Battle Behavioral Blockers: SONAR vs DeepGuard vs System Watcher

[notabot]

What the title says, I'm interested only in the Behavioural Blocking component, not the other components of suites which include the said BB components.

Are there any tests on behavioral blockers?

Which BBs work well against scriptors/fileless?

 

[notabot]

System Watcher & SOANR both are better than DeepGuard. Personally I like System Watcher more. It's excellent against unknown malwares, not in any way online depended and can roll back malicious actions. Other two doesn't have a roll back feature as far as I'm concerned.

What do the other two do? block unless cleared?

 

[93803123]

I don't expect it to prevent the exploit but do post-exploit damage control, as the exploited application application won't be behaving as normal

Yeah, that's an expectation that will lead to disappointment beyond anything other than commonly-protected against cases.

 

[SeriousHoax]

What do the other two do? block unless cleared?

Something like that. I mean you know the basic idea behind most behavior blockers. They monitor suspicious processes based on many behavioral patterns. Norton's SONAR is integrated into Auto Protect (Real Time Protection) and if internet connection is available it also checks online for reputation related info. SONAR works offline but stronger when connected to internet. You can also adjust its level. The more aggressive you set the higher the possibility of better detection but would produce more false positives.
While System Watcher is a separate module. It's not integrated into Real time protection or anything else. It can block malwares when malwares get passed the Real Time Protection and Application control module. Even if a malware makes some changes to the system, it can roll back those malicious actions so very useful against Ransomwares.

 

[harlan4096]

Here some docs about SW, a bit obsolete (bur probably still valid), Kaspersky is constantly evolving that module:

https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_System_Watcher_ENG.pdf

System Watcher gets smarter

How heuristic analysis and System Watcher work in Kaspersky Internet Security.

www.kaspersky.com

 

[notabot]

Yeah, that's an expectation that will lead to disappointment beyond anything other than commonly-protected against cases.

Apparently Kaspersky System Watcher does monitor for that, sure nothing catches everything but at least one BB is modeled for post-exploit damage control

Edit: Also found

Behavioral Blocking Rules - Panda Security Mediacenter

Panda Cloud Antivirus 1.1 incorporates two types of behavioral protections; behavioral blocking and behavioral analysis. In this post we are going to concentrate on the…

www.pandasecurity.com

e.g.

• Rule 5002: During normal behaviour, Web browsers shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
• Rule 5005: During normal behaviour Web browsers shouldn’t need to execute files from downloaded programs directories. This rule prevents some IE vulnerabilities normally exploited by drive-by downloaders. If you receive an alert, some kind of vulnerability is being exploited

There is post-exploit modelling in BBs - nothing can be complete but it looks like for some vendors it's in their radar.

 

[notabot]

Here some docs about SW, a bit obsolete (bur probably still valid), Kaspersky is constantly evolving that module:

https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_System_Watcher_ENG.pdf

System Watcher gets smarter

How heuristic analysis and System Watcher work in Kaspersky Internet Security.

www.kaspersky.com

Awesome, thanks !

 

[notabot]

Yes some BB systems are able to watch for exploited apps of certain types. DeepGuard is able to do so too, and I’ve seen some tests where they explicitly exploited WinAmp and other outdated apps with known vulnerabilities and many BB’s catch it...

What others are saying is that these sorts of generalizations are very prone to false positives. For example, both rule 5002 and 5005 are generally true except when, say, the browser tries to update yourself. And you can see a lot of these programs, without whitelisting, have false positives to situations like Firefox updating itself (unless you are moving from whitelisted to whitelisted Firefox, in which case you’re also pretty much not getting these BB benefits)

Yes behavior blockers are cool and do provide a very valuable last layer of defense against zero days, but check out the testing in the Malware Hub. Every BB tested has some misses. Malware was designed to evade BB’s too — it’s a constant cat and mouse game.

Do you know if SONAR watches for exploited aps and how good it is at that compared to the other BBs ?

They can only have misses but even if they catch 60% (I pulled that out of thin air, don't know what the numbers looks like) of fresh malware, that's huge compared to 0% in a post-exploit situation. Btw in the hub what have you seen, how much % is the miss approximately for BBs ?

 

[fabiobr]

Behavioral monitoring will be inefficient, if not ineffective, against the latest and greatest application exploits.

Behavioral monitoring cannot be generically applied, otherwise a lot of legitimate safe processes will be blocked. The context matters. So an unknown, first-time process is monitored whereas Chrome and, depending upon any child process and the behavioral protection algorithm, the system might or might not be protected in the case of a Chrome exploit.

System Watcher does that, Eugene explain it in their blog.

SW build a historical event of apps, it's not just the moment behavior. There is too an exploit prevention system that monitors behavior similar to exploit vulnerabilities in apps, it was include after creation of SW (old PDM for exploit prevention module that no longer exists) and they integrated it both adding exploits typical behaviors to SW.

What do the other two do? block unless cleared?

They just block malicious action. SW can rolls back cause it builds a time-line of each application action.

