Author Topic: Windows Update is not trustworthy? Says Avast.  (Read 10150 times)

Offline iroc9555

  • CCS, Vzla.
  • Avast Überevangelist
  • Starting Graphoman
  • *****
  • Posts: 7464
  • No support via PM.
Re: Windows Update is not trustworthy? Says Avast.
« Reply #15 on: January 01, 2012, 03:35:24 PM »
Oh, I know how to configure Avast or any other AV software. My concern is when other people (see my first post) see such messages and don't know what to do. While it's merely bugging me, it's actually harming those people.

The default action in the Behavior Shield when installing Avast! is "Auto-Decide". In this setting Avast! will allow files coming from Microsoft updates. Sample from my Behavior Shield for those updates:

30/12/2011 9:17:08   Modification of: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322
    By:  C:\WINDOWS\Installer\MSI9C.tmp
    Via: C:\WINDOWS\system32\MsiExec.exe
         -> Action allowed
30/12/2011 9:17:08   Modification of: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322
    By:  C:\WINDOWS\Installer\MSI9E.tmp
    Via: C:\WINDOWS\system32\MsiExec.exe
         -> Action allowed
30/12/2011 9:19:43   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\aspnet_state\Type
    By:  C:\WINDOWS\Installer\MSI173.tmp
    Via: C:\WINDOWS\system32\services.exe
         -> Action allowed
30/12/2011 9:19:52   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Start
    By:  C:\WINDOWS\Installer\MSI17F.tmp
    Via: C:\WINDOWS\system32\services.exe
         -> Action allowed
30/12/2011 9:19:52   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Start
    By:  C:\WINDOWS\Installer\MSI180.tmp
    Via: C:\WINDOWS\system32\services.exe

I do not know if the criteria that the Avast! team has set for the Behavior Shield will also allow other secure (white list) programs, but if the person who installs Avast does not know zip about computers, and does not mess around with Avast! settings, I am pretty sure he/she will have no problems because of it.

On the other hand, if the Behavior Shield is set to auto-decide and out of the blue an alert comes up, well, that is why people have a security program: to alert them of something that is not right, and if in doubt, better to block than to be sorry later on.

Happy New Year.
« Last Edit: January 01, 2012, 03:44:41 PM by iroc9555 »
Hernan.
Dim 9200. C2D E6600; 2.40GHz. 4GB DDR2RAM. XP Pro_86. Spk3. IE8 & FF41. Avast FREE 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. SpywareBlaster. OpenDNS. uBlock. WOT. Sandboxie

Offline DonZ63

  • Poster
  • *
  • Posts: 469
Re: Windows Update is not trustworthy? Says Avast.
« Reply #16 on: January 01, 2012, 04:51:49 PM »
The last thing you want, in my opinion, is your behavior anti-malware software interfering with Win Updates. If the "ask" option of Avast behavior shield is interfering with Win Updates, I would reset it to "auto decide."

I really don't know why Avast behavior shield is examining that activity in the first place. Most HIPS software I have used is smart enough to realize that activity from a valid (signed) system service with DEP is OK.
AMD QUAD 945, 8 GB, NVidia GTS 450, 3 HDDs
Dual boot, MBAM Pro - both OSes, WIN 7 x64 SP1, NAV 2012, IE9; XP SP3, NIS 2011, IE8

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83791
  • No support PMs thanks
Re: Windows Update is not trustworthy? Says Avast.
« Reply #17 on: January 01, 2012, 05:13:10 PM »
Well iroc9555 has it set to Auto decide, as mentioned in his post - The examples given by iroc9555 show that the originating file/s aren't signed (as you imply), e.g. the .tmp files making the change/s to the registry via a third party file.

Under normal circumstances if someone told you that was happening in the viruses and worms forum you would consider it suspicious and investigate.

That is what the behavior shield is doing (because of its settings, Monitor the system for unauthorised modifications) in iroc9555's examples, and it obviously has the smarts to allow it and not block it.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.598) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro
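
Added example (not part of any post in this thread, and not Avast's code): a small Python parser for the Behavior Shield log layout quoted in Reply #15. For each entry it reports the registry area touched, whether the originating file is a .tmp file, the process it acted through, and the recorded verdict. The area labels and function names are assumptions made for this illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Three entries copied from the excerpt in Reply #15 (the last has no verdict line there).
SAMPLE = r"""
30/12/2011 9:17:08   Modification of: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322
    By:  C:\WINDOWS\Installer\MSI9C.tmp
    Via: C:\WINDOWS\system32\MsiExec.exe
         -> Action allowed
30/12/2011 9:19:43   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\aspnet_state\Type
    By:  C:\WINDOWS\Installer\MSI173.tmp
    Via: C:\WINDOWS\system32\services.exe
         -> Action allowed
30/12/2011 9:19:52   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Start
    By:  C:\WINDOWS\Installer\MSI180.tmp
    Via: C:\WINDOWS\system32\services.exe
"""

HEAD = re.compile(r"^\s*(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\s+Modification of:\s*(.+?)\s*$")
FIELD = re.compile(r"^\s*(By|Via):\s*(.+?)\s*$")
VERDICT = re.compile(r"^\s*->\s*Action\s+(\w+)\s*$")

# Labels chosen for this example; they are not Avast's own categories.
AREAS = [(r"\currentversion\runonce", "autostart"),
         (r"\currentcontrolset\services", "service-config")]

def parse(text):
    """Return one dict per log entry; 'verdict' stays None when the log shows none."""
    entries = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            entries.append({"time": m[1], "key": m[2], "by": None, "via": None, "verdict": None})
        elif entries and (m := FIELD.match(line)):
            entries[-1][m[1].lower()] = m[2]
        elif entries and (m := VERDICT.match(line)):
            entries[-1]["verdict"] = m[1].lower()
    return entries

def triage(entry):
    """Summarise the points discussed in the thread for one entry."""
    key = entry["key"].lower()
    return {
        "area": next((label for frag, label in AREAS if frag in key), "other"),
        "temp_originator": (entry["by"] or "").lower().endswith(".tmp"),
        "via": basename(entry["via"] or "").lower(),
        "verdict": entry["verdict"] or "not recorded",
    }

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e["time"], triage(e))
```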

Offline LonelyPixel

  • Newbie
  • *
  • Posts: 5
Re: Windows Update is not trustworthy? Says Avast.
« Reply #18 on: January 01, 2012, 11:45:34 PM »
Quote from: iroc9555
The default action in The Behavior Shield when installing Avast! is " Auto-Decide ". In this setting Avast! will allow files coming from Microsoft updates.

Oh, does that mean that "Ask" will not start off with the same answer that it would "Auto-decide" itself? That doesn't quite increase my trust in that function. If I set something to auto-decide, I expect it to do exactly what it would have recommended (= defaulted) me in Ask mode before. If that differs, how am I supposed to learn what it would do in auto mode and gain trust that it will be the right thing? Now I've seen "Deny" as the default answer, and so I assumed that this would have been the auto-decide action, which is not what I would accept.

I've heard about more false-positive chaos from AV software than it has actually saved me, so I am suspicious about AV software and really want to learn what it wants to do before I let it drive alone. Had that dialogue defaulted to "Accept", then everything would have been fine in the first place and I would have been a bit more confident that I can safely enable auto-decide mode.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83791
  • No support PMs thanks
Re: Windows Update is not trustworthy? Says Avast.
« Reply #19 on: January 02, 2012, 12:27:58 AM »
There is no preconceived answer. It just means that when there is a suspicion (based on the areas the behavior shield is monitoring), rather than the user being 'Ask'(ed), the Auto (decide) will run through its rule set/s for that area/action and will make the decision to allow or block.

The problem being if you set it to Ask, unless you are pretty switched on about what is on your system you are just as likely to make a wrong decision and allow something that should have been blocked (what is known as a false negative). For most people the automated decision process with its rule sets is better equipped than the end user.

There are many that actually complain that the behavior shield is not aggressive enough, whilst that may catch some unknown malware, there is then the possibility of a false positive on a legit function. So it is a fine balancing act not to be too passive or aggressive.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.598) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8786
Re: Windows Update is not trustworthy? Says Avast.
« Reply #20 on: January 02, 2012, 01:12:32 PM »
Quote from: DavidR
The problem being if you set it to Ask, unless you are pretty switched on about what is on your system you are just as likely to make a wrong decision and allow something that should have been blocked (what is known as a false negative). For most people the automated decision process with its rule sets is better equipped than the end user.

I definitely agree, as "Ask" is not the way to go; I tried it and it was way too "chatty" and required a lot of my time to investigate why I was being 'Ask'(ed) about each item.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS