- Apr 13, 2013
A Crueler test of the Avast Behavior Blocker vs Ransomware.
That is a good point. The test proves that probably Avast Behavior Shield does not work correctly without File Shield. Proving something more requires not disabling the File Shield, but using the old signatures instead. Anyway, Behavior Shield failed to detect Petya Green ransomware, I think. @cruelsister
The whitelist feature of Avast (hardened mode) is (currently) related to the FILE (execution) SHIELD (because you execute a file), so don't bother to enable hardened mode when the execution filter of the file shield is disabled. The placement of this feature in the GUI as a general option is misleading, but it might have rung a bell that your samples passed the whitelist feature.
On second thoughts: your test showed that the behavior blocker scored a 100% detection. It might well be that by disabling the file (execution) shield, Avast will not stop further execution of that sample (or executables spawned by that binary).
Regards Kees
So, even with the old local signatures and active File Shield, the test will be invalid, because in the cloud the signatures are new.

The behaviour shield is linked with the File Shield in some aspects. I can't go into much detail but I'll give an example. Most of the time zero-day malware is already classified in the cloud (old malware is also classified in the cloud). Now here comes the important bit: malware is executed and IDP (behaviour shield) checks the cloud and gets a result that the file is classified as malicious, but IDP does this check "asynchronously". This means that the behaviour shield would not block the malware immediately, since the File Shield, which does the check "synchronously", would have already removed the threat before IDP got involved. File Shield does this query synchronously, e.g. it will block the malware process creation immediately while the query result gets back from the cloud. This is why sometimes some files get encrypted by ransomware before IDP reacts. This happens a lot with Petya-based samples if File Shield is disabled.
I'm not saying that the behaviour shield is a silver bullet since nothing is 100% but it would be nice to see a video with the File Shield enabled.
The file shield is also linked to whitelisting to hardened mode. Hardened mode also only targets exe files.
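The synchronous-versus-asynchronous distinction in the post above is the whole reason the outcome changes when one shield is disabled, so here is a small discrete-event model of it. This is an added illustration, not Avast code and not a description of how IDP is implemented: the latencies, the encryption rate and the behavioural threshold are constructed parameters, and the three modes ("sync" gates process creation on the cloud answer, "async" lets the process run and reacts when the answer arrives, "offline" has no cloud answer at all) are a simplified model of the posts' description.

```python
"""Constructed model of a reputation lookup at process start.

sync    : process creation is held until the cloud verdict returns (File Shield style)
async   : process starts at once; the verdict is acted on when it arrives (IDP style)
offline : no cloud verdict at all; only the local behavioural heuristic can stop it

All numbers are made up for illustration; nothing here is measured from a product.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Result:
    stopped_at_ms: Optional[int]   # simulated time the sample was stopped
    files_encrypted: int           # damage done before that moment
    stopped_by: str                # which component fired first


def run_model(mode: str, verdict: str, cloud_latency_ms: int,
              files_per_ms: int, heuristic_threshold: int) -> Result:
    """Simulate one sample. `verdict` is what the cloud would answer
    ('malicious' or 'unknown'); the behavioural heuristic (constructed) kills the
    process once `heuristic_threshold` files have been touched."""
    if mode not in ("sync", "async", "offline"):
        raise ValueError(f"unknown mode {mode!r}")

    if mode == "sync" and verdict == "malicious":
        # Process creation was suspended until the answer came back: nothing ran.
        return Result(cloud_latency_ms, 0, "cloud-sync")

    # The process is running. Under 'sync' with an unknown verdict it was released
    # only after the gate timed in; under 'async'/'offline' it started immediately.
    started_ms = cloud_latency_ms if mode == "sync" else 0
    cloud_answer_ms = None
    if mode == "async" and verdict == "malicious":
        cloud_answer_ms = started_ms + cloud_latency_ms

    encrypted = 0
    t = started_ms
    while True:
        # The asynchronous answer arrives: kill the process, keep the damage count.
        if cloud_answer_ms is not None and t >= cloud_answer_ms:
            return Result(t, encrypted, "cloud-async")
        # One millisecond of the sample running: it encrypts files_per_ms files.
        encrypted += files_per_ms
        t += 1
        # Local behavioural heuristic fires once enough files have been touched.
        if encrypted >= heuristic_threshold:
            return Result(t, encrypted, "behaviour-heuristic")


def compare_modes(cloud_latency_ms: int = 300, files_per_ms: int = 2,
                  heuristic_threshold: int = 1000) -> dict:
    """Run the same known-bad sample under each mode and report files lost."""
    return {
        mode: run_model(mode, "malicious", cloud_latency_ms,
                        files_per_ms, heuristic_threshold)
        for mode in ("sync", "async", "offline")
    }


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:8s} stopped by {r.stopped_by:20s} "
              f"at t={r.stopped_at_ms} ms, files encrypted: {r.files_encrypted}")
```

With the constructed defaults the synchronous gate loses nothing, the asynchronous reaction loses whatever the sample wrote during the round trip (600 files here), and the offline run only stops when the local heuristic trips. The model deliberately ignores everything else the posts mention (signature age, hardened mode, CyberCapture); its only purpose is to show why the same verdict yields different damage depending on whether process creation waits for it.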
If I have correctly understood Alikhan, the test is invalid by design, because of the way the Behavior Shield interacts with the cloud. It would be correct only for the true 0-day malware (not detected by the cloud). One thing is interesting in the test. The users should know that disabling File Shield automatically disables hardened mode. This is a bug, that the user can tick the hardened mode, and it does not work.

I was just trying to recreate the test of the Avast BB that was posted last week and which gave a false impression (the hardened Mode was active because I would have been criticized for not using it).
Although I actually think that Avast has made great strides in the past 9 months and is currently quite a good product (sad that it recently refuses to play nice with CF!), my primary concern is that Avast users are not misled by not well designed tests. Any of the ransomware that bypassed the Avast BB in this test can be easily morphed to a true zero day, and running into one of these even with File Shield active will result in Unnumbered Tears.
If I have correctly understood Alikhan, the test is invalid by design, because of the way the Behavior Shield interacts with the cloud. It would be correct only for the true 0-day malware (not detected by the cloud). One thing is interesting in the test. The users should know that disabling File Shield automatically disables hardened mode. This is a bug, that the user can tick the hardened mode, and it does not work.
Edit.
It would be interesting to test Avast Behavior Shield with disabled Internet connection.
I meant: It would be interesting to test Avast Behavior Shield with disabled Internet connection and enabled File Shield (forgot about the bold fragment).

The test would be better if the sample bypassed both the File Shield and Behaviour Shield with cloud enabled. Without the cloud, the behaviour shield would not do as well (I would say awful) due to the fact that old detections are moved to the cloud, plus no file shield to check synchronously. The behaviour shield does do analysis but is often slow to react; that's why when the files are analyzed by the behaviour shield, they are moved to the cloud so the file shield can block them. Personally, I'm not a fan of hardened mode and it makes CyberCapture useless.
I have Windows 10 Pro + Edge. No problems with this video (I tried both Edge and IE). So it is not an Edge / IE problem on default settings.

Here are two screenshots of what IE and Edge are doing with my computer these days.
So, this means that in that other test file shield was indeed disabled? If that's the case and Avast BB still worked, then that means that Avast behavior blocker doesn't need the File Shield.

I was just trying to recreate the test of the Avast BB that was posted last week and which gave a false impression (the hardened Mode was active because I would have been criticized for not using it).