Author Topic: Behavior Shield Info Please  (Read 4957 times)


hayc59

  • Guest
Behavior Shield Info Please
« on: January 02, 2011, 12:48:34 AM »
Why if you have a program let's say like OA firewall
in 'exclusions' under avast! and running Behave Shield
set at 'ask' and not allow would you get any pop-ups
for OA Firewall at all?
I had to set it back to allow because of all the pop-ups
I am getting!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Behavior Shield Info Please
« Reply #1 on: January 02, 2011, 12:50:40 AM »
BeS is not a HIPS. It will only alert IF a program is a malware or "unknown". It analyses the behavior of the program/file. OA firewall is a legit one, so, no alert.
BeS shows very little popups.
The best things in life are free.

hayc59

  • Guest
Re: Behavior Shield Info Please
« Reply #2 on: January 02, 2011, 01:00:11 AM »
Tech, Not true..I just got two of them and then went back to allow
because of those pop-ups
see image


« Last Edit: January 02, 2011, 01:04:06 AM by hayc59 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Behavior Shield Info Please
« Reply #3 on: January 02, 2011, 02:10:28 AM »
Thanks for reporting Hay.
Maybe you need to boot?
If it does not work, maybe the programmers could take a look in the exclusions and at BeS.

hayc59

  • Guest
Re: Behavior Shield Info Please
« Reply #4 on: January 02, 2011, 02:58:50 AM »
You're welcome and this is after a few re-starts
and surfing for a day  8)

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Behavior Shield Info Please
« Reply #5 on: January 02, 2011, 02:44:33 PM »
I received two BeS warnings (when set to ASK) about my Wireless Connector:

C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

One about my firewall:
C:\Program Files\Comodo\Firewall\cmdagent.exe

and one more about my clock-synchronization:
C:\Program Files\D4\D4.exe

At that point, I switched back to the default of ALLOW
« Last Edit: January 02, 2011, 02:48:06 PM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

stevejrc

  • Guest
Re: Behavior Shield Info Please
« Reply #6 on: January 02, 2011, 02:56:07 PM »
I'm using OA free and don't get any BeS popups with it set to Ask. I know BeS is working cause the Analyzed count goes up. I haven't excluded OA and Avast from each other.

stevejrc

  • Guest
Re: Behavior Shield Info Please
« Reply #7 on: January 02, 2011, 03:12:44 PM »
Does BeS consult the persistent cache? If it does then some of these pop ups people are seeing may be because you excluded those applications from scanning in other shields and so they're not cached and "white listed", hence they're unknown.??

Mele20

  • Guest
Re: Behavior Shield Info Please
« Reply #8 on: January 02, 2011, 03:18:25 PM »
I have OA++ but I had ver 4.0 and no problems with Behav shield set to ask. I just updated OA++ to 4.5.1.351 and zero problems. I have not needed to exclude OA. I am amazed at this version of OA. Not a single pop up yet! I had upgraded a few months ago to 4.4 and had terrible problems and had to go back to 4.0. As for the latest Avast this is the first version where Behav Shield is working. It has analyzed 6364 events in the few minutes since Vista Ultimate rebooted to finish the OA++ update.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11850
    • AVAST Software
Re: Behavior Shield Info Please
« Reply #9 on: January 02, 2011, 03:54:23 PM »
Does BeS consult the persistent cache?

Yes, it does.

If it does then some of these pop ups people are seeing may be because you excluded those applications from scanning in other shields and so they're not cached and "white listed", hence they're unknown.??

No, that's not the case - actually, an "opposite", in a certain sense of the word, might be more true. So, we may trigger a special "refresh" (of specific items) of the persistent cache in the next few days.

sded

  • Guest
Re: Behavior Shield Info Please
« Reply #10 on: January 02, 2011, 04:10:42 PM »
The exclusions only apply for on-demand scans (see description).  When otherwise using "ask", you should get one popup and then if you "allow &trust" should never see it again.  Check your BeS report file under Program Data/..../Reports.

Example:  Got a popup, allowed it, no more popups
Reports file says:

1/1/2011 6:18:01 AM   Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Internet Explorer\Main\Save Directory
    By:  C:\Program Files (x86)\Online Armor\oawatch64.dll
    Via: C:\Program Files (x86)\CCleaner\CCleaner64.exe
         -> Action allowed

But I also get entries like

2/31/2010 5:19:29 AM   Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
    By:  C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
    Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, December 31, 2010 5:20:56 AM
*

12/31/2010 9:57:28 AM   Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
    By:  C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
    Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, December 31, 2010 9:58:50 AM
*

12/31/2010 10:00:20 AM   Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
    By:  C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
    Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, December 31, 2010 10:01:37 AM
*

12/31/2010 3:34:16 PM   Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
    By:  C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
    Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
         -> Action allowed
*

which didn't generate popups, but you can't tell that from the report.  Or do the trusted processes get cleared at every boot?  Or Update?
« Last Edit: January 02, 2011, 05:17:39 PM by sded »
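Added example, not part of sded's post and not avast! code: a small Python parser for the report layout quoted in the post above, which counts repeated allow decisions for the same key and program and picks out writes to Run autostart keys. The sample text is constructed from that layout with a placeholder SID; the function names and the `segment` field are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the report quoted above; the SID is a placeholder.
SAMPLE = r"""
12/31/2010 9:57:28 AM   Modification of: \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
    By:  C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
    Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
         -> Action allowed
*
* avast! Real-time Shield Scan Report
* Started on: Friday, December 31, 2010 9:58:50 AM
12/31/2010 10:00:20 AM   Modification of: \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
    By:  C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
    Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
         -> Action allowed
1/1/2011 6:18:01 AM   Modification of: \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main\Save Directory
    By:  C:\Program Files (x86)\Online Armor\oawatch64.dll
    Via: C:\Program Files (x86)\CCleaner\CCleaner64.exe
         -> Action allowed
"""

EVENT = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+([^:]+):\s*(.+)$")
FIELDS = {"By:": "by", "Via:": "via", "->": "action"}

def parse_report(text):
    """Return one dict per event; 'segment' counts the 'Started on:' headers seen so far."""
    events, cur, segment = [], None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("* Started on:"):
            segment += 1
        m = EVENT.match(line)
        if m:
            cur = dict(zip(("when", "kind", "target"), m.groups()), segment=segment)
            events.append(cur)
        elif cur is not None:
            for prefix, key in FIELDS.items():
                if line.startswith(prefix):
                    cur[key] = line[len(prefix):].strip()
    return events

def repeated_decisions(events):
    """(target, by, action) triples that were logged more than once, with their counts."""
    counts = Counter((e["target"], e.get("by"), e.get("action")) for e in events)
    return {k: n for k, n in counts.items() if n > 1}

def autostart_events(events):
    """Events whose target is under a CurrentVersion Run autostart key."""
    return [e for e in events if r"\currentversion\run" in e["target"].lower()]
```

Comparing the `segment` values of a repeated triple shows whether the same allow was recorded again after a new "Started on:" header or within the same run of the report.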

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Behavior Shield Info Please
« Reply #11 on: January 02, 2011, 05:24:49 PM »
For me the Trusted processes that I added (from the behaviourshield.txt as I don't use Ask) remained after reboot. As far as update goes I guess they too survive updates (certainly VPS) and possibly if you do a program update from the UI.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sded

  • Guest
Re: Behavior Shield Info Please
« Reply #12 on: January 02, 2011, 05:31:46 PM »
For me the Trusted processes that I added (from the behaviourshield.txt as I don't use Ask) remained after reboot. As far as update goes I guess they too survive updates (certainly VPS) and possibly if you do a program update from the UI.
Thanks David,
I didn't think they got cleared, but scratching around for an explanation of the repeated allows.  Maybe I got popups and forgot?  doubtful, but it was with a previous version.