Plexx
Thread author
Review is by no means targeted at the general users. Such custom settings were tweaked for the advanced user who knows what he/she is doing. Please bear this in mind.
For the purpose of this review (since it is a comparison with another custom approach), MBAM and EEK were updated on the same day as the mentioned approach (1st of July), then Avast was updated to the latest version and signatures. Once updates were done, Cloud and automatic updates were disabled for a fair comparison. Links were tested on the 1st of July.
Custom settings: Refer to the attachment screenshot and the scan settings below. Note as well that the settings not shown in the screenshot and text below are the same as in the other custom approach.
Code:
Quick scan
Sensitivity | Medium heuristics, Scan for PUP, Follow links during scan
Packers | DOS, Win32, Droppers
Performance | Normal scan priority, Check "speed up scanning using persistent cache"
No Report files or Exclusions
Full system scan
Sensitivity | High heuristics, Use code emulation, Scan for PUP, Follow links during scan
Packers | All packers
Performance | High scan priority, Check "store data about scanned files in the persistent cache"
No Report files or Exclusions
Select folder to scan - (used for malware packs).
Scan | Scan all files
Sensitivity | High heuristics, Use Code Emulation, Scan for PUP, Follow links during scan
Packers | All packers
Performance | High scan priority, Uncheck the below options in Persistent cache
No Report files or Exclusions
Links (refer to attachment): Out of 19 links, 9 bypassed the Web Shield: plugnrex and jackpotcity. Note that jackpotcity is actually an online casino powered by Microgaming and is considered by most AV vendors as a PUP/PUA.
Malware packs:
Collection of 66, 39 and 49 packs from MT. Unpacked and placed together: a total of 154 files.
Detection:
123/154 - 79.87%
Note that the scan used above was the Folder Scan.
Since I did not see any activity from the File System Shield, I decided to disable all shields apart from the File System Shield and executed support_251.exe and 1726989408.isr 04.exe from malc0de, which were dated 1st of July (not available in the original links). No reaction was observed with the 2 infections.
I then re-enabled all shields and, from the leftovers, executed 20 of them, of which 2 were the Security Shield and Live Security Platinum fake AVs.
By the first infection, Security Shield, it suddenly stopped responding (which I suspect was the work of the File System Shield). I then left the Live Security Platinum fake AV as the last sample, and this time Avast didn't get 'killed'. Used rkill to kill the fake AV processes and then did a full scan with Avast. The result was 9 files detected, but only 5 could be removed (including the PUP jackpotcity). The AutoIt script with a decompression bomb was the file that couldn't be removed by Avast (no action available). This was the exact same scenario in the previous custom test, but I forgot to mention the name, so apologies for this.
Restarted in safe mode and ran MBAM. Finally started Windows as normal and did a final scan with EEK.
[attachment=1602][attachment=1607]
The machine is now completely clean, apart from the need to manually uninstall all leftovers from Jackpotcity, since Avast only deleted the main EXE.
Final verdict:
Once again a simple approach to maximize Avast's potential prior to version 6. Unfortunately the cleaning capabilities leave something to be desired and there should be an improvement. The file that bypassed the Web Shield from plugnrex was actually detected by Avast in a full scan, but I expected the File System Shield to react and it didn't. By the time a scan is done, the system is already infected.
I expected the File System Shield to interact more, or at least do its job better than expected, but unfortunately it was not the case. Without the Sandbox and Behaviour Shield enabled, the File System Shield does not run at its full potential.
Based on all the above, my rating is 3 stars.
On the other approach, I did say:
Note that the upcoming review of the other custom settings will also be graded as 3 unless it surpasses the results of this review.
Unfortunately I did not see a huge difference, therefore my rating remains at 3 stars.
Note that Avast Free is still a great product; however, to maximize its full potential, the user will have no choice but to use nearly all the shields, while the Mail/IM/P2P shields can be fully optional. This leaves nearly no room for a good custom secure approach on its own.
Note that this is only my opinion. Other users might have other opinions and I will respect that.