Battle Behavioral Blockers: SONAR vs DeepGuard vs System Watcher

Symantec Endpoint Security Cloud
Kaspersky Security Cloud Family
F-secure Internet Security
notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
What the title says, I'm interested only in the Behavioural Blocking component, not the other components of suites which include the said BB components.

Are there any tests on behavioral blockers?

Which BBs work well against scriptors/fileless?
 

Mahesh Sudula

Level 17
Verified
Top Poster
Well-known
Sep 3, 2017
818
The comparison itself might be wrong:
Let me say how this works:
SW works for certain actions to get triggered:
modification of startup, encrypting a few files; then it rolls back all the malicious actions to a previous state (with a restart).
SW's intelligence lies in its rollback system.

DG: DG intercepts and reacts faster in most cases. It just BLOCKS the actions. All the remnants will remain on the system.

SONAR: Above SW in capability. Catches some more highly sophisticated malware than other behavior blockers. But in some rare cases analysis takes a bit more time before a verdict is reached. Works with heuristics (R.T.) protection. Removal depends upon the threshold level of malicious behavior.

From the above, it is clear the phenomena of work differ. Some react late but the later result is clean; some react faster but the system remains not clean.
Moreover, all BBs require constant updates to trace the behaviors with time. If a BB fails against a simple malware but catches a highly sophisticated one, then -------.

Constant development and user threat statistics are vital for any BB (vendor) for effective working.
I say "NO VOTE" because no one situation can trigger the effectiveness of any BB, but as per tests I pick SONAR, SW. (Only based on tests)*
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
The comparison itself might be wrong:
Let me say how this works:
SW works for certain actions to get triggered:
modification of startup, encrypting a few files; then it rolls back all the malicious actions to a previous state (with a restart).
SW's intelligence lies in its rollback system.

DG: DG intercepts and reacts faster in most cases. It just BLOCKS the actions. All the remnants will remain on the system.

SONAR: Above SW in capability. Catches some more highly sophisticated malware than other behavior blockers. But in some rare cases analysis takes a bit more time before a verdict is reached. Works with heuristics (R.T.) protection. Removal depends upon the threshold level of malicious behavior.

From the above, it is clear the phenomena of work differ. Some react late but the later result is clean; some react faster but the system remains not clean.
Moreover, all BBs require constant updates to trace the behaviors with time. If a BB fails against a simple malware but catches a highly sophisticated one, then -------.

Constant development and user threat statistics are vital for any BB (vendor) for effective working.
I say "NO VOTE" because no one situation can trigger the effectiveness of any BB, but as per tests I pick SONAR, SW. (Only based on tests)*

Thanks for the detailed response!

Analysis takes a bit more time before a verdict is reached.
What does it do until a verdict is reached? Does it allow? Does it block? Or is this configurable?
 

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
I will say Emsisoft Anti-Malware :p:p as I use it and say it is one of the best I have used. I think SONAR is aggressive; when I used it before it caused a lot of false positives (this was in Norton Security, not Symantec; I do not know about it).
For System Watcher, it is fantastic, but I found Kaspersky a bit consuming for the resources.
DeepGuard I did not try before, as I think the F-Secure UI is ugly :) :)
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I will say Emsisoft Anti-Malware :p:p as I use it and say it is one of the best I have used. I think SONAR is aggressive; when I used it before it caused a lot of false positives (this was in Norton Security, not Symantec; I do not know about it).
For System Watcher, it is fantastic, but I found Kaspersky a bit consuming for the resources.
DeepGuard I did not try before, as I think the F-Secure UI is ugly :) :)

How does Emsisoft's behavioral blocker component compare to the 3 mentioned in the poll? Is there any testing of it?
 

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Application Control is application whitelisting? Some sort of anti-exe based on getting a verification from Kaspersky's cloud?
Application Control is a module included in Kaspersky suites, which is strictly connected with firewall rules and Kaspersky's Vendor List. It divides all files into groups:
  • Trusted
  • Low Restricted
  • High Restricted
  • Untrusted
Where each file goes depends on its digital signature, behaviour and several facts. To be brief, it will compare the digital signature with the vendor list they created in order to verify it is trusted. You can tweak this module to avoid Kaspersky trusting files just for being signed, so they have to match the vendor list. As well, you can configure it to block execution of those untrusted. Therefore, all unsigned files that are not recognised will be untrusted and therefore blocked. I have always used it that way: do not trust unsigned files, always rely on Kaspersky's Vendor List, if a file isn't recognised highlight it as untrusted, block all untrusted files and their internet connections. If a file is highlighted as untrusted (automatically or manually) this will also disable connections for it; that's why AC is connected to the firewall.
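As an added illustration of the trust-group policy described in this post (example code written for this page, not Kaspersky's code and not a description of its internals), the following Python model classifies files into the four groups named above and shows how the same files are treated under a lenient configuration versus the tightened one the post describes: no trust on a signature alone, unrecognised files marked Untrusted, and Untrusted files blocked from executing and from the network. The vendor list entries, the sample files, the Policy fields and the rules that place a file in Low or High Restricted are assumptions; the post does not describe those rules.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Group(Enum):
    TRUSTED = "Trusted"
    LOW_RESTRICTED = "Low Restricted"
    HIGH_RESTRICTED = "High Restricted"
    UNTRUSTED = "Untrusted"


@dataclass(frozen=True)
class FileInfo:
    path: str
    signer: Optional[str]     # subject name of the code signer; None if unsigned
    signature_valid: bool     # whether the signature chain actually verified
    recognised: bool          # known to the vendor's file reputation database


@dataclass(frozen=True)
class Policy:
    trust_any_valid_signature: bool   # any valid signature => Trusted (the weak setting)
    unrecognised_is_untrusted: bool   # "if a file isn't recognised highlight it as untrusted"
    block_untrusted_execution: bool
    block_untrusted_network: bool     # the firewall side of the same decision


# Constructed stand-in for the vendor list: signers the product vouches for.
VENDOR_LIST = {"Microsoft Corporation", "Google LLC", "Mozilla Corporation"}


def classify(f: FileInfo, policy: Policy) -> Group:
    """Assign a trust group. Only the Trusted/Untrusted rules follow the post;
    the Low/High Restricted placement is an assumption for illustration."""
    signed = f.signer is not None and f.signature_valid
    if signed and f.signer in VENDOR_LIST:
        return Group.TRUSTED
    if signed and policy.trust_any_valid_signature:
        return Group.TRUSTED
    if f.recognised:
        return Group.LOW_RESTRICTED      # assumption: recognised but not vouched for
    if policy.unrecognised_is_untrusted:
        return Group.UNTRUSTED
    return Group.HIGH_RESTRICTED         # assumption: unknown, lenient default


def decide(f: FileInfo, policy: Policy) -> Dict[str, object]:
    """Turn the group into the two enforcement decisions the post ties together."""
    group = classify(f, policy)
    untrusted = group is Group.UNTRUSTED
    return {
        "group": group.value,
        "may_execute": not (untrusted and policy.block_untrusted_execution),
        "may_connect": not (untrusted and policy.block_untrusted_network),
    }


LENIENT = Policy(True, False, False, False)   # signed is enough; unknowns still run
TIGHTENED = Policy(False, True, True, True)   # the configuration described in the post

# Constructed sample files.
SAMPLES = [
    FileInfo("chrome.exe", "Google LLC", True, True),
    FileInfo("tool.exe", "Acme Tools Inc", True, False),    # validly signed, not on the list
    FileInfo("stage.exe", "Acme Tools Inc", False, False),  # signature present but broken
    FileInfo("dropper.exe", None, False, False),            # unsigned, unknown
]


def compare() -> Dict[str, tuple]:
    """Return (lenient, tightened) decisions per file so the difference is visible."""
    return {f.path: (decide(f, LENIENT), decide(f, TIGHTENED)) for f in SAMPLES}


if __name__ == "__main__":
    for path, (lenient, tight) in compare().items():
        print(f"{path:12} lenient={lenient}  tightened={tight}")
```

The point the model makes visible is the one the post makes: under the lenient setting a file signed by any valid certificate runs and talks to the network, while under the tightened setting only signers on the vendor list are trusted and everything unrecognised is both denied execution and cut off from the network by the same decision.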
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I just posted a video of it. Its behavior blocker was fantastic against ransomware; here is the link for it.

Thanks, how does it do against other threats, e.g. how did it do against Astaroth


back when Astaroth was 0-day (not blocked by signatures)?
 

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Thanks, how does it do against other threats, e.g. how did it do against Astaroth


back when Astaroth was 0-day (not blocked by signatures)?
Read this:
 

DDE_Server

Level 22
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
@notabot
Posted in the giveaway but not approved yet,
for you if you want to try F-Secure, as it is embedded in your vote.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I would be curious how DeepGuard performs against the same.

The Emsisoft behavior blocker is indeed impressive. Yesterday I was building a project that involved batch files downloading other scripts from GitHub and executing them, and that got flagged. Even using a not-well-known build of VMware Workstation triggered "injector" detection.

The downside, though, is that without cloud reputation serving as a whitelisting mechanism it seems like these behavior blockers would be pretty FP-prone. It all depends on the balance one desires between FPs versus escapes.

That's indeed cool! Emsisoft is officially then the 4th option, even if not part of the poll.
Can you administer the Emsisoft BB through their web dashboard with the same granularity that you can administer it locally? Also, does Emsisoft support AMSI?

To be honest, I'm not sure I'd want cloud whitelisting. E.g. if Chrome gets hit by an exploit and starts doing funny things, I'd want the BB to flag it; if Chrome is whitelisted due to being legit software then it won't be as effective. The same applies to e.g. Excel when opening a malcoded spreadsheet.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Also, beyond child-parent relationships between processes, a process can:

  • talk to COM interfaces in-process, i.e. see if an interface with GUID XYZ already exists and try to talk to it;
  • call in-process functionality from .NET assemblies;
  • call a function exposed by a common DLL in-process.

Does any BB monitor these things? Or do they all only look at process trees and/or where they write on disk?
 
93803123

To be honest, I'm not sure I'd want cloud whitelisting. E.g. if Chrome gets hit by an exploit and starts doing funny things, I'd want the BB to flag it; if Chrome is whitelisted due to being legit software then it won't be as effective. The same applies to e.g. Excel when opening a malcoded spreadsheet.

Behavioral monitoring will be inefficient, if not ineffective, against the latest and greatest application exploits.

Behavioral monitoring cannot be generically applied; otherwise a lot of legitimate, safe processes will be blocked. The context matters. So an unknown, first-time process is monitored, whereas for Chrome, depending upon any child process and the behavioral protection algorithm, the system might or might not be protected in the case of a Chrome exploit.
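As an added example (written for this page; it is not code from SONAR, DeepGuard, System Watcher or Emsisoft, nor a description of how any of them is built), the Python model below puts the behaviours contrasted in this thread side by side: a score-and-threshold verdict that lets actions through until enough evidence has accumulated (the earlier question of what happens before a verdict is reached), a block-only response that leaves remnants on the system versus a journal-and-rollback response, and a higher conviction threshold for a whitelisted process, which is the trade-off the last two posts discuss. The action names, weights, thresholds and the process activity sequence are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed weights: how much each observed action counts towards a malicious verdict.
WEIGHTS = {
    "write_temp_file": 2,
    "write_startup_key": 40,     # "modification of startup" from the thread
    "encrypt_user_file": 15,     # per file: "encrypting a few files"
    "spawn_script_host": 20,     # e.g. a document viewer starting a script interpreter
    "inject_into_process": 45,   # the "injector" detection mentioned for Emsisoft
}


@dataclass
class Event:
    pid: int
    action: str
    target: str


@dataclass
class ProcessState:
    pid: int
    image: str
    reputation: str                                      # "unknown" or "trusted" (whitelisted)
    score: int = 0
    journal: List[Event] = field(default_factory=list)   # actions that were allowed to take effect
    verdict: Optional[str] = None


class BehaviourBlocker:
    """Toy behaviour blocker. mode="block" stops the process at the verdict and leaves
    earlier changes in place; mode="rollback" additionally undoes the journaled changes,
    the difference the thread draws between DeepGuard-style and System Watcher-style
    responses."""

    def __init__(self, mode: str, threshold: int = 60, trusted_threshold: int = 90):
        self.mode = mode
        self.threshold = threshold
        self.trusted_threshold = trusted_threshold
        self.procs: Dict[int, ProcessState] = {}
        self.rolled_back: List[Event] = []

    def register(self, pid: int, image: str, reputation: str = "unknown") -> None:
        self.procs[pid] = ProcessState(pid, image, reputation)

    def observe(self, ev: Event) -> str:
        """Evaluate one action before it takes effect; return "allow" or "deny"."""
        p = self.procs[ev.pid]
        if p.verdict == "malicious":
            return "deny"                       # already convicted: nothing further runs
        p.score += WEIGHTS.get(ev.action, 0)
        # Context matters: a whitelisted image needs more evidence before conviction,
        # which is the trade-off raised above for an exploited Chrome or Excel.
        limit = self.trusted_threshold if p.reputation == "trusted" else self.threshold
        if p.score >= limit:
            p.verdict = "malicious"
            if self.mode == "rollback":
                # Undo in reverse order so later, dependent changes are reverted first.
                self.rolled_back.extend(reversed(p.journal))
                p.journal.clear()
            return "deny"
        p.journal.append(ev)                    # allowed: it happened, so remember it
        return "allow"

    def remnants(self, pid: int) -> List[str]:
        """Actions that were allowed and are still in effect after the verdict."""
        return [e.action for e in self.procs[pid].journal]


# Constructed activity of one process, modelled on the ransomware-like sequence the
# thread describes: persistence first, then encrypting user files.
SEQUENCE = [
    ("write_temp_file", "Temp\\stage.tmp"),
    ("write_startup_key", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    ("encrypt_user_file", "Documents\\a.docx"),
    ("encrypt_user_file", "Documents\\b.xlsx"),
    ("encrypt_user_file", "Documents\\c.pdf"),
    ("spawn_script_host", "script interpreter"),
]


def run_scenario(mode: str, reputation: str) -> Dict[str, object]:
    """Feed SEQUENCE to a fresh blocker and report what got through and what remains."""
    bb = BehaviourBlocker(mode)
    bb.register(1000, "sample.exe", reputation)
    decisions = [bb.observe(Event(1000, action, target)) for action, target in SEQUENCE]
    return {
        "allowed": decisions.count("allow"),
        "denied": decisions.count("deny"),
        "remnants": bb.remnants(1000),
        "rolled_back": len(bb.rolled_back),
    }


if __name__ == "__main__":
    for mode in ("block", "rollback"):
        for rep in ("unknown", "trusted"):
            print(mode, rep, run_scenario(mode, rep))
```

Running it prints, for each mode and reputation, how many actions were allowed before the verdict, what is left on the system and how many changes were undone. With these constructed weights the unknown process is convicted on its second file encryption, so in block mode the startup key and one encrypted file remain behind while rollback mode clears them; the trusted process gets two more files encrypted before conviction, which is the cost of the context-aware leniency described in the post above.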
 
