Regarding the avast! behavior blocker: feature requests

I’m currently toying around with avast!'s behavior blocker, and it seems to complement System Safety Monitor perfectly by providing the file defense capabilities that SSM lacks, serving as a very nice defense layer against unknown malware.

There are three feature requests, or small tweaks, if you will, that I’d like to place for it, if possible:

  1. Enable logging of the behavior blocker prompts. Even after turning on logging options all down the way to the lowest level, the behavior blocker prompts still don’t show up in the avast! log. This would primarily be useful to check to see what changes a process tries to effect to the file hierarchy after I deny everything it tries to do.

  2. Add a “Deny All” button to block all further actions this process tries to perform. This would be useful for certain worms that search for and infect all executable files of a HDD. Without the Deny All button I was forced to terminate a process using SSM after repeatedly clicking on Deny for ~50 times.

  3. Allow the user to see the full path of the file a process is trying to access. If the path is too long, then it gets shortened and replaced by period symbols, and the user has no idea if a malicious process is trying to open c:\windows\system32\svchost.exe or c:\windows\system32\some folder\another folder\yet another folder\svchost.exe for writing. Adding a popup balloon that displays the full path as the user hovers the mouse cursor over the shortened path that the prompt window displays would be very nice.

Thanks in advance.

Indeed, it’s a feature for very old viruses…

Well… they’re good suggestions and a good wishlist.
Just that I think Alwil won’t give priority to Behavior Blocker. Maybe I’m wrong…

I found this:
[i]Apart from the fact that the Behavior Blocker is an old feature and its usefulness is very limited in today’s Windows environment (it may be best to remove it completely), your conclusions are wrong. It is a blocker of suspicious behavior (thus preventing an unknown virus from spreading or performing its payload), not a protector of system files.

Almost all the actions on your computer are performed by .exe files. If you prevent .exe files from executing their actions (such as opening a file for writing), you block almost everything - Word won’t be able to write the .doc file, the e-mail client won’t be able to save the downloaded e-mail, programs won’t be able to store their settings. The operation “opening a file for writing, performed by an .exe file” is very common and there’s nothing suspicious about it. On the other hand, the operation “opening an .exe file for writing” is much less common and more suspicious (actually, I think it’s even more suspicious when it’s performed by a file with an .xyz extension - that cannot even be started in an ordinary way - than by an .exe file). It will prevent files (like BAT, VBS, WSH, SCR, EXE…) from executing their actions.[/i]

Oh, not at all, not by a long shot. ;D

You’d be surprised to see how much unknown malware it stops dead cold if you know how to use it properly. Almost all malware these days need to drop their component files or create copies of themselves before they activate, and this is when the behavior blocker whacks them dead. Without going into the specifics, one very common and useful function would be to prevent drive-by downloads in unpatched copies of IE.

Still, it’s a rather crude implementation of the concept, with next-to-zero configurability. Which I imagine might turn many people off from using it.
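As an added example (not avast!/Alwil code, and not part of anyone's post above), here is a toy policy engine that puts the three requested tweaks next to the quoted heuristic: it prompts only when a process opens an executable-type file for writing, remembers a per-process "Deny All", and logs every decision with the untruncated path. The extension list and the sample events are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass, field

# Hypothetical list of executable-type extensions (the quoted post names BAT, VBS, WSH, SCR, EXE).
EXEC_EXTENSIONS = {".exe", ".bat", ".vbs", ".wsh", ".scr"}

@dataclass
class FileEvent:
    pid: int
    image: str   # process image name
    path: str    # full target path (constructed sample values in simulate())
    mode: str    # "read" or "write"

@dataclass
class BehaviorBlocker:
    """Toy engine: prompt only on suspicious events, remember Deny All, log full paths."""
    deny_all_pids: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def is_suspicious(ev: FileEvent) -> bool:
        # Heuristic from the quoted post: opening an executable-type file for writing.
        # ntpath handles the Windows-style backslash paths on any platform.
        return ev.mode == "write" and ntpath.splitext(ev.path)[1].lower() in EXEC_EXTENSIONS

    def handle(self, ev: FileEvent, prompt) -> str:
        """prompt(ev) stands in for the user's click: 'allow', 'deny' or 'deny_all'."""
        if ev.pid in self.deny_all_pids:
            verdict = "deny"            # request 2: no further prompts for this process
        elif not self.is_suspicious(ev):
            verdict = "allow"           # ordinary activity, e.g. Word saving a .doc
        else:
            choice = prompt(ev)
            if choice == "deny_all":
                self.deny_all_pids.add(ev.pid)
            verdict = "allow" if choice == "allow" else "deny"
        # requests 1 and 3: every prompt/decision is logged, with the full path kept intact
        self.log.append(f"pid={ev.pid} {ev.image} {ev.mode} {ev.path} -> {verdict}")
        return verdict

def simulate() -> BehaviorBlocker:
    """Constructed events: a document save, then a worm-like process touching several .exe files."""
    bb = BehaviorBlocker()
    events = [
        FileEvent(100, "winword.exe", r"c:\docs\report.doc", "write"),
        FileEvent(200, "dropper.xyz", r"c:\windows\system32\some folder\another folder\svchost.exe", "write"),
        FileEvent(200, "dropper.xyz", r"c:\program files\app\app.exe", "write"),
        FileEvent(200, "dropper.xyz", r"c:\windows\notepad.exe", "write"),
    ]
    answers = iter(["deny_all"])   # the user clicks Deny All at the first prompt
    for ev in events:
        bb.handle(ev, lambda e: next(answers, "deny"))
    return bb
```

Running `simulate()` yields one prompt for the whole worm-like process instead of one per file, and the log shows the full target paths rather than a truncated display string.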