… is a feature to directly exclude files from the “actions to take” window.
It’s unreasonable having to go to the chest with every false positive detection or to turn off some of the protection just to start a download with a fp detected file.
It’s inconvenient to exclude files in advance.
Like I’ve written in another topic: What if Avast finds a legit Windows file suspicious and when it gets removed or sent to chest, you instantly get a BSOD and from then on can’t even boot up Windows anymore?
With the recent increase of false positives since Avast 2014 came out and because even with Avast 8 you can’t directly exclude files which are categorized as viruses - only suspicious (evo_gen32 something in Avast 2014) files and downloads - I’ve lost all my longstanding trust and that’s why I’ve already moved on to another anti-virus.
Avast used to be good in my opinion when the false positive rate was almost non-existent and there was an option to directly allow file access to false positives which would be rather rated as suspicious than as virus threats, but with the state it is in now (regardless of version 8 or 2014), I don’t want to think about that there might be a high possibility that one day, Avast will detect a harmless Windows system file or itself, move it to the chest and as a result, I would either need to re-install or to use some image backups which would mean wasted time if I need to update Windows and/or programs again even with the process of having to revert to an older system image.
So my question is, why does Avast exclude this option and make it even worse in Avast 2014, because you can’t exclude suspicious rated files and downloads on demand anymore?
There are plenty of ways within avast to exclude URLs, processes and applications.
They mean nothing if a legit system file triggers a false positive. Or do you think it would be a good idea to exclude the whole Windows folder in advance?
Adding a "do nothing" scenario to the actions on finding a virus would be madness.
No, from my point of view it is madness not having a "do nothing" scenario.
I'd rather scream at Avast if my machine were crippled because of some false positive alarm than because of my own decision.
If I can have a choice, I will never regret it, because that's something that I myself have decided, however, if I can't have a choice and things screw up, I will put the blame on the program which robbed me of my decision and I believe, others would do the same.
That is why on the File Shield settings, I set everything to ASK first then Repair and then if that fails, Remove to Chest. During ask, I can decide for myself if it looks like a false positive, especially if it is a critical system file (I have run into that once already with avast) because I always have a disk and system image backup available. But, not that many people could or would do that.
I had only set it to ask, because I always want to have the time to evaluate it and because I don’t trust the repair or chest, however, the problem is that during ASK I can’t decide to let the file through if it’s a false positive so I would end up using a system image and most users won’t even have that, so they would even need to re-install windows in the worst case.
Or another solution would be to hard shutdown your computer and to try making exclusions in safe mode or to uninstall it, before it can delete or move something to chest but that might be risky for the hardware or I could force shutdown Avast by terminating the processes with the right tool and immediately halt all file shields on restarting it before excluding the file but that would leave a really bad impression.
I mean, you shouldn’t need to disable any shield just to make an exception on demand. That’s just stupid.
YES! The software needs the capability to ALLOW THIS FILE THIS TIME, and also an IGNORE THIS RULE UNTIL NEXT (DEFINITIONS OR PROGRAM) UPDATE feature.
Maybe not available as the default, but power users need to be able to configure it as an option to the “Ask” option.
I started out asking for exactly this a month or so ago when I was fighting a false positive as well. I was told, as some are telling in this thread, that there are other ways to do it. Those other ways are not sufficient!
Here’s a scenario that the current “exclude after the fact” measures do not work with.
You’re building software sources into executables.
Avast triggers a false positive and kills an intermediate file that has a temporary name assigned by the build software.
You can’t tell it to IGNORE THIS FILE, THIS TIME, so the build fails, interrupting your productivity. Neither can you tell it to exclude the particular (flawed) rule that made the false positive happen in the first place. This forces you to deal with the Avast! problem immediately.
You go to the Chest and try to exclude that file from there, but next time you build the file is given a different temporary name, so the build fails and you spin your wheels some more. This forces you to have to move from “set it and forget it” to “expert” level in Avast configuration.
You finally, in disgust, exclude your entire development folder structure so you can get back to work after having been distracted for a good long time figuring out the convoluted Avast! UI. Hopefully you haven’t been fired yet, and you have to work late to catch back up.
You submit the file as a false-positive, wasting more of your time that you could be working.
Some weeks / months later, MAYBE some other Avast issue makes you remember that you’ve excluded an entire block of your disk from all protection and you remove the exclusion (and maybe the false-positive detection has been corrected). Hopefully some malware hasn’t found a way to use that exclusion to its advantage.
