Advice Request Avast Hardened Mode: still the same?

[RoboMan]

Hello guys,

Can anybody here explain to me how Avast Hardened mode works at this moment?

It used to be moderate and agressive, now it's just one option. People say the remaining option is the agressive one... Does this mean Hardened Mode still works as Agressive Mode used to work? If enabled, should Avast block execution of all unknown executable?

I'm still trying to figure it out... spent a generous 45 minutes launching all the unknown, unsigned executables I could find around and got no alert from Hardened Mode (and no blocking, of course).

So, if anybody would be so kind to explain to me how Hardened Mode is working nowadays, I would be grateful.

Thanks!

 

[Sorrento]

I have hardened mode enabled, just looked again and it actually says 'recommended for inexperienced users' which I think is new as never read that before? I rarely if ever get any flags whatever from AVAST, I don't use the AVAST extension though.

 

[Moonhorse]

In finnish it says literally this: '' With avast defensive mode you can lockdown your computer, this is recommended for inexperienced users''

I have only seen one block, with adguard, but now days later i dont even get that > whitelisted by avast

 

[Andy Ful]

Hardened Mode still blocks unknown (by Avast) files.
I compiled a totally innocent file in Autoit:

#include <GUIConstantsEx.au3>
Example()

Func Example()
    GUICreate("test GUISetTextColor", 100, 100) ; will create a dialog box that when displayed is centered
    GUICtrlSetDefBkColor(0xFF0000) ; will change text color for all defined controls
    GUICtrlCreateLabel("label", 10, 5)
    GUICtrlCreateRadio("radio", 10, 25, 50)
    GUICtrlSetBkColor(-1, 0x0000FF) ; will change text color for specified control
    GUICtrlCreateButton("button", 10, 55)
    GUISetState(@SW_SHOW) ; will display an empty dialog box

    ; Loop until the user exits.
    While 1
        Switch GUIGetMsg()
            Case $GUI_EVENT_CLOSE
                ExitLoop
        EndSwitch
    WEnd
EndFunc   ;==>Example

It simply displays the below window:

After executing it with enabled Hardened Mode, Avast displayed the alert:

 

[Andy Ful]

Anybody can check Hardened Mode in this way:

1. Copy the wordpad (write.exe) from Windows folder to another folder.
2. Use hex editor to change a few bytes.
3. Run the modified write.exe.

 

[ForgottenSeer 92963]

@Andy Ful

A respected member of this forum has written a program called Configure Defender which unleashes corporate strength capabilities of Microsoft Defender.

Regards Kees

 

[Andrew3000]

Yes, it blocks any executable that is unknown to Avast

 

[Andy Ful]

@Andy Ful

A respected member of this forum has written a program called Configure Defender which unleashes corporate strength capabilities of Microsoft Defender.

Regards Kees

I like Avast too.

 

[RoboMan]

Thank you @Andy Ful, we can always count on your knowledge regards security.

Do you think Avast Hardened Mode can be considered as strong as H_C "disallowed" regarding to blocking unknown files? Always thinking on the scenario where we're just trying to block unknown things, not block everything regarding the vendor.

 

[Andy Ful]

It is worth remembering that without the Internet connection, Avast Hardened Mode works as follows:

First scenario:

1. The file was downloaded but not executed, and then the Internet connection has been lost. If we execute this file (still not Internet access), then it will not be blocked.
2. After connecting to the Internet again, the already executed file will not be blocked.

Second scenario:

1. If the file is executed for the first time and Avast is connected to the Internet, then the file can be blocked.
2. If the file was blocked by Hardened Mode, then it will be also blocked without the Internet connection.

 

[Andy Ful]

Do you think Avast Hardened Mode can be considered as strong as H_C "disallowed" regarding to blocking unknown files? Always thinking on the scenario where we're just trying to block unknown things, not block everything regarding the vendor.

No. The Hardened Mode works only for COM, EXE, and SCR files. Its strength is kinda similar in practice to the Defender ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
There are some differences too. For example, the ASR rule can also block unknown DLLs dropped to disk and executed via rundll32.exe.

For files downloaded from the Internet (files with MOTW), the SmartScreen AppRep works with COM, EXE, and SCR files similarly to the Avast Hardened Mode. But, SmartScreen can also block MSI files. The advantage of Hardened Mode over SmartScreen follows from the fact that it can block payloads dropped without MOTW.