Questions about Blocker in Avast Home

Avast Free Antivirus / Premium Security
1

I set Avast Home to block bat files to create, save and delete files.
I manually create a bat file to delete other files. Avast does not warn me. I modify the bat file and save it. Avast warns me. I use that bat file to delete that bat file. Avast warns me.

Therefore does this mean that the blocker function only prevents files from deleting and saving themselves only, but not prevents them from deleting other files? The help function does not mention this very clearly.

2

It should not block the files you’re about to delete (from *.bat file) which have different file extension than those you see in the standard shield provider. Is it possible ?

3

Before modifying setting, I created a bat file with name xyz.bat:
del c:\aaa.txt

I saved it, and blocked bat files using blocker as specified in the attached diagram. I created aaa.txt. Then I ran xyz.bat. Avast did not warn me. Strange. aaa.txt was deleted by xyz.bat. I modified the xyz.bat.
del c:\bbb.txt

I saved the file, but Avast warned me. Good. I allowed it. Then I created bbb.txt, and ran xyz.bat. Avast did not warned me. Strange. bbb.txt was deleted by xyz.bat. I modified the xyz.bat.
del c:\xyz.bat

I saved the file, and Avast warned me. Good. I allowed it. I ran xyz.bat. Avast warned me. Good. xyz.bat disappeared since it was deleted by ifself.

Therefore I have the question why xyz.bat can delete txt files without Avast’s warnings. Is this the true function of blocker that those blocked operations are valid only for those specified file extensions?
Thanks.

4

It seems that the purpose of blocker is to protect files having file extensions entered in the setting. I originally thought that it protects other files from being created, modified, or deleted by files having file extensions entered in the setting. Then blocker, to me, is no longer useful. It protects those specified files (exe, scr, com…) as well as viruses, worms and trojans. One may draw the conclusion that blocker is a tool to protect viruses, since most viruses have file extensions like exe.

5

Yeah yesterday i tested it too and it’s purpose is wrong IMO.
It should prevent files like BAT,VBS,WSH,SCR,EXE… to execute their actions,rather than protecting target files with extension BAT,VBS,WSH,SCR,EXE… from those actions…

So if file Dumb_ass.scr attempts to Open file explorer.exe for writing (just example),blocker should warn you that Dumb_ass.scr attempts to open file for writing. In this case Dumb_ass.scr should be blocked by Blocker.

Same should be if Erase_system.bat attempts to erase whole WINDOWS or SYSTEM32 folder. Erase_system.bat should be blocked,because it attempts to delete all system files.
Damn it’s quiet hard to describe such complicated text in english :slight_smile:

6

Appart from the fact that the Behavior Blocker is an old feature and it’s usefullness is very limited in today’s Windows environment (it may be best to remove it completely), your conclusions are wrong. It is a blocker of suspicious behavior (thus preventing an unknown virus to spread or perform its payload), not a protector of system files.

Almost all the actions on your computer are performed by .exe files. If you prevent .exe files from executing their actions (such as opening a file for writing), you block almost everything - Word won’t be able to write the .doc file, e-mail client won’t be able to save the downloaded e-mail, programs won’t be able to store their settings. The operation “opening a file for writing, performed by an .exe file” is very common and there’s nothing suspicious about it. On the other hand, the operation “opening an .exe file for writing” is much less common and more suspicious (actually, I think it’s even more suspicious when it’s performed by a file with .xyz extension - that cannot even be started in an ordinary way - than by an .exe file).

It’s the operation “opening the file for writing” that is blocked - so it doesn’t matter if you say “Dumb_ass.src file was blocked”, or “Opening exeplorer.exe was blocked” - it’s the same action. The same holds for deleting the system folder. If you mean the announcement window should show something else (or some more info), you may be right - but it’s rather a cosmetical issue :wink: