Which is the best behavioral blocker

  • DeepGuard: 4 votes (5.9%)
  • SONAR: 29 votes (42.6%)
  • System Watcher: 35 votes (51.5%)
  • Total voters: 68
  • Poll closed.

notabot

Level 11
What the title says: I'm interested only in the Behavioural Blocking component, not the other components of the suites which include the said BB components.

Are there any tests on behavioral blockers?

Which BBs work well against scripts/fileless?
 

Mahesh Sudula

Level 16
Verified
Malware Tester
The comparison itself might be wrong:
Let me say how this works:
SW works on certain actions getting triggered:
modification of startup, encrypting a few files, then it rolls back all the malicious actions to a previous state (with a restart).
SW's intelligence lies in the rollback system.

DG: DG intercepts and reacts faster in most cases. It just BLOCKS the actions. All the remnants will remain on the system.

SONAR: above SW in capability. Catches some more highly sophisticated malware than other behavior blockers. But in some rare cases analysis takes a bit more time before a verdict is reached. Works with heuristics (R.T.) protection. Removal depends upon the threshold level of malicious behavior.

From the above, it is clear that the way they work differs. Some react late but the later result is clean; some react faster but the system remains not clean.
Moreover, all BBs require constant updates to trace the behaviors with time. If a BB fails against a simple malware but catches a highly sophisticated one, then -------.

Constant development and user threat statistics are vital for any BB (vendor) for effective working.
I say "NO VOTE" because no one situation can trigger the effectiveness of any BB, but as per tests I pick SONAR, SW. (Only based on tests)*
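The three reaction styles described in this post (rollback after a verdict, blocking each action inline and leaving remnants, and terminate-only after a score threshold) can be shown side by side with a small simulation. The following is an added example, not code from any of the products or from the poster; the action weights, the verdict threshold, the in-memory "filesystem" and the event trace are all constructed for illustration.

```python
"""Toy model of three behaviour-blocker reaction strategies (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed weights: how much each observed action raises a process's
# malicious-behaviour score. Real products use far richer features.
ACTION_WEIGHT = {"write_file": 2, "modify_startup": 40, "encrypt_file": 25}
VERDICT_THRESHOLD = 60     # cumulative score at which a process is judged malicious
INLINE_BLOCK_WEIGHT = 25   # single-action weight an inline blocker refuses outright


@dataclass
class Event:
    pid: int
    action: str
    target: str
    content: bytes = b""


@dataclass
class SystemState:
    files: Dict[str, bytes]
    startup: Set[str] = field(default_factory=set)


@dataclass
class Outcome:
    verdict_event: Optional[int]   # index of the event that produced a verdict
    killed: Set[int]
    blocked_events: List[int]
    state: SystemState


class BehaviorMonitor:
    """mode: 'block_inline' (DG-like), 'terminate_only', or 'terminate_and_rollback' (SW-like)."""

    def __init__(self, mode: str):
        self.mode = mode
        self.score: Dict[int, int] = {}
        # pid -> pre-images of every object it touched, so a verdict can be undone
        self.journal: Dict[int, List[Tuple]] = {}

    def _apply(self, st: SystemState, ev: Event) -> None:
        if ev.action in ("write_file", "encrypt_file"):
            self.journal.setdefault(ev.pid, []).append(("file", ev.target, st.files.get(ev.target)))
            st.files[ev.target] = ev.content
        elif ev.action == "modify_startup":
            self.journal.setdefault(ev.pid, []).append(("startup", ev.target, ev.target in st.startup))
            st.startup.add(ev.target)

    def _rollback(self, st: SystemState, pid: int) -> None:
        # undo in reverse order so the earliest pre-image wins
        for kind, target, before in reversed(self.journal.get(pid, [])):
            if kind == "file":
                if before is None:
                    st.files.pop(target, None)
                else:
                    st.files[target] = before
            elif kind == "startup" and not before:
                st.startup.discard(target)

    def run(self, events: List[Event], st: SystemState) -> Outcome:
        killed: Set[int] = set()
        blocked: List[int] = []
        verdict: Optional[int] = None
        for i, ev in enumerate(events):
            if ev.pid in killed:
                continue
            w = ACTION_WEIGHT.get(ev.action, 0)
            if self.mode == "block_inline" and w >= INLINE_BLOCK_WEIGHT:
                blocked.append(i)        # refused outright, nothing else happens
                continue
            self._apply(st, ev)
            self.score[ev.pid] = self.score.get(ev.pid, 0) + w
            if self.mode != "block_inline" and self.score[ev.pid] >= VERDICT_THRESHOLD:
                verdict = i if verdict is None else verdict
                killed.add(ev.pid)
                if self.mode == "terminate_and_rollback":
                    self._rollback(st, ev.pid)
        return Outcome(verdict, killed, blocked, st)


def fresh_state() -> SystemState:
    # constructed starting point: two documents, nothing in startup
    return SystemState(files={"doc1.txt": b"quarterly report", "doc2.txt": b"invoice"})


# constructed trace: drop a file, persist it, then start encrypting documents
MALWARE_TRACE = [
    Event(100, "write_file", "dropper.exe", b"MZ..."),
    Event(100, "modify_startup", "dropper.exe"),
    Event(100, "encrypt_file", "doc1.txt", b"\x8a\x11..."),
    Event(100, "encrypt_file", "doc2.txt", b"\x7f\x02..."),
]


def simulate(mode: str) -> Outcome:
    return BehaviorMonitor(mode).run(MALWARE_TRACE, fresh_state())


if __name__ == "__main__":
    for mode in ("terminate_and_rollback", "block_inline", "terminate_only"):
        o = simulate(mode)
        print(mode, "verdict at", o.verdict_event, "files:", o.state.files, "startup:", o.state.startup)
```

Running it shows the trade-off the post describes: the rollback mode reaches its verdict only after three actions but ends with the original files and an empty startup list, the inline mode never lets the startup change or the encryption through but leaves the dropped file behind, and terminate-only stops the process with one document already encrypted.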
 

notabot

Level 11
The comparison itself might be wrong:
Let me say how this works:
SW works on certain actions getting triggered:
modification of startup, encrypting a few files, then it rolls back all the malicious actions to a previous state (with a restart).
SW's intelligence lies in the rollback system.

DG: DG intercepts and reacts faster in most cases. It just BLOCKS the actions. All the remnants will remain on the system.

SONAR: above SW in capability. Catches some more highly sophisticated malware than other behavior blockers. But in some rare cases analysis takes a bit more time before a verdict is reached. Works with heuristics (R.T.) protection. Removal depends upon the threshold level of malicious behavior.

From the above, it is clear that the way they work differs. Some react late but the later result is clean; some react faster but the system remains not clean.
Moreover, all BBs require constant updates to trace the behaviors with time. If a BB fails against a simple malware but catches a highly sophisticated one, then -------.

Constant development and user threat statistics are vital for any BB (vendor) for effective working.
I say "NO VOTE" because no one situation can trigger the effectiveness of any BB, but as per tests I pick SONAR, SW. (Only based on tests)*
Thanks for the detailed response!

Analysis takes a bit more time before a verdict is reached.
What does it do until a verdict is reached? Does it allow? Does it block? Or is this configurable?
 

notabot

Level 11
On its own, I believe SONAR can be a clear winner. Nevertheless, System Watcher when used with Application Control and several other modules of the suite is unbeatable.
Application Control is application whitelisting? Some sort of anti-exe based on getting verification from Kaspersky's cloud?
 

DDE_Server

Level 7
I will say Emsisoft Anti-Malware :p:p as I use it and say it is one of the best I have used. I think SONAR is aggressive; when I used it before it caused a lot of false positives (this was in Norton Security, not Symantec; I do not know about that one).
For System Watcher, it is fantastic, but I found Kaspersky a bit resource-consuming.
DeepGuard I did not try before, as I think the F-Secure UI is ugly :) :)
 

notabot

Level 11
I will say Emsisoft Anti-Malware :p:p as I use it and say it is one of the best I have used. I think SONAR is aggressive; when I used it before it caused a lot of false positives (this was in Norton Security, not Symantec; I do not know about that one).
For System Watcher, it is fantastic, but I found Kaspersky a bit resource-consuming.
DeepGuard I did not try before, as I think the F-Secure UI is ugly :) :)
How does Emsisoft's behavioral blocker component compare to the 3 mentioned in the poll? Is there any testing of it?
 

Robbie

Level 28
Verified
Content Creator
Application Control is application whitelisting? Some sort of anti-exe based on getting verification from Kaspersky's cloud?
Application Control is a module included in Kaspersky suites, which is strictly connected with firewall rules and Kaspersky's Vendor List. It divides all files into groups:
  • Trusted
  • Low Restricted
  • High Restricted
  • Untrusted
Where each file goes depends on its digital signature, behaviour and several facts. To be brief, it will compare the digital signature with the vendors list they created in order to verify it's trusted. You can tweak this module to avoid Kaspersky trusting files just for being signed, so they have to match the vendors list. As well, you can configure it to block execution of those untrusted. Therefore, all unsigned files that are not recognised will be untrusted and therefore blocked. I have always used it that way: do not trust unsigned files, always rely on Kaspersky's Vendor List, if a file isn't recognised highlight it as untrusted, block all untrusted files and their internet connections. If a file is highlighted as untrusted (automatically or manually) this will also disable connections for it; that's why AC is connected to the firewall.
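The policy logic described in this post (four trust groups, signature checked against a vendor list, the "do not trust just for being signed" tweak, unrecognised files going to Untrusted, and Untrusted losing execution and network) can be written out as a small policy engine. This is an added example, not Kaspersky's implementation or Robbie's configuration: the `Policy` flags, the hash-reputation lookup used to decide whether an unsigned file is "recognised", and the placement of unknown-signer and unrecognised files into Low/High Restricted under the default policy are assumptions made for the model; the sample files and hashes are constructed.

```python
"""Model of an application-control trust policy (constructed example, not a vendor's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class TrustGroup(Enum):
    TRUSTED = "Trusted"
    LOW_RESTRICTED = "Low Restricted"
    HIGH_RESTRICTED = "High Restricted"
    UNTRUSTED = "Untrusted"


@dataclass
class FileInfo:
    path: str
    sha256: str
    signer: Optional[str] = None     # subject of the code-signing certificate, None if unsigned
    signature_valid: bool = False    # False also covers a tampered or expired signature


@dataclass
class Policy:
    vendor_list: Set[str]                                   # signers the product treats as trusted vendors
    known_hashes: Dict[str, str] = field(default_factory=dict)  # hash -> "good" | "bad" (assumed reputation feed)
    trust_any_valid_signature: bool = True     # default: a valid signature alone earns Trusted
    unrecognised_is_untrusted: bool = False    # the tweak: unknown files go straight to Untrusted
    block_untrusted: bool = False              # the tweak: deny execution for Untrusted


def classify(f: FileInfo, p: Policy) -> TrustGroup:
    """Assign a trust group from signature and recognition (group boundaries are assumptions)."""
    if f.signer is not None and f.signature_valid:
        if f.signer in p.vendor_list:
            return TrustGroup.TRUSTED
        # signed, but by a vendor not on the list
        return TrustGroup.TRUSTED if p.trust_any_valid_signature else TrustGroup.LOW_RESTRICTED
    # unsigned, or the signature failed to verify: fall back to hash recognition
    verdict = p.known_hashes.get(f.sha256)
    if verdict == "good":
        return TrustGroup.LOW_RESTRICTED
    if verdict == "bad":
        return TrustGroup.UNTRUSTED
    return TrustGroup.UNTRUSTED if p.unrecognised_is_untrusted else TrustGroup.HIGH_RESTRICTED


@dataclass
class Decision:
    group: TrustGroup
    may_execute: bool
    may_connect: bool


def decide(f: FileInfo, p: Policy, manual_override: Optional[TrustGroup] = None) -> Decision:
    """Derive run/network permissions; Untrusted always loses network, execution only if the policy blocks it."""
    group = manual_override or classify(f, p)
    untrusted = group is TrustGroup.UNTRUSTED
    return Decision(group, may_execute=not (untrusted and p.block_untrusted), may_connect=not untrusted)


# constructed vendor list and reputation data
VENDORS = {"Mozilla Corporation", "Microsoft Windows"}
HASHES = {"aa" * 32: "good", "ff" * 32: "bad"}
DEFAULT = Policy(vendor_list=VENDORS, known_hashes=HASHES)
STRICT = Policy(vendor_list=VENDORS, known_hashes=HASHES,
                trust_any_valid_signature=False, unrecognised_is_untrusted=True, block_untrusted=True)

# constructed sample files (hashes are placeholders, not real file digests)
FIREFOX = FileInfo("firefox.exe", "11" * 32, "Mozilla Corporation", True)
ACME = FileInfo("acme_tool.exe", "22" * 32, "Acme Tools Ltd", True)
UNKNOWN = FileInfo("unknown.exe", "33" * 32)
TAMPERED = FileInfo("tampered.exe", "44" * 32, "Mozilla Corporation", False)
LEGACY = FileInfo("legacy.exe", "aa" * 32)


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT), ("strict", STRICT)):
        for f in (FIREFOX, ACME, UNKNOWN, TAMPERED, LEGACY):
            d = decide(f, pol)
            print(f"{name:8} {f.path:14} {d.group.value:16} run={d.may_execute} net={d.may_connect}")
```

Under the default policy the unrecognised and tampered files land in High Restricted and still run; under the strict policy both become Untrusted and lose execution and network, while the signed-but-unlisted tool drops from Trusted to Low Restricted. A manual override to Untrusted removes network access even when execution blocking is off, matching the firewall coupling the post describes.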
 

notabot

Level 11
I just posted a video of it. Its behavior blocker was fantastic against ransomware; here is the link for it.
Thanks, how does it do against other threats, e.g. how did it do against Astaroth

back when Astaroth was 0-day (not blocked by signatures)?
 

DDE_Server

Level 7
Thanks, how does it do against other threats, e.g. how did it do against Astaroth

back when Astaroth was 0-day (not blocked by signatures)?
Read this:
 

DDE_Server

Level 7
@notabot
Posted in the giveaway but not approved yet,
for you if you want to try F-Secure, as it is embedded in your vote.
 

notabot

Level 11
I would be curious how DeepGuard performs against the same.

The Emsisoft behavior blocker is indeed impressive. Yesterday I was building a project that involved batch files downloading other scripts from GitHub and executing them, and that got flagged. Even using a not-well-known build of VMware Workstation triggered "injector" detection.

The downside though is that without cloud reputation serving as a whitelisting mechanism it seems like these behavior blockers would be pretty FP-prone. It all depends on the balance one desires between FPs versus escapes.
That's indeed cool! Emsisoft is then officially the 4th option, even if not part of the poll.
Can you administer the Emsisoft BB through their web dashboard with the same granularity that you can administer it locally? Also, does Emsisoft support AMSI?

To be honest, I'm not sure I'd want cloud whitelisting. E.g. if Chrome gets hit by an exploit and starts doing funny things, I'd want the BB to flag it; if Chrome is whitelisted due to being legit software then it won't be as effective. The same applies to e.g. Excel when opening a malcoded spreadsheet.
 

notabot

Level 11
Also, beyond child-parent relationships between processes, a process can:

Talk to COM interfaces in-process, i.e. see if an interface with GUID XYZ already exists and try to talk to it.
Call in-process functionality from .NET assemblies.
Call a function exposed by a common DLL in-process.

Does any BB monitor these things? Or do they all only look at process trees and/or where they write on disk?
 
9

93803123

To be honest, I'm not sure I'd want cloud whitelisting. E.g. if Chrome gets hit by an exploit and starts doing funny things, I'd want the BB to flag it; if Chrome is whitelisted due to being legit software then it won't be as effective. The same applies to e.g. Excel when opening a malcoded spreadsheet.
Behavioral monitoring will be inefficient, if not ineffective, against the latest and greatest application exploits.

Behavioral monitoring cannot be generically applied, otherwise a lot of legitimate safe processes will be blocked. The context matters. So an unknown, first-time process is monitored, whereas with Chrome, depending upon any child process and the behavioral protection algorithm, the system might or might not be protected in the case of a Chrome exploit.
 

SeriousHoax

Level 9
Verified
Malware Tester
System Watcher and SONAR are both better than DeepGuard. Personally I like System Watcher more. It's excellent against unknown malware, not in any way online-dependent, and can roll back malicious actions. The other two don't have a rollback feature as far as I'm concerned.