Author Topic: Behaviour Shield Deficiency ...  (Read 5203 times)

Offline Anacunga

  • Sr. Member
  • ****
  • Posts: 253
Behaviour Shield Deficiency ...
« on: April 02, 2012, 07:04:14 PM »
Got following situation:

Behaviour Shield Question:

An untrusted program is trying to modify a protected resource.

Program: C:/Programs/Program/Program.exe
Resource: System services and drivers

ACTIONS TO TAKE:

- Allow
- Allow and add to trusted programs
- Deny
- Deny and terminate the program
- Deny and move to chest

Target Object: /REGISTRY/MACHINE/System/CurrentControlSet/.../Services/...
Requested routed via: C:/WINDOWS/system32/services.exe


Problem: Why is there no Option to:
- Allow and remember this ("Target Object")
(in the sense of: Application still remains under suspicion and is still observed, but only gets allowance to change exactly that only resource - and is reported again if it wants to do something else that could be considered critical. The only option here is either to get again that question every time the program wants to change again that resource - or to allow the program everything)

Why not available?

Edit: end italics
« Last Edit: April 02, 2012, 08:00:19 PM by Anacunga »

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Behaviour Shield Deficiency ...
« Reply #1 on: April 02, 2012, 07:28:58 PM »
Do you have the BhS set to auto decide? If not then best to set it this way, also under actions to take you need to allow and add to trusted programs if you continue to get the alert after changing to auto decide.
« Last Edit: April 02, 2012, 07:30:42 PM by craigb »

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 462
Re: Behaviour Shield Deficiency ...
« Reply #2 on: April 02, 2012, 07:34:39 PM »
quote from igor in http://forum.avast.com/index.php?topic=96562.msg770347#msg770347:  the main thing the Behavior Shield does is provide context information for other shields (mainly FileSystem Shield), i.e. making many of the heuristic detections work (i.e. something invisible, but important performed on background).

anyways, when set to ask mode, behaviour shield functions more like a HIPS (it does not throw a question at u based on overall behaviour of the app, just the fact that the app does a particular action, eg. modifying registry values, which may not be malicious at all)

based on igor's information, i think behaviour shield is mainly an assistant for complete functionality of other shields.  :)

Offline Anacunga

Re: Behaviour Shield Deficiency ...
« Reply #3 on: April 02, 2012, 07:59:14 PM »
The functionality of the Behaviour Shield is clear, and it works as it should - but: in such a case I only have two possibilities:
- either allow the application to do everything (including maybe unwanted things)
- or always see those warnings every time the app is changing that resource in registry.

What I want is: allow the program to change this specific resource in registry (so that I won't get that specific question anymore), but Behaviour Shield should continue to observe the app and report if the app wants to change some other resource or even do something different that AVAST considers as potential threat!

@craigb, you smoking ape: of course it's not set to autodecide - and that's clearly on purpose! it has to be so (that it is NOT set to autodecide, but to ask) because I don't want to add it to the trusted programs - but that single action is allowed. sorry, but your answer is obsolete and your advices not applicable ...


Offline CraigB

Re: Behaviour Shield Deficiency ...
« Reply #4 on: April 02, 2012, 08:07:19 PM »

> @craigb, you smoking ape: of course it's not set to autodecide - and that's clearly on purpose! it has to be so (that it is NOT set to autodecide, but to ask) because I don't want to add it to the trusted programs - but that single action is allowed. sorry, but your answer is obsolete and your advices not applicable ...

You really don't know what you're talking about  ::) if you're not going to set it to auto and you don't want to add to trusted programs then of course you are going to be continually bugged with notifications since the BhS doesn't have any kind of white list and turning off auto you are essentially turning the BhS into a HIPS without whitelist and you'll be pestered by it repeatedly.

Note that the next time you are rude I'll be pushing for a ban on yourself  8)
« Last Edit: April 02, 2012, 08:13:20 PM by craigb »

Offline AntiVirusASeT

Re: Behaviour Shield Deficiency ...
« Reply #5 on: April 02, 2012, 08:09:59 PM »
@Anacunga: u dun sound polite to craigb at all  >:( hes trying to help u...

unless u change ur attitude when asking/replying, ppl are not going to be willing to help u.

Gargamel360

  • Guest
Re: Behaviour Shield Deficiency ...
« Reply #6 on: April 02, 2012, 08:38:59 PM »
All I can say is leave it on auto.  I tried ask and it was not really optimal.  Because then it acts like a HIPS but as you noticed, it is not designed to be a HIPS and lacks the options of one.

Stray outside the default settings, and quite often you will find out why they are default settings. ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Behaviour Shield Deficiency ...
« Reply #7 on: April 02, 2012, 08:44:42 PM »
> unless u change ur attitude when asking/replying, ppl are not going to be willing to help u.

Please, avoid acronyms and abbreviations.
The best things in life are free.

Offline Anacunga

Re: Behaviour Shield Deficiency ...
« Reply #8 on: April 02, 2012, 08:47:05 PM »
> @Anacunga: u dun sound polite to craigb at all  >:( hes trying to help u...

I'm sorry (and a special sorry also to him) - but if he is presenting himself as a smoking ape (in his avatar), it should be allowed to address him as such - isn't it ...  :o

> unless u change ur attitude when asking/replying, ppl are not going to be willing to help u.

I'm sorry, but just from the description of the BhS-Question and my details to the case itself, it should have been clear that default settings (= autodecide) is not that what is the question about here.

Again: the thing is that the "popup-option"
- Allow only this specific change but report again (that's why set to ask!) if there is something else that program wants to do - and DO NOT add it to the trusted Apps

It's just the simple way of: "you, program, first you have to tell me what you want; if I see what it is, I'll give you the OK for THAT (but not for something else), and if you want to do something else, I get again a report that I can again decide whether that is OK or not; if it's OK, you'll get again your permission, if not, I could block THAT SPECIFIC thing (but not the whole application)."
It would be similar to a desktop firewall where you can close very specific IPs, ports etc. BUT DO NOT HAVE TO BLOCK THE ENTIRE APP BECAUSE OF ONE SINGLE PORT OR IP.

That's the stuff here what it is about ... If "auto-decide" meets that, so much the better - but it's not clear whether it is so ...

@Gargamel: I would have hoped that it isn't really that way ... :/

Offline CraigB

Re: Behaviour Shield Deficiency ...
« Reply #9 on: April 02, 2012, 09:03:07 PM »
> @Anacunga: u dun sound polite to craigb at all  >:( hes trying to help u...
> I'm sorry (and a special sorry also to him) - but if he is presenting himself as a smoking ape (in his avatar), it should be allowed to address him as such - isn't it ...  :o

As I don't personally know you and you're not a friendly familiar you should respond to others and myself by using their name, an avatar is simply that! just an avatar and is in no way a representation of anybody, it's there because I thought it looked funny and wanted a change of avatars.

Note that it was also the end of your paragraph that was also offensive ( your answer is obsolete and your advices not applicable )
« Last Edit: April 02, 2012, 09:07:23 PM by craigb »

Offline Anacunga

Re: Behaviour Shield Deficiency ...
« Reply #10 on: April 02, 2012, 09:45:26 PM »
> @Anacunga: u dun sound polite to craigb at all  >:( hes trying to help u...
> I'm sorry (and a special sorry also to him) - but if he is presenting himself as a smoking ape (in his avatar), it should be allowed to address him as such - isn't it ...  :o
> As I don't personally know you and you're not a friendly familiar you should respond to others and myself by using their name, an avatar is simply that! just an avatar and is in no way a representation of anybody, it's there because I thought it looked funny and wanted a change of avatars.

I respect your chosen avatar - but don't you think that you should have been aware of such an address (with pun intended!) when using such an avatar?

BTW: I know very well that in another context, my address would really not be polite - but I took the liberty to do that pun here. Please don't take it personally!

> Note that it was also the end of your paragraph that was also offensive ( your answer is obsolete and your advices not applicable )

Again a sorry: I did not want to write in the thread-opening something like "please don't advise me to use default settings, as that problem is not covering default settings". I wanted to avoid something like that. And just telling me "just use default settings then all will be fine" is no valuable answer as it does not point out the problem that was described, sorry. That's why my answer was "not in the finest way" ... I assume you understand what I mean. As turned out now it just gives big scribbling without coming nearer to the solution - and I didn't expect that it turns out that way, as we're far off topic. I did not want to provoke something like that, sorry that you're the one who is gonna pony up that here ...

Offline Anacunga

Re: Behaviour Shield Deficiency ...
« Reply #11 on: April 02, 2012, 10:31:08 PM »
> You really don't know what you're talking about  ::) if you're not going to set it to auto and you don't want to add to trusted programs then of course you are going to be continually bugged with notifications since the BhS doesn't have any kind of white list and turning off auto you are essentially turning the BhS into a HIPS without whitelist and you'll be pestered by it repeatedly.

Back to topic: the question is WHAT notifications are coming (again). There should not be coming the same question again if you have the possibility to choose: - Allow THIS (but only this). That's what I consider missing!
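
The per-target rule requested in this thread, modelled as an added example (not part of any post, and not Avast's implementation): a remembered verdict is keyed on program plus target object, so anything else the program touches still prompts. `PolicyStore`, its methods and the `ExampleSvc` key name are hypothetical.

```python
from dataclasses import dataclass, field

ASK, ALLOW, DENY = "ask", "allow", "deny"

def norm(path: str) -> str:
    """Windows paths and registry keys are case-insensitive; unify separators."""
    return path.replace("\\", "/").rstrip("/").lower()

@dataclass
class PolicyStore:
    trusted: set = field(default_factory=set)   # "Allow and add to trusted programs"
    rules: dict = field(default_factory=dict)   # (program, target) -> remembered verdict

    def trust_program(self, program: str) -> None:
        self.trusted.add(norm(program))

    def remember(self, program: str, target: str, verdict: str) -> None:
        """The requested option: remember a verdict for this program on this target only."""
        self.rules[(norm(program), norm(target))] = verdict

    def decide(self, program: str, target: str) -> str:
        prog, tgt = norm(program), norm(target)
        if prog in self.trusted:
            return ALLOW                        # whole-program trust: nothing is asked again
        best_key, best_verdict = "", ASK        # no matching rule -> prompt the user
        for (p, key), verdict in self.rules.items():
            # Match the key itself or one of its subkeys, on a path boundary only.
            if p == prog and (tgt == key or tgt.startswith(key + "/")):
                if len(key) > len(best_key):    # most specific rule wins
                    best_key, best_verdict = key, verdict
        return best_verdict

# Constructed sample values; the service key name is a placeholder, not from the thread.
PROGRAM = "C:/Programs/Program/Program.exe"
SVC_KEY = "/REGISTRY/MACHINE/System/CurrentControlSet/Services/ExampleSvc"

def demo() -> dict:
    store = PolicyStore()
    store.remember(PROGRAM, SVC_KEY, ALLOW)
    return {
        "same key": store.decide(PROGRAM, SVC_KEY),
        "subkey": store.decide(PROGRAM, SVC_KEY + "/Parameters"),
        "sibling key": store.decide(PROGRAM, SVC_KEY + "2"),
        "other program": store.decide("C:/Temp/Other.exe", SVC_KEY),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Matching on a path boundary matters: a plain prefix test would let the rule for `ExampleSvc` silently cover `ExampleSvc2` as well.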