Author Topic: Behavior Shield on Ask  (Read 12190 times)

0 Members and 1 Guest are viewing this topic.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72183
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Behavior Shield on Ask
« Reply #15 on: April 14, 2012, 05:00:53 PM »
Given that this thread has had no entries in about 2 1/2 months, I was wondering what other people were experiencing (or have learned) about how best to set the behavior shield.   (If it makes any difference, I'm working under XP/SP3... remaining security per my signature.)

I'm on Ask as well and never ever got asked about anything.
But this is because of D+, which jumps in first and never gives the BHS a chance to ask me. ;)
Win 8.1 [x64] - Avast PremSec 21.9.6660.IBC [UI.670] - EEK - Firefox ESR 78.15 [NS/uBO/PB] - TB 91.2
Avast-Tools: Secure Browser 94.0 - Cleanup 21.3 - SecureLine 5.13 - Driver Updater 21.3 - CCleaner 5.85
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Behavior Shield on Ask
« Reply #16 on: April 14, 2012, 08:23:09 PM »
DavidR,
Your suggestion/usage, to set the Behavior Shield to ASK, but to UNcheck "Monitor the system for unauthorised modifications", looks like it may work as an optimal solution for me.   I am testing it now, and hope to keep that setting (unless I see some adverse results in the future).
[Like you, I have WinPatrol (PLUS)... but in contrast, I'm only using the built-in Windows firewall.]
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85746
  • No support PMs thanks
Re: Behavior Shield on Ask
« Reply #17 on: April 14, 2012, 09:08:19 PM »
Well for me it is a very workable solution as I have that area well covered, whilst you should be OK, I would certainly be looking at getting a third party firewall. The reason the XP firewall has ZERO outbound protection and for me that is a weakness.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.693) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Behavior Shield on Ask
« Reply #18 on: April 14, 2012, 09:26:40 PM »
Yes, I realize the XP firewall offers only inbound protection... which is why I specifically pointed it out as a key difference between our setups (and the rationale used in making your choice).

The problem for me here is that, if I leave the "unauthorized modifications" box checked, the behavior shield is questioning lots of things ; for example, when something in Firefox activates its "plug-in container".   Granted, I guess I can "train" the behavior shield (like one would train an outgoing firewall or other HIPS program), but I'm debating if it's really worth it.   As noted, the behavior shield set to ASK in v6 never really bothered me, except when installating DotNet updates [when it went berserk].   So I'm trying to figure out what Avast did to it in v7.  It's fascinating to read how some here find ASK "too noisy", while other say it's not doing enough!   Guess there's no way to satisfy everyone.

By the way, how would you compare the relative security levels of:   
Behavior Shield set to ASK, with "unauthorized modifications" UNchecked; vs:
Behavior Shield set to AUTO-DECIDE, with "unauthorized modifications" CHECKED ??
These seem to be the "practical alternatives" for me to pick between (unless I want to put up with "noise", or train the shield).
« Last Edit: April 14, 2012, 09:28:54 PM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline iroc9555

  • CCS, Vzla.
  • Avast Überevangelist
  • Starting Graphoman
  • *****
  • Posts: 7458
  • No soporte por PM.
Re: Behavior Shield on Ask
« Reply #19 on: April 14, 2012, 09:49:24 PM »
Ky331

I can not answer about the Firefox plugin since I barely use FF, but as I told you before I have BhS in " Ask " and I had given trusted status to a half dozen progs so now my BhS is quite.

I also found out that it is better to switch BhS to auto-decide for Microsoft Thusday updates. This is only if one is running XP and there are DotNet updates availables.

Myself, like Asyn, I am running D+ and Comodo alerts are faster and a few more than Avast! so I do not notice if Avast! is realy noisy or not.
Hernan.
Dim 9200. C2D E6600; 2.40GHz. 4GB DDR2RAM. XP Pro_86. Spk3. IE8 & FF41. Avast FREE 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. SpywareBlasterOpenDNS. uBlock. WOT. Sandboxie

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85746
  • No support PMs thanks
Re: Behavior Shield on Ask
« Reply #20 on: April 14, 2012, 09:57:31 PM »
@ ky331
I can't make a direct comparison as there is no real way to tell as there is insufficient data to do that as on Auto decide here isn't any easy means of checking what has been checked and the action taken.

