The two features share some “overlapping” functions and therefore there is no reason to turn them both on at the same time (if you do, the Hardened Mode will always prevail over the DeepScreen).
Simply put, the Hardened Mode is a means of “parental control” for executable files.
When enabled, it is always running in the background and checking every process launched on the machine. The evaluation of files is based on their reputation coming from the cloud (controlled by the VLab).
- In the Aggressive Hardened Mode, only chosen executable files with known high ratings are allowed; the rest gets prevented from running.
- On the other hand, the Moderate Hardened Mode blocks only files which have bad ratings (and those which have no ratings at all, due to being new).
This is useful for inexperienced users who do not always know what exactly they are launching.
The DeepScreen, when active, works similarly in the background and checks all the executable files being launched. It also works with the cloud data about their reputations.
However, unlike the Hardened Mode, this tool is also capable of running a file which has no rating (or insufficient number of ratings – usually below 20-50, depending on the file) in the sandbox to test its behavior (compare it with malicious patterns) and then decide whether to allow or block it.
- all files with known good or average ratings are automatically allowed;
- all files with known bad ratings are automatically blocked as malware (even if they are not in the VPS yet and therefore not blocked by the webshield) and the data on such incidents are sent to the VLab (to include in the VPS, if appropriate);
- lastly, files which are “unknown” or “not known well enough” are tested in the sandbox, allowed or blocked accordingly, and the rating resulting from the DeepScreen testing gets added to the cloud of reputations.
The log files for both of there components are available in the usual C:\ProgramData\AVAST Software\Avast\log folder as hardenenedmode.log (created only when some action has been carried out by the feature; missing there by default) and autosandbox.log