 

[fabiobr]

Yes some BB systems are able to watch for exploited apps of certain types. DeepGuard is able to do so too, and I’ve seen some tests where they explicitly exploited WinAmp and other outdated apps with known vulnerabilities and many BB’s catch it...

What others are saying is that these sorts of generalizations are very prone to false positives. For example, both rule 5002 and 5005 are generally true except when, say, the browser tries to update yourself. And you can see a lot of these programs, without whitelisting, have false positives to situations like Firefox updating itself (unless you are moving from whitelisted to whitelisted Firefox, in which case you’re also pretty much not getting these BB benefits)

Yes behavior blockers are cool and do provide a very valuable last layer of defense against zero days, but check out the testing in the Malware Hub. Every BB tested has some misses. Malware was designed to evade BB’s too — it’s a constant cat and mouse game.

Yes some BB systems are able to watch for exploited apps of certain types. DeepGuard is able to do so too, and I’ve seen some tests where they explicitly exploited WinAmp and other outdated apps with known vulnerabilities and many BB’s catch it...

What others are saying is that these sorts of generalizations are very prone to false positives. For example, both rule 5002 and 5005 are generally true except when, say, the browser tries to update yourself. And you can see a lot of these programs, without whitelisting, have false positives to situations like Firefox updating itself (unless you are moving from whitelisted to whitelisted Firefox, in which case you’re also pretty much not getting these BB benefits)

Yes behavior blockers are cool and do provide a very valuable last layer of defense against zero days, but check out the testing in the Malware Hub. Every BB tested has some misses. Malware was designed to evade BB’s too — it’s a constant cat and mouse game.

You're right, that's why you can't trust only in one layer of protection. Plus cloud to check things.

Do you know if SONAR watches for exploited aps and how good it is at that compared to the other BBs ?

They can only have misses but even if they catch 60% (I pulled that out of thin air, don't know what the numbers looks like) of fresh malware, that's huge compared to 0% in a post-exploit situation. Btw in the hub what have you seen, how much % is the miss approximately for BBs ?

Norton has an anti-exploit module. It's good.

 

[notabot]

You're right, that's why you can't trust only in one layer of protection. Plus cloud to check things.


Norton has an anti-exploit module. It's good.

Thanks for this, if I'm not mistaken the anti-exploit module is the equivalent of WD's exploit guard - what I'm after with the BB is post-exploit protection, ie if the browser is compromised the BB should block it from "unusual behavior"

System Watcher does that, Eugene explain it in their blog.

SW build a historical event of apps, it's not just the moment behavior. There is too an exploit prevention system that monitors behavior similar to exploit vulnerabilities in apps, it was include after creation of SW (old PDM for exploit prevention module that no longer exists) and they integrated it both adding exploits typical behaviors to SW.


They just block malicious action. SW can rolls back cause it builds a time-line of each application action.

System Watcher sounds really good tbh - does SONAR also build a historical record of app behavior to track unusual behavior ( even if it can't roll back )? or this is unique to SW

 

[93803123]

System Watcher does that, Eugene explain it in their blog

They just block malicious action. SW can rolls back cause it builds a time-line of each application action.

The module probably won't stop the latest and greatest exploits.

 

[notabot]

None of the exploit modules do protect against generic exploits. They usually say something along the lines of monitoring "commonly" exploited venues (for example, PDF readers, media players, certain browsers, etc).

For example, I created a simple C++ service that takes a hostname over a TCP port and then pings it, but it has a trivial stack-based buffer overflow that allows an attacker to overwrite the command being executed from "ping" to something of their choice. WD, Emsisoft, and F-Secure don't see anything wrong. I can try additional exploit blockers but from a practical standpoint there is no reasonable way for a third party watchdog service to have byte-by-byte granularity into monitoring processes interactions like this unless you want to run your computer in a glacially slow VM with instruction-by-instruction replay capabilities. (Note that some expensive malware detonator appliances do stuff like this, but you're talking about taking hours to analyze the first minute of execution)

And if a binary was not compiled with hardening enabled at compile time, there's little that can be done at runtime to bolt on hardening without compromising binary compatibility of the program with itself.

What you say is correct but eg compiling something with ASLR, making the stack non-executable in the 00s etc all make apps harder to exploit, or to rephrase, apps would have had many more exploits without them.
They don't/can't completely eliminate exploits but all these measures make it significantly harder to exploit an application and that's what I like about exploit guard, it's not by any means unbreakable but it's good to have, it's effectively hardening of vulnerable apps.

Imo post-exploit BB and exploit-guard like functionalities are both good to have, they complement each other anyhow and anyhow both of them can only be imperfect.

btw to divert momentarily, I'm positive in the future coding standards will evolve due to tools like google/clusterfuzz

and we'll be having fewer and fewer exploits

 

[fabiobr]

Thanks for this, if I'm not mistaken the anti-exploit module is the equivalent of WD's exploit guard - what I'm after with the BB is post-exploit protection, ie if the browser is compromised the BB should block it from "unusual behavior"



System Watcher sounds really good tbh - does SONAR also build a historical record of app behavior to track unusual behavior ( even if it can't roll back )? or this is unique to SW

I don't know if it records too. SONAR relies on Symantec cloud, when Norton product detects an unknown file it send to the cloud for analysis and then comes with the verdict. It's a bit different than SW that has a built in technology (which can be a little heavier than Norton), allowing to full function offline, though asks to KSN too and it's better online.

