imuade

Level 9
Verified
Hi all, I was using CCAV before, but then I moved to Avast because of some slowdowns while browsing.
With @Evjl's Rain configuration, Avast is really light and secure (y)

About CCAV, FYI, they released a beta (now a release candidate) where you can avoid Valkyrie's failure:

Here is the change list:
New:
1. Option to enable Virus Scope outside Sandbox:
- Like CIS, now you have a new option "Monitor only the applications running in the Sandbox" under "Sandbox --> Sandbox Settings" as shown in enclosed snap VirusScopeOutsideSandbox.png
2. Additional Trusted Vendor List options as discussed in wishlist item here
- Now you have following additional options under "File Rating Settings":
Do cloud lookup for trusted vendors (selected by default)
Do cloud lookup for malicious vendors (selected by default)
Do not update local list upon program updates (de-selected by default)
- And you have additional options to import and export Trusted Vendor entries under "File Rating --> Trusted Vendors" section.

The above advanced options allow you to fully control the trusted vendor list. You can export, import and then control updates and online lookups of the vendor list.
So, you can customize the trusted vendor list by deleting whoever you don't trust, and you can set CCAV not to update (overwrite) the TVL.
Then, you can set it not to check the whitelist on the cloud (previously unknown files deemed safe) and to check the blacklist only (files classified as malware or PUP), so any unknown file not digitally signed by a vendor in your custom TVL (and not trusted by the user) will be sandboxed.
No more Valkyrie bypass (at the cost of more FPs), great if you don't often install new stuff (y)
 

Decopi

Level 2
Hi @Evjl's Rain ,

I found a thread you opened (last year) about VoodooShield. Because that thread is closed, please allow me a simple question here:

What is your latest opinion about VoodooShield when compared to CF+CS settings? I saw that CF consumes fewer system resources, and also works as a firewall. So, is there any advantage to VoodooShield when compared to CF/CS?

Thanks
 

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
Hi, I haven't used VS for a very long time, so I can't really make a proper comment about it.
I can tell a few things about my past experience with VS (old version, > 1 year ago). I always used Autopilot mode, I hate prompts/popups:
- VS was heavier than CF. VS took more time to analyze files
- VS generated more popups than CF (CS settings) despite using autopilot mode -> understandable for anti-exe
- VoodooAI wasn't perfect, with quite a lot of FPs, especially for Asian applications; many of them lack a signature or are unknown to vendors
- I really liked its virustotal lookup

I think CF is better than VS in most situations: fewer FPs, speed, fewer prompts, harder to bypass

Where VS is better than CF: stability? (I heard VS is buggy in the new releases); it gives you more control than CF over what a process is doing when it is set to Always on/smart mode
 

Decopi

Level 2
hi, I haven't ... smart mode
Great answer @Evjl's Rain . Thank you!

Please, last question:
I tested VoodooShield a long time ago, and want to test it again now, just to see for myself whether it has improved. But I don't remember how to set it up. The official "User guide" has 25 pages that I don't have time to read now, and I didn't find a quick setup guide. So, please, what are the basic steps I need to set up VoodooShield? For example, I remember that after installing, it needs to work in "training" mode for a few days, and after that in "Autopilot". Is that correct? Anything else? Any other step? Settings?

Thank you in advance!
 

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
You just need to enable autopilot from the beginning and start using it. It's good enough.
Training mode is useful for Always on/smart mode, which blocks everything including safe apps, while autopilot allows completely safe apps.
if you have the pro version, disable "Automatically allow by parent process"
you are good to go

other settings are optional
basically, I just uncheck Automatically allow by parent process and turn on autopilot mode. That's it
 

imuade

Level 9
Verified
- first you MUST temporarily disable Avast's self-defense (I just realized avast can revert those hosts changes if we don't disable self-defense and don't lock the hosts file)
Settings -> troubleshooting -> uncheck "enable avast self-defense module"
- second: open C:\Windows\System32\drivers\etc\hosts (make sure it's not read-only so you can edit it) -> add the following entries and save as hosts (without any extension)
0.0.0.0 a.fortumo.com
0.0.0.0 ad.flurry.com
0.0.0.0 adlog.flurry.com
0.0.0.0 ads.flurry.com
0.0.0.0 analytics.ff.avast.com
0.0.0.0 analytics.flurry-cdn.com
0.0.0.0 api.flurry.com
0.0.0.0 api.fortumo.com
0.0.0.0 app.igodigital.com
0.0.0.0 cdn.flurry.com
0.0.0.0 data.altbeacon.org
0.0.0.0 data.flurry.com
0.0.0.0 dev.flurry.com
0.0.0.0 e.crashlytics.com
0.0.0.0 get-avast.com
0.0.0.0 googleads.g.doubleclick.net
0.0.0.0 googletagmanager.com
0.0.0.0 pagead2.googlesyndication.com
0.0.0.0 pay.fortumo.com
0.0.0.0 proton.flurry.com
0.0.0.0 stage.app.igodigital.com
0.0.0.0 v7.stats.avast.com
0.0.0.0 v7event.stats.avast.com
0.0.0.0 wutlar.fortumo.com
0.0.0.0 mobile-campaigns.avast.com
0.0.0.0 ipm-provider.ff.avast.com
0.0.0.0 stats.avg.com
- set your hosts file as read-only (to prevent avast from modifying it) or more advanced, right-click on hosts ->security tab -> edit -> deny all write rule for all accounts
- enable avast's self-defense
- settings ->
+ disable cybercapture (not helpful, IMO if you have hardened mode)
+ scroll to bottom -> Privacy -> uncheck 2 boxes
- block AvastUI.exe (outbound connection) with your firewall (if your free license expires, unblock avastui -> register for a new free license -> block again)
I tried this, but Avast somehow managed to remove some entries from the hosts file... so I have blocked those addresses in both K9 Web Protection (which, if I'm not wrong, works system-wide) and Windows Firewall.
Here are the IPs to block:
52.16.132.201
76.13.28.7
72.30.3.10
77.234.42.253
54.243.113.132
74.6.34.34
52.48.246.16
184.73.217.242
69.147.64.34
184.73.148.59
74.6.144.143
68.180.240.56
107.22.214.66
206.54.170.109
74.125.70.157
74.125.124.97
74.125.132.154
54.72.6.27
72.30.3.80
107.20.33.202
77.234.42.253
77.234.42.252
136.243.9.208
23.45.134.219
77.234.44.93
104.91.202.101
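The hosts-file guide quoted above and imuade's firewall workaround, scripted as an added example (this is not code from the thread or from Avast; the AvastUI.exe path and the firewall rule name are assumptions). It applies the guide's steps idempotently, so it can be re-run after Avast rewrites the file, and it ends with the check a practitioner would want: asking the system resolver, which honours the hosts file, whether each name now maps to 0.0.0.0. It blocks AvastUI.exe by program path rather than by IP, because the addresses listed above belong to shared cloud/CDN ranges and change over time. One caveat on the file lock: a Deny-Write ACE and the read-only attribute stop ordinary writers, but a service running as SYSTEM with backup/restore privileges can still replace the file, which is consistent with the report above that Avast removed entries anyway.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# with Avast self-defense temporarily disabled (Settings -> Troubleshooting).
# Assumption: AvastUI.exe is at the default install path below.
$hosts    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$avastUi  = 'C:\Program Files\Avast Software\Avast\AvastUI.exe'   # assumed path
$ruleName = 'Block AvastUI.exe outbound'                           # assumed name

# Hostnames from the guide above.
$domains = @(
    'a.fortumo.com', 'ad.flurry.com', 'adlog.flurry.com', 'ads.flurry.com',
    'analytics.ff.avast.com', 'analytics.flurry-cdn.com', 'api.flurry.com',
    'api.fortumo.com', 'app.igodigital.com', 'cdn.flurry.com', 'data.altbeacon.org',
    'data.flurry.com', 'dev.flurry.com', 'e.crashlytics.com', 'get-avast.com',
    'googleads.g.doubleclick.net', 'googletagmanager.com',
    'pagead2.googlesyndication.com', 'pay.fortumo.com', 'proton.flurry.com',
    'stage.app.igodigital.com', 'v7.stats.avast.com', 'v7event.stats.avast.com',
    'wutlar.fortumo.com', 'mobile-campaigns.avast.com', 'ipm-provider.ff.avast.com',
    'stats.avg.com'
)

# 0. Lift the lock left by a previous run, otherwise the edits below are denied.
$acl = Get-Acl -Path $hosts
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path $hosts -AclObject $acl
Set-ItemProperty -Path $hosts -Name IsReadOnly -Value $false

# 1. Append only the entries that are missing, so re-running never duplicates lines.
$existing = Get-Content -Path $hosts
$missing = $domains | Where-Object {
    $d = [regex]::Escape($_)
    -not ($existing -match "^\s*0\.0\.0\.0\s+$d\s*(#.*)?$")
}
if ($missing) {
    Add-Content -Path $hosts -Encoding Ascii -Value ($missing | ForEach-Object { "0.0.0.0 $_" })
}

# 2. Lock the file: read-only attribute first (changing attributes needs write
#    access), then an explicit Deny-Write ACE for Everyone. Deny ACEs win over
#    Allow ACEs, including Administrators', so step 0 must run before any edit.
Set-ItemProperty -Path $hosts -Name IsReadOnly -Value $true
$acl  = Get-Acl -Path $hosts
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'Everyone', 'Write', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $hosts -AclObject $acl

# 3. Block outbound traffic from AvastUI.exe by program path (the guide's last step).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $avastUi `
        -Action Block -Profile Any | Out-Null
}

# 4. Verify through the system resolver (Resolve-DnsName bypasses the hosts file,
#    so it cannot be used here). Every name must now resolve to 0.0.0.0.
$leaks = foreach ($d in $domains) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($d) | ForEach-Object { $_.IPAddressToString }
        if ($addrs -notcontains '0.0.0.0') { $d }
    } catch {
        "$d (lookup failed)"
    }
}
if ($leaks) { Write-Warning "Not blocked: $($leaks -join ', ')" } else { 'All hosts entries active.' }
```

Re-enable Avast self-defense after the script finishes. To edit the file by hand later, rerun step 0 (or remove the Everyone/Deny entry from the file's Security tab), since the Deny ACE also blocks Administrators.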
 

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
@Evjl's Rain ... did you test any other anti-executable? (out from CF & VS)
The IPs he blocked above are safe. The URL list was made by me, then he converted it to IPs. It's completely safe, as there is no malfunctioning in Avast.

I tested novirusthanks exe radar pro (free) and crystal security
I didn't like them much
Anyway, I abandoned any anti-exe because they generate too many prompts for my liking.
 

dJim

Level 5
Verified
But guys, can anyone see the point? The last post is talking about blocking Avast telemetry... sounds familiar from Windows 10... Damn, is there a program or OS where you don't need to worry about telemetry? BTW, don't confuse telemetry with spying. The Comodo team explained they used telemetry to see how users use the interface, which module is used more and such things, nothing about your history, passwords etc. Not all telemetry is bad; some of it helps a lot to improve those programs which we love to use.
 

slash/

Level 6
All telemetry is the same. It's good for us since we get a better product through the improvements it provides. It's good for the vendor since they can improve their product (and probably sell our behaviour for money). It's bad for us because it invades our privacy. Also, it can't be stopped, no matter how hard you try to block it. You can mitigate some of it, but vendors are smarter than that.
 

Decopi

Level 2
I abandoned any anti-exe because they generate too many prompts for my liking
Absolutely agree with you. In addition, CF/CS works as an anti-exe in a very simple and minimalist way, also with very low system impact.
I just asked because I try not to be in love with my choices. But I can't find anything better than CF/CS + Avast Free.
 

Pirate_fin

Level 1
Can I add those entries to hosts before installing Avast, or would it mess up the installation?