Which is the best behavioral blocker

  • DeepGuard: 4 votes (5.9%)
  • SONAR: 29 votes (42.6%)
  • System Watcher: 35 votes (51.5%)
  • Total voters: 68
  • Poll closed.
notabot

Level 15
Yep, changing WD security settings has no impact on the exploit working. Things like DEP, ASLR and stack guards only work against specific forms of vulnerabilities.
Just as a basic example: if you allocate a struct on either the stack or the heap that contains a mix of function pointers and buffers, and then allow for a buffer overflow such that a buffer can spill onto a neighboring pointer within the same struct, there is almost nothing that can be bolted onto this after compilation that will guard against this attack. There is a new wave of technologies like authenticated pointers which can help mitigate these attacks, but that is something that requires the program writer to opt into at compile time and dramatically changes code generation.

Things that you can change at runtime are things like whether or not you allow the stack to contain code, how randomized malloc results are, and so on. They help guard against a different set of attacks.

(BTW my background is in system security through proactive security technologies and system design; BBs and such represent a last line of defense if I have failed at my job!)
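The struct layout notabot describes, as an added example that is not code from the thread: a fixed-size name buffer sits directly in front of a function pointer inside the same object, so an unchecked copy into the buffer rewrites the pointer without touching a return address, a canary or a non-executable page. The `struct job` type, the `set_name_*` functions and the all-'A' payload are constructed for this illustration; the only real-world assumption is that the compiler lays the two fields out in declaration order, which every mainstream C ABI does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: a 16-byte name followed by a callback pointer.
 * On a 64-bit target on_done starts at offset 16 of the same object. */
struct job {
    char name[16];
    void (*on_done)(struct job *);
};

static void default_done(struct job *j) { (void)j; }

/* Vulnerable copy: the bound comes from the caller-supplied length.
 * The bytes are written through a pointer to the whole object so the
 * demonstration stays defined behaviour; the memory effect is identical
 * to an unchecked memcpy/strcpy into j->name that runs past its end. */
static void set_name_unchecked(struct job *j, const unsigned char *src, size_t len)
{
    unsigned char *obj = (unsigned char *)j;
    size_t room = sizeof *j - offsetof(struct job, name);
    if (len > room)
        len = room;                      /* never leave the object itself */
    memcpy(obj + offsetof(struct job, name), src, len);
}

/* Hardened copy: the bound is the destination size, and oversize input is
 * rejected rather than silently truncated. */
static int set_name_bounded(struct job *j, const unsigned char *src, size_t len)
{
    if (len >= sizeof j->name)
        return -1;
    memcpy(j->name, src, len);
    j->name[len] = '\0';
    return 0;
}

/* 1 if the callback no longer points at default_done (pointer compared, not called). */
static int callback_corrupted(const struct job *j)
{
    return j->on_done != default_done;
}

/* Feed len bytes of 'A' (constructed payload) to the unchecked copy.
 * Returns 1 when the callback pointer was overwritten. */
int unchecked_corrupts(size_t len)
{
    unsigned char payload[64];
    struct job j = { "worker", default_done };
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    set_name_unchecked(&j, payload, len);
    return callback_corrupted(&j);
}

/* Same payload through the bounded copy.
 * Returns 1 when the input was rejected and the callback left intact. */
int bounded_rejects(size_t len)
{
    unsigned char payload[64];
    struct job j = { "worker", default_done };
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    return set_name_bounded(&j, payload, len) != 0 && !callback_corrupted(&j);
}

int main(void)
{
    /* 24 bytes: 16 fill name, the next 8 land on on_done */
    printf("unchecked copy, 24 bytes: callback corrupted = %d\n", unchecked_corrupts(24));
    printf("unchecked copy,  8 bytes: callback corrupted = %d\n", unchecked_corrupts(8));
    printf("bounded copy,   24 bytes: rejected           = %d\n", bounded_rejects(24));
    printf("bounded copy,    8 bytes: rejected           = %d\n", bounded_rejects(8));
    return 0;
}
```

Nothing in this program ever executes the corrupted pointer; the point is only that the value changed, which is exactly what a bolt-on runtime mitigation cannot see. Build it with `-fstack-protector-all` and `-D_FORTIFY_SOURCE=2` and the unchecked path still reports the pointer as corrupted: the write never crosses a canary and the fortified memcpy cannot know the intended bound because the code never expressed one.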
I'm not a security person but I'm fairly familiar with C/C++ and the internals of executables (at least for intel processors)

onto a neighboring pointer within the same struct
Within the same struct it's entirely unnoticeable indeed, as the semantics could well be non-malicious; no BB can know that.

But while a heap-based attack like this is unnoticeable, a stack-based attack where the return address is overwritten can be detected (?), e.g. I can't think of any C++ dev whose coding practices include going beyond the bounds of an array to overwrite the return address. The semantics here are clearly malicious.

how randomized malloc results are
Not to remove the bite from the other attacks, but I'd imagine this is fairly important for overflows. For the example you mentioned, where the overwrite is in the same struct, nothing can be done, but to reverse the argument, if all malloc results were deterministic/known, exploiting other structs would be trivial. I'd call this progress.

I think we're on the same page, though e.g. I expected the old-school stack-based attacks to be detectable, as overwriting a return address at runtime can only be malicious.

I just remembered: back in the day when the stack was executable, a junior had by mistake self-inserted a stack-based buffer overrun on a string, which he "fixed" by adding one more variable (whose value was overwritten instead of the return address) :')

notabot

Level 15
Detection of stack-based attacks is still hard, and trust me, I’ve written at least one major OS’s implementation of return control-flow hijacking detection ;)

No processor architecture allows sampling every function return and control-flow change in order to track them. Some toolchains allow emitting jump and return checkers that their C runtimes can implement, but they can be extremely performance-penalizing. And once again, without processor-level features like authenticated jump and return instructions it is still possible to detect.
Also, the format of a stack frame is very much dependent on the compiler and optimizer, especially in user space. And no processor has enough watchpoints that you can realistically introspect every single attempt to overwrite what looks like a frame pointer.

BTW no behavior blocker does any of this kind of checking. This is the job of the OS, the C/C++ runtime, and the compiling toolchain. Windows Defender now “owns” a lot of the runtime hardening settings that used to be tucked away in other Windows preferences, but that IMO is not to be considered a behavior blocker. In general a behavior blocker is looking at process-to-outside interactions: syscalls, inter-process communication attempts, accesses to resources like the network and filesystem and registry, etc. Even exploit detectors are really looking for external behavior of a process. None of them monitor the internals of a process.
Thanks, very good post, and what you say makes sense. If the return address is not exposed in a reasonable manner by the processor, monitoring overwrites becomes a pita (though given that this has been a well-known issue for 20 years now, maybe even more, they should have done something about it).

notabot

Level 15
Hey, on the bright side, things are being done! For a few years now, ARM has defined a spec and made a handful of CPUs that support authentication in both the jump and return directions. Changes like that don’t happen overnight, especially since few customers tolerate the idea that they switch to incompatible CPU architectures every 2-3 years and leave all older programs behind!
Does Intel plan something similar?
They are clearly doing security-related work, i.e. SGX is very interesting for remote attestation and for holding in-enclave-memory keys etc., but I haven't come across anything related to execution security.

BVLon

Level 1
System Watcher & SONAR are both better than DeepGuard. Personally I like System Watcher more. It's excellent against unknown malware, not in any way online-dependent, and can roll back malicious actions. The other two don't have a roll-back feature as far as I'm concerned.
Wrong. SONAR does include rollback action and sandboxing functionality, and it had them long before Kaspersky even thought about adding them.
I tested System Watcher with malware that exhibits self-termination, and System Watcher restores the initial file that contains the infection. It is powerful, but not smart enough. SONAR, on the other hand, wipes off all components and reverts all actions. SONAR is also powered by thousands of behavioral profiles.
You can read more here: Star Malware Protection Technologies | Symantec

I think SONAR is the clear winner here.
Don't forget that over the years, Symantec acquired multiple companies whose heritage is now behind SONAR. The first one was WholeSecurity. The second one was PC Tools with their infamous ThreatFire. It's not like they started from scratch without any know-how.
F-Secure DeepGuard is also an old & well-established technology. If their whitepapers are correct, they've had behavioural blocking long before everyone else (2006). Symantec introduced behavioural blocking in June 2008 with the Norton 2009 beta after it had been 3 years in the making.
This was followed by Bitdefender's Active Virus Control and Intrusion Detection components (1-2 months after SONAR), later renamed to Active Threat Control and now Advanced Threat Detection. This was followed by AVG (Q1 2009). https://download.bitdefender.com/resources/files/Main/file/active_virus_control_wp.pdf
SONAR, DeepGuard and ATD are designed to be your first layer of unbeatable defense and rarely even need to roll back anything, as they block dodgy executables and command lines right away. System Watcher is designed as a last resort, when everything else has failed.

AVG with AVG Identity Protection, formerly known as Norton AntiBot developed by Sana Security, was first added as a standalone program available only with AVG Internet Security 8.5, completely integrated in AVG 9 or 10, and then it was made available in the free version as well.
Kaspersky's System Watcher popped up years after, around 2012-13 if I am not mistaken. Kaspersky did not underdevelop it, however, and it is considered to be on par with the rest.
These companies were the first to introduce behavioural blocking and as a result all of them + Avast, which now owns AVG, have very capable behavioural blockers.
I won't necessarily pick one over the other; all of them are now very old, polished and effective.

GData, Avira and McAfee are amongst the last players in this field, with questionable behavioural blockers. I don't think any of them will do the job properly, except Avira maybe. TrendMicro was good before, not sure how it's doing nowadays. I also have no historical data about them, nor have I ever been interested in using them. Panda has long had TruPrevent (2006 as well, if I am right), but in my tests it never really performed well and Panda doesn't rely on it heavily. Much like Webroot's Infrared, Panda is more reputation-focused.

BVLon

Level 1
BVLon Nice insights on behavioral blockers functions and history. Thanks for sharing.
Welcome bro

@BVLon to complete your historical post about BBs, you forgot Mamutu from Emsisoft (which is now incorporated into Emsisoft AM). It was a standalone, very efficient BB like ThreatFire; it was in 2007-2008 if I recall well and already integrated cloud (community) lookup.
Erm, I didn't really know anything about Mamutu apart from its name. I've heard that it's quite good. Might put it to a test tonight.

BVLon

Level 1
ThreatFire 2007, ahhh, such good memories of the insecure Windows XP. ThreatFire was amazing till Symantec killed it.
It was doable, but not amazing. It was quite flexible though; we had 5-6 levels of aggressiveness. It was also damn light.
It was capable of deterring users from Norton. From a business point of view it was best that they chuck it in Norton and get it over with lol
I strongly believe that SONAR is mostly ThreatFire.


++++Update

I've finished testing Mamutu, it's just as effective as SONAR. I rarely actually say that. I've seen some Emsisoft guys here in this forum before, if anyone is reading, CONGRATS lol.
I can highly recommend Emsisoft AM.

Umbra

Level 25
Verified
I've finished testing Mamutu, it's just as effective as SONAR. I rarely actually say that. I've seen some Emsisoft guys here in this forum before, if anyone is reading, CONGRATS lol.
I can highly recommend Emsisoft AM.
Sadly Mamutu (as a standalone BB) and another very powerful tool (Online Armor) were abandoned because of lack of sales to finance their development.

BVLon

Level 1
Sadly Mamutu (as a standalone BB) and another very powerful tool (Online Armor) were abandoned because of lack of sales to finance their development.
Yeah, they dumped the firewall for cost-cutting, although it doesn't really require any updates. This indicates poor sales. Mamutu as a standalone blocker is useless. That would target a small audience of very advanced users, who combine different solutions... On top of declining Windows-device sales, who needs to waste resources on that? And Emsisoft is not really a popular company either.

Burrito

Level 22
Verified
I've finished testing Mamutu, it's just as effective as SONAR. I rarely actually say that. I've seen some Emsisoft guys here in this forum before, if anyone is reading, CONGRATS lol.
I can highly recommend Emsisoft AM.
Yeah, I was just thinking about trying old Mamutu on an old computer.

But as Umbra points out...

Sadly Mamutu (as a standalone BB) and another very powerful tool (Online Armor) were abandoned because of lack of sales to finance their development.

*****and Umbra from a separate conversation*****
I think the licensing validation is not functioning anymore for abandoned software, on top of that I'm not even sure you will access the community network and the BB rules will be probably obsolete.

Try in a VM first.
And Umbra does seem to know Emsisoft products about as well as anybody here (not including Fabian).

Probably best not to get any ideas about using Mamutu.

HarborFront

Level 48
Verified
Content Creator
@BVLon

Since you are testing BB can you do some tests with 'Multi-process malware'


Quote from the above link

The infection appears to be targeting multi-core machines and has so far evaded most behavioral and some simple threat detection tools....

Code- or signature-based approaches have proved just as ineffective as heuristic analysis.

Unquote

Can you post the results of your tests here with the various BBs for comparison?

Thanks

SeriousHoax

Level 18
Verified
Malware Tester
I've finished testing Mamutu, it's just as effective as SONAR. I rarely actually say that.
It's very good indeed, but the main problem of Emsisoft's behavior blocker is that it's extremely sensitive. Almost everything is suspicious to it and it relies heavily on cloud whitelisting. If a user only uses very popular apps he/she might not face any issues, even though Emsisoft had problems with Firefox quite a few times last year alone. You may not notice this by using it for a day or two, but if you start installing not-so-popular apps and updates then you will see this.

Umbra

Level 25
Verified
It's very good indeed, but the main problem of Emsisoft's behavior blocker is that it's extremely sensitive. Almost everything is suspicious to it and it relies heavily on cloud whitelisting. If a user only uses very popular apps he/she might not face any issues, even though Emsisoft had problems with Firefox quite a few times last year alone. You may not notice this by using it for a day or two, but if you start installing not-so-popular apps and updates then you will see this.
Because BBs rely first on predefined rules, if a program acts like malware or against a predefined rule (which happens more often than not) the BB will kick in, hence the reliance on cloud lookup to discard "false positives".
All BBs need cloud lookup/reputation; even the first iteration of Emsisoft's BB (Mamutu, 13 years ago) already relied on it. It was called "Community lookup", where people's choices on the alert were catalogued.

SeriousHoax

Level 18
Verified
Malware Tester
Because BBs rely first on predefined rules, if a program acts like malware or against a predefined rule (which happens more often than not) the BB will kick in, hence the reliance on cloud lookup to discard "false positives".
All BBs need cloud lookup/reputation; even the first iteration of Emsisoft's BB (Mamutu, 13 years ago) already relied on it. It was called "Community lookup", where people's choices on the alert were catalogued.
I know about this, but it's more sensitive and prone to more false positives than most other products.

BVLon

Level 1
@BVLon

Since you are testing BB can you do some tests with 'Multi-process malware'


Quote from the above link

The infection appears to be targeting multi-core machines and has so far evaded most behavioral and some simple threat detection tools....

Code- or signature-based approaches have proved just as ineffective as heuristic analysis.

Unquote

Can you post the results of your tests here with the various BBs for comparison?

Thanks
I'll try and obtain a sample of that. In my practice, I've seen a lot worse being blocked, so I doubt this will be an issue, but let's see.

It's very good indeed, but the main problem of Emsisoft's behavior blocker is that it's extremely sensitive. Almost everything is suspicious to it and it relies heavily on cloud whitelisting. If a user only uses very popular apps he/she might not face any issues, even though Emsisoft had problems with Firefox quite a few times last year alone. You may not notice this by using it for a day or two, but if you start installing not-so-popular apps and updates then you will see this.
I don't think that this software is targeting grandpas and teenagers... It's mostly for advanced users and it needs to be coupled with a good firewall.

Because BBs rely first on predefined rules, if a program acts like malware or against a predefined rule (which happens more often than not) the BB will kick in, hence the reliance on cloud lookup to discard "false positives".
All BBs need cloud lookup/reputation; even the first iteration of Emsisoft's BB (Mamutu, 13 years ago) already relied on it. It was called "Community lookup", where people's choices on the alert were catalogued.
You just can't have it all. Either it's gonna be effective and over-sensitized, or it's gonna be quiet and sleeping all the time.