Kaspersky Internet Security - System Watcher only, no KSN - ransomware test
[QUOTE="Wave, post: 589393"]
I'm not quoting this to complain about what you said, I don't really mind, I just wanted to add some detail since I know a select few like reading those sort of internal posts I make sometimes.

The security product won't suspend a program during its run-time to "analyze" it; it does this when the program is starting up (they register a callback from kernel-mode called PsSetCreateProcessNotifyRoutineEx) via a callback for the notification, and then they proceed to scan the PE representing that program (chances are it won't do this from kernel-mode, but work with IPC to notify a user-mode service running under SYSTEM to perform the scanning).

During the program's execution, if it's being monitored for behavioral analysis, the API calls will be detoured (not all, but the selected ones supported for the feature in the scope of the monitoring) and this information will be logged. When an alert is presented, it will then suspend the process - it'll be resumed if it is allowed, and if it should be terminated then the security product will work with IPC to make the program call ExitProcess, or it will connect to the kernel-mode driver and have it shut down the process (and then continue with the quarantine plan, etc.).

In actual fact, you cannot "suspend" a process - you suspend the threads within the process; this means that when NtSuspendProcess is called, it'll lead to the threads being suspended. The process is essentially a "container" for the process' threads, the same way that the body is the protector of the heart - the heart allows it to function through pumping blood through the body... whereas the threads cause the functionality for the process. ;)
[/QUOTE]
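As an added illustration of the thread-level suspension Wave describes (this is not code from the post or from any security product), the following PowerShell script starts a throwaway Notepad process, suspends it through the same NtSuspendProcess export the post names, and lists the resulting per-thread state. It assumes Windows PowerShell 5.1 or later and notepad.exe on the path; NtSuspendProcess and NtResumeProcess are undocumented ntdll exports, so the P/Invoke signatures are an assumption.

```powershell
# Added example (not from the post): show that "suspending a process" is really
# suspending each of its threads. Assumes Windows PowerShell 5.1+ and notepad.exe.
# NtSuspendProcess/NtResumeProcess are undocumented ntdll exports (assumed signatures).
Add-Type -Namespace Demo -Name Ntdll -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
'@

function Get-ThreadStates {
    param([System.Diagnostics.Process]$Process)
    $Process.Refresh()   # re-read the thread list and per-thread state from the OS
    $Process.Threads | ForEach-Object {
        # WaitReason throws unless the thread is actually in the Wait state, so guard it
        $reason = if ($_.ThreadState -eq 'Wait') { $_.WaitReason } else { $null }
        [pscustomobject]@{ ThreadId = $_.Id; State = $_.ThreadState; WaitReason = $reason }
    }
}

$p = Start-Process notepad.exe -PassThru
Start-Sleep -Seconds 1     # give the process time to create its threads
try {
    "Before suspend (process has no 'suspended' flag of its own):"
    Get-ThreadStates $p | Format-Table -AutoSize

    # Process.Handle is opened with full access for a process we started ourselves,
    # which includes PROCESS_SUSPEND_RESUME.
    $status = [Demo.Ntdll]::NtSuspendProcess($p.Handle)
    if ($status -ne 0) { throw ("NtSuspendProcess failed, NTSTATUS 0x{0:X8}" -f $status) }

    "After suspend (every thread should now report Wait / Suspended):"
    Get-ThreadStates $p | Format-Table -AutoSize
}
finally {
    # Always resume and clean up the throwaway process, even if the demo fails midway
    [void][Demo.Ntdll]::NtResumeProcess($p.Handle)
    Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
}
```

The second table is the point: nothing on the process object changes, but each thread moves to ThreadState Wait with WaitReason Suspended, which is exactly what a security product's "suspend" decision amounts to.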