Topic: BehaviorShield asks about services.exe

Offline cska133

  • Sr. Member
  • ****
  • Posts: 313
BehaviorShield asks about services.exe
« on: January 21, 2011, 04:09:53 PM »
Hello,

I just upgraded to 5.1.889 from 5.0. I don't remember if 5.0 had an option to change settings in the behavior shield, but I changed the setting there to always ask about untrusted applications.

After that I got a notification from Behavior Shield (see attachment). Target is Registry\Machine\system\Controlset001\services\TrustedInstaller\start
Is this normal? Which action should I take?
Why is services.exe not trusted?

Offline danny96

  • Malware Fighter
  • Advanced Poster
  • **
  • Posts: 668
  • No-malware!
Re: BehaviorShield asks about services.exe
« Reply #1 on: January 21, 2011, 04:25:00 PM »
Allow and add to trusted processes.

This is a normal process that you can safely allow ;)
Real-time protection and Firewall: COMODO Internet Security 12.0.0.6810 -- Additional Protection: Web Of Trust, Ublock, NoScript, Malwarebytes Premium, Avast! Online Security, Hitman Pro -- OS: Windows 10

spg SCOTT

  • Guest
Re: BehaviorShield asks about services.exe
« Reply #2 on: January 21, 2011, 04:27:03 PM »
AFAIK, I think the main point is avast! is picking up on the changing of the reg key, causing the alert.

This is why avast! have elected to have the behavior shield in a "passive" mode for a while so that the lists can be populated and the shield can be calibrated better.


Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: BehaviorShield asks about services.exe
« Reply #3 on: January 21, 2011, 04:31:05 PM »
I myself would just leave the settings of the BhS on allow until the shield is fully working in version 6; that way a lot more of the system programs will have been added to the white lists.

What spg SCOTT said ;D
« Last Edit: January 21, 2011, 04:33:22 PM by craigb »

Offline Charyb-0

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2508
Re: BehaviorShield asks about services.exe
« Reply #4 on: January 21, 2011, 04:42:22 PM »
I leave mine set to allow. Even when the behavior shield is fully functional I think I will keep it on allow unless there are any strange problems on my computer. I would have to get comfortable with it first.

This is interesting from pk in another post regarding the internal workings of the behavior shield.
The new behavior shield in 5.1 monitors process activity. This is done by using DLL injection into most running processes, and it monitors suspicious activity (several API functions are hooked: e.g. NtProtectVirtualMemory, LdrLoadDll, ...). Rapport checked the running process (web browser) and it found out it was somehow modified. Yes, it could be done by malware, keylogger, etc. Rapport doesn't know which application did it.

I don't know Rapport so I'm not really sure how to set it right... please tell me:
- The error is only in Rapport log and you can still use web browser for banking operations, Rapport doesn't block it. Is that correct?

It would be hard for Rapport to identify that the process was modified just by avast. I think the only remedy lies in avast's fix. Firstly, I'll need to install Rapport and get to know it better.
« Last Edit: January 21, 2011, 05:04:55 PM by Charyb »
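The kind of check the quoted explanation implies, as an added example that is not part of the original posts and is not avast's or Rapport's code: compare the first bytes of an exported function in memory with the copy on disk, and if they differ and start with a `jmp rel32`, work out which loaded module receives the jump. The 32-bit addresses, stub bytes and `hook_example.dll` are constructed for illustration.

```python
import struct

def jmp_target(mem, addr):
    """Destination of a 5-byte `jmp rel32` (opcode 0xE9) at addr, or None."""
    if len(mem) >= 5 and mem[0] == 0xE9:
        (rel,) = struct.unpack_from("<i", mem, 1)
        return (addr + 5 + rel) & 0xFFFFFFFF
    return None

def owner(target, modules):
    """Name of the loaded module whose address range contains target, or None."""
    for name, base, size in modules:
        if base <= target < base + size:
            return name
    return None

def check_export(name, addr, disk, mem, modules):
    """Compare in-memory prologue bytes with the on-disk copy and classify."""
    if mem == disk:
        return {"function": name, "status": "clean"}
    target = jmp_target(mem, addr)
    if target is None:
        return {"function": name, "status": "modified"}
    return {"function": name, "status": "hooked",
            "target": hex(target), "module": owner(target, modules)}

# --- Constructed sample data (32-bit layout, not captured from a real system) ---
STUB = bytes.fromhex("b850000000ba0003fe7f")   # mov eax, imm32 ; mov edx, imm32

def patched(addr, target):
    """Build the bytes a jmp-rel32 hook would leave at addr (sample data only)."""
    return b"\xe9" + struct.pack("<i", target - (addr + 5)) + STUB[5:]

MODULES = [("ntdll.dll", 0x77A00000, 0x140000),
           ("hook_example.dll", 0x6F000000, 0x40000)]   # hypothetical monitoring DLL
SAMPLES = [
    ("NtProtectVirtualMemory", 0x77A01000, patched(0x77A01000, 0x6F001234)),
    ("LdrLoadDll",             0x77A02000, patched(0x77A02000, 0x00350000)),
    ("NtClose",                0x77A03000, STUB),
]

def scan():
    """Classify every sample export against the on-disk stub."""
    return [check_export(n, a, STUB, m, MODULES) for n, a, m in SAMPLES]

if __name__ == "__main__":
    for row in scan():
        print(row)
```

The result names the module a hook jumps into, or `None` when the target is not backed by any loaded module, but nothing in the patched bytes identifies which program wrote them.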

spg SCOTT

  • Guest
Re: BehaviorShield asks about services.exe
« Reply #5 on: January 21, 2011, 06:04:31 PM »
You want to change it back to allow? (and not get the alerts?)

Open avast! --> 'Real Time Shields' tab --> 'Behavior Shield' tab --> 'Expert Settings' Button --> Main Settings --> Change the action to 'allow'

Scott
« Last Edit: January 21, 2011, 06:24:03 PM by spg SCOTT »

Offline cska133

  • Sr. Member
  • ****
  • Posts: 313
Re: BehaviorShield asks about services.exe
« Reply #6 on: January 21, 2011, 06:21:09 PM »
You mean change to "allow"?

spg SCOTT

  • Guest
Re: BehaviorShield asks about services.exe
« Reply #7 on: January 21, 2011, 06:24:15 PM »
Yep, sorry about that ;)