Why Avast "Hardened mode" is faulty!

Status
Not open for further replies.

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
I just tried installing the new Avast R4 Beta, and as usual I tried installing over the top of the existing version, as suggested on the forums and in the Avast forum!
"Hardened mode" was on in the previous version, set to moderate.
This is what I get:
In other words "Avast Hardened mode" in my eyes at least, cannot discern correctly when a program is safe or not with a default block policy!
I know I can setup an exclusion but I don't think this is an acceptable option!
Any opinions from other members appreciated!:)
 

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
Yeah, it's a love/hate relationship with Avast.
I agree!
I really don't know the mechanics behind hardened mode, as I only installed it to give it a shake-up!
But at least we should get some indication as to why a program is blocked in terms of what threat it presents if any to the user!
 

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
Behavioral blockers make it harder to determine the type of malware.
A worm can execute code like a trojan, and a trojan can also execute code like a rogue.
It's harder to define a "threat" type..

The best config is the normal config :p
Thanks for the reply but I bet if I turned Avast hardened mode off and ran some malware the computer would be compromised?!:)
 

Littlebits

Retired Staff
May 3, 2011
3,893
Don't get me wrong Avast is an excellent AV, but just like with any AV if you download and run infected files sooner or later you will get infected. Just always download files from safe sources. Hopefully they will eventually make improvements to Hardened Mode.

Thanks. :D
 

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
One of my pet hates with the more aggressive behaviour analysis is that there is no attempt to analyse the context. So legitimate programs get blocked (just to be safe).

A good example: a few years back when I used Avast, it blocked a legitimate Java update with the normal config, no information displayed, just the filename and a link to a page for 'more information' which basically told me 'files that are blocked are potentially malicious and could harm your computer'.. Yup. Oh hello Avast, yep block file (could be malicious), bye bye Java update.. Oh hello Java drive-by...:D
 

Striker

Level 7
Verified
Mar 27, 2013
327
I just tried installing the new Avast R4 Beta, and as usual I tried installing over the top of the existing version, as suggested on the forums and in the Avast forum!
"Hardened mode" was on in the previous version, set to moderate.
This is what I get:
In other words "Avast Hardened mode" in my eyes at least, cannot discern correctly when a program is safe or not with a default block policy!
I know I can setup an exclusion but I don't think this is an acceptable option!
Any opinions from other members appreciated!:)
You need to switch to aggressive.. it uses a cloud whitelist of known programs. You don't get that popup on aggressive mode..
 

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
I like how it says "If you're sure you want to run the program" on a mode intended for inexperienced users... I could name far too many people whose reaction to that (on any file) would be "of course I'm bloody sure I want to run it, that's why I opened it, stupid thing. Exclude"...
 

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
I like how it says "If you're sure you want to run the program" on a mode intended for inexperienced users... I could name far too many people whose reaction to that (on any file) would be "of course I'm bloody sure I want to run it, that's why I opened it, stupid thing. Exclude"...
Indeed there is no indication as to WHY the file is being blocked!
As a Kaspersky user I will get a block and an indication as to why it was blocked >>> trojan etc.
 

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
Indeed there is no indication as to WHY the file is being blocked!
As a Kaspersky user I will get a block and an indication as to why it was blocked >>> trojan etc.

And what are the bets that if there were some 'computer psychic' who could actually talk to Avast and ask it why the file was blocked, it would reply, with a raspy wisdom... "Signature 0X27CB was matched"... Ah ok, now I know it's safe, thanks for the help Avast.
 

avast! Protection

Level 2
Verified
Jun 27, 2014
51
I will try to explain how avast! Hardened works and why it behaves differently.

By default, avast! checks suspicious files which are not yet known by putting them in a sandbox environment to see how they behave (DeepScreen). If the antivirus finds nothing suspicious in files' behaviour, it automatically starts the application after analysis. The Hardened mode works a bit differently.

As you are aware, the Hardened mode has two settings - Moderate and Aggressive. In my opinion, the two options should swap their names, as I find the Aggressive mode less intrusive and safer. :D

I will explain why:

Moderate Setting: When the moderate setting is turned on, avast! automatically blocks files that are detected as suspicious by initial analysis. As I explained above, avast! normally puts potential threats in the sandbox and, if nothing is found, starts them automatically. The Moderate hardened mode, on the other hand, stops suspicious files' execution right there.

Aggressive: The Aggressive mode analyses if the file is included in avast!'s white-list database located in avast! Cloud. If the file is present in the white-list (flagged as safe), avast! allows it to be executed.

I think that the Hardened mode with white-listing check has potential in the future, as the number of malware threats grows every second and AV vendors may come to a point where it will be easier to check if a given application is white-listed, rather than heavily relying on the heuristic analysis of 0-day threats, as a day may come when the number of threats will be bigger than the number of legitimate software package releases for a given time frame. Of course, this solution may lead to lots of headaches for software developers, but there are greater minds than me who will find a solution for it as well. :)
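The decision flow described in this post (default DeepScreen sandboxing, Moderate blocking on initial analysis, Aggressive allowlist-only), as an added toy model in Python. This is not avast!'s code: the entropy pre-check, the marker-string stand-in for the sandbox, the allowlist contents and the sample files are all constructed assumptions. It also attaches a reason to every verdict, which is exactly the information earlier posts in this thread complain the real prompt omits.

```python
"""Toy model of three execution policies: default (sandbox decides),
Hardened Moderate (block on suspicion) and Hardened Aggressive
(allowlist-only).  Added example; all heuristics and data are constructed."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DEFAULT = "default"          # unknown + suspicious -> sandbox decides
    MODERATE = "moderate"        # unknown + suspicious -> block outright
    AGGRESSIVE = "aggressive"    # only allowlisted hashes may run


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str  # the "why" that the thread says the real prompt never shows


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted content is near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def initial_analysis_suspicious(data: bytes, threshold: float = 7.0) -> bool:
    """Constructed stand-in for the static pre-check: flag high-entropy files."""
    return entropy(data) > threshold


def sandbox_is_clean(data: bytes) -> bool:
    """Constructed stand-in for DeepScreen.  A real sandbox watches behaviour;
    here a file is 'malicious' only if it carries a marker string."""
    return b"DROP_PAYLOAD" not in data


def decide(data: bytes, mode: Mode, allowlist: dict) -> Verdict:
    """Return an allow/block verdict plus the reason for it."""
    digest = sha256(data)
    if digest in allowlist:
        return Verdict(True, f"known-good on cloud allowlist: {allowlist[digest]}")
    if mode is Mode.AGGRESSIVE:
        # Default-deny: anything not on the allowlist is blocked, no heuristics.
        return Verdict(False, f"not on cloud allowlist (sha256 {digest[:12]}...)")
    if not initial_analysis_suspicious(data):
        return Verdict(True, "unknown file, but initial analysis found nothing")
    if mode is Mode.MODERATE:
        return Verdict(False, f"initial analysis flagged file "
                              f"(entropy {entropy(data):.2f} bits/byte); "
                              f"blocked before sandboxing")
    # Mode.DEFAULT: suspicious files get a sandbox run before a decision.
    if sandbox_is_clean(data):
        return Verdict(True, "suspicious on initial analysis; sandbox saw no bad behaviour")
    return Verdict(False, "sandbox observed malicious behaviour")


# Constructed sample files (not real binaries).
PLAIN_FILE = b"MZ" + b"\x00" * 200 + b"hello world"   # low entropy
PACKED_FILE = bytes(range(256)) * 4                    # entropy exactly 8.0
MALICIOUS_FILE = PACKED_FILE + b"DROP_PAYLOAD"         # packed and carries marker
ALLOWLIST = {sha256(PACKED_FILE): "vendor-installer.exe (constructed entry)"}


if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_FILE), ("packed", PACKED_FILE),
                       ("malicious", MALICIOUS_FILE)]:
        for mode in Mode:
            for label, wl in [("no allowlist", {}), ("allowlisted", ALLOWLIST)]:
                v = decide(blob, mode, wl)
                print(f"{name:9} {mode.value:10} {label:13} -> "
                      f"{'ALLOW' if v.allowed else 'BLOCK'}: {v.reason}")
```

The same packed installer is allowed under the default policy (the sandbox sees nothing), blocked under Moderate (the pre-check alone decides), and blocked under Aggressive unless its hash is on the allowlist, which is the behaviour Striker and this post describe. Note that a default-deny allowlist only moves the trust problem to whoever maintains the list: an unsigned in-house tool is blocked with the same certainty as malware, so the reason string is what lets a user or admin tell the two cases apart.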
 