 

[DeepWeb]

System Watcher is Kaspersky right? Ok then System Watcher because it has the lowest FP rate in the history of AVs.

 

[fabiobr]

Absolutely, and I would add that fine grained sandboxing has gone a long way in addition to hardened runtimes and toolchains.
The point I wanted to highlight was mainly that “exploit monitoring” aspects of behavior blockers is a lot less exciting than the term makes it sound. In reality it’s probably just looking for patterns like Microsoft Word or Acrobat Reader starting scripts or executables.

Overall though I think to answer your original question, you just want to see how well various AV solutions work against zero day or forced dynamic tests. But even that is hard because it seems like especially with SONAR and Emsisoft a lot of the dynamic blocks are still just the cloud reputation saying this binary sucks. You can try writing your own pseudo malware to see how each solution reacts to it but in the real world most malware tends to be variants of existing ones.

Exactly, most of times new malware are build to attack big business, not domestic users. Usually, home user get malware that belongs to a known family. So it's easier to BB detects them, SW get triggered when software begins encrypting some files, for example.

System Watcher is Kaspersky right? Ok then System Watcher because it has the lowest FP rate in the history of AVs.

I think that's because SW was projected to interact with others modules really well and that's why it can reduces FPs.

 

[notabot]

Absolutely, and I would add that fine grained sandboxing has gone a long way in addition to hardened runtimes and toolchains.
The point I wanted to highlight was mainly that “exploit monitoring” aspects of behavior blockers is a lot less exciting than the term makes it sound. In reality it’s probably just looking for patterns like Microsoft Word or Acrobat Reader starting scripts or executables.

Overall though I think to answer your original question, you just want to see how well various AV solutions work against zero day or forced dynamic tests. But even that is hard because it seems like especially with SONAR and Emsisoft a lot of the dynamic blocks are still just the cloud reputation saying this binary sucks. You can try writing your own pseudo malware to see how each solution reacts to it but in the real world most malware tends to be variants of existing ones.

So if I understand correctly, it's only System Watcher that checks if a given binary's behaviour is in line with its past behaviour ? SONAR/Emsi mostly just check cloud reputation of the binary itself ( which I don't really need, all software I install is legit & widely used )

 

[Venustus]

About SONAR

System Watcher in Kaspersky Anti-Virus 2018

The System Watcher component of Kaspersky Anti-Virus 2018 detects malicious activity and allows rolling back such activity

support.kaspersky.com

https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_System_Watcher_ENG.pdf

 

[notabot]

No, all 3 of them work on the same basic principle. They all use their own clouds to determine how closely to watch any binary. If a binary is well known and widely used they all will more or less whitelist and ignore them. Otherwise they will perform behavior monitoring.

SW has more configurable features like the ability to configure it to alert any time you try to use a non trusted app. SONAR IMO has the best cloud because of their larger user base.

I see, so more or less as it currently stands BBs would be fairly useless against an exploited whitelisted/well known app (ie a compromised browser)

 

[notabot]

More or less, yeah. The only exception is that each BB has some sort of “exploit watcher” capability that claims to give extra scrutiny to a small list of hand selected apps such as Office or Powershell.... but that is simply because a lot of well known malware use those exploit paths.

Most dynamic tests how that this capability rarely actually kicks in. Usually what kicks in is an exploited app tries to download some malware and then execution of the malware kicks off an independent scan of that second payload and the AV reacts to that. Whether or not the second payload appeared out of thin air or through an exploited app may weigh in slightly but I don’t expect that to be a major factor.

I see so SONAR/BBs are only useful if the payload runs as its own process, in which case they'll detect it ( ie if it's an exploited browser it doesn't need to be a separate process )

 

[notabot]

In general, yeah. Except (lol there's always exceptions) for the specific category of "fileless" attacks. Fileless has unfortunately turned into a marketing term. Each AV has a proprietary way of defending against "fileless" attacks where something like Powershell or the Windows Scripting Host ingests a malicious payload in memory and starts doing malicious things. However, none of the techniques I've seen are general -- like in my previous example, where I wrote a really dumb TCP service running under the SYSTEM account that could be easily abused remotely to execute arbitrary commands, even harmful ones failed to set anything off.

out of curiosity, since you've already written a small server which is exploitable - if you use WD's Exploit Guard with everything on, is the stack overrun still effective ?

I know if I tried that sequence of operations from a powershell process it probably would've set off a BB.

it's clear thanks, BBs monitor a few dangerous points in the system beyond that it's a 1800s saloon . This is tricky I guess ie this way someone could upload all documents (even CFA in WD is only for editing not for reading) but with OneDrive's latest update using the OneDrive's personal vault is the way to go probably.