Behavior Shield Info Please

system · January 1, 2011, 11:48pm

Why if you have a program lets say like OA firewall
in ‘exclusions’ under avast! and running Behave Shield
set at ‘ask’ and not allow would you get any pop-ups
for OA Firewall at all?
I had to set it back to allow because of all the pop-ups
I am getting!

Lisandro · January 1, 2011, 11:50pm

BeS is not a HIPS. It will only alert IF a program is a malware or “unknown”. It analyses the behavior of the program/file. OA firewall is a legit one, so, no alert.
BeS shows very little popups.

system · January 2, 2011, 12:00am

Tech, Not true…I jut got two of them and then went back to allow
because of those pop-ups
see image

http://i53.tinypic.com/2cqxnwh.jpg

http://i52.tinypic.com/2echtsw.jpg

http://i56.tinypic.com/16ibnd.jpg

Lisandro · January 2, 2011, 1:10am

Thanks for reporting Hay.
Maybe you need to boot?
If it does not work, maybe the programmers could take a look in the exclusions and at BeS.

system · January 2, 2011, 1:58am

your welcome and this is after a few re-starts
and surfing for a day 8)

ky331 · January 2, 2011, 1:44pm

I receieved two BeS warnings (when set to ASK) about my Wireless Connector:

C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

One about my firewall:
C:\Program Files\Comodo\Firewall\cmdagent.exe

and one more about my clock-synchronization:
C:\Program Files\D4\D4.exe

At that point, I switched back to the default of ALLOW

system · January 2, 2011, 1:56pm

Im using OA free and don’t get any BeS popups with it set to Ask. I know BeS is working cause the Analyzed count goes up. I haven’t excluded OA and Avast from each other.

system · January 2, 2011, 2:12pm

Does BeS consult the persistent cache? If it does then some of these pop ups people are seeing maybe because you excluded those applications from scanning in other shields and so there not cached and “white listed”, hence their unknown.??

system · January 2, 2011, 2:18pm

I have OA++ but I had ver 4.0 and no problems with Behav shield set to ask. I just updated OA++ to 4.5.1.351 and zero problems. I have not needed to exclude OA. I am amazed at this version of OA. Not a single pop up yet! I had upgraded a few months ago to 4.4 and had terrible problems and had to go back to 4.0. As for the latest Avast this is the first version where Behav Shield is working. It has analyzed 6364 events in the few minutes since Vista Ultimate rebooted to finish the OA++ update.

igor0 · January 2, 2011, 2:54pm

Yes, it does.

No, that’s not the case - actually, an “opposite”, in a certain sense of the word, might be more true. So, we may trigger a special “refresh” (of specific items) of the persistent cache in the next few days.

system · January 2, 2011, 3:10pm

The exclusions only apply for on-demand scans (see description). When otherwise using “ask”, you should get one popup and then if you “allow &trust” should never see it again. Check your BeS report file under Program Data/…/Reports.

Example: Got a popup, allowed it, no more popups
Reports file says:

1/1/2011 6:18:01 AM Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Internet Explorer\Main\Save Directory
By: C:\Program Files (x86)\Online Armor\oawatch64.dll
Via: C:\Program Files (x86)\CCleaner\CCleaner64.exe
→ Action allowed

But I also get entries like

2/31/2010 5:19:29 AM Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
By: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
→ Action allowed
*

avast! Real-time Shield Scan Report
This file is generated automatically
Started on: Friday, December 31, 2010 5:20:56 AM

12/31/2010 9:57:28 AM Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
By: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
→ Action allowed
*

avast! Real-time Shield Scan Report
This file is generated automatically
Started on: Friday, December 31, 2010 9:58:50 AM

12/31/2010 10:00:20 AM Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
By: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
→ Action allowed
*

avast! Real-time Shield Scan Report
This file is generated automatically
Started on: Friday, December 31, 2010 10:01:37 AM

12/31/2010 3:34:16 PM Modification of: \REGISTRY\USER\S-1-5-21-1311629033-178814953-3054948673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Moonrise Icon
By: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
Via: C:\Program Files (x86)\Moonrise\MoonriseIcon.exe
→ Action allowed
*

which didn’t generate popups, but you can’t tell that from the report. Or do the trusted processes get cleared at every boot? Or Update?

DavidR · January 2, 2011, 4:24pm

For me the Trusted processes that I added (from the behaviourshield.txt as I don’t use Ask) remained after reboot. As far as update goes I guess they too survive updates (certainly VPS) and possibly if you do a program update from the UI.

system · January 2, 2011, 4:31pm

Thanks David,
I didn’t think they got cleared, but scratching around for and explanation of the repeated allows. Maybe I got popups and forgot? doubtful, but it was with a previous version.

Behavior Shield Info Please

Announcements