I want to suggest adding start items monitor to behavior shields besides the 3 items in the expert settings.
Making a suggestion to monitor when you don’t say monitor for what isn’t going to help pushing a suggestion.
When the File System Shield already does that (scan/monitor) when they start.
The three entries in the expert settings are loose enough to monitor this (depending on what it is you want to monitor), as malware-like behavior or unauthorised modification.
But if it is just the creation of new startup entries then there are many free products that already do that, WinPatrol for instance and some HIPS based firewalls, etc.
WinPatrol’s Startup entry monitor is excellent even in the free version:
http://www.winpatrol.com/startup.html
CCleaner (any of the 3 editions/builds) also has this function. Autoruns is another one. MSconfig (already in Windows). It depends how deep you want to get in the startup process.
Never use MSconfig as a start up manager as it could cripple Windows bootup!
http://www.blackviper.com/2002/09/24/why-cant-i-use-msconfig-to-change-my-services-in-windows-xp
Never use MSconfig as a start up manager as it could cripple Windows bootup!
http://www.blackviper.com/2002/09/24/why-cant-i-use-msconfig-to-change-my-services-in-windows-xp
I respectfully disagree. Any advanced tool is “risky” if you don’t know what you are doing. So, if MSConfig shouldn’t be used because of the posted reasons in that link, then neither CCleaner (in any of its capabilities) nor any other.
The user should know what exactly can be disabled. Those saying:
“blindly disable all just to test” are indeed giving a bad suggestion.
There is always a limit about how much a user can help another one from posts in a forum, or by just reading an article.
The responsibility is always in the hands of the owner of the system.
And what makes you think that the Behavior Shield doesn’t already monitor the startup locations?
What I mean is that if avast monitors start items and sees if an untrusted process wants to add something to the startup folder or registry autorun, because most malware, especially trojans and backdoors, set themselves to start when the system starts.
Yes, that’s one of the things the Behavior Shield is already doing. Just set it to Ask mode and you should be able to see the prompts…
Thanks
Vlk
The only setting in the Behavior shield that implies (through vagueness, hence inference by the user) that it covers monitoring of startup items is the “Monitor the system for unauthorized settings” option. Well, I suppose users could guess this means inclusion of startup entry monitoring (and hope it covers them all since even WinPatrol missed a few in its startup monitor until they got notified of their deficiencies).
So let’s assume this option includes monitoring of ALL startup entries: Run[Once] key, Startup folder, scheduled tasks, WinLogon event, application load event, etc. I’ve done many installs and have yet to get a popup from Avast telling me that a new startup item was added by that install. WinPatrol alerted me but not Avast’s Behavior shield. After reading this forum thread, I went into the settings and noticed that the Behavior shield was configured to “Auto-decide” for its action. That must be the install-time default for Avast since I don’t remember ever even seeing this option. So if Avast is making its own decision, on what criteria is that decision based? Is there a whitelist of known good installers or applications where Avast will remain silent when they add a startup entry? Obviously, so far, and based on unknown criteria or perhaps some whitelist, Avast has yet to announce to me that something I installed or how I configured an app defined a new startup item or created a new NT service. There are apps where you can configure them to modify the load behavior of an app (i.e., load event) or add shell extensions to a different program so how do I know that Avast alerts on those? Does it cover the Winlogon events? Does it cover everything on which SysInternals’ AutoRuns will report?
Why would Avast be silent even for “good” apps that create new startup entries and/or new services or new events or new shell extensions? I still want to know if an installer or app created a new startup item. Quicktime adds its superfluous qttask startup entry that I permanently block Quicktime from regenerating by using WinPatrol but I still have to know about it to take action on it. ATI’s Catalyst driver wants to add its own startup entry (to make loading it faster when opened later) along with its ATI Hotkey Poller service (which I don’t want since I configure ATI to not use hotkeys and don’t load its tray icon process, anyway, so I have to also disable this superfluous service). I’d still have to know that a new startup item or a new service or a new Winlogon event or a new startup/shutdown script got defined to prompt me that I might want to check them out.
According to its help, “The default action is “Auto-decide”, which means avast! will decide whether or not it should be allowed based on a range of criteria”. So they added this monitoring (how comprehensive and what criteria is unknown) but effectively discarded this feature with their choice for a default setting.
I will change the action setting from “Auto-decide” to “Ask” to see from now on if Avast alerts me about new startup items and new services just like WinPatrol already does. I specifically added WinPatrol because Avast’s Behavior shield was NOT giving me those notifications.
There is no “all” startup entries - those interested will always come up with new ones, i.e. the list will always grow. But no, it probably doesn’t cover everything in AutoRuns (which, again, adds new entries pretty often).
Yes, the default is auto-decide, because most users would have no idea what the message means or how to answer it; the default for most avast! settings is to decide automatically and not bother the user.
The Behavior Shield is not meant to be a HIPS asking ten times a minute for user’s decision - so I’m afraid that’s not what you are looking for. It tracks specific operations, watches relations of those performing the operations… and supplies that information to the scanning engine, thus making it possible for various heuristic detections to work. When the requesting process looks suspicious according to various criteria, specific operations are blocked (or asked, if configured that way) - but you most likely won’t get asked for most ordinary programs (such as QuickTime or Catalyst), sorry.
There is no “all” startup entries - those interested will always come up with new ones, i.e. the list will always grow. But no, it probably doesn’t cover everything in AutoRuns (which, again, adds new entries pretty often).
I have not seen AutoRuns constantly or even frequently adding new entries. When Windows, any version, gets released, where and how startup items can be defined is fixed. The only ones that I know that can change afterward are the shell extension or load events added to the apps via registry entries. From what I recall, those types of entries are also standard and, in fact, Nirsoft and other utilities simply scan the registry for what entries meet that criteria (so an on-access monitor could also see those types of new entries).

Yes, the default is auto-decide, because most users would have no idea what the message means or how to answer it; the default for most avast! settings is to decide automatically and not bother the user.
Most users don’t know what all the prompts from Online Armor, Comodo firewall, ZoneAlarm, WinPatrol and other security products mean until they get prodded to find out. That doesn’t stop those same users from installing and using those security products. Users can also choose what level of prodding they get. Changing from auto-decide to Ask provides this same level of control but you and I disagree on what should be the default. Auto-decide seems to nullify the point of this feature (so having it disabled by default would be another option to eliminate users from having to make decisions). It seems simple enough to include a “Use auto-decide from now on (hide this prompt)” option in the popup alert, just like a “remember your choice” option available in many products. Those who feel annoyed by the prompt, especially if they have no clue what it means or simply don’t want to bother with finding out, can change the behavior at the prompt. Those that like to be told that the startup state of their host has changed would leave the prompt to show. The feature isn’t nullified by hiding it with the auto-decide setting and the user sees they can choose to hide or leave it. Dialogs often include a config setting in their windows. Yes, this probably falls under feedback or a request for enhancement.

The Behavior Shield is not meant to be a HIPS asking ten times a minute for user’s decision - so I’m afraid that’s not what you are looking for. It tracks specific operations, watches relations of those performing the operations… and supplies that information to the scanning engine, thus making it possible for various heuristic detections to work. When the requesting process looks suspicious according to various criteria, specific operations are blocked (or asked, if configured that way) - but you most likely won’t get asked for most ordinary programs (such as QuickTime or Catalyst), sorry.
Except that this feature is a HIPS function. If there were 10 prompts per minute or even per day then the user is making lots of changes to their host with lots of installs and would know why they are getting those prompts (they just made a change and they would just get the prompt) or there really is something seriously wrong with their host and they probably should get alerted about it.
Most HIPS products (well, all that I’ve used) let the user state that all current startup items are okay and to accept them. The product lists all the startup items it found and then merely asks the user if they want to allow all of them. The user says yes and that’s the last time they see that prompt until a NEW startup item was found - and that shouldn’t be 10 times per minute or 10 times per day and, for most users, it shouldn’t be 10 times per month, either. Anything checking for startup items should find ALL of those that already exist when the security product is installed, display that list, and let the user select which ones are okay and which aren’t. That’s just ONE TIME the user needs to make a choice. New startup items added after that should not appear at some humongous rate but at the rate at which the user installs programs or makes config changes in their apps (that have to do with adding/modifying a startup item).
Remember that we’re not talking about a HIPS product that tracks system changes by child process called by a parent process to ask users if the child is permitted to run by the parent. That would result in lots of subsequent prompts just to use the OS and apps. We’re talking about startup items. Those should NOT be changing by some excessive rate - if they are then the user SHOULD get notified.
How many times in the last MONTH has your startup list changed? When it changed, it wasn’t during or right after you did an app install? Or right after you modified an app’s config that added or modified a startup item? And how many times was that in the last month? If you’re seeing the startup list changing 10 times per minute, day, or month then you are definitely not the typical user or even an expert user and something is severely changing the state of your host if you weren’t aware of why so many changes were getting made.
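
The accept-once, then prompt only for new or changed entries model described in the post above, as an added Python example that is not part of the thread and not code from avast!, WinPatrol or any other product named in it. It reads only the Run/RunOnce registry keys; the function names, the `approve` callback and the sample snapshots are assumptions made for illustration.

```python
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Only the Run/RunOnce keys are read here; the Startup folder, scheduled tasks,
# services and Winlogon entries mentioned in the thread would need collectors too.
RUN_KEYS = [("HKLM", RUN), ("HKLM", RUN + "Once"), ("HKCU", RUN), ("HKCU", RUN + "Once")]

def collect_run_keys():
    """Snapshot Run/RunOnce values as {(location, name): command}. Windows only."""
    import winreg  # imported lazily so the diff logic below runs on any OS
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, value, _type = winreg.EnumValue(key, i)
                    snap[(hive + "\\" + path, name)] = str(value)
        except OSError:
            continue  # key absent or not readable by this user
    return snap

def diff_startup(baseline, current):
    """Entries that are new, changed or removed relative to the accepted baseline."""
    added = {k: v for k, v in current.items() if k not in baseline}
    changed = {k: (baseline[k], v) for k, v in current.items()
               if k in baseline and baseline[k] != v}
    removed = {k: v for k, v in baseline.items() if k not in current}
    return added, changed, removed

def review(baseline, current, approve):
    """Ask approve(kind, key, command) only about new or changed entries.
    Returns the new accepted baseline; rejected entries stay out of it, so they
    are reported again on the next run."""
    added, changed, _removed = diff_startup(baseline, current)
    accepted = {k: v for k, v in baseline.items() if k in current}
    for key, cmd in added.items():
        if approve("new", key, cmd):
            accepted[key] = cmd
    for key, (_old, cmd) in changed.items():
        if approve("changed", key, cmd):
            accepted[key] = cmd
    return accepted

# Constructed sample snapshots (not taken from a real system).
HKLM_RUN, HKCU_RUN = "HKLM\\" + RUN, "HKCU\\" + RUN
BASELINE = {(HKLM_RUN, "QuickTime Task"): r'"C:\Program Files\QuickTime\qttask.exe" -atboottime'}
CURRENT = dict(BASELINE)
CURRENT[(HKCU_RUN, "Updater")] = r"C:\Users\demo\AppData\Roaming\upd.exe"
```

On Windows, `review(saved_baseline, collect_run_keys(), approve)` would be run at each check with the returned dictionary saved as the next baseline; a changed command under an existing name is reported as well as a brand-new entry.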