I went to the Behaviour Shield part of Avast 5. I clicked on “Show traffic history” and I see two infected items in the red part.
Now I want to see what the two infected items are. I did a full scan, nothing was found. A boot time scan will be done later today.
I tried to open “Show Report File” but it says nothing there.
Unfortunately the Behaviour Shield log is worse than useless as it doesn’t record detection information like the other resident shields. Why this is the case I don’t know, but it simply records when it starts and stops every day, which is pretty useless other than to see if it was running.
I’m not quite sure if Behavior Shield is even useful at all. I’ve seen it checking actions and I’ve also got blocked actions, but I have absolutely no idea what happened. Not even which process caused those blocked events, nothing. I also haven’t seen a single piece of malware actually getting blocked by it.
So either I’m observing things in a wrong way or Behavior Shield should be improved in many more ways, detection- and interface-wise.
The Behavior Shield that we shipped in version 5.0 is a new component that is going to be further developed moving forward. For example, in version 5.1, we will be adding more sensors that will allow for even finer-grain filtering.
For now, the Behavior Shield is focused on exploits coming via typical mechanisms (browser, PDF reader, and flash vulnerabilities, for example). It also closely monitors all kernel-mode code (drivers) loaded into the operating system, and is able to detect zero-day rootkits.
With the release of v5.0.545, Vlk noted…
“Improvements in the Behavior Shield (realtime antirootkit part)”
and with the release of (current) v5.0.594, Vlk noted…
The major problem as I see it is that Behaviour can be interpreted in many ways, the same as Heuristics, but the real issue here is what is actually monitored (sensors) by the Behaviour Shield. So if the behaviour shield doesn’t comply with your interpretation of what a behaviour shield would do, then you are likely to say it isn’t working or isn’t working as you think it should be.
The avast behaviour shield isn’t like things such as ThreatFire.
So it is still focused in these same areas Vlk mentioned before and will continue to evolve:
- avast! Behaviour Shield, general information from an interview Softpedia - Ondrej Vlcek
[b]Ondrej Vlcek:[/b]
The Behaviour Shield that we shipped in version 5.0 is a new component that is going to be further developed moving forward. For example, in [b]version 5.1, we will be adding more sensors that will allow for even finer-grain filtering[/b].
For now, the Behaviour Shield is focused on exploits coming via typical mechanisms (browser, PDF reader, and flash vulnerabilities, for example). It also closely monitors all kernel-mode code (drivers) loaded into the operating system, and is able to detect zero-day rootkits.
So the major improvements in behaviour monitoring, the addition of more sensors from the above (in bold), aren’t due until avast 5.1. For the most part the improvements in the new build numbers have been ones of performance, so they don’t slow system performance (which many complained of).