This site is for Avast Business products only. For articles on AVG Business products, see AVG Business Help. If you are in the right place but cannot find what you are looking for, please contact Avast Business Support for further assistance.

File Shield

This Article Applies to:

  • Avast Business Hub

 

File Shield is the main layer of Antivirus active protection. It scans programs and files saved on the device for malicious threats as they are opened, run, modified, and saved. File Shield is designed to prevent any detected malware from infecting the system.

We strongly recommend you always keep this shield turned on and only make configuration changes if you have an advanced understanding of malware protection principles.

Note that in Antivirus for macOS, the shields can only be disabled, not uninstalled. Therefore, if you uninstall File Shield via policy settings, the service on macOS endpoints will only be disabled.

Configuring File Shield Settings

Windows and macOS configuration options are mixed together in the policy settings for the various components.

To access File Shield settings:

  1. Go to the Policies page
  2. Click the desired policy to open its Detail drawer
  3. Select the Settings tab, then Antivirus
  4. Expand the File Shield section (under Antivirus Protection)

Five sets of settings are available here:

  • Scan behavior (Windows and macOS)
  • Actions (Windows)
  • Packers (Windows)
  • Sensitivity (Windows)
  • Report file (Windows)

Scan Behavior

The settings here determine what File Shield scans and under which conditions. The following options are available for Windows devices:

  • Scan when executing 
    • Scan programs when executing: Scans programs when they are executed (e.g. when the user opens Microsoft Excel).
    • Scan scripts when executing: Scans scripts when they are executed (e.g. a JavaScript file).
    • Scan libraries when executing: Scans libraries (dlls) when programs are executed.
  • Scan when opening
    • Scan documents when opening: Scans documents when they are opened by the user (e.g. Microsoft Word).
    • Scan documents with custom extensions: Enabling this will allow you to add specific extensions to be scanned.
    • Scan all files: All file types will be scanned when opened. This can have a negative performance impact. By default, only the most common files that can be infected are scanned.
  • Scan when attaching
    • Scan auto-run items when removable media is attached: When a removable device is attached, auto-run items are scanned to help prevent any viruses that infect the system by automatically running when a removable device is plugged.
    • Scan diskette boot sectors on access: When a floppy disk is accessed, the boot sector is scanned.
  • Scan when writing
    • Scan files when writing: Scans files with default and/or custom extensions, or all files when they are created or modified (this can have a negative performance impact).
    • Do not scan files on remote shares: Prevents File Shield from scanning remote shares for files that are written. It can help with performance issues over the network, and is checked by default.
    • Do not scan files on removable media: Prevents File Shield from scanning files on removable devices. This is not recommended.

Under the Policy section, you can configure the available settings for macOS devices:

  • Report potentially unwanted programs (PUP): Scans for PUPs (e.g. spyware).
  • Move infected files to quarantine: Sends the detected threats to the Quarantine. Otherwise, files will be blocked without removal.

Actions

The Actions settings define how viruses, PUPs, unwanted tools, and suspicious objects are handled when detected by File Shield. For each type, it is possible to configure three actions to perform, with the "if the action fails" value. The following actions can be selected from each drop-down menu:

  • Fix automatically: Runs a sequence of actions (repair file; if not possible, then move to Quarantine; if not possible, then delete).
  • Move to quarantine: Sends the threat to Quarantine, where it cannot harm your system.
  • Repair: Removes only malicious code attached to an otherwise safe file — this is not possible for files that are entirely malware.
  • Ask: Avast asks what you want to do with a detected threat before any action is taken.
  • Delete: Permanently removes the file from your computer.
  • No action: No action is taken during the scan; the threat is listed in your scan results and you can decide what to do later.

For example, you can set the first action to Move to quarantine. If that fails, then Ask the user. If that then fails as well, the final action can be to Delete the file. If the final action also fails, nothing further will be performed (the file will continue to be blocked).

Under the Options section, you can also define whether File Shield will:

  • Show notifications for actions: Choose whether a notification is displayed each time File Shield detects a threat on the device.
  • Perform the selected action when the system restarts: File Shield will perform the necessary action when the device restarts.
  • Enable Antimalware Scan Interface (AMSI) scanner: This allows the user to disable/enable the AMSI integration.
    • AMSI is a feature in Windows 10 and newer operating systems that allows the antivirus to have some close integration with the OS to enhance detection capabilities. More on AMSI can be found in this Microsoft article.

Lastly, the Processing of infected archives section allows you to configure what to do with infected archives. By default, the shield will try to remove the infected file from the archive and if that fails, nothing will happen.

