
Online_Sword

Just now I tested the hardened mode with an EXE that can trigger the hardened mode (aggressive) in the online case.
The following tests were conducted on my virtual machine running Win 7 (32-bit).
I will reboot my virtual machine after each test.

Test 1: Online -> Offline

I first double click my EXE in the online case.
It is immediately blocked by the hardened mode.

Then I cut off the network connection of the virtual machine and double click my EXE several times.
It is always blocked as long as I do not reboot the virtual machine.

Test 2: Offline -> Online

I first double click my EXE in the offline case.
It is NOT blocked by avast in that case.
Then I connect my virtual machine to the network and double click my EXE several times.
It is always allowed to run as long as I do not reboot the virtual machine.

Test 3: Online -> Offline -> Reboot -> Offline

I first double click my EXE in the online case.
It is immediately blocked by the hardened mode.
Then I cut off the network connection of the virtual machine and double click my EXE several times.
It is always blocked as long as I do not reboot the virtual machine.

Then I reboot my virtual machine and keep my virtual machine offline.
This time my EXE is allowed to run when I double click it.

Test 4: Offline -> Online -> Reboot -> Online

I first double click my EXE in the offline case.
It is NOT blocked by avast in that case.
Then I connect my virtual machine to the network and double click my EXE several times.
It is always allowed to run as long as I do not reboot the virtual machine.
Then I reboot my virtual machine and keep my virtual machine online.
This time my EXE is blocked by avast when I double click it.

To sum up:

1. The hardened mode depends heavily on the cloud lookup.
2. The strategy of the hardened mode is "default allow", not "default deny". So when it cannot connect to the cloud, it will allow EXEs to run by default rather than blocking them.
- I personally like "default deny" better.
3. The result of the cloud lookup is only stored until the reboot.

Question:

I would like to know whether the HIPS of avast also depends on the cloud or not.
I do not know how to trigger the HIPS of avast...
 
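As an added illustration (not the poster's code and not avast's), a small Python model of the behaviour the four tests describe: a per-boot verdict cache plus a policy for what to do when the cloud is unreachable. The cloud verdict table and the "reboot clears the cache" rule are assumptions taken from the test results; switching the policy to default deny shows how tests 2 to 4 would come out under a fail-closed design.

```python
from enum import Enum


class Policy(Enum):
    DEFAULT_ALLOW = "allow"  # fail open: unknown file + no cloud -> runs
    DEFAULT_DENY = "deny"    # fail closed: unknown file + no cloud -> blocked


class HardenedModeModel:
    """Constructed model of a cloud-backed execution gate (assumption, not avast code)."""

    def __init__(self, policy, cloud_verdicts):
        self.policy = policy
        self.cloud = cloud_verdicts  # path -> "block" / "allow", what the cloud would answer
        self.cache = {}              # verdicts remembered until reboot (assumed from tests 3/4)
        self.online = True

    def reboot(self):
        self.cache.clear()           # test 3/4: the cached verdict does not survive a reboot

    def execute(self, path):
        if path in self.cache:       # tests 1/2: first verdict is reused while up
            return self.cache[path]
        if self.online:
            verdict = self.cloud.get(path, "allow")
        else:                        # no cloud: the policy decides
            verdict = "allow" if self.policy is Policy.DEFAULT_ALLOW else "block"
        self.cache[path] = verdict
        return verdict


def run_scenario(policy, steps, path="unknown.exe"):
    """Replay a list of 'online' / 'offline' / 'reboot' / 'exec' steps; return verdicts."""
    gate = HardenedModeModel(policy, {path: "block"})  # constructed: the cloud says block
    results = []
    for step in steps:
        if step == "online":
            gate.online = True
        elif step == "offline":
            gate.online = False
        elif step == "reboot":
            gate.reboot()
        elif step == "exec":
            results.append(gate.execute(path))
    return results


# The four sequences from the post, as step lists.
TESTS = {
    "test1": ["online", "exec", "offline", "exec", "exec"],
    "test2": ["offline", "exec", "online", "exec", "exec"],
    "test3": ["online", "exec", "offline", "exec", "reboot", "exec"],
    "test4": ["offline", "exec", "online", "exec", "reboot", "exec"],
}
```

Running each sequence with `Policy.DEFAULT_ALLOW` reproduces the observed verdicts; with `Policy.DEFAULT_DENY` the offline first run in tests 2 and 4 is blocked and stays blocked.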

Atlas147

Hmmm, I understand why the devs would default allow when the cloud cannot be reached, but when it's back online it should check the cloud again before allowing it again.
 

Online_Sword

New finding: Exclusion from Aggressive Hardened Mode

In the general settings panel, you can exclude files from hardened mode, but only singular files, not folders. In the past, I thought there was no way to exclude an entire folder from hardened mode. If so, it would be inconvenient, especially for programmers.

Just now, I found that we can actually exclude an entire folder from the hardened mode. In the exclusion tab of the settings panel for the file protection, you can exclude files and folders from the real-time monitoring of reading (R), writing (W), and execution (X), respectively.

In the past, I thought in that panel, we can only exclude things from the traditional on-access scanning.

But now my tests show that, if you exclude a file / folder from the monitoring of execution, then that file / folder will not be blocked by the hardened mode.

Users can use wildcards here, so I think it could be very convenient, but it will not significantly influence the security.

New question: different behavior in Win XP and Win 7.

I am testing the hardened mode in both Win XP and Win 7 (both in virtual machines).

In Win XP, each time I just open the folder which contains unknown executable files, a pop-up comes out, as slow as a very old gentleman who wants to cross a very busy street with no traffic light.

But in Win 7, the pop-up is shown only when I double click the unknown executable files, which is just what I need.

I should say I cannot understand the behavior of the hardened mode in Win XP.
 

Deleted Member 333v73x

What do you guys think of 'Hardened Mode' on 'Aggressive'? I was considering it because it may act like a mini anti-executable.
 

Online_Sword

@Anti-Malware Reviewer :

If my memory serves me right, the aggressive hardened mode of avast cannot handle CMD, let alone the other interpreters.

By contrast, the real anti-exe programs should be able to handle the scripts, interpreters, and other vulnerable processes properly.

Another problem is that the whitelist corresponding to the aggressive hardened mode is invisible to the users. We cannot specify what can be trusted except making some exclusions with the method mentioned in #7.

Therefore, in my opinion, the aggressive hardened mode may not be as powerful as a real anti-exe program.

However, it is still a good feature when you have a stable network connection to the cloud server of avast :), because according to the following link, the hardened mode is much tighter than DeepScreen:

DeepScreen, Hardened Mode
 