Andrew3000

Level 6
Verified
Malware Tester
Yes, it would seem that Eset have introduced the BB. There is no possibility to customize it (only exclusions). Probably, being a new feature, it will not be the best BB choice. The effort they made introducing it is to be appreciated, however; I am sure that they will do everything to improve it day by day.
There is no such thing as a "proven" behavior blocker. Any behavior blocker is destined to eventually fail if you put it up against enough samples. It's a hit and miss every single time you run a sample. The only thing you're going to find when asking for a "proven" behavior blocker is a "he said" and "she said" game. One word against someone else's. What is the point of that and how is it productive? It's not.

It's all fun and games when you're running samples the AV KNOWS is unknown/new or untrusted on its cloud network but what happens when an exploit is used and a safe, genuine and common program is abused for malicious purposes?

I'm just saying, it doesn't take a genius to get a high detection ratio with unknown malware when the attack chain in the test is limited to just running samples which are relatively new, untrusted on the cloud network. There's more effective testing methodologies out there to really learn the strengths and weaknesses of a particular product, but you've got to be willing to learn and spend the time to do the necessary work.

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
There is no such thing as a "proven" behavior blocker. Any behavior blocker is destined to eventually fail if you put it up against enough samples. It's a hit and miss every single time you run a sample.
It's true. The best BB will eventually miss something. However, better BBs from trustworthy vendors will save users from most infections.
If an AV has other great components that block most malware before execution, its BB has to work a lot less frequently.

It seems to me that Kaspersky is the best overall AV (in terms of protection only). It's great at everything, except it's poor against adware and PUPs.
Emsisoft also has an equally good BB as Kaspersky, sometimes better, sometimes worse, but its other shields are not great. Its BB usually has to work extra hard.
It seems to me that Kaspersky is the best overall AV (in terms of protection only). It's great at everything, except it's poor against adware and PUPs.
Emsisoft also has an equally good BB as Kaspersky, sometimes better, sometimes worse, but its other shields are not great. Its BB usually has to work extra hard.
Kaspersky are using hardware-isolation technologies on their banking protection which naturally allows them to do more than Emsisoft can in that regard. IMO, Kaspersky's Application Control is superior to Emsisoft's BB.

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
Kaspersky are using hardware-isolation technologies on their banking protection which naturally allows them to do more than Emsisoft can in that regard. IMO, Kaspersky's Application Control is superior to Emsisoft's BB.
Kaspersky's Application Control is a kind of cloud-assisted HIPS, so it's not really classified as a BB.
A BB is almost always automated, while a HIPS is user- or cloud-dependent.
It's definitely superior only if the user knows how to use it. In the default settings, all unknown (unrated) files will be classified in the "Low Restricted" category -> to which KIS won't do anything, basically very minimal restrictions,
unless the user unchecks "Select Action Automatically" -> then the HIPS will be effective and start prompting.
Kaspersky's Application Control is a kind of cloud-assisted HIPS, so it's not really classified as a BB.
A BB is almost always automated, while a HIPS is user- or cloud-dependent.
It's definitely superior only if the user knows how to use it. In the default settings, all unknown (unrated) files will be classified in the "Low Restricted" category -> to which KIS won't do anything, basically very minimal restrictions,
unless the user unchecks "Select Action Automatically" -> then the HIPS will be effective and start prompting.
Pstttt... there's a vendor called Webroot with an absolutely amazing BB. Just kidding. Gotcha. I bet you were "WT*'ng" in your mind as you read the beginning.

Andy Ful

Level 49
Verified
Trusted
Content Creator
Behavior Blocker is an outdated technology. The best AVs use Behavior Monitoring as a part of AI-based protection with Deep Learning. So even when the malware is detected due to the crucial information from the Behavior Monitoring module, the user will not be informed about it.
Behavior Blocker is an outdated technology. The best AVs use Behavior Monitoring as a part of AI-based protection with Deep Learning.
I'm sorry but that is simply false.

"Behavior Blocker" is a marketing gimmick.

You can implement technologies like ML to process recorded behavior in a "Behavior Blocker" and it won't make it any less of a "Behavior Blocker" or any more of one. At the end of the day, ML/AI is still pattern matching.

There is no "best" AV - it solely depends on your personal requirements.

So even when the malware is detected due to the crucial information from the Behavior Monitoring module, the user will not be informed about it.
What would be the point in monitoring behavior and never doing anything about it once a certain threshold has been met? Please name a vendor which monitors behavior and literally supports doing absolutely nothing regardless of what is done by the sample - provide evidence of the monitoring to verify the claims alongside.

Andy Ful

Level 49
Verified
Trusted
Content Creator
I'm sorry but that is simply false.

"Behavior Blocker" is a marketing gimmick.

You can implement technologies like ML to process recorded behavior in a "Behavior Blocker" and it won't make it any less of a "Behavior Blocker" or any more of one. At the end of the day, ML/AI is still pattern matching.


There is no "best" AV - it solely depends on your personal requirements.


What would be the point in monitoring behavior and never doing anything about it once a certain threshold has been met? Please name a vendor which monitors behavior and literally supports doing absolutely nothing regardless of what is done by the sample - provide evidence of the monitoring to verify the claims alongside.
You probably do not understand my post, and I am afraid that I do not understand yours.
We probably use different definitions of Behavior Blocker.
The classic Behavior Blocker is a separate module that can block processes which are defined as suspicious, like the below from the old Symantec article:
  1. Attempts to open, view, delete, and/or modify files;
  2. Attempts to format disk drives and other unrecoverable disk operations;
  3. Modifications to the logic of executable files, scripts or macros;
  4. Modification of critical system settings, such as start-up settings;
  5. Scripting of e-mail and instant messaging clients to send executable content; and,
  6. Initiation of network communications.
Such a Behavior Blocker can suspend the program's activity and alert about suspicious behavior. Because of many false positives, it can be supported by cloud verification to get a clear indication that a program is safe or malicious.
It is an outdated technology, because it is separated from other AV modules and the user often has to make decisions to allow/block the suspicious behaviors. That is why most AVs today do not use such Behavior Blockers. Modern AV technology relies on machine learning behavior models which can integrate information from many AV modules in the process of learning.
For example, Eset uses DNA Detections, Kaspersky uses heuristic-based Behavior Engine.
Here is a fragment from the Kaspersky article, which can show the difference:
"Behavioral Engine component benefits from ML-based models on the endpoint to detect previously unknown malicious patterns in addition to behaviour heuristic records. Collected from different sources, system events are delivered to the ML model. After processing, ML model produces a verdict if the analysed pattern is malicious. Even in the case of a non malicious verdict, the result from the ML model is then used by Behaviour heuristics, which in turn could also flag the detect."

Of course one could name this Behavior-Blocker too, but AV vendors avoid such description.
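As an added example (not code from any post in this thread, nor any vendor's engine), a toy Python model of the classic Behavior Blocker described above: the six Symantec categories as weighted rules, a suspension threshold, and the cloud-verification step that resolves the alert instead of prompting the user. The weights, threshold, process names and event trace are all constructed for illustration.

```python
from collections import defaultdict

# Weight per suspicious-behaviour category (assumed, illustrative values); the six
# categories follow the Symantec list quoted above.
RULE_WEIGHTS = {
    "file_modify": 1,        # 1. open/view/delete/modify files
    "disk_format": 5,        # 2. format drives, unrecoverable disk operations
    "exe_patch": 4,          # 3. modify logic of executables, scripts, macros
    "startup_change": 3,     # 4. change critical system settings (start-up)
    "mail_script_send": 4,   # 5. script e-mail/IM clients to send executables
    "network_init": 2,       # 6. initiate network communications
}
BLOCK_THRESHOLD = 6          # assumed: suspend the process at this score
# Constructed stand-in for a cloud verification service (vendor reputation data).
CLOUD_REPUTATION = {"backup.exe": "safe"}

def score_events(events):
    """Accumulate a suspicion score per process over (process, category) events."""
    scores = defaultdict(int)
    for proc, category in events:
        scores[proc] += RULE_WEIGHTS.get(category, 0)  # unknown category: benign
    return dict(scores)

def decide(events, reputation=CLOUD_REPUTATION):
    """Classic BB decision: below threshold allow; at threshold suspend, then let
    cloud verification settle it or fall back to prompting the user."""
    verdicts = {}
    for proc, score in score_events(events).items():
        if score < BLOCK_THRESHOLD:
            verdicts[proc] = "allow"
        elif reputation.get(proc) == "safe":
            verdicts[proc] = "allow (cloud: safe)"       # false positive resolved
        elif reputation.get(proc) == "malicious":
            verdicts[proc] = "block (cloud: malicious)"
        else:
            verdicts[proc] = "suspend + prompt user"     # the classic BB alert
    return verdicts

# Constructed event trace: a backup tool and an unknown program behave similarly.
SAMPLE_EVENTS = [
    ("backup.exe", "file_modify"), ("backup.exe", "file_modify"),
    ("backup.exe", "network_init"), ("backup.exe", "startup_change"),
    ("invoice.exe", "exe_patch"), ("invoice.exe", "startup_change"),
    ("invoice.exe", "network_init"),
    ("notepad.exe", "file_modify"),
]
if __name__ == "__main__":
    for proc, verdict in decide(SAMPLE_EVENTS).items():
        print(f"{proc:12} -> {verdict}")
```

The backup tool crosses the same threshold as the unknown program, which is exactly the false-positive problem the post says cloud verification exists to absorb.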
@Andy Ful

"Behavior Blocker" is normally used as a marketing gimmick.

Any AV technology which has the ability to dynamically block the behavior of executable code on the environment constitutes "behavior blocking technology" because it is blocking behavior.

People can have their own interpretations of the terminology due to what they are used to when vendors explicitly use the marketing gimmick, but it doesn't change the fact that "behavior blocking" is the act of blocking behavior (whether specified as a rule by the user as part of a HIPS solution, automatically decided by the use of unsupervised ML which has generated information on how a particular program works over the duration of weeks in order to differentiate between the type of behavior it should allow or disallow, or specified by manually-planted algorithms).

"Behavior Blocking" is not outdated technology. Dynamic heuristics, sandboxing, etc. are all forms of "Behavior Blocking".

1. Dynamic heuristics might monitor what a program does and then decide it needs to be quarantined. Actions may have already occurred, but future actions have been prohibited. Behavior of the application which would have taken place at a later date has been blocked because the application was blocked in the end.

2. Sandboxing. Actions may be blocked entirely or slightly changed for redirection. In the event of redirection, the originally desired behavior was blocked in exchange for similar behavior which still allows the software requesting to do X, Y or Z to feel comfortable.

3. HIPS. The end user might be able to specify the type of behavior to be blocked or it might be automated for them with pre-configured rules (which may or may not even be tweakable). It's still a form of "behavior blocking".

The term "behavior blocking" refers to the blocking of behavior. It's been used as a marketing gimmick by several to refer to specific things but this doesn't eradicate the meaning of the words "behavior" and "blocking" or "blocking" and "behavior". If you're blocking behavior then you constitute a "behavior blocker", irrespective of how much behavior you support blocking of or how you manage to achieve it. If behavior is being blocked, it's behavior blocking.

Capisci?
If you try and smuggle illegal substances onto a boat which is going to be sailing abroad and you are stopped by the security guards because a sniffer dog ratted you out, that is a form of behavior blocking. Your behavior - smuggling drugs - has been identified and you've been caught so your behavior is now prohibited from continuing and going on any further.

That's a pretty good analogy that doesn't involve the typically used go-to analogy of cars on this forum. Drug smuggling sounds much more exciting.

If I write a program and it is allowed to run, any AV technology which blocks that application from continuing to run due to the identification/interception of certain behavior qualifies as behavior blocking technology. It would still qualify as behavior blocking technology if it supported blocking of specific actions and not only the entire program from continuing to run... irrespective of how this was achieved.

If behavior is blocked then it is behavior blocking technology.

Nada more to be discussed on this.

Two birds with one stone. Pam. Bam!

Haters gonna hate.