Advice Request Suites with Proven Behavior Blockers that you Trust and Recommend


Jun 26, 2019
75
Please do not assume haters will reply to this thread. To do so would constitute a form of tangential or preemptive behavior blocking :D, which is unnecessary as there is absolutely no hating on this forum! ;) All opinions are welcome. (y)
It was a joke. The ending of the post was a joke including the pam bam and the two birds with one stone part. I apologize if it was taken to heart by anybody, that was not my intention.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Veloce,
In the wide sense, any AV detection which is not based on pure signatures can be called behavior blocking. But the Behavior Blocker module is usually used in a more specific meaning.
I am afraid that your meaning of Behavior Blocker is not the same as that used by SearchLight who started this thread. Also, the AV vendors do not use such meaning because of the collision with the classic definition of Behavior Blocker.
So, with all respect to your conviction, I will stick with mine. (y)
 
Jun 26, 2019
75
So, with all respect to your conviction, I will stick with mine. (y)
That is perfectly fine.

However, the English language is the English language.

In the English language, "behavior blocking" refers to the act of blocking behavior, however that is done.

Therefore, regardless of how certain AV vendors decide to name things or people's personal interpretation of the two words combined, it factually refers to the act of blocking behavior. Behavior can be blocked in many different ways. The definitions in the English language do not state that for "behavior blocking" to be referred to correctly, the behavior must be blocked in a specific manner.
 

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
Please do not assume haters will reply to this thread. To do so would constitute a form of tangential or preemptive behavior blocking :D, which is unnecessary as there is absolutely no hating on this forum! ;) All opinions are welcome. (y)

Hating is not allowed. (Except directed at Webroot.)

Message board behavior block hating is the worst.

Hating is NOT allowed...

I HATE the haters... oh wait...
 
Jun 26, 2019
75
Hating is not allowed. (Except directed at Webroot.)
What's Webroot? Reminds me of Pooproot. Typo?

Pooproot. It's a poop residing at your roots.
When you least expect it, the root decides to shoot.
It's not a beam of light and it's not a ball of fire.
It's ransomware straight from Pooproot's hacked servers or your system files as the target.
 
Last edited:

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
@Andy Ful

"Behavior Blocker" is normally used as a marketing gimmick.

Any AV technology which has the ability to dynamically block the behavior of executable code on the environment constitutes "behavior blocking technology" because it is blocking behavior.

People can have their own interpretations of the terminology due to what they are used to when vendors explicitly use the marketing gimmick, but it doesn't change the fact that "behavior blocking" is the act of blocking behavior (whether specified as a rule by the user as part of a HIPS solution, automatically decided by the use of unsupervised ML which has generated information on how a particular program works over the duration of weeks in order to differentiate between the type of behavior it should allow or disallow, or specified by manually-planted algorithms).

"Behavior Blocking" is not outdated technology. Dynamic heuristics, sandboxing, etc. are all forms of "Behavior Blocking".

1. Dynamic heuristics might monitor what a program does and then decide it needs to be quarantined. Actions may have already occurred, but future actions have been prohibited. Behavior of the application which would have taken place at a later date has been blocked because the application was blocked in the end.

2. Sandboxing. Actions may be blocked entirely or slightly changed for redirection. In the event of redirection, the originally desired behavior was blocked in exchange for similar behavior which still allows the software requesting to do X, Y or Z to feel comfortable.

3. HIPS. The end user might be able to specify the type of behavior to be blocked or it might be automated for them with pre-configured rules (which may or may not even be tweakable). It's still a form of "behavior blocking".

The term "behavior blocking" refers to the blocking of behavior. It's been used as a marketing gimmick by several to refer to specific things, but this doesn't eradicate the meaning of the words "behavior" and "blocking" or "blocking" and "behavior". If you're blocking behavior then you constitute a "behavior blocker", irrespective of how much behavior you support blocking or how you manage to achieve it. If behavior is being blocked, it's behavior blocking.

Capisci?
It doesn't work like that, your debate is nonsense. Every industry works with tricky, good looking names. For example, we're used to the term antivirus, when we all know virus is just a type of malware and the correct terminology would be antimalware. We are also sold AI as an addition to security suites claiming their technology owns every technique known, when it's just the same old techniques with a cool name "artificial intelligence", making us believe there's some kind of robotic non-human code able to eradicate malware. If we study terminology by its definition, most words in the industry would be nonsense, like sandbox, behaviour blocker, AI, even the proper definition of antimalware would mean that our program avoids malware, but that's just not true because it's not entirely perfect.

What Andy means is clear and true, "behaviour blocking" as its whole, as a pattern identification is obsolete and can be easily bypassed, hence why vendors are migrating to newer technologies and implementing default-deny modules. Identifying patterns is a difficult job when each new piece of malware that's released changes its evasion techniques. The future of cybersecurity does not rely upon static modules that can be easily learnt and avoided (databases, standard rules, behaviour blocking). I think that's the point of @Andy Ful and it's totally right.
 
Jun 26, 2019
75
It doesn't work like that, your debate is nonsense. Every industry works with tricky, good looking names. For example, we're used to the term antivirus, when we all know virus is just a type of malware and the correct terminology would be antimalware. We are also sold AI as an addition to security suites claiming their technology owns every technique known, when it's just the same old techniques with a cool name "artificial intelligence", making us believe there's some kind of robotic non-human code able to eradicate malware. If we study terminology by its definition, most words in the industry would be nonsense, like sandbox, behaviour blocker, AI, even the proper definition of antimalware would mean that our program avoids malware, but that's just not true because it's not entirely perfect.

What Andy means is clear and true, "behaviour blocking" as its whole, as a pattern identification is obsolete and can be easily bypassed, hence why vendors are migrating to newer technologies and implementing default-deny modules. Identifying patterns is a difficult job when each new piece of malware that's released changes its evasion techniques. The future of cybersecurity does not rely upon static modules that can be easily learnt and avoided (databases, standard rules, behaviour blocking). I think that's the point of @Andy Ful and it's totally right.
There are many forms of behavior blocking.

1. Dynamic heuristics is a form of behavior blocking depending on how it was designed.

2. HIPS is a form of behavior blocking.

3. Sandbox is a form of behavior blocking.

This is really simple to understand.

You're confused because of your personal interpretation with the concept but if you understood how these technologies worked behind the hood, you'd understand that they tend to use the same techniques that your average "Behavior Blocker" feature relies on except it has a different name and interactive features which security forum members are accustomed to associating with the term "Behavior Blocker".

ESET has an exploit protection module and has for a long time. It has functions within it which can intercept behavior of running programs like any typical Behavior Blocker would, for something like monitoring the use of APC in code injection attacks... so it can stop it. Yet, people forever claimed that ESET didn't have any behavior blocking technology simply because they weren't giving in to the gimmick at the time. The understanding of behavior blocking technology and how there's more than just one form of it needs to be explained.

I will admit though, there was some aspect of trolling in all of this. I should be fair to Andy and apologize for that. I did take it too far.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The problem with behavior blocking comes from the fact that modern AVs can block the file both due to its behavior and design. For example, the below file features can hardly be connected with behavior:
  1. The source from which the file was downloaded.
  2. The file prevalence.
  3. The file digital certificate (EV, standard, open source, SHA1, SHA256, no certificate).
  4. The file entropy.
  5. The code similarities to the known malware.
  6. etc.
The above factors can be crucial for making decisions by machine learning models. Some AVs will block the malware without any information about using the behavior models, so many users think that the AV does not have any.

Edit.
As usual, I can agree with most facts posted by Veloce. We differ only with interpretations and semantics, which are not important to this thread. The main fact is that many users do not see AV behavior-based features if these features are not called Behavior Blocker.
 
Last edited:
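To make the list above concrete, here is an added example (not code from the thread or from any AV vendor) that computes one of those features, the file entropy, and combines it with the other non-behavioral signals Andy lists into a purely static verdict. The weights, thresholds and the two sample byte buffers are constructed for illustration, not taken from a real model.

```python
import math
from collections import Counter

# Constructed stand-ins for file contents: a text-like low-entropy blob and a
# uniform high-entropy blob (every byte value appears equally often), which is
# what packed or encrypted code tends to look like to a static scanner.
TEXT_LIKE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40
RANDOM_LIKE = bytes((i * 7919 + 13) % 256 for i in range(2048))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample(data, download_source, prevalence, certificate, malware_similarity):
    """Assemble the non-behavioral feature vector described in the post."""
    return {
        "download_source": download_source,    # "trusted_store", "known_cdn", "unknown"
        "prevalence": prevalence,              # machines the file has been seen on
        "certificate": certificate,            # "ev", "standard", "none"
        "entropy": shannon_entropy(data),
        "malware_similarity": malware_similarity,  # 0.0 .. 1.0 code-similarity score
    }


def static_risk_score(sample: dict) -> float:
    """Illustrative weighted rules; none of the file's behavior is consulted."""
    score = 0.0
    if sample["download_source"] == "unknown":
        score += 1.5
    if sample["prevalence"] < 10:        # rare file: little reputation to lean on
        score += 2.0
    score += {"ev": -2.0, "standard": -0.5, "none": 1.0}[sample["certificate"]]
    if sample["entropy"] > 7.0:          # packed/encrypted-looking payload
        score += 1.5
    score += 4.0 * sample["malware_similarity"]
    return score


def verdict(sample: dict, threshold: float = 4.0) -> str:
    return "block" if static_risk_score(sample) >= threshold else "allow"


SUSPICIOUS = build_sample(RANDOM_LIKE, "unknown", 3, "none", 0.6)      # block
BENIGN = build_sample(TEXT_LIKE, "known_cdn", 500_000, "ev", 0.05)     # allow
SIGNED_BUT_RARE = build_sample(RANDOM_LIKE, "known_cdn", 2, "standard", 0.0)  # allow
```

The third sample shows why a high entropy alone does not trigger a block: a valid signature and a known download source pull the score back under the threshold, which is the kind of decision a user never sees attributed to a "behavior" module.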

SearchLight

Level 13
Thread author
Verified
Top Poster
Well-known
Jul 3, 2017
625
I think what causes all the confusion is the marketing hype that the AV companies use to frighten the consumer, and get him or her to buy their products. The operative words nowadays seem to be Zero Day infection prevention, and which technique is most effective. That said, what does one use when the AV companies have yet to develop a signature definition to react to the new virus? Moreover, do we want our AV to over react with FPs? So we come to the age old question of whether you want a Behavior Blocker module incorporated in the product, or a Default-Deny setup, or both to react to a Zero Day.

It is all a matter of personal choice: being an informed user, reading reviews and postings here on MT, trial and error on your machine, and a little old common sense when surfing.

I myself am a victim of the hype, and reading reviews. For example, I had installed Cf/cs, then uninstalled it because of stability issues posted elsewhere on MT. Then I tried ESET IS because people said it was light but somewhat weak without tweaks, so I followed some, and then added VS. I even tried AVG IS but found that to be so bloated, over 1GB installed on my PC, that I found it sometimes slowed my PC down. So now I am trying Trend Micro by itself. For me, I am learning that less is more, and efficient.

I guess there is no 100% AV solution but imo you want to get as close as possible without ill effects. Of course, I backup everything once a week, just in case all else fails, and I need to recover. Cannot stress the importance enough of image backups!

Decisions, decisions:).
 
Last edited:

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
@SearchLight: I do agree, for me there isn't a perfect solution, you either end up with things you don't want or need or not enough. I use VS & most of the time it's great but IMHO & no offense to anyone it can be a pain in the arse or brilliant, yesterday it decided to block Spotify & I wasn't in, this caused huge derision from the family member wanting to use it, etc etc etc.

As for behavior blocking my other half is an expert with bells on, she has now worked out any unapproved behavior I may even think of doing before I have & blocks it. Sadly the list of my unapproved behaviour is growing weekly, Webroot should employ her without any doubt!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I think what causes all the confusion is the marketing hype that the AV companies use to frighten the consumer, and get him or her to buy their products. The operative words nowadays seem to be Zero Day infection prevention, and which technique is most effective. That said, what does one use when the AV companies have yet to develop a signature definition to react to the new virus? Moreover, do we want our AV to over react with FPs? So we come to the age old question of whether you want a Behavior Blocker module incorporated in the product, or a Default-Deny setup, or both to react to a Zero Day.
...
The AV technologies evolve and the terminology evolves too. Some AV vendors like Emsisoft still use the term Behavior Blocker, probably to maintain product continuity, but this term seems less appropriate when machine learning technologies are involved.
Even the Zero-day term is not clear nowadays. A few years ago it was related exclusively to exploits. So, Zero-day protection meant protection against Zero-day exploits.
To avoid confusion it is better to speak of protection/prevention against UDs or FUDs.
UD - undetectable by signatures, but uses known techniques so can be detected/removed by one or more AVs.
FUD - undetectable by AVs for some time.

The protection against FUDs may look strange, but it is possible in the era of machine learning based on the complex telemetry from all computers in the AV network (Big Data Analytics). The AVs will miss the FUD malware, so it can infect some computers. But after some minutes/hours the telemetry from infected computers can alarm the AV cloud. The infection chain is then analyzed by special methods including human expert analysis, and most FUDs will be detected in this way so the infection cannot spread out. (y)

So, you probably are interested in AVs with strong UD protection like CIS, KIS, etc.
 
Last edited:
