Windows Update is not trustworthy? Says Avast.

Avast Free Antivirus (self-updated just moments before) asked me whether some unidentified application should be allowed to run. There was no activity on that Windows 7 system other than the Windows Update I had just started. The update's progress hung, so I thought the warning might be about one of the updates. As soon as I accepted (which was not the default option), the updates went on just fine.

This is not a big deal for me, but I usually like to recommend this product to friends who would have failed and possibly messed up their updates with this stupid warning message.

See attached screenshot (edited for smaller file size).

(While I don’t follow the German text…)

I’ve found that Avast’s BEHAVIOR SHIELD often questions some of the Microsoft Updates… particularly those related to .NET.

If you’ll notice in your screen shot, the file being downloaded is a .TMP (“temporary”) file. Sometimes, malware will disguise itself as a .TMP file to bypass detection, only to rename itself later as an executable. Given this, the response by avast is understandable.

As such, whenever I see that Windows Update is including anything for .NET, I make it a point to (temporarily) DISABLE avast’s BEHAVIOR shield for the duration of the download/installation (RE-enabling it immediately thereafter).

You may also find that a similar phenomenon occurs with other programs (perhaps the Visual Studio 2010 that appears in your photo, which I don’t have installed on my system).

The behavior is not different from other tools. For example, Windows Defender would ask for your permission to let some new (or updated) driver modify the registry.

Of course, the Avast Team should always take note of this type of issue so as to improve the reactions.

I have never seen this Win Update behavior on my WIN 7 x64 installation since I have had Avast 6 installed - 9 months.

I have all shields set to the highest level including behavior shield. In fact every Avast setting offered is set to its highest level. As such, if anyone should be getting Avast alerts, it is me. Case in point, I just had two .Net 3.5 and 4.0 security Win Updates today.

Personally, I would research this further. I know from past experience with WIN XP updates, MS proxy servers have been hacked. Something MS doesn’t want to talk about.

There is no proxy server here on my home internet connection. I have disabled automatic updates for anything on my notebook as I don’t want it to download stuff when I’m on a mobile connection and software is not smart enough to figure that out, so today was the day I updated things again. The Windows/Microsoft update in question could be a few weeks old.

I always hoped that Windows can verify the integrity of the updates it downloads. At least that’s what I expect from any software update feature that’s not a simple desktop application. So a virus scanner shouldn’t need to watch those executables only to find suspicious activity and then have the user mess up something. Software installation and updating usually comes with such suspicious activity so it’s not that interesting after all.

There is no proxy server here on my home internet connection.
I was referring to the servers Microsoft uses for hosting its updates. Here in the US it is primarily Alkami.

No problem on my Windows 7 system.

Maybe you should go to:
avast!WEBforum > avast! support forums > Non-english zone > Deutsch
http://forum.avast.com/index.php?board=24.0

Well it does not happen in all systems but it surely does happen in XP if Behavior Shield is set to ask.

http://forum.avast.com/index.php?topic=86573.0

I said I was going to report back if setting Behavior Shield to auto-decide was not a good idea, in case the .NET updates were not fully installed. I did the November and December Microsoft Updates without problems, and these new .NET updates for 1.1, 2.0 and 3.5 also installed without any problems. So, either way, setting it to auto-decide or disabling the behavior shield for the duration of Windows Update will eliminate all alerts.

Unless someone from the Avast! team gives a definitive answer which way to go. So, what do you say?

So in the end, for users who cannot operate AV software and need to have it set up by someone else, and who are strongly advised to install Windows updates (which goes on its own quite well, if not disturbed by AV software), the only option is NOT to use behavioural filtering in Avast at all, for now. Would you agree?

I do not agree.
See, something very special happened to avast to trigger on just your Windows Update.
Did you change the Behavior Shield settings?

Why? Do you not know, or are you not an administrator?

I agreed. For the alerts to come up, Behavior Shield must be set to "Ask". To see how the Behavior Shield is set:

Open Avast by clicking the Avast! icon, go to Real-Time Shields and open it. Look for Behavior Shield at the bottom of the list and click it. On your right you have Expert Settings; click it, then change the option to auto-decide. See screenshot for reference.

Regards.

I checked my Avast behavior shield history last night since I had applied four WIN 7 updates yesterday afternoon. Behavior shield had a count of over 400, all recorded at the time the WIN 7 updates had been downloaded and applied. Now behavior shield normally shows a count of 20 or less a day.

I personally feel Avast behavior shield is of minimal usefulness. I do find it very interesting though that it appears to be scanning Win Updates in detail, whereas I have never seen it perform this thoroughly on anything else. It appears to me it is designed to examine changes in OS files for the most part, hence the increased activity when Win Updates occur.

As far as the original poster's issue is concerned, I believe that he might have had an existing OS file that is possibly infected or corrupted. When the corresponding Win Update was applied to that file, it caused Avast behavior shield to detect an anomaly and hence trigger an alert?

If you feel the behavior shield is of minimal usefulness, then uninstall it. But I would say that you are wrong, you only need to look at the expert settings to see why it is monitoring the windows update activity.

In the Main settings, one of the three options, Monitor the system for unauthorised modifications. Each windows update item will be changing many system settings, properties (namely registry and files) and this is no doubt the one that is going to be working overtime.

With the behavior shield on Auto (default option) you are probably less likely to get many pop-ups; however, when it is set to Ask, be prepared to get lots of questions on whether something should be allowed or not. Personally I have that option unchecked as I have WinPatrol Plus installed to monitor such system changes.

The recent .net framework updates are even more intrusive as .net gets into a lot of applications; because of the applications that I have on XP that require .NET, I actually had 3 .net updates, 2.x, 3.0 and 4.0.

So there are other choices than completely removing/disabling it, your system your choice.

With the behavior shield on Auto (default option) you are probably less likely to get many pop-ups
I do have it set to auto. I will set it to ask and see if that will at least show some alerts. Under auto mode, I have never once received an alert from behavior shield.

However, since I installed Avast I have had a total of 4194 events analyzed in 9 months with 0 suspicious events. I also believe the bulk of those 4194 events were the result of Win Update activity. In fact 1274 occurred on one day last August. That same day I installed ten WIN 7 updates. See attached Behavior Shield usage graph for the last year.

Here is a link to a YouTube video test of the .1289 Behavior Shield: http://www.youtube.com/watch?v=fnudlBZ9BDY. It didn’t do well at all in this test.

The devil is in the detail as the saying goes. :-\

Oh, I know how to configure Avast or any other AV software. My concern is when other people (see my first post) see such messages and don’t know what to do. While it’s merely bugging me, it’s actually harming those people.

Disabling those questions means leaving the decision to Avast. Given its preset response, that would probably have meant a failed update.

I have always been sceptical about that behavioural stuff. After trying any of them, I eventually disabled them all as they proved totally useless and annoying. And so seems to be Avast’s solution.

Happy new year! :)

The default action in the Behavior Shield when installing Avast! is "Auto-Decide". In this setting Avast! will allow files coming from Microsoft updates. Sample from my Behavior Shield for those updates:

30/12/2011 9:17:08 Modification of: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322
By: C:\WINDOWS\Installer\MSI9C.tmp
Via: C:\WINDOWS\system32\MsiExec.exe
→ Action allowed
30/12/2011 9:17:08 Modification of: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322
By: C:\WINDOWS\Installer\MSI9E.tmp
Via: C:\WINDOWS\system32\MsiExec.exe
→ Action allowed
30/12/2011 9:19:43 Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\aspnet_state\Type
By: C:\WINDOWS\Installer\MSI173.tmp
Via: C:\WINDOWS\system32\services.exe
→ Action allowed
30/12/2011 9:19:52 Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Start
By: C:\WINDOWS\Installer\MSI17F.tmp
Via: C:\WINDOWS\system32\services.exe
→ Action allowed
30/12/2011 9:19:52 Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Start
By: C:\WINDOWS\Installer\MSI180.tmp
Via: C:\WINDOWS\system32\services.exe

I do not know if the criteria that the Avast! team has set for the Behavior Shield will also allow other secure (white list) programs, but if the person who installs Avast does not know zip about computers, and does not mess around with Avast! settings, I am pretty sure he/she will have no problems because of it.

On the other hand, if the behavior shield is set to auto-decide and out of the blue an alert comes up, well, that is why people have a security program: to alert them of something that is not right, and if in doubt, better to block than to be sorry later on.

Happy New Year.
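The history entries quoted above have a regular shape (date and registry key, the "By:" file, the "Via:" process, and the action), so the burst of Behavior Shield events during an update can be triaged mechanically rather than read line by line. The following is an added example, not code from the thread or from Avast: the sample log is constructed to match the quoted entries (the third entry is made up, and like the thread's last entry it has no action line), and the "expected update pattern" rule (a Windows Installer MSI*.tmp acting via MsiExec.exe or services.exe) is this example's own assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the thread's Behavior Shield history.
SAMPLE_LOG = """30/12/2011 9:17:08 Modification of: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NetFxUpdate_v1.1.4322
By: C:\\WINDOWS\\Installer\\MSI9C.tmp
Via: C:\\WINDOWS\\system32\\MsiExec.exe
→ Action allowed
30/12/2011 9:19:43 Modification of: \\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Services\\aspnet_state\\Type
By: C:\\WINDOWS\\Installer\\MSI173.tmp
Via: C:\\WINDOWS\\system32\\services.exe
→ Action allowed
30/12/2011 9:21:00 Modification of: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
By: C:\\Users\\Public\\setup.tmp
Via: C:\\Users\\Public\\setup.tmp
"""

# One entry = date line, By:, Via:, and an optional "→ Action ..." line.
ENTRY_RE = re.compile(
    r"^(?P<when>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}) Modification of: (?P<target>.+)\n"
    r"By: (?P<by>.+)\nVia: (?P<via>.+)\n(?:→ Action (?P<action>\w+)\n?)?",
    re.MULTILINE)

@dataclass
class Event:
    when: str
    target: str
    by: str
    via: str
    action: str  # "allowed", "blocked", or "" when the log line is missing

def parse_events(text: str) -> list[Event]:
    return [Event(m["when"], m["target"], m["by"], m["via"], m["action"] or "")
            for m in ENTRY_RE.finditer(text)]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_installer_temp(path: str) -> bool:
    # Windows Installer unpacks packages to %WINDIR%\Installer\MSI*.tmp; this
    # example assumes that is where an update's registry writes come from.
    p = path.lower()
    return p.startswith("c:\\windows\\installer\\msi") and p.endswith(".tmp")

def triage(events: list[Event]) -> dict:
    """Count events per 'Via' process; single out entries outside the update pattern."""
    trusted_via = {"msiexec.exe", "services.exe"}
    per_via = Counter(basename(e.via) for e in events)
    unexpected = [e for e in events
                  if not (is_installer_temp(e.by) and basename(e.via) in trusted_via)]
    return {"total": len(events), "per_via": dict(per_via), "unexpected": unexpected}
```

Pointing `parse_events` at a pasted history export and looking only at `triage(...)["unexpected"]` leaves the handful of entries worth a human look, instead of the 400-plus allowed MSI events an update produces.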

The last thing you want, in my opinion, is your behavior anti-malware software interfering with Win Updates. If the “ask” option of Avast behavior shield is interfering with Win Updates, I would reset it to “auto decide.”

I really don’t know why Avast behavior shield is examining that activity in the first place. Most HIPS software I have used is smart enough to realize that activity from a valid (signed) system service with DEP is OK.

Well iroc9555 has it set to Auto decide, as mentioned in his post - The examples given by iroc9555 show that the originating file/s aren’t signed (as you imply), e.g. the .tmp files making the change/s to the registry via a third party file.

Under normal circumstances if someone told you that was happening in the viruses and worms forum you would consider it suspicious and investigate.

That is what the behavior shield is doing (because of its settings, Monitor the system for unauthorised modifications) in iroc9555’s examples, and it obviously has the smarts to allow it and not block it.

Oh, does that mean that “Ask” will not start off with the same answer that “Auto-decide” would choose itself? That doesn’t quite increase my trust in that function. If I set something to auto-decide, I expect it to do exactly what it would have recommended (= defaulted) to me in Ask mode before. If that differs, how am I supposed to learn what it would do in auto mode and gain trust that it will be the right thing? Now I’ve seen “Deny” as the default answer and so I assumed that this would have been the auto-decide action, which is not what I would accept.

I’ve heard about more false-positive chaos from AV software than it has actually saved me, so I am suspicious about AV software and really want to learn what it wants to do before I let it drive alone. Had that dialogue defaulted to “Accept”, then everything would have been fine in the first place and I would have been a bit more confident that I can safely enable auto-decide mode.

There is no preconceived answer. It just means that when there is a suspicion (based on the areas the behavior shield is monitoring), rather than the user being ‘Ask’(ed), the Auto (decide) will run through its rule set/s for that area/action and will make the decision to allow or block.

The problem being, if you set it to Ask, unless you are pretty switched on about what is on your system you are just as likely to make a wrong decision and allow something that should have been blocked (what is known as a false negative). For most people the automated decision process with its rule sets is better equipped than the end user.

There are many who actually complain that the behavior shield is not aggressive enough; whilst that may catch some unknown malware, there is then the possibility of a false positive on a legit function. So it is a fine balancing act not to be too passive or aggressive.