Regarding the Avast Aggressive Hardened Mode


Online_Sword (thread author)

Just now I tested the hardened mode with an EXE that can trigger the hardened mode (aggressive) in the online case.
The following tests are conducted on my virtual machine running win 7 (32-bit).
I will reboot my virtual machine after each test.

Test 1: Online -> Offline

I first double-click my EXE in the online case.
It is immediately blocked by the hardened mode.

Then I cut off the network connection of the virtual machine and double-click my EXE several times.
It is always blocked as long as I do not reboot the virtual machine.

Test 2: Offline -> Online

I first double-click my EXE in the offline case.
It is NOT blocked by avast in such a case.
Then I connect my virtual machine to the network and double-click my EXE several times.
It is always allowed to run as long as I do not reboot the virtual machine.

Test 3: Online -> Offline -> Reboot -> Offline

I first double-click my EXE in the online case.
It is immediately blocked by the hardened mode.
Then I cut off the network connection of the virtual machine and double-click my EXE several times.
It is always blocked as long as I do not reboot the virtual machine.

Then I reboot my virtual machine and keep it offline.
This time my EXE is allowed to run when I double-click it.

Test 4: Offline -> Online -> Reboot -> Online

I first double-click my EXE in the offline case.
It is NOT blocked by avast in such a case.
Then I connect my virtual machine to the network and double-click my EXE several times.
It is always allowed to run as long as I do not reboot the virtual machine.
Then I reboot my virtual machine and keep it online.
This time my EXE is blocked by avast when I double-click it.

To sum up:

1. The hardened mode highly depends on the cloud lookup.
2. The strategy of the hardened mode is "default allow", not "default deny". So when it cannot connect to the cloud, it will allow EXEs to run by default rather than blocking them.
- I personally like "default deny" better.
3. The result of the cloud lookup will only be stored until the reboot.

Question:

I would like to know whether the HIPS of avast also depends on the cloud or not.
I do not know how to trigger the HIPS of avast...

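The four tests above can be read as one decision rule: a per-boot cache of verdicts in front of a cloud lookup, with a fixed answer when the cloud is unreachable. The Python below is an added example written for this thread, not Avast's code and not anything posted by the thread's participants. It assumes exactly that structure, with one switch for fail-open ("default allow") versus fail-closed ("default deny") and a second switch for whether the offline fallback verdict is cached until reboot, then replays the four test sequences against the observed policy and against a default-deny one. The whitelist and file names are constructed.

```python
"""Toy model of a cloud-gated execution policy.

Constructed to reproduce the four online/offline tests in the post above;
it is an illustration, not Avast's actual implementation.
"""

ALLOW, BLOCK = "allow", "block"

# Constructed cloud whitelist: only these file identifiers are known-good.
CLOUD_WHITELIST = {"signed_vendor_tool.exe"}


class HardenedModeModel:
    def __init__(self, fail_open=True, cache_fallback=True):
        self.fail_open = fail_open            # "default allow" when the cloud is unreachable
        self.cache_fallback = cache_fallback  # remember the offline fallback verdict until reboot
        self.online = True
        self.cache = {}                       # per-boot verdict cache: file_id -> verdict

    def reboot(self):
        # Observation 3 in the post: cached verdicts do not survive a reboot.
        self.cache.clear()

    def execute(self, file_id):
        if file_id in self.cache:
            return self.cache[file_id]
        if self.online:
            verdict = ALLOW if file_id in CLOUD_WHITELIST else BLOCK
            self.cache[file_id] = verdict
        else:
            # Cloud unreachable: fall back to the configured default policy.
            verdict = ALLOW if self.fail_open else BLOCK
            if self.cache_fallback:
                self.cache[file_id] = verdict
        return verdict


def run_scenario(model, steps, file_id="unknown.exe"):
    """Drive the model through a step list and collect the verdict of each 'run'."""
    verdicts = []
    for step in steps:
        if step == "online":
            model.online = True
        elif step == "offline":
            model.online = False
        elif step == "reboot":
            model.reboot()
        elif step == "run":
            verdicts.append(model.execute(file_id))
        else:
            raise ValueError(f"unknown step: {step}")
    return verdicts


# The four sequences from the post, as constructed step lists.
SCENARIOS = {
    "Test 1: online -> offline": ["online", "run", "offline", "run", "run"],
    "Test 2: offline -> online": ["offline", "run", "online", "run", "run"],
    "Test 3: online -> offline -> reboot -> offline":
        ["online", "run", "offline", "run", "reboot", "run"],
    "Test 4: offline -> online -> reboot -> online":
        ["offline", "run", "online", "run", "reboot", "run"],
}


def run_all(**model_kwargs):
    """Run every scenario on a fresh model built with the given policy switches."""
    return {name: run_scenario(HardenedModeModel(**model_kwargs), steps)
            for name, steps in SCENARIOS.items()}


if __name__ == "__main__":
    policies = [
        ("observed: default allow, fallback verdict cached", {}),
        ("default deny, recheck cloud once back online",
         {"fail_open": False, "cache_fallback": False}),
    ]
    for label, kwargs in policies:
        print(label)
        for name, verdicts in run_all(**kwargs).items():
            print(f"  {name}: {verdicts}")
```

With the observed switches the model yields exactly the post's results (Test 2 stays "allow" after reconnecting, Test 4 only blocks after a reboot). Flipping `cache_fallback` alone gives the behaviour Atlas147 asks for below: the offline "allow" is not remembered, so the first run after reconnecting consults the cloud and blocks.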
jamescv7

@Online_Sword: The HIPS of Avast is also passive, and it categorizes to detect any suspicious behaviour, unlike the typical classic way, so pop-ups are fewer.

Atlas147

Hmmm, I understand why the devs would default allow when the cloud cannot be reached, but when it's back online it should check the cloud again before allowing it again.

Solarlynx

It's nice to hear Avast developing HIPS. Will Avast free have HIPS as well?

Kate_L

I hope someone told them about this. They need to change to "default deny", else you are a target. Good job with this test :)

Online_Sword (thread author)

New finding: Exclusion from Aggressive Hardened Mode

In the general settings panel, you can exclude files from hardened mode, but only singular files, not folders. In the past, I thought there was no way to exclude an entire folder from hardened mode. If so, it would be inconvenient, especially for programmers.

Just now, I found that we can actually exclude an entire folder from the hardened mode. In the exclusion tab of the settings panel for the file protection, you can exclude files and folders from the real-time monitoring of reading (R), writing (W), and execution (X), respectively.

In the past, I thought that in that panel we could only exclude things from the traditional on-access scanning.

But now my tests show that, if you exclude a file/folder from the monitoring of execution, then that file/folder will not be blocked by the hardened mode.

Users can use wildcards here, so I think it could be very convenient, but will not significantly influence the security.

New question: different behavior in Win XP and Win 7.

I am testing the hardened mode in both win XP and win 7 (both are in the virtual machine).

In win XP, each time I just open the folder which contains unknown executable files, a pop-up comes out, as slow as a very old gentleman who wants to cross a very busy street with no traffic light.

But in win 7, the pop-up is shown only when I double-click the unknown executable files, just as I need.

I should say I cannot understand the behavior of the hardened mode in Win XP.

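The folder exclusion described in the post above removes everything it matches from the hardened mode, so the wildcard pattern is effectively a policy statement. The Python below is an added example written for this thread, not Avast's matcher and not code posted by anyone here. The thread does not say which wildcard syntax Avast accepts, so glob-style `*` and `?` matching, `*` spanning subfolders, and case-insensitive Windows paths are all assumptions. It checks paths against execution (X) exclusion patterns and reports which of a constructed set of high-risk locations a pattern would also exempt, which is the check to run before trusting that a convenient wildcard "will not significantly influence the security".

```python
import fnmatch
import ntpath

# Constructed sample of locations a defender would not want exempted from
# execution monitoring; used only to measure how broad a pattern is.
CANARY_PATHS = [
    r"C:\Users\alice\Downloads\installer.exe",
    r"C:\Users\alice\AppData\Local\Temp\update.exe",
    r"C:\Users\Public\share\tool.exe",
    r"C:\Windows\Temp\setup.exe",
]


def normalize(path):
    """Lower-case and use backslashes, so matching is case-insensitive and
    tolerant of forward slashes (assumed Windows path semantics)."""
    return ntpath.normcase(path)


def is_excluded(path, patterns):
    """True if the path matches any execution (X) exclusion pattern.

    Assumed semantics: '*' and '?' are glob wildcards, '*' may span
    subfolders, and a pattern ending in a backslash means the whole folder.
    """
    p = normalize(path)
    for pattern in patterns:
        pat = normalize(pattern)
        if pat.endswith("\\"):
            pat += "*"
        if fnmatch.fnmatchcase(p, pat):
            return True
    return False


def hardened_mode_applies(path, patterns):
    """The post's observation: an X exclusion takes the file out of hardened mode."""
    return not is_excluded(path, patterns)


def exemption_reach(pattern):
    """Which canary locations a single pattern would also exempt."""
    return [c for c in CANARY_PATHS if is_excluded(c, [pattern])]


def audit_exclusions(patterns):
    """Map each pattern to the canaries it reaches; an empty list means narrowly scoped."""
    return {pat: exemption_reach(pat) for pat in patterns}


if __name__ == "__main__":
    # Constructed rules: a project build tree, a whole profile tree, and a bare extension.
    rules = [r"C:\dev\myproject\*", r"C:\Users\*", "*.exe"]
    for pat, hits in audit_exclusions(rules).items():
        verdict = "narrow" if not hits else "also exempts " + ", ".join(hits)
        print(f"{pat!r}: {verdict}")
```

A per-project pattern such as `C:\dev\myproject\*` reaches none of the canaries, which is the convenience the post describes at little cost; `C:\Users\*` or `*.exe` exempt Downloads and Temp folders too, which turns the hardened mode off exactly where unknown executables usually land.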
Deleted Member 333v73x

What do you guys think of 'Hardened Mode' on 'Aggressive'? I was considering it because it may act like a mini anti-executable.

Online_Sword (thread author)

@Anti-Malware Reviewer:

If my memory serves me right, the aggressive hardened mode of avast cannot handle CMD, let alone the other interpreters.

By contrast, the real anti-exe programs should be able to handle the scripts, interpreters, and other vulnerable processes properly.

Another problem is that the whitelist corresponding to the aggressive hardened mode is invisible to the users. We cannot specify what can be trusted except making some exclusions with the method mentioned in #7.

Therefore, in my opinion, the aggressive hardened mode may not be as powerful as a real anti-exe program.

However, it is still a good feature when you have a stable network connection to the cloud server of avast :), because according to the following link, the hardened mode is much tighter than DeepScreen:

DeepScreen, Hardened Mode