How behaviour blocking works

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
Hello guys, some new members are sometimes suggested to add to their configs a product with a BB feature, but what is behaviour blocking? It is simply the ability of a security software to detect malicious/suspicious actions of a specific process in real time and terminate the suspicious process to protect the user. Malicious/suspicious behaviours include registry modifications, encryption methods, internet connection ability, file operations, etc. The BB feature is really powerful but obviously, like all security software, it can sometimes give some false positives. Some products that have BB are: Emsisoft, Avast, Kaspersky (System Watcher), Bitdefender, Norton.

I am not sure if all major security products nowadays have BB, if not then they should include it to increase protection.
 

ChemicalB

Level 8
Verified
Sep 14, 2018
360
Thanks bud for this useful info :)
BB is a good additional security layer that combines the signatures of many security products.
As you say, it can give FPs and unfortunately it is not always effective because, for example, it may block the main process of a ransomware but not the execution of additional secondary code, and in this case, the encryption process can be unstoppable.
 

Nevi

Level 11
Verified
Top Poster
Well-known
Apr 7, 2016
500
I could be wrong, but I think an antimalware product today needs some kind of BB to run with the big guys. Or at least a heuristic-based behavior engine. The black hats are simply too good today for an old-fashioned product with just signatures.
 

Eddie Morra

"Behaviour Blocker" is a fancy name for dynamic protection capabilities... you can rely on a vendor whose services are complemented with behavioural-based protection aimed at protecting the client from new malicious software without having any component explicitly named as a "Behaviour Blocker" (UK) / "Behavior Blocker" (US).

Contrary to beliefs from many on the forums, ESET has behavioural-based protection against new malicious software, but they do not buy into the "Behaviour Blocker" marketing, which means misinformed hobbyists end up disrespecting them as a vendor online, making all sorts of claims from them being a signature-only solution to not being able to prevent any attacks based on dynamic-based monitoring. To elaborate further, ESET have in-product sandboxing, botnet protection, exploit protection and ransomware protection. I'd love to find out whether some of the other vendors which are heavily promoted on the forums because of marketing decisions have features like emulation support or exclusive botnet protection through network filtering.

References:
https://cdn1.esetstatic.com/ESET/INT/Docs/Others/Technology/ESET-Technology-2017.pdf
Exploit Blocker | ESET NOD32 Antivirus | ESET Online Help
What is the Host-based Intrusion Prevention System (HIPS) in ESET Windows home products?

Bottom-line: any dynamic capabilities are vendor-dependent - vendor A and B may do the same or similar things to vendor C and D but vendor B might not be into the "Behavior Blocker" marketing, but this doesn't mean that vendor B has no behavioural-based protection.

Malicious/suspicious behaviours include registry modifies, encryption methods, internet connection ability, files operations, etc.
None of the aforementioned activities are "malicious" behaviours on their own - it merely depends on how X, Y or Z is being used. X, Y or Z might be used by 10,000 genuine and clean programs without any malicious intent, but it may also be used by 20,000 malicious programs to cause harm. You need to understand what is going on to determine whether usage of X, Y or Z is malicious or not.

Would a program automatically be "malicious" or "suspicious" for encrypting logs on-disk and decrypting them in-memory when the program needs to use them, or for using a documented cryptography API to hash with SHA-1, SHA-256 or SHA-512? It depends on whether the end-result is damages to the user, and the important factor in all of this would be whether malicious intent was present. Without being able to prove that malicious intent, and especially if you had signed any Terms and Conditions which complied with the law and explained your rights when it comes to things like responsibility/consequences and warranty, you can throw the whole case out the window because blaming someone for the damages and getting any compensation out of it will be tricky and will probably end up being a waste of time and money on your end.

Encrypting content in itself is not malicious and is quite common for companies who try and protect their Intellectual Property or anything sensitive such as user credentials. At the same time, encrypting content which if encrypted would harm the user (and let's not forget about the malicious intention being applied to this as well otherwise it would have been an accidental bug from a genuine and non-rogue author) would be malicious.

The use of networking features (e.g. using an active internet connection to download content from online to the local machine) is in itself not malicious by default either - and the same goes for registry modifications or general file system operations - although the use of networking features can be abused by someone who does have malicious intent. An example of what a threat actor could do if they have access to the local environment and are intending to do harm, would be using up the network bandwidth to perform DDoS attacks (e.g. botnet activity), or downloading other malicious software via the internet.

Bottom-line: the context is extremely important and blindly forgetting about it would be a mistake.
 

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
Yes, surely those activities can be considered suspicious or not. It depends on what a process is doing. However, welcome back! :)
 
