A better behavioral blocker (avast! 5)

I’m really into this behavior blocking feature, and I’m happy it will be added to avast 5.
But avast 5 won’t give you any option to allow or deny a program (as far as I know).
I’m not really sure; I only wanted to post this poll to see what behavior of the behavior blocker you prefer… nothing more
Thanks

Sorry, there’s always more. ;D
I would like to see an allow/deny option, and a recommendation based on the type of behaviour appended. Or at least a bit more tech info on what the behaviour is likely to mean.

Simply letting the program decide should perhaps be an option in the settings, but should not be default. What if it gets it wrong, and for whatever reason explorer.exe is quarantined, and you reboot before noticing this?

I for one would probably have trouble deciding what behavior to allow or Deny.
I would assume avast would most likely have what behaviors to stop etc.
So I voted Let them decide whether if the program will be allowed or denied

Of course people with the knowledge would probably know what to deny or accept.

Oh, what I meant by the “nothing more” is that they don’t need to base their decisions on this poll… I only want to know what your opinions are on the issue :smiley:

~ I think I should edit my post and put “with recommendations” when choosing the allow/deny options

I don’t mind Behavior Shield being DENY only for as long as it doesn’t make mistakes and if they’ll improve it for detection of binaries and not just very specific “entry points” as they call it. Main benefit of using Behavior Shield for everything is that you can seriously boost detection of new malware regardless of how it’s obtained.

This is the same discussion as to the options on virus detection and letting the user permit known badness into their system because they think they know better.

People with knowledge + experience = Behavior blocking advice

But for me it’s kinda impossible if avast won’t get a single mistake… :-\

I’m interested by this shield. Anyway, on the first error that it does, I’ll stop it once for all. Can’t leave an instance of any security program decide what is good or not by itself without making sure it’s 100% secure for the system. If it’s only 99.99%, I’ll ditch it. To make it clear, if it blocks one time something that shouldn’t be blocked, I’ll stop it from running and won’t even bother to try it again.

I’m looking forward to the 0.01% error then maybe you will go away.

got a problem with me kenny yo ??? ;D

I think they’re going for the no mistakes but far less functionality. Like Network Shield. It never made a mistake, but it also had a very limited scope against malware types.

huh? that’s kinda sad to know… I want the allow/deny options rather than having these limitations… it will not help that much in malware detection… :frowning:

yeah I’ve been thinking about the network shield as well and it’s true it doesn’t make mistakes. But it’s watching the network/connections, not the local system.

yeah it’s true it doesn’t make any mistakes BUT I rarely notice it in action…
oh no! behavior blocker having these limitations? how about the thousands and thousands of rogue software and unknown malware…
haiiz :frowning:

that’s off topic here, but I’ve seen the network shield in action not so long ago in avast4: it aborted a connection while I was attempting to click on a web site link already flagged by Google. It works well, that was the second or the third time I saw that. I also see it watching TweetDeck (an external Twitter application) constantly, when the web shield is limited to browsers (as far as I know). Tons of avatars are being temporarily downloaded and that’s analysed by the network shield. It might not have settings in the UI, but it’s a powerful feature I believe.
http://forum.avast.com/index.php?topic=49936.msg422583#msg422583

And I don’t think it should be compared at all to the behavior shield. It’s not the same purpose at all.

i see :stuck_out_tongue:

you see what ???

…what you meant :slight_smile:

This is a completely pointless poll because the OP obviously doesn’t understand how the behavior shield works. The behavior shield in avast 5 is not what is usually referred to as a “behavior blocker” or HIPS… It is an expert system based on rules, created by real people here in the lab.

An example: in a classic BB/HIPS, you get an alert like this:

Application abc.exe is trying to install global window CBT hook on session 2. Allow/deny?

Now, behavior shield in avast 5 has a definition file (similar to the normal detection engine) that may contain rules like this:

IF

  • application is located in Windows directory, AND
  • application is packed, AND
  • the application is not signed by a trusted publisher, AND
  • parent process is NOT xyz.exe, AND
  • the last API calls are api1, api2, api3, api4, AND
  • the application recently dropped a file called *.dll into the Windows directory, AND
  • the dll is now being installed as a global window CBT hook

THEN block the application and submit the associated exe and dll files for analysis to the virus lab.

Thanks
Vlk
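The rule in the post above, written out as an added example (not avast! code and not part of the original post): a rule fires only when every condition holds, so a single event such as a CBT hook installation does not trigger a block on its own. The `ProcState` fields, the `C:\Windows` path and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace
from ntpath import dirname   # Windows path rules on any host OS

WINDIR = r"C:\Windows"       # assumed Windows directory

@dataclass
class ProcState:             # hypothetical per-process state a shield would track
    image: str               # full path of the executable
    packed: bool
    trusted_signer: bool
    parent: str              # parent process image name
    api_tail: list           # most recent API calls, oldest first
    dropped: list = field(default_factory=list)  # files the process wrote
    hook_dll: str = ""       # DLL being installed as a global CBT hook, if any

def in_windir(path):
    return dirname(path).lower() == WINDIR.lower()

def dropped_dlls(p):
    return [f for f in p.dropped if in_windir(f) and f.lower().endswith(".dll")]

# The rule from the post: every (name, predicate) pair must hold (logical AND).
RULE = [
    ("located in Windows directory", lambda p: in_windir(p.image)),
    ("packed", lambda p: p.packed),
    ("not signed by a trusted publisher", lambda p: not p.trusted_signer),
    ("parent process is not xyz.exe", lambda p: p.parent.lower() != "xyz.exe"),
    ("last API calls are api1..api4",
     lambda p: p.api_tail[-4:] == ["api1", "api2", "api3", "api4"]),
    ("dropped *.dll into Windows directory", lambda p: bool(dropped_dlls(p))),
    ("dropped dll installed as global CBT hook",
     lambda p: p.hook_dll in dropped_dlls(p)),
]

def evaluate(p):
    """Return the verdict plus the conditions that kept the rule from firing."""
    unmet = [name for name, pred in RULE if not pred(p)]
    if unmet:
        return {"action": "no-match", "unmet": unmet}
    return {"action": "block", "submit": [p.image, p.hook_dll], "unmet": []}

# Constructed samples: same hook installation, differing in one condition.
SUSPECT = ProcState(r"C:\Windows\abc.exe", True, False, "explorer.exe",
                    ["api0", "api1", "api2", "api3", "api4"],
                    [r"C:\Windows\abc.dll"], r"C:\Windows\abc.dll")
SIGNED = replace(SUSPECT, trusted_signer=True)

if __name__ == "__main__":
    for name, p in (("SUSPECT", SUSPECT), ("SIGNED", SIGNED)):
        print(name, evaluate(p))
```

The `unmet` list shows which condition stopped the rule from matching, which is the kind of detail a rule author needs when tuning against false positives.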

Thanks for the clarification Vlk… :slight_smile:
I can see how you make the behavior blocker in a very “expert” way… tnx again! :slight_smile: