Avast Free - Behavior Shield/IDP - ransomware test

https://youtu.be/OK-XJaUDNmg
Hope avast Behavior Shield improve in future release. :slight_smile:

sorry but this methodology is flawed…disabling avast web shield knocks out a important component as a part of blocking the URL’s…even if a malware sample accesses a malware url and web shield has it but in this case it can’t alert so he didn’t test IDP correctly.

From what I see if he had kept avast! shields up none of them would have got through just like in a normal user situation and havoc ransom looks more like a script skid type stuff.

I am happy to see IDP is blocking even baddest of the malware.And it’s a new feature for avast and there things in pipeline still to come .

Disabling Avast! shield’s means you are crippling one of the main weapons with which avast fights against malware.All the shields work together in most cases they help IDP as well.Avast! shields are dependent on each other so this test isn’t a true demonstration of IDP since it lacked the help from other shields.

This proves nothing but the tester’s lack of knowledge.

It’s not flawed if you know the purpose of the test. The test was meant to poke Behavior Shield and it did. That’s all it is to it.

Of course it is meant to poke the behavior shield.But IDP needs web shield atleast to work during the test atleast with ransom downloader which downloads the file from a blocked url.

With web shield disabled the payload is downloaded and kind of risk it till the end.With web shield on avast will block the URL and IDP will see the underlying culprit and block it.I have seen this for myself.

What only happens here is IDP blocks the payload but not the downloader thanks to the tester disabling web shield and again if it were the ones I have seen it will keep trying to download the file and all IDP can do is keep blocking whereas the js or the downloader is knocked right away as soon as web shield blocks the URL.

And again the end result will only look bad for avast considering the downloader is still running just because the tester doesn’t know how avast works.

This is exactly what I asked for from avast team and I am glad its working in that direction. :slight_smile:

Avast just like before is dependent on its shields.

could you please explain how those 3 modules link together? How to isolate behavior shield for testing without depending on the signatures and web shield or other blacklisting methods? Finding undetected samples which haven’t been detected by webshield and file shield?
are you 100% sure that IDP and other modules are linked together or are they just separate things?

I have seen IDP and file shield blocking the exact same files. I thought they are separate because file shield should have blocked them first and IDP should not have been touched. Web shield → file shield (signatures, hardened mode, reputation service, cybercapture,…) → IDP (last layer) => I don’t know how they work, the order, the connections

I have been testing avast’s Behavior blocker and BBs of other products. Of course I don’t know how they work because I don’t know coding but what I can see is that other BBs, some are better, some are worse than IDP in similar testing conditions.

I’m an Avast fanboy. I’m a bit bias towards avast and using it for my whole family and friends

I accept my lack of knowledge about the product but where can I fill it up?

Haha I stopped recommending avast from 2014.I think they just got me back.

Anyway Behaviour blocker isn’t only one of the things that are linked together with shields there are other components as well.

You see this particular chain of ransom infection was discussed among the evangelists and was put in front of avast team by me.

Ransom Downloader>>Accesses Malware URL for downloading the payload>>>Avast web shield blocks it>>IDP see’s its bad and quarantines it or kills the downloader itself or in this case say wscript.exe

When IDP wasn’t present avast wasn’t intelligent enough to make the decision and the user kept complaining about blocked url messages.I can link you to such a test if you want.

I know IDP blocks the payload in your video but at times the downloader is still running and tries downloading different things.

You need to know IDP isn’t a lone BB it is something within avast.

By the way I am not blaming you for it just wanted to keep you informed. :slight_smile:

That’s not entirely true. CyberCapture depends on Web Shield. Behavior Shield is fully independent module. It can and does work on its own.

Can any developer from Avast answer this? Are those modules have some kinds of connections?
or are they completely independent?

Please, I don’t want to hear that if A doesn’t detect, B will detect => independent
I want to hear if A doesn’t detect, A will help B to detect by …bla bla bla…

Well the problem is cybercapture does not work for js files.While behaviour shield monitors them and looks for suspicious behaviour like accessing a blacklisted URL etc etc.This is just my experience with testing it.

The only case where behav. shield is not independent in the case where the malware is a downloader and doesn’t do any harm to the system apart from trying to download malicious binaries constantly :o

I personally would like if IDP blocked the downloader and prefer to keep minimum web shield on for this purpose even if you are poking the shield to see how it does this small change can change the outcome of the test.Remember I had reported js locky url to avast that wasn’t blocked by any of the shields so yes such cases exist even in real life.

read: https://forum.avast.com/index.php?topic=196758.msg1366250#msg1366250