It was a joke. The ending of the post was a joke including the pam bam and the two birds with one stone part. I apologize if it was taken to heart by anybody, that was not my intention.Please do not assume haters will reply to this thread, To do so would constitute a form of tangential or preemptive behavior blocking, which is unnecessary as there is absolutely no hating on this forum!
Suites with Proven Behavior Blockers that you Trust and Recommend
- Thread starter SearchLight
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Dec 23, 2014
- 8,510
Veloce,
In the wide sense, any AV detection which is not based on pure signatures can be called behavior block. But, the Behavior Blocker module is usually used in more specific meaning.
I am afraid that your meaning of Behavior Blocker is not the same as that used by SearchLight who started this thread. Also, the AV vendors do not use such meaning because of the collision with the classic definition of Behavior Blocker.
So, with all respect to your conviction, I will stick with mine.
In the wide sense, any AV detection which is not based on pure signatures can be called behavior block. But, the Behavior Blocker module is usually used in more specific meaning.
I am afraid that your meaning of Behavior Blocker is not the same as that used by SearchLight who started this thread. Also, the AV vendors do not use such meaning because of the collision with the classic definition of Behavior Blocker.
So, with all respect to your conviction, I will stick with mine.
- Mar 29, 2018
- 7,613
And mine was meant to be light-hearted! No offense taken.
That is perfectly fine.So, with all respect to your conviction, I will stick with mine.
However, the English language is the English language.
In the English language, "behavior blocking" refers to the act of blocking behavior, however that is done.
Therefore, regardless of how certain AV vendors decide to name things or people's personal interpretation of the two words combined, it factually refers to the act of blocking behavior. Behavior can be blocked in many different ways. The definitions in the English language do not state that for "behavior blocking" to be referred to correctly, the behavior must be blocked in a specific manner.
You've stolen my heart. Marry me?
- May 16, 2018
- 1,363
Please do not assume haters will reply to this thread, To do so would constitute a form of tangential or preemptive behavior blocking
Hating is not allowed. (Except directed at Webroot.)
Message board behavior block hating is the worst.
Hating is NOT allowed...
I HATE the haters... oh wait...
- Mar 29, 2018
- 7,613
What's Webroot? Reminds me of Pooproot. Typo?
Pooproot. It's a poop residing at your roots.
When you least expect it, the root decides to shoot.
It's not a beam of light and it's not a ball of fire.
It's ransomware straight from Pooproot's hacked servers or your system files as the target.
Last edited:
- May 16, 2018
- 1,363
Last edited:
- Mar 29, 2018
- 7,613
I think OPs request was fulfilled on P. 1 or 2 and he may be no longer following, but I've appreciated the discussion in any case.
- Jun 24, 2016
- 2,485
It doesn't work like that, your debate is non-sense. Every industry works with tricky, good looking names. For example, we're used to the term antivirus, when we al know virus is just a type of malware and the correct terminology would be antimalware. We are also sold AI as an addition to security suites claiming their technology owns every technique known, when it's just the same old techniques with a cool name "artificial intelligence", making us believe there's some kind of robotic non-human code able to eradicate malware. If we study terminology by its definition, most words in the industry would be nonsense, like sandbox, behaviour blocker, AI, even the proper definition of antimalware would mean that our program avoids malware, but that's just not true because it's not entirely perfect.
What Andy means is clear and true, "behaviour blocking" as its whole, as a pattern identification is obsolote and can be easily bypassed, hence why vendors are migrating to newer technologies and implementing default-deny modules. Identificating patterns is a difficult job when each new piece of malware that's released changes it's evasion techniques. The future of cybersecurity does not rely upon static modules that can be easily learnt and avoided (databases, standard rules, behaviour blocking). I think that's the point of @Andy Ful and it's totally right.
- Jul 6, 2017
- 2,392
I agree with what has been said about Kaspersky. But without forgetting Emsisoft, although I stayed, with the Default Deny. For me it is the most effective when it comes to 0 days if you understand how it works.
There are many forms of behavior blocking.
1. Dynamic heuristics is a form of behavior blocking depending on how it was designed.
2. HIPS is a form of behavior blocking.
3. Sandbox is a form of behavior blocking.
This is really simple to understand.
You're confused because of your personal interpretation with the concept but if you understood how these technologies worked behind the hood, you'd understand that they tend to use the same techniques that your average "Behavior Blocker" feature relies on except it has a different name and interactive features which security forum members are accustomed to associating with the term "Behavior Blocker".
ESET has an exploit protection module and has for a long time. It has functions within it which can intercept behavior of running programs like any typical Behavior Blocker would for something like monitoring the use APC in code injection attacks... so it can stop it. Yet, people forever claimed that ESET didn't have any behavior blocking technology simply because they weren't giving into the gimmick at the time. The understanding of behavior blocking technology and how there's more than just one form of it needs to be explained.
I will admit though, there was some aspect of trolling in all of this. I should be fair to Andy and apologize for that. I did take it too far.