Locked (running) system files cannot be removed, you wouldn’t instantly get BSOD. Besides, there are safeguards that prevent deleting and quarantining of files in system folders (generic location based and whitelisting along with digital signatures).
and that’s only a small amount of topics. However, even if I could trust Avast on this matter, when it comes to deleting/moving files without an option to leave them alone, I still wouldn’t want to continue using it, just take a look at NoelC’s example.
Is there any official wording as to why Avast doesn’t offer an exclude on demand feature in the system file shield and in the web shield when set to ask?
But not a lot of users are able to make these advanced user decisions to discriminate between FP or genuine detection or even to the nature of the detection.
Seems a lot of users do not really trust the av solution they choose. Whenever a detection is made they go into denial or do like to ignore because it interferes with whatever they like to do at that very moment. Users are generally more irritable nowadays. Some go into denial, some blame avast, but they never start from the PEBKAC point of view. In a lot of cases it is not “What is avast critically missing?”, but “What is this user critically missing?”.
We even had users here that started to defend developers of insecure code despite the infection was being fully and extensively explained to them.
Of course this attitude can be understood for miscreants and those that want to evade blackhat SEO spam detection or for instance users of crack code and illegal code.
Best policy is to check a detection for validity online or ask here on the forums and then act decidedly, report FPs as they can happen, but are a low percentage always and are known to soon be cured/repaired within a coming update.
Direct exclusions are often searched by gamers that like to cheat or developers that claim FPs on packer code or common users that do not know the workings of the av solution or how to allow potential unwanted programs.
Then finally there is a percentage of users that like to rant because of ranting and they fall into the category forum trolls,
Wow, so you’re saying that if Avast! put in the ability to allow a file that’s come up on Avast’s radar to be used anyway, that everyone would just blithely choose to allow it anyway, despite the warning.
Are you really saying every user has so little sense or impulse control that he/she would choose to infect themselves even after being told their file has malware in it, and that even power-users cannot be trusted to enable the ability to bypass the detection under some conditions?
Do you think that excluding whole blocks of the disk structure is better? Perhaps Avast! should remove that as well?
Who do you think owns the computer?
As someone who knows what he’s doing with a computer, I’d pay extra for the options I noted.
Now you are taking my answer out of context. Whenever you start to use the av solution avast makes a scan and gives you an ability to allow programs and tools you’d trust. If something happens as with what you describe, everybody is up in arms against avast detecting part of the valid OS as a FP. Believe me soon we are being flooded by messages. So that is not the point, why this thread has been started in the first place? Is the bottom line here? I like to use your av solution but only under my conditions only. Why use an av solution anyway? Avast does only detect a file when the solution finds malcode or takes some code to be that.
What if you have the freedom to exclude a nasty file infector and later only could use the computer for a door stopper. Excluding blocks of disk structure is because they cannot be scanned, and also sometimes happens to prevent cross detection as with MBAM code files for instance, etc.
You own the computer and avast owns the software you decided to have on it and you can choose to use that software or not. If a full detection pattern is not to your liking then choose something more to your liking - an inferior solution or an av sieve! ;D
I am not against using a file that comes up on the avast radar. I strongly advise all users to report these file detections (file a FP report from inside the file detection to avast) or report as FP in the virus and worms for a general discussion. What I am against is the possibility of users circumventing a valid detection. Malcreants would praise the day we allowed that and it would make the product quite worthless and unreliable. So until you exclude in advanced mode avast keeps alerting and detecting. You have so many options as to fine tune the av solution. So what is the bottom line of your critique?
If you are looking for an anti-virus that is built to each user’s preferences, ain’t gonna happen.
There will always be someone wanting this and another that. There has to be some give and some take.
I don’t know of “any” software which includes every individual want into their software.
If you want to exclude, then exclude and be done with it.
There is no way that even a complete nitwit is going to send a “vital” OS file to the chest.
avast will always ask before sending a vital file to the chest.
Only this: There are situations the current toolset doesn’t handle well at all. Having to exclude whole subsections of the disk in order to circumvent a temporary false positive is hitting a gnat with a sledgehammer.
Ignoring the possibility that false positives can happen is just silly. They ARE happening. More than ever now as the landscape evolves, from what I can see.
