Network Shield: WHY not configurable to "ASK"-mode???

[!Donovan]

Coming back to the infection itself called "JS:ScriptIP-inf [Trj]" ... If you google it, you don't really find what kind of malware that ought to be - and it really looks like a "preventive dummy alert" provocated by heuristics to ban disagreeable stuff.

Lets break it down.

JS:ScriptIP-inf [Trj] <-- We have a potentially malicious JavaScript element
JS:ScriptIP-inf [Trj] <-- The script contains a blacklisted IP by avast, presumably the potentially malicious site

avast! is blocking a potentially malicious javascript element that contains a blacklisted IP that is most likely the potentially malicious site you were trying to visit.

[polonus]

Hi !Donovan,

This is confirmed here: http://safeweb.norton.com/report/show?url=download-crack-serial.com

    Drive-bydownloads
Found threats 1

Name of Threat:    Malicious Site: Malicious Domain Request 2
Location:    htxp://download-crack-serial.com

polonus

[Anacunga]

Thanks - but again the question remains: WHY does the normal AVAST user not get more info than "Netshield: URL:Mal" Is AVAST really intended to be used only by stupid dummies???

[Gargamel360]

Is Avast! meant to be usable by dummies? Sure, yes.  Only by dummies?  Hardly, no.  As is clearly evident at how configurable it is.  A "dummie" can really bork things up by playing with the wrong settings.

I just don't see the issue here, unless you just want more Transparency. 

If you are informed enough to be making investigations into infected websites, you surely have some kind or fall-back plan (image?) and additional security (sandboxing/VM? HIPS?) and are doing so on a "secure" PC (minimal confidential data) so that turning off the Network Shield to go to a site is not an issue.

[Anacunga]

Is Avast! meant to be usable by dummies? Sure, yes.

That's part of the task – so there is nothing to say against – and it's fine if that condition can be fulfilled ...

Only by dummies?  Hardly, no.  As is clearly evident at how configurable it is.

Here problems could begin – also if you look at how much time the "non-dumb non-dummies" would need to spoil in case something does not run as fine as the default setting covers it ...

A "dummie" can really bork things up by playing with the wrong settings.

Also this is well known – but a "high quality software" should allow both; and AVAST! IS the number one!

I just don't see the issue here, unless you just want more Transparency.

... that's what I'm asking for!!!

If you are informed enough to be making investigations into infected websites, you surely have some kind or fall-back plan (image?) and additional security (sandboxing/VM? HIPS?) and are doing so on a "secure" PC (minimal confidential data) so that turning off the Network Shield to go to a site is not an issue.

Sure – but the question always is: how much time do you have to spoil just to get the minimal info for finding out what could be the cause for any flaw that caused Avast to show a warning window. And needing to disable some protection level JUST FOR GETTING SOME MINIMAL INFO WHY A WARNING HAD OCCURRED is an issue in the security concept. It NEVER should be necessary to disable ANY protection level just for getting the information about the cause for the avast-warning.

[polonus]

Hi Anacunga,

You would not get that information not even if you could override Networkshield. I try to explain. Some at avast decide on ground of blacklisting or on a persistent spawn of specific malcode that there is reason to block an IP or IP-range for instance. How would you know? If you established that there should be no reason for that block because the malware has been closed, response is dead or new malware is not being spawned from there (VirusWatch list etc.) and see that there is also no more reason for that site to get re-infected (site server software does no longer give out full server version to the world, website software has been fully updated and patched and so not vulnerable to possible hacks, you could file a FP report and whenever it is found to be a real FP with a next update the block could have been lifted.
An override-feature of the Networkshield would be dangerous in the hands of the unaware and malversants alike. Who wants to play Russian Roulette?

polonus

[mchain]

Posted by: polonus
« on: Today at 04:55:14 PM

An override-feature of the Networkshield would be dangerous in the hands of the unaware and malversants alike. Who wants to play Russian Roulette?

I certainly don't.  You never know when that chambered bullet will come around and kill you when you pull the trigger.  You've got to trust Avast! in that they know what they are doing, and doing it at a higher level than most a/v's available out there.  Very few false positives, too!

Remember, we are just avast! users here.  Hope we have helped you out somewhat.