Even looking at the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\BehaviorShield.txt file doesn't show any worthwhile information as you have no expert settings where you can change the data recorded in the report file.

To even begin that comparision process you would have to remove all of your trusted processes and I have a whole slew of those. The plugin-container.exe is one of those I have in the trusted processes.
« Last Edit: April 14, 2012, 09:59:23 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.693) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Behavior Shield on Ask
« Reply #21 on: April 15, 2012, 12:37:58 AM »
The irony for me:  I have ALL avast shields set to ASK, yet none ever alert me (except for the rare F/P, which I'm prepared to analyze and properly act upon)... but the v7 Behavior Shield, in contrast, seems to be intrusive.  I do my best to practice "safe-surfing", and have several layers of protection that, combined, serve me well.

Iroc wrote:   "I had given trusted status to a half dozen progs so now my BhS is quite".
DavidR wrote:  "I have a whole slew of those [trusted processes]".
I guess I can try to see what happens... if all it takes is adding "a half dozen" to a white-list, that's really not too bad.   But I'd hate for it to extend to "a whole slew".   As Iroc knows, I consider myself an advanced user, and I can handle the ASKing.   But I'm also concerned about how "average" users --- friends that I try to help --- will fare if avast 7 does this to them.... maybe that's why "auto-decide" is the default???  [My wife wanted to completely turn-off the behavior shield on her machine(s), until I found the "compromises" I'm questioning/considering here.]
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline Gargamel360

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2346
  • Memento Mori
Re: Behavior Shield on Ask
« Reply #22 on: April 15, 2012, 12:44:16 AM »
But I'm also concerned about how "average" users --- friends that I try to help --- will fare if avast 7 does this to them.... maybe that's why "auto-decide" is the default???
Exactly  ;)

Defaults are the best setup for an average (meaning largely clueless) user.   Meant to be as "hands-free" and light on resources as possible, while still maintaining the best security possible.
Signature?  But I gots no pen....

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85746
  • No support PMs thanks
Re: Behavior Shield on Ask
« Reply #23 on: April 15, 2012, 01:12:54 AM »
<snip>
Iroc wrote:   "I had given trusted status to a half dozen progs so now my BhS is quite".
DavidR wrote:  "I have a whole slew of those [trusted processes]".
I guess I can try to see what happens... if all it takes is adding "a half dozen" to a white-list, that's really not too bad.   But I'd hate for it to extend to "a whole slew".   As Iroc knows, I consider myself an advanced user, and I can handle the ASKing.   But I'm also concerned about how "average" users --- friends that I try to help --- will fare if avast 7 does this to them.... maybe that's why "auto-decide" is the default???  [My wife wanted to completely turn-off the behavior shield on her machine(s), until I found the "compromises" I'm questioning/considering here.]

For some considerable time there were nothing but complaints about the behavior shield wasn't doing/getting involved enough.

However, don't consider my system the norm as I have some tools/toys that I play with that I keep away from any potential interaction with the behavior shield. Plus the only reason I add those to the trusted processes is because I have set it to Ask. If set on Auto many of those may well be checked and passed through without further intervention.

For me a whole slew of them is in the region of a dozen programs/tools/files, etc.

That is why the default setting is Auto, so that the average user isn't bugged by pop-ups effectively asking questions that they may not be able to answer.

