In the AV-Comparatives False Alarm test, March 2014, Avast had 95 false alarms. Win32:Evo-gen, a relatively new heuristic detection of Avast, was responsible for 80+ of these FPs.
AV-Comparatives uses the default settings in their testing. I am using the Hardened Mode Aggressive which, to my understanding, uses the White List and doesn't depend on heuristics. So far I have only had 3 FPs. They were AdwCleaner, WinPatrol and Tweaking.com Windows Repair. All three were new updates that had not made it to the White List. They all make registry changes and were probably blocked by the Behavior Shield. I knew they were OK and Avast allowed me to exclude them, and they were installed with no further problems.
This is just one reason that I recommend setting your Avast 9 to the Hardened Mode Aggressive, but just because you are using the default mode don't think you are going to be bombarded with false alarms. Probably not; these tests are run on many hundreds of little-known, little-used programs to get the database large enough to be worth using.
Even at that I hate to see more than 10 or 12 FPs in a run, so I have queries posted to Avast about a fix for Evo-gen, but don't have a reply at this time.
I have been testing Avast since January and highly recommend it even with a few little bugs. I have reported 2 bugs to Avast and they were corrected with an update in a short time.
There are 3 modes that Avast can be set to; they are: default, Hardened Mode Moderate and Hardened Mode Aggressive. When I ask some of the guys at Avast just how these different modes work, I get the same canned, ambiguous answer... So, I have tested against zero-day threats in the different modes attempting to find out how each mode reacts. And since XP lost its luster there have been 500 to 1500 zero-day threats hitting the web each day on just one of the malware scanning sites that I monitor, therefore I have no problem finding test material. Lol
Here is my understanding of the three Modes:
First, in Avast there are 8 real-time shields that are used in each of the modes. They are: File System Shield, Web Shield, Mail Shield, Network Shield, P2P Shield, IM Shield, Behavior Shield and Script Shield. It is the ONLY free AV with a Script Shield, so no need for NoScript, which is too geeky for the average user.
Default Mode:
When going to a site, if you get a drive-by from a compromised site or click on a bad link, the URL is tested against the Black List of bad URLs, which is updated in real time from the Avast Cloud. If found, it is blocked.
If not found in the Black List it is checked with heuristics and behavioral analysis. In what order, I'm not sure. If found to be suspicious it is sent to DeepScreen (the Avast sandbox) and this is where the operator needs some computer savvy, because if it is still suspicious it will give the choice to delete it or exclude it.
Therefore the default mode should NOT be used by a novice computer operator.
Hardened Mode, Moderate:
In the Hardened Modes, DeepScreen (sandbox) is disabled.
I call this Moderate Mode the "Granny Mode" to keep your old granny from loading the computer with toolbars and PUPs by clicking on everything she sees. Lol
This mode is really more aggressive than the Aggressive mode. When a bad URL comes through and is not blacklisted but is found suspicious by heuristics or behavior, it is stopped right there and Granny doesn't get it!
Hardened Mode, Aggressive:
This mode is the ONLY mode that uses the "White List", which is what I believe all AVs should be going to for better protection. As far as I know Avast and Comodo are the only free AVs offering a White List, and Comodo is so paranoid that when it detects something you must play 20 questions in order to get rid of it or keep it.
In Avast Hardened Mode Aggressive, when a file is not found on the Black List it is checked against a huge White List in the Avast cloud, and if not found there it is rejected. This mode relies very little on heuristics or behavior.
There are a few situations that I haven?t quite figured out yet but am working on.
I have had a few bad files that made it all the way through the White List, downloaded and weren't caught. Some were zip files and when opened were deleted. Others were files that were not bad until installed, which were caught and deleted when clicked on. Those I can understand, but why it passed the 3 program updates that were not on the White List and allowed me to exclude them is a mystery that I'm working on.
I recommend Avast set to Hardened Mode with K9 and MBAM Premium (real time), or run the free MBAM often, as the backup layers for Avast.
Any questions or something I missed, just holler!
This message has been edited since posting. Last time this message was edited on 29. April 2014 @ 11:57
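As an added illustration (not Avast's code and not part of the post above), here is a small Python model of the check order the poster describes for the three modes: Black List first in every mode; then either the White List (Hardened Aggressive) or heuristics/behavior with DeepScreen on (default) or off (Hardened Moderate). The sample files, the verdict names and the scoring rule are constructed assumptions; the point is to make the trade-off the post reports visible: the whitelist mode is the only one that stops an unknown file that heuristics miss, and it pays for that with false positives on new, not-yet-listed updates.

```python
"""Constructed model of the three Avast 9 modes as described in the post.

Added example, not Avast code. The order of checks follows the post; the
samples, verdict names and scoring rule below are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DEFAULT = "default"
    HARDENED_MODERATE = "hardened_moderate"
    HARDENED_AGGRESSIVE = "hardened_aggressive"


class Verdict(Enum):
    ALLOW = "allowed"
    BLOCK = "blocked"                                   # stopped automatically
    ASK_USER = "DeepScreen: user chooses delete/exclude"  # default mode hand-off
    REJECT_EXCLUDABLE = "rejected, user may exclude"     # not on the White List


@dataclass(frozen=True)
class Sample:
    name: str
    blacklisted: bool     # URL/file is on the cloud Black List
    whitelisted: bool     # file is on the cloud White List
    heuristic_hit: bool   # heuristics / Behavior Shield flag it as suspicious
    malicious: bool       # ground truth, used only to score the model


def decide(sample: Sample, mode: Mode) -> Verdict:
    """Apply the per-mode check order the post gives."""
    # Every mode consults the Black List first.
    if sample.blacklisted:
        return Verdict.BLOCK

    if mode is Mode.HARDENED_AGGRESSIVE:
        # The White List decides; heuristics play little part here.
        return Verdict.ALLOW if sample.whitelisted else Verdict.REJECT_EXCLUDABLE

    # Default and Moderate: heuristics and behavior come next.
    if not sample.heuristic_hit:
        return Verdict.ALLOW
    if mode is Mode.DEFAULT:
        # Suspicious item goes to DeepScreen; if still suspicious, the user chooses.
        return Verdict.ASK_USER
    # Moderate: DeepScreen is disabled, so suspicious is simply stopped.
    return Verdict.BLOCK


def score(samples, mode: Mode):
    """Return (false_positives, misses) for a mode.

    A false positive is a benign sample that is not silently allowed (any
    alert counts, including a DeepScreen prompt); a miss is a malicious
    sample that is allowed with no alert at all.
    """
    fps = sum(1 for s in samples
              if not s.malicious and decide(s, mode) is not Verdict.ALLOW)
    misses = sum(1 for s in samples
                 if s.malicious and decide(s, mode) is Verdict.ALLOW)
    return fps, misses


# Constructed samples; the third mirrors the post's "new update that makes
# registry changes and is not yet on the White List" case.
SAMPLES = [
    Sample("known bad drive-by URL",            True,  False, True,  True),
    Sample("well-known utility on White List",  False, True,  False, False),
    Sample("fresh update, registry changes",    False, False, True,  False),
    Sample("zero-day that heuristics catch",    False, False, True,  True),
    Sample("zero-day that evades heuristics",   False, False, False, True),
    Sample("new benign tool, no behavior flag", False, False, False, False),
]


def report(samples=SAMPLES):
    """Print the verdict of each sample under each mode, then the scores."""
    for s in samples:
        verdicts = ", ".join(f"{m.value}={decide(s, m).value}" for m in Mode)
        print(f"{s.name}: {verdicts}")
    for m in Mode:
        fps, misses = score(samples, m)
        print(f"{m.value}: {fps} false positive(s), {misses} miss(es)")


if __name__ == "__main__":
    report()
```

Running it shows default and Moderate each raising one alert on the fresh update while letting the heuristics-evading zero-day through, and Hardened Aggressive rejecting both unlisted benign files but nothing malicious. Which trade-off is right depends on whether the person at the keyboard can be trusted to answer the exclude prompt, which is exactly the poster's reason for steering novices away from the default mode.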