modify the next update to protect your system against the threat that was detected. Just adding that right now, the behavior shield is only effective on 32 bit systems.

vv5204

  • Guest
Re: Behavior Shield - once upon a time
« Reply #2 on: January 28, 2010, 08:32:42 PM »
All right, thank you!

Make and send a report to avast?
So, avast BS just a watcher? Will nothing any suspicious behavior blocked?  :-X

Hermite15

  • Guest
Re: Behavior Shield - once upon a time
« Reply #3 on: January 28, 2010, 08:36:55 PM »
Quote
All right, thank you!

Make and send a report to avast?
So, avast BS just a watcher? Will nothing any suspicious behavior blocked?  :-X


no, I should have added that, the BS won't block anything, but the new rules Avast might include in the next update if a threat was detected and reported will block this threat.

Mikos

  • Guest
Re: Behavior Shield - once upon a time
« Reply #4 on: January 28, 2010, 08:41:19 PM »
Quote
the behavior shield is only effective on 32 bit systems.

Does that mean the Behavior Shield will not work on Windows 64 bit systems?

Just asking... I am not too familiar with it yet.

RejZoR

Re: Behavior Shield - once upon a time
« Reply #5 on: January 28, 2010, 08:45:01 PM »
Behavior Shield works under 64bit OS, but in a very limited way. It's not really a fault on ALWIL's part, it's how Microsoft designed the OS. 64bit systems are much safer by default, especially against rootkits.

Hermite15

  • Guest
Re: Behavior Shield - once upon a time
« Reply #6 on: January 28, 2010, 08:52:30 PM »
yeah that's what I said, it works on 64 bit, ie it's active, but not effective as there are no rules at all set for it....yet. And that sounds complicated (I'm posting again something I posted very recently "sigh") because of patchguard on win/64 making it very hard for security software to interfere with the OS at kernel level, not mentioning as said that win/64 is by nature better protected against rootkit (for now...) and might not need this sort of protection at all.

vv5204

  • Guest
Re: Behavior Shield - once upon a time
« Reply #7 on: January 28, 2010, 08:54:59 PM »
Quote
...BS won't block anything...will block this threat.

We are approaching, but we're not even close.  :)

If BS don't blocked anything, then what does the block?

Hermite15

  • Guest
Re: Behavior Shield - once upon a time
« Reply #8 on: January 28, 2010, 08:56:10 PM »
Quote
...BS won't block anything...will block this threat.

We are approaching, but we're not even close.  :)

If BS don't blocked anything, then what does the block?


it's all in this post:
http://forum.avast.com/index.php?topic=54557.msg461960#msg461960

norel

  • Guest
Re: Behavior Shield - once upon a time
« Reply #9 on: January 28, 2010, 10:21:19 PM »
I think the Behavior Shield must block or it wouldn't make any sense. From the avast!5 Help Center:

"Behavior shield - monitors all activity on your computer and detects and blocks any unusual activity that might indicate the presence of malware. It does this by continuously monitoring your computer's entry points using special sensors to identify anything suspicious."

It must block silently though because others have reported that the Behavior Shield notifies when malware is detected but doesn't say anything about it being blocked. It must be something that's just taken for granted.

The Behavior Shield works in concert with Community. If you have Community on, a report is generated and sent automatically to Alwil; all you'll see is a notice that malware was detected but that's it. If Community is off, you should be given the option to manually send a report or not, though I'm not 100% sure on this part.

Hermite15

  • Guest
Re: Behavior Shield - once upon a time
« Reply #10 on: January 28, 2010, 10:28:48 PM »
Quote
"Behavior shield - monitors all activity on your computer and detects and blocks
...might be in the help files but that's not what has been described by the devs - concerning the blocking ability.

Quote
The Behavior Shield works in concert with Community...
where you got that from ???