I laid out my suggestions to fix it above, in capital letters. Seems to me an “ignore this rule until next update” would be an awesome way to keep 99.999% of the product intact while allowing a user to work nicely around a problem. It’s certainly less risky than just disabling shields or turning off protection on a block of disk space, and that IS happening now.
When observed reality doesn’t match theory, one has to change.
NoelC has already given a clear example why the current situation disrupts legit workflow and you keep on restricting the message to cracks and other illegal stuff even though it has never been a subject in this thread nor in the other threads I’ve linked as examples? Way to talk about prejudices!
As if that wasn’t enough, you even picture anyone who is for an “exclude in dialog” feature as people who have some issues? If you’re going on like that, I’ll stop taking you seriously, however I’ll still give you a chance to behave more respectfully (and no, greetings alone without direct assaults don’t necessarily mean respectful behavior), so let’s go on with the main topic:
I’ve already moved to another AV, so there is no reason for a rant in the first place, which you’ve suspected. Instead, I’ve only wanted to share my opinion as to why I’ve decided to leave Avast to help the developers improve with the feedback I’ve been giving as a small thank you for doing a good job in the past and because I feel that I’m not alone with that point of view.
There is also a difference between a permanent and a temporary whitelisting. In my opinion, a permanent whitelisting should only be the last means of effect in case a program or system file is detected and it should only be done if nothing else helps while a temporary whitelisting should be the first thing to do to prevent the program or the system from breaking, because it allows you to check for yourself (for example on VT and/or with other on-demand scanners) before a crisis begins. A temporary whitelisting also doesn’t interrupt the current workflow and guarantees that the files and/or the system is safe in case of false positives.
With the current way, people need to know beforehand which files are triggered and it is absolutely impossible to evaluate that, because in the next hour some file could get detected in a streaming update while you’ve already made a full scan with no detection.
Your biggest argument was that leaving this option out would increase security, however that is a very wrong assumption. Let’s go back to the example NoelC made. Any user working in the productive sector would need to exclude whole folders in their work, but what if a malware would spread to the excluded folder without any fear of being detected forever? Wouldn’t it be better to have alerts every time to double check the suspicious files first and then to exclude them file by file if they’re harmless?
Of course, you could also exclude them in advanced settings, but that’s not the same as excluding them on demand and it wastes time and therefore money, even in the best case, that the chest would be working without any issues and that the programs/and or the system wouldn’t get affected which would mean more time spent to fix a potential mess an anti-virus caused.
Reporting false positives might be nice for the developers, but not everyone has the time and inclination to do so, especially when we’ve been talking about an extreme increase of the FP rate since the last couple of months.
So far, I hope you and others might understand the quintessence of this topic.
Best regards,
Randissimo
edit:
There is no way that even a complete nitwit is going to send a “vital” OS file to the chest.
avast will always ask before sending a vital file to the chest.
The problem is, there is no option to exclude this vital file or to postpone the decision even when you’re asked.
Thanks for the praise. I do get a little bit the exact impression you’ve mentioned, but if others with a similar mindset on this topic would come to add their opinion just like you did, I wouldn’t feel cornered by Avast’s fanboys and -girls at all.
By the way: What does the “watched symbol” mean? I don’t hope that it means you’ve been marked as a “bad guy”, because from what I’ve read in your other postings aside from this topic, you simply stated your opinions with clear arguments even if it meant going against the “everything’s o.k.” - policy.
If this thread will get me “watched” too, then I’m sorry to bother even though I’ve already switched to another AV.
I’ll reply just to show my support. Being critical is not the same as flaming or being hostile. Not taking for granted but seeing room for improvement and providing feedback is valuable and should be seen as such. After FPs causing enormous troubles in the past, for example when AVG marked a core windows system32 dll as virus and it automatically removing it left many thousands of people unable to boot their pc, I’m all for an option to whitelist a file. It should not be an easy -click away the annoyance- button, but if an advanced user goes as far to choose ‘ask’ instead of automatic he/she should be able to determine NOT to quarantine or delete a file when asked what to do.
I addressed that situation. It is a worst case scenario for any av solution and alas not only avast! and AVG experienced such incidents. Because of the impact it sometimes makes headlines in newspapers - someone in development twisted the handles and the error has spilled out to users and will be cured with a next streaming update. In such cases I also would hope there was an in-between solution, sometimes the next streaming update is not good enough,