Q&A Avast Hardened Mode: still the same?

RoboMan

Hello guys,

Can anybody here explain to me how Avast Hardened mode works at this moment?

It used to be moderate and aggressive, now it's just one option. People say the remaining option is the aggressive one... Does this mean Hardened Mode still works as Aggressive Mode used to work? If enabled, should Avast block execution of all unknown executables?

I'm still trying to figure it out... spent a generous 45 minutes launching all the unknown, unsigned executables I could find around and got no alert from Hardened Mode (and no blocking, of course).

So, if anybody would be so kind to explain to me how Hardened Mode is working nowadays, I would be grateful.

Thanks!
 

Sorrento

I have Hardened Mode enabled, just looked again and it actually says 'recommended for inexperienced users', which I think is new as I never read that before? I rarely if ever get any flags whatsoever from AVAST; I don't use the AVAST extension though.
 

Moonhorse

In Finnish it says literally this: "With Avast defensive mode you can lock down your computer, this is recommended for inexperienced users"

I have only seen one block, with AdGuard, but now, days later, I don't even get that > whitelisted by Avast
 

Andy Ful

Hardened Mode still blocks unknown (by Avast) files.
I compiled a totally innocent file in AutoIt:

Code:
#include <GUIConstantsEx.au3>
Example()

Func Example()
    GUICreate("test GUISetTextColor", 100, 100) ; will create a dialog box that when displayed is centered
    GUICtrlSetDefBkColor(0xFF0000) ; will change the default background color for all controls defined afterwards
    GUICtrlCreateLabel("label", 10, 5)
    GUICtrlCreateRadio("radio", 10, 25, 50)
    GUICtrlSetBkColor(-1, 0x0000FF) ; will change the background color of the last created control (the radio)
    GUICtrlCreateButton("button", 10, 55)
    GUISetState(@SW_SHOW) ; will display the dialog box

    ; Loop until the user exits.
    While 1
        Switch GUIGetMsg()
            Case $GUI_EVENT_CLOSE
                ExitLoop
        EndSwitch
    WEnd
EndFunc   ;==>Example

It simply displays the below window:

1639257136621.png


After executing it with enabled Hardened Mode, Avast displayed the alert:

1639257505641.png
 

RoboMan

Thank you @Andy Ful, we can always count on your knowledge regarding security.

Do you think Avast Hardened Mode can be considered as strong as H_C "disallowed" regarding blocking unknown files? Always thinking of the scenario where we're just trying to block unknown things, not block everything regarding the vendor.
 

Andy Ful

It is worth remembering that without the Internet connection, Avast Hardened Mode works as follows:

First scenario:
  1. The file was downloaded but not executed, and then the Internet connection has been lost. If we execute this file (still no Internet access), then it will not be blocked.
  2. After connecting to the Internet again, the already executed file will not be blocked.

Second scenario:
  1. If the file is executed for the first time and Avast is connected to the Internet, then the file can be blocked.
  2. If the file was blocked by Hardened Mode, then it will be also blocked without the Internet connection.
 

Andy Ful

RoboMan said:
Do you think Avast Hardened Mode can be considered as strong as H_C "disallowed" regarding blocking unknown files? Always thinking of the scenario where we're just trying to block unknown things, not block everything regarding the vendor.

No. The Hardened Mode works only for COM, EXE, and SCR files. Its strength is kinda similar in practice to the Defender ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
There are some differences too. For example, the ASR rule can also block unknown DLLs dropped to disk and executed via rundll32.exe.

For files downloaded from the Internet (files with MOTW), the SmartScreen AppRep works with COM, EXE, and SCR files similarly to the Avast Hardened Mode. But, SmartScreen can also block MSI files. The advantage of Hardened Mode over SmartScreen follows from the fact that it can block payloads dropped without MOTW.
 
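The coverage differences described in the last reply (file extensions and the role of MOTW), as an added PowerShell example that is not part of the original thread: it reads the Zone.Identifier stream of each file in a folder and reports which of the three mechanisms would evaluate it. The function names, the demo folder and the `.dll`-only extension of the ASR set are assumptions made for illustration; the rule GUID is the one Microsoft documents for the ASR rule named in the post, and the last step assumes the Defender PowerShell module is present.

```powershell
# Added example, not from the thread. Extension sets restate the post above.
$HardenedExt    = '.com', '.exe', '.scr'    # Avast Hardened Mode
$SmartScreenExt = $HardenedExt + '.msi'     # SmartScreen AppRep (needs MOTW)
$AsrExt         = $HardenedExt + '.dll'     # ASR rule: approximation of "similar, plus DLLs"
$AsrRuleId      = '01443614-cd74-433a-b99e-2ecdc07bfc25'  # rule GUID, Microsoft docs

function Get-MotwZoneId([string]$Path) {
    # MOTW is stored in the NTFS alternate data stream "Zone.Identifier"
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (($ads -join "`n") -match 'ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

function Get-ReputationCoverage([string]$Folder) {
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $ext  = $_.Extension.ToLowerInvariant()
        $zone = Get-MotwZoneId $_.FullName
        $motw = ($null -ne $zone) -and ($zone -ge 3)   # 3 = Internet, 4 = Restricted
        [pscustomobject]@{
            File         = $_.Name
            ZoneId       = $zone
            HardenedMode = $ext -in $HardenedExt
            SmartScreen  = $motw -and ($ext -in $SmartScreenExt)
            AsrRule      = $ext -in $AsrExt
        }
    }
}

# Constructed sample: placeholder files; two are tagged as Internet downloads
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
foreach ($n in 'downloaded.exe', 'dropped.exe', 'setup.msi', 'payload.dll') {
    Set-Content -Path (Join-Path $demo $n) -Value 'placeholder'
}
foreach ($n in 'downloaded.exe', 'setup.msi') {
    Set-Content -Path (Join-Path $demo $n) -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}
Get-ReputationCoverage $demo | Format-Table -AutoSize

# Configured action for the ASR rule (0 = off, 1 = block, 2 = audit, 6 = warn)
$mp = Get-MpPreference -ErrorAction SilentlyContinue
$ids = @($mp.AttackSurfaceReductionRules_Ids)
$action = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $AsrRuleId) { $action = $mp.AttackSurfaceReductionRules_Actions[$i] }
}
"ASR rule ${AsrRuleId}: $action"
```

The `dropped.exe` row is the case the post singles out: it carries no MOTW, so the SmartScreen column is False while the Hardened Mode column is True.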