Last edited:
- Dec 23, 2014
- 8,510
The problem with behavior blocking comes from the fact that modern AVs can block the file both due to its behavior and design. For example, the below file features can hardly be connected with behavior:
Edit.
As usual, I can agree with most facts posted by Veloce. We differ only with interpretations and semantics, which are not important to this thread. The main fact is that many users do not see AV behavior-based features if these features are not called Behavior Blocker.
- The source from the file was downloaded.
- The file prevalence.
- The file digital certificate (EV, standard, open source, SHA1, SHA256, no certificate).
- The file entropy.
- The code similarities to the known malware.
- etc.
Edit.
As usual, I can agree with most facts posted by Veloce. We differ only with interpretations and semantics, which are not important to this thread. The main fact is that many users do not see AV behavior-based features if these features are not called Behavior Blocker.
Last edited:
- Jan 9, 2013
- 1,457
That old? Mamutu and Threatfire comes to mind.
- Oct 2, 2011
- 1,553
I loved the old Threatfire from Pc Tools, it was a great BB.
- Feb 17, 2018
- 870
- Jul 3, 2017
- 626
I think what causes all the confusion is the marketing hype that the AV companies use to frighten the consumer, and get him or her to buy their products. The operative words nowadays seem to be Zero Day infection prevention, and which technique is most effective. That said, what does one use when the AV companies have yet to develop a signature defintion to react to the new virus? Moreover, do we want our AV to over react with FPs? So we come to the age old question of whether you want a Behavior Blocker module incorporated in the product, or a Default-Deny setup, or both to react to a Zero Day.
It is all a matter of personal choice: being an informed user, reading reviews and postings here on MT, trial and error on your machine, and a little old common sense when surfing.
I myself am a victim of the hype, and reading reviews. For example, I had installed Cf/cs, then uninstalled it because of stability issues posted elsewhere on MT. Then I tried ESET IS because people said it was light but somewhat weak without tweaks, so I followed some, and then added VS. I even tried AVG IS but found that to be so bloated, over 1GB installed on my PC, that I found it sometimes slowed my PC down. So now I am trying Trend Micro by itself. For me, I am learning that less is more, and efficient.
I guess there is no 100% AV solution but imo you want to get as close as possible without ill effects. Of course, I backup everything once a week, just in case all else fails, and I need to recover. Cannot stress the importance enough of image backups!
Decisions, decisions.
It is all a matter of personal choice: being an informed user, reading reviews and postings here on MT, trial and error on your machine, and a little old common sense when surfing.
I myself am a victim of the hype, and reading reviews. For example, I had installed Cf/cs, then uninstalled it because of stability issues posted elsewhere on MT. Then I tried ESET IS because people said it was light but somewhat weak without tweaks, so I followed some, and then added VS. I even tried AVG IS but found that to be so bloated, over 1GB installed on my PC, that I found it sometimes slowed my PC down. So now I am trying Trend Micro by itself. For me, I am learning that less is more, and efficient.
I guess there is no 100% AV solution but imo you want to get as close as possible without ill effects. Of course, I backup everything once a week, just in case all else fails, and I need to recover. Cannot stress the importance enough of image backups!
Decisions, decisions
.
Last edited:
- Aug 4, 2016
- 1,465
@SearchLight: I do agree, for me there isn't a perfect solution, you either end up with things you don't want or need or not enough. I use VS & most of the time it's great but IMHO & no offense to anyone it can be a pain in the arse or brilliant, yesterday it decided to block Spotify & I wasn't in, this caused huge derision from the family member wanting to use it, etc etc etc.
As for behavior blocking my other half is an expert with bells on, she now has worked out any unapproved behavior I may even think of doing before I have & block it. Sadly the list of my unappoved behaviour is growing weekly, Webroot should employ her without any doubt!
As for behavior blocking my other half is an expert with bells on, she now has worked out any unapproved behavior I may even think of doing before I have & block it. Sadly the list of my unappoved behaviour is growing weekly, Webroot should employ her without any doubt!
- Dec 23, 2014
- 8,510
The AV technologies evolve and the terminology evolves too. Some AV vendors like Emsisoft still use the term Behavior Blocker, probably to maintain product continuity, but this term seems less appropriate when machine learning technologies are involved.
Even a Zero-day term is not clear nowadays. A few years ago it was related exclusively to exploits. So, the Zero-day protection had a meaning to protect against Zero-day exploits.
To avoid confusion it is better to say about protection/prevention against UDs or FUDs.
UD - undetectable by signatures, but uses known techniques so can be detected/removed by one or more AVs.
FUD - undetectable by AVs for some time.
The protection against FUDs may look strange, but it is possible in the era of machine learning based on the complex telemetry from all computers in the AV network (Big Data Analytics). The AVs will miss the FUD malware, so it can infect some computers. But after some minutes/hours the telemetry from infected computers can alarm the AV cloud. The infection chain is now analyzed by the special methods including human expert analysis and most FUDs will be detected in this way and the infection cannot spread out.
So, you probably are interested in AVs with strong UD protection like CIS, KIS, etc.
Last edited:
Similar threads