[Anacunga]

You would not get that information not even if you could override Networkshield. I try to explain. Some at avast decide on ground of blacklisting or on a persistent spawn of specific malcode that there is reason to block an IP or IP-range for instance.

So far that's the funcionality of Avast and not to criticise.

How would you know?

That's one of the questions that Avast should be able to give an answer - in the sense of: alone from the warning itself should be determinable why the site was blocked. Inside the warning should be a link to the "protocol" of the day that the decision was taken to blacklist that site - with of course the reason why it was blacklisted. That can be some time ago - no prob. - but as it is now, you do not get ANY usable information than "Avast blocks this site (and as for you, you have to shut up and not to ask anything further)".

If you established that there should be no reason for that block

Sorry, no! I did only complain about the information policy of Avast. Again: that was also the reason that I first did not tell what site is concerned; it is just used as example here; nothing more! The question here is still the information policy of Avast and NOT that specific site!

because the malware has been closed, response is dead or new malware is not being spawned from there (VirusWatch list etc.) and see that there is also no more reason for that site to get re-infected (site server software does no longer give out full server version to the world, website software has been fully updated and patched and so not vulnerable to possible hacks, you could file a FP report and whenever it is found to be a real FP with a next update the block could have been lifted.

That would be a totally different story that is NOT topic here!

An override-feature of the Networkshield would be dangerous in the hands of the unaware and malversants alike. Who wants to play Russian Roulette?

That's clear and obvious - and that's why I propose to be able to override it only once without the necessity to disable the protection shield for that level - and OF COURSE that would mandatorily only be accessible by extended options/settings and of course default would be turned off!

[polonus]

I think it would be very unwise to bring that mode into the software, because it could also be (ab)used towards other ends. Besides the malversant is an opponent that cannot be underestimated. Well anyway that is my opinion. The time saving argument you give for checking flagged sites is non-existent, because an extensive check of a suspicious site needs somewhat more time and scanning. With a small group here I am doing this all the time so I am entitled to know. Maybe I could repeat the procedure, but then without any conclusive results,

polonus

[AntiVirusASeT]

the fact that sites blocked by network shield under blacklist provided by avast (not some heuristics method) is almost as good as saying u should obey it. because these websites have been analysed by experts.

this is also the reason why exclusions is possible in web shield (because there is potential that it makes mistakes using heuristics). there is almost no possibility for mistakes in network shield on the other hand.

besides, if any information to explain the block will likely to be very lenghty..perhaps something like what polonus stated?

There is a script there with recurring repeated //eval display() &  pre.js:249: InternalError: too much recursion
Insecure is the fact that the server gives away the full version of it out to the world and that should be remedied,
because these sites give away too much info to be eventually abused.

No alerts were detected but that IP still is listed with

2012-05-10 17:04:19   85.159.233.95   urlQuery Client   ET RBN Known Russian Business Network IP (386)

according to Suricata /w Emerging Threats list.
I guess you know what Client RBN stands for and that has nothing to do with political issues and keygen cracks.
For that site is hosted in the Netherlands (a 3 man firm) we see: DNS: ns2.p8.ru, ns1.p8.ru
Also consider: http://www.mywot.com/en/scorecard/85.159.233.95?utm_source=addon&utm_content=popup-donuts
RBN has been known as a nebulous organization, see: https://community.mcafee.com/community/security/gti/webthreats/blog/2011/11/29/russian-business-network-malware-sites-and-ip-addresses. But all this has apparently this nothing to do with the recent avast flag.
The reason for Network Shield blocking is solely known to the avast team member(s)  that implemented it.
Pondus now says avast/GData are not the only ones to flag it,

polonus

the point is that any information provided is hard to be sufficient yet not too technical for users to digest...

on top of that, u should trust that ur antivirus is not politically motivated...uninstall anything from ur system that u cannot trust.

edit: ask mode is suicidal...u need to understand how many users would trade security for ease of usage...including accessing malicious sites. most of them will regret their actions later (if they even know that they are infected). if u look at the forums long enough, u will see what great lengths people who have no idea on how to use even the avast gui to go about doing trial and error to find the setting to allow them access to an infected webpage or file...all without proper analysis on the suspect website/file...