As has been mentioned the default settings are designed with the average user in mind, when you have over 150million active users, those defaults have to provide a balance between protection and performance.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.693) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Behavior Shield on Ask
« Reply #24 on: April 15, 2012, 02:42:32 PM »
Okay, here's the [preliminary] results of my testing which POPULAR programs/processes had to be added to the Behavior Shield's trusted processes list --- over and above those that I had already added in under v6 --- in order to avoid getting ASK-prompted each time:

Programs:
Adobe Reader
Auslogics Disk Defrag
Firefox
Internet Explorer
Open Office modules (e.g., Writer, Calc)
Sandboxie
Secunia PSI

Windows Processes:
csrss (Client Server Runtime proceSS)
explorer (windows explorer)
svchost (generic HOST process for win32 SerViCes

It appears that, with the above white-listed, the behavior shield is now essentially quiet under ASK mode.   However, given the popularity of the above (especially IE, FF, and Reader), I think that Avast is asking way too much, if "average" users will have to whitelist them all (for ASK to be "quiet").   Surely Avast knows about, and should tolerate these mainstream programs/processes, without users having to declare them "exceptions".
(Note that some of the above programs had to be added, only for the sake of checking for their updates.)
(Also, I am intentionally not mentioning here one or two "unpopular" programs that I have/use, as I fully understand why the behavior shield questions them).

I'm curious if Iroc and DavidR can take a moment to look at their whitelists, to see if they needed to add any/all of the above... or is something weird happening on my system.
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline iroc9555

  • CCS, Vzla.
  • Avast Überevangelist
  • Starting Graphoman
  • *****
  • Posts: 7458
  • No soporte por PM.
Re: Behavior Shield on Ask
« Reply #25 on: April 15, 2012, 03:02:38 PM »
Ky this is my list:

Uphclean.exe
MIDIDEF.EXE
Ctregrun.exe
CTCMSGoU.exe
regutils.dll
JavaRa.exe
ISUSPM.exe

Most of them are for Sonic and Crative software. Upclean is from Microsoft Hive Cleanup Service, Java, and ISUSPM is from Install Shield.

I certainly have not had alerts for Explorer, svchost, or csrss which as you know are Microsoft files.
Hernan.
Dim 9200. C2D E6600; 2.40GHz. 4GB DDR2RAM. XP Pro_86. Spk3. IE8 & FF41. Avast FREE 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. SpywareBlasterOpenDNS. uBlock. WOT. Sandboxie

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Behavior Shield on Ask
« Reply #26 on: April 15, 2012, 03:14:26 PM »
Iroc,

UPHClean is also on my whitelist --- but that's one that I had added under v6, so I did not mention it here.
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85746
  • No support PMs thanks
Re: Behavior Shield on Ask
« Reply #27 on: April 15, 2012, 04:20:09 PM »
@ ky331
I don't add any windows system processes to the trusted processes.

Many of the programs you have added I don't use. For the browsers I don't add those and have also removed the plugin-container.exe I added as a test to see if it made things any quicker.
I don't use sandboxie on this system, I use DropMyRights and have added that. On my win7 system I have sandboxie and that is added.
I use PuranDefrag as my defrag option and add its two processes.

I have removed several of my tools (ones no used frequently) so as not to confuse issues by making it look like you have to add loads of processes to the trusted processes list.

But remember I don't have the monitor unauthorized modifications option checked.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.693) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Behavior Shield on Ask
« Reply #28 on: April 15, 2012, 05:37:01 PM »
DavidR wrote:  "But remember I don't have the monitor unauthorized modifications option checked."

That's the big difference:   I believe CONFIRMED:  that with that box UNchecked, I would not have had to add ANY of the programs/processes I listed above!
« Last Edit: April 15, 2012, 07:12:01 PM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline Dch48

  • Massive Poster
  • ****
  • Posts: 3150
Re: Behavior Shield on Ask
« Reply #29 on: April 15, 2012, 11:33:17 PM »
When I had it on Ask, I did not have to add any browsers or any other part of Windows. It was only things  like driver updates for known and widely used hardware that should not trigger any alert. AMD graphics drivers were one example. It also alerted on some legacy applications but the most bothersome things were the drivers and updaters for my games that interrupted things and made them fail. I just can't put up with that so it's staying on auto decide.
Avatar FX6327X desktop, FX-6300 CPU, RX 470 GPU, 8GB RAM, Windows 10 Home 64 bit
HP dv6-6140us laptop, A8-3500M APU, 8GB RAM, Windows 7 Home Premium 64 bit
RCA W101 v2 10" tablet, Intel Atom Bay Trail Z3735F processor, 2GB RAM, Windows 10 Home 32 bit