Windows Update is not trustworthy? Says Avast.

[iroc9555]

Oh, I know how to configure Avast or any other AV software. My concern is when other people (see my first post) see such messages and don't know what to do. While it's merely bugging me, it's actually harming those people.

The default action in The Behavior Shield when installing Avast! is " Auto-Decide ". In this setting Avast! will allow files coming from Microsoft updates. Sample from my Behavior Shield for those updates:

 30/12/2011 9:17:08   Modification of: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322
    By:  C:\WINDOWS\Installer\MSI9C.tmp
    Via: C:\WINDOWS\system32\MsiExec.exe
         -> Action allowed
30/12/2011 9:17:08   Modification of: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322
    By:  C:\WINDOWS\Installer\MSI9E.tmp
    Via: C:\WINDOWS\system32\MsiExec.exe
         -> Action allowed
30/12/2011 9:19:43   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\aspnet_state\Type
    By:  C:\WINDOWS\Installer\MSI173.tmp
    Via: C:\WINDOWS\system32\services.exe
         -> Action allowed
30/12/2011 9:19:52   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Start
    By:  C:\WINDOWS\Installer\MSI17F.tmp
    Via: C:\WINDOWS\system32\services.exe
         -> Action allowed
30/12/2011 9:19:52   Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Start
    By:  C:\WINDOWS\Installer\MSI180.tmp
    Via: C:\WINDOWS\system32\services.exe

I do not know if the criteria that Avast! team has set for the behavior Shield will also allow other secure ( white list ) programs, But if the person who install Avast does not know zip about computers, and does not mess arround with Avast! setting I am pretty sure He/She will have no problems because of it.

On the other hand if the behavior shield is set to auto-decide and out of the blue come out an alert, well that is why people have a security program to alert them of something that is not right, and if in doubt better to block than to be sorry latter on.

Happy New Year.

[DonZ63]

The last thing you want in my opinon is your behavior anti-malware software interfering with Win Updates. If the "ask" option of Avast behavior shield is interfering with Win Updates, I would reset it to "auto decide."

I really don't know why Avast behavior shield is examining that activity in the first place. Most HIPS software I have used is smart enough to realize that activity from a valid(signed) system service with DEP is OK.

[DavidR]

Well iroc9555 has it set to Auto decide, as mentioned in his post - The examples given by iroc9555 show that the originating file/s aren't signed (as you imply), e.g. the .tmp files making the change/s to the registry via a third party file.

Under normal circumstances if someone told you that was happening in the viruses and worms forum you would consider it suspicious and investigate.

That is what the behavior shield is doing (because of its settings, Monitor the system for unauthorised modifications) in iroc9555's examples and obviously has the smarts as to allow it.and not block it.

[LonelyPixel]

The default action in The Behavior Shield when installing Avast! is " Auto-Decide ". In this setting Avast! will allow files coming from Microsoft updates.

Oh, does that mean that "Ask" will not start off with the same answer that it would "Auto-decide" itself? That doesn't quite increase my trust in that function. If I set something to auto-decide, I expect it to do exactly that what it would have recommanded (= defaulted) me in Ask mode before. If that differs, how am I supposed to learn what it would do in auto mode and gain trust in that it will be the right thing? Now I've seen "Deny" as default answer and so I assumed that this would have been the auto-decide action, which is not what I would accept.

I've heard about more false-positive chaos from AV software than it has actually saved me, so I am suspicios about AV software and really want to learn what it wants to do before I let it drive alone. Had that dialogue defaulted to "Accept", then everything would have been fine in the first place and I would have been a bit more confident that I can safely enable auto-decide mode.

[DavidR]

There is no preconceived answer. It just means that when the there is a suspicion (based on the areas the behavior shield is monitoring), rather than the user being 'Ask'(ed) the the Auto (decide) will run through its rule set/s for that area/action and will make the decision to allow or block.

The problem being if you set it to Ask, unless your are pretty switched on about what is on your system you are just as likely to make a wrong decision and allow something that should have been blocked (what is known as a false negative). For most people the automated decision process with its rule sets are better equipped that the end user.

There are many that actually complain that the behavior shield is not aggressive enough, whilst that may catch some unknown malware, there is then the possibility of a false positive on a legit function. So it is a fine balancing act not to be too passive or aggressive.

[YoKenny]

The problem being if you set it to Ask, unless your are pretty switched on about what is on your system you are just as likely to make a wrong decision and allow something that should have been blocked (what is known as a false negative). For most people the automated decision process with its rule sets are better equipped that the end user.

I definitly agree as "Ask" is not the way to go as I tried it and it was way too "chatty" and required a lot of my time to investigate why I was being 'Ask'(ed) about each item.