Quote
It must block silently though because others have reported that the Behavior Shield notifies when malware is detected but doesn't say anything about it being blocked. It must be something that's just taken for granted
pure speculation  ;D

edit: nothing mentioning the behavior shield there:
Quote
Community
By checking the box on this page, you can participate in the avast! community and share information of a technical nature on a need-to-know basis. This does not concern personal information of any sort and is strictly security-related information concerning, for example, malware that avast! has detected while running on your computer, actions that have been blocked etc. This information will be used by avast! to improve its detection ability and technical support for the benefit of the whole avast! community. By participating in the avast! community, you will also have access to all the community information and statistics about the latest malware attacks.

from what I read, behavior shield reports will/would be sent just the way Chest content is sent, during the next update...
« Last Edit: January 28, 2010, 10:32:36 PM by Logos »

norel

  • Guest
Re: Behavior Shield - once upon a time
« Reply #11 on: January 28, 2010, 10:48:37 PM »
This is from avast.com:

"avast! Community IQ

Most samples we process come from sensors deployed throughout the avast! community in the Behavior shield and anti-rootkit modules. This is a unique source of data made possible only thanks to our huge user base. Most of the collected samples are analysed by a number of automated processes and only a small fraction of the samples need to be processed manually by our virus analysts."

This is describing the automated Community function is it not? If not, then what?

From the bit you posted about Community:

"This does not concern personal information of any sort and is strictly security-related information concerning, for example, malware that avast! has detected while running on your computer, actions that have been blocked etc."

If nothing has been blocked, why would the report have information concerning it?

Having a shield that does nothing but watch defies all logic and common sense.
« Last Edit: January 28, 2010, 11:04:38 PM by norel »

olddog

  • Guest
Re: Behavior Shield - once upon a time
« Reply #12 on: January 28, 2010, 10:57:06 PM »
It would help if the action of the Behavior Shield were clarified officially.

The help file says "Behavior shield - monitors all activity on your computer and detects and blocks any unusual activity that might indicate the presence of malware. It does this by continuously monitoring your computer's entry points using special sensors to identify anything suspicious."

Logos in this thread says "the BS won't block anything, but the new rules Avast might include in the next update if a threat was detected and reported will block this threat."

Norel says "It must block silently though because others have reported that the Behavior Shield notifies when malware is detected but doesn't say anything about it being blocked. It must be something that's just taken for granted.

The Behavior Shield works in concert with Community. If you have Community on, a report is generated and sent automatically to Alwil; all you'll see is a notice that malware was detected but that's it. If Community is off, you should be given the option to manually send a report or not, though I'm not 100% sure on this part".

So after initially accepting that this shield would directly add to my protection by blocking some malware on the basis of behaviour that might otherwise have been missed by the other shield, an element of doubt now exists.

How about someone from the Alwil team giving an official explanation of its function?

Edit. Norel, you slipped your last post in whilst I was typing mine. I agree with your statement that "Having a shield that does nothing but watch defies all logic and common sense".
« Last Edit: January 28, 2010, 10:59:50 PM by olddog »

Hermite15

  • Guest
Re: Behavior Shield - once upon a time
« Reply #13 on: January 28, 2010, 10:59:56 PM »
Quote
Having a shield that does nothing but watch defies all logic and common sense
I never said it did nothing, read my posts again...mentioning that unfortunately it won't do anything on 64 bit OS as described above...at least for now. Just watching and reporting on 32 bit...

 Concerning the "community" thing in connection with sensors module, including the Behavior Shield, I just didn't know it  ??? that's news for me. I do not remember anyone from the team ever mentioning it on the forums...or I missed a few posts on this topic, which is possible.


norel

  • Guest
Re: Behavior Shield - once upon a time
« Reply #14 on: January 29, 2010, 01:06:21 AM »
olddog...Yes it would have been nice to have a thorough description of how this shield is supposed to function before avast!5 was released, especially since it's a brand new feature. The Alwil team seem to have their hands full right now with getting the bugs worked out so I'm not anticipating anything anytime soon. But I do applaud the work they're doing to rectify the problems people are having. I suspect there will eventually be a fully-updated PDF User's Guide. They might be waiting to figure out where this is all gonna end up. :)