The other two options (removing the whole archive if removing the infected file from the archive fails, or always removing the whole archive) can lead to issues if there is a false positive, and the archive may be deleted if too large.

Packers

These settings allow you to define which archive (packer) formats Avast should try to extract during File Shield scans (unpacked files can be better analyzed for malware). Original archives remain intact while processed by File Shield. You can choose to use either all packer formats or just the ones you select from the list. By default, only the most commonly infected packers are used.

Sensitivity

Here, you can adjust the sensitivity of the Antivirus scan for File Shield:

  • Heuristics Sensitivity: Heuristics enable Antivirus to detect unknown malware by analyzing code for commands that may indicate malicious intent. The default setting is Normal. With higher sensitivity, Antivirus is more likely to detect malware, but also more likely to make false-positive detections that incorrectly identify files as malware.
    • Use code emulation: Choose whether to use code emulations to unpack and test suspected malware in an emulated environment, where the files cannot cause damage to devices.
  • Sensitivity: Enable Test whole files to check the whole content of a file instead of the parts typically affected by malicious code. There is usually no need to enable this option, and it will likely impact system performance.
  • PUP and suspicious files: Choose whether or not to scan for potentially unwanted programs (PUPs). You can select the option separately for pre and post 21.5 and 21.6 versions of the Antivirus respectively. For versions 21.6 and newer, you can also choose whether to scan for potentially unwanted tools.

Report File

You can configure the report file here in order to enhance the reporting of the shield:

  • File name: Enter a name for the report file (default * will use the default file name)
    • The Generate report file checkbox needs to be ticked for the report file to be created.
  • File type: Select the format of the report file:
    • Plain text (ANSI)
    • Plain text (Unicode)
    • XML
  • If file exists: Select Append if you want new results to be added to the end of the previous report, or Overwrite if you want new results to replace the previous report
    • Using the Append option will gradually increase the size of the report file on the disk. Including informative events such as OK will also greatly increase the size on the disk as every clean file will be reported.
  • Reported items: Define which events appear in report files:
    • Infected items — Files and areas of the scanned environment that the virus scan identifies as containing malware
    • Hard Errors — Unexpected errors that require further investigation
    • Soft Errors — Minor errors, such as a file being unable to be scanned because it was in use
    • OK items — Files and areas that the virus scan identified as being clean
    • Skipped items — Files and areas that the virus scan did not check because of the scan settings

At the bottom of the settings, the default location of the report is displayed.

Enabling Anti-Exploit Monitor

The Anti-Exploit Monitor (called Anti-Exploit Shield in the local client) scans and protects against known exploits (e.g. the "Hafnium Exchange" exploit) in popular software. This feature is part of File Shield and can be enabled both remotely via the policy settings of the console (see Troubleshooting Features in Business Hub) or locally via the Protection section of the client UI (see Core Shields Settings).

Adding File Shield Exclusions

If needed, you can add exclusions to the File Shield scans through the Antivirus Exclusions settings of a selected policy. This can speed up the scans and prevent false-positive detections.

For more information on standard and component-specific exclusions, see Configuring Antivirus Exclusions.

FAQ

The managed endpoints are designed to be controlled from the policies, therefore the important shields are inaccessible from the UI to be disabled individually. Core Shields can only be disabled together.

The local Antivirus is simplified with its controls in the UI. The user can only control all shield settings from these toggles at once, rather than individual settings for each shield.

We have the advanced controls in our managed policies to be able to configure each shield individually, which overwrites the local client settings, leading to these options being empty. The same can be performed from the Geek Area in the local client.

They are still configured correctly, they simply are not visible in the local client UI.

It depends on how you want to handle the detections - it can be simple to use the Fix automatically feature, however, the final action in that sequence is Delete, therefore it may not be desirable in cases of false positives. Move to Quarantine is a safe option to allow potential restoration in the future.

Enable the password protection of the UI (locally in unmanaged, from the policies in managed) in order to prevent the local user disabling shields.

Add the application as an exclusion either in the global or File Shield specific exclusions. Verify if there are any potentially conflicting applications (e.g. another antivirus) running on the system and remove it if found.

There are many more advanced settings in the policies which are not available in the local client or in the unmanaged version. Usually, further customization is not required, but offers administrators with advanced knowledge the opportunity for further detailed settings management.

 

Other Articles In This Section:

Web Shield

Mail Shield

Behavior Shield

Related Articles:

Managing Policies

Configuring Antivirus Exclusions

Troubleshooting 'Invalid Mail Server Certificate' Warnings