Andy Ful

Level 45
Verified
Trusted
Content Creator
I read many posts on MT forum and some other forums about using Behavior Blockers. It seems that there is no general agreement on what are the capabilities of Behavior Blocker (BB) and which AVs use Behavior Blockers (BBs). So, I made a little research to clarify this.

I did not find any widely accepted definition of BB, because AV vendors used very different definitions for their BBs. But, there are some sources which can tell what BB is not.

Let's start from an old Kaspersky's article from the year 2005, about proactive protection: Proactive Protection Made Easy
The author mentions some proactive techniques, like: Heuristics, IPS, Buffer Overrun protection, Policy-based protection, Alerting system, Behaviour Blocker.
But, that was many years ago and the terminology could change. So, here is a fragment included in another article from the year 2017 (MRG Effitas report): https://media.kaspersky.com/pdf/201704-MRG-Ransomware-Test.pdf
"Endpoint protection systems have had a long journey from traditional signature-based protection to that which is implemented in a modern protection system. Advanced heuristics, behaviour control, sandboxing, intrusion prevention systems, URL filtering, cloud based reputation systems, JavaScript analysers, memory corruption protection, etc. are now used to combat modern malware threats."

We can see the term "behavior control" which is another name for BB (and HIPS).

Now let's see how looks the BB protection of AVs which uses the term BB in the documentation:

G-DATA: How G DATA protects customers from unknown threats
"This form of behavior-based malware detection detects, for example, when programs automatically create autostart entries or change other suspicious values in the Windows system database (registry). This is especially the case with file less malware. In addition, .exe or .dll files are detected that want to copy themselves into the system32 directory. Similarly suspicious is a change in the hosts files – which can relay requests to certain IP addresses or web pages to another address. This attack was used for attacks on online banking in the past. If some of these features are detected together, a recognition is triggered."

Emsisoft: Efficient protection against new malware: Emsisoft's Behavior Blocker | Emsisoft | Security Blog
"It is also able to detect and stop the following potentially dangerous actions:
  • Installation of unknown drivers and services
  • Installation of new BHOs (Browser Helper Objects) and toolbars
  • Modification of browser settingsInvisible installation of software
  • Modification of the hosts file (redirecting of websites)
  • Installation of debuggers in your system
  • Creation of auto-run entries
  • Simulated mouse and keyboard input
  • Direct access to hard-drive sectors
  • Modification of system security policies"

Comodo (BB in ver. 7.0): Behaviour Blocker, Network Access, Internet Protection | Internet Security v7.0
"The Behavior Blocker is an integral part of the Defense+ engine and is responsible for authenticating every executable image that is loaded into the memory. The Behavior Blocker intercepts all files before they are loaded into memory and intercepts prefetching/caching attempts for those files. It calculates the hash of the executable at the point it attempts to load into the memory. It then compares this hash with the list of known / recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe and the Behavior Blocker allows it to run. If no matching hash is found on the safelist, then the executable is 'unrecognized' and is run inside the auto-sandbox. You will be notified via an alert when this happens."

From the modern perspective, Comodo's BB should be probably classified as a HIPS, like Kaspersky's HIPS.

As can be seen from the above examples BBs use only some behavior blocking capabilities in the real system (not in the virtual environment or in the cloud). Many behavior blocks used in proactive protection are not from BB, but from other proactive modules like sandboxing, IPS, Anti-Exploit (memory corruption vulnerabilities), etc.

Advanced Heuristics can use behavior monitoring to detect malware. So, the BB which uses behavior patterns consisting of many suspicious actions, will work in practice similarly to some heuristic behavior-based detections.

Both BB and behavior-based detections use behavior monitoring, but the second does not block suspicious behavior patterns. Each suspicious action is scored and an overall score is computed for each process. High scoring will trigger the detection of the process as malicious. The patterns used by behavior-based detections are usually more complex as compared to BB. But, BBs can work in interactive mode, so the user has more control on what actions should be blocked, without blocking the whole process.

From the below documents it follows that:
Kaspersky and Eset use HIPS for behavior blocking. The HIPS is not the same as BB. For example, behavior monitoring/analysis in Kaspersky HIPS is usually made on the pre-execution phase.
Behavior-based detections are used by Windows Defender (Behavior-based ML, AMSI ML), Trend Micro (OfficeScan), Symantec (Sonar), Kaspersky (System Watcher), F-Secure (DeepGuard), Eset (DNA), BitDefender (Advanced Threat Defense), Avast (Behavior Shield).

https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/
https://docs.trendmicro.com/all/ent/officescan/v10.6/en-us/osce_10.6_sp1_olh/behav_monit_malware_block.html#id11CDHD000X4
https://blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology

I do not use actually any 3rd party AV, so please let me know if I misunderstood something or incorrectly used in my post.

Post edited - the term "Behavior Control" used in MRG Effitas report is slightly more general than BB.
 
Last edited:

Andy Ful

Level 45
Verified
Trusted
Content Creator
In fact, any behavior-based detection module could be redesigned to be an advanced BB. The vendor could simply add an interactive mode for some simple behavior patterns, and set the score for those patterns to 0 if the user allowed the action. But this will not happen because behavior-based detection modules evolved from BBs to avoid user interactions.
 

davisd

Level 2
Verified
Opcode already explained this. "Behavior blocking" refers to blocking behavior. We are communicating in English so why should we change the meaning of the english words? are you continuing previous discussion in your own separate thread to seek for validation?
 
  • Wow
  • Like
Reactions: ichito and stefanos

Andy Ful

Level 45
Verified
Trusted
Content Creator
Opcode already explained this. "Behavior blocking" refers to blocking behavior.
...
are you continuing previous discussion in your own separate thread to seek for validation?
https://malwaretips.com/threads/how-to-know-if-my-antivirus-is-really-necessary.93636/
This thread is about Behavior Blocker as the AV module, we do not discuss here the meaning of behavior blocking.(y)
The meaning of Behavior Blocker is only loosely related to the English language, and very closely related to the AV proactive protection modules.
You can think this thread as a continuation of some other threads about BBs:
https://malwaretips.com/threads/what-is-behavior-blocker.12130/
https://malwaretips.com/threads/what-is-the-difference-between-hips-behavior-blocker-and-intrusion-detection-system.55501/
https://malwaretips.com/threads/hids-hips-behavior-blockers-nids.11914/
https://malwaretips.com/threads/antivirus-signatures-vs-behavior-blocker-heuristics.29747/
https://malwaretips.com/threads/suites-with-proven-behavior-blockers-that-you-trust-and-recommend.91072/
 
Last edited:
4

436880927

This thread is about Behavior Blocker as the AV module, we do not discuss here the meaning of behavior blocking.(y)
In the AV industry, this would usually refer to blocking behavior carried out by software.

HIPS is a form of behavior blocking.
Sandboxing is a form of behavior blocking.
Dynamic heuristics might be a form of behavior blocking depending on how it functions - if it is just monitoring for behavior and using a scoring system then that is different.

Dynamic heuristics with the scoring stuff isn't employed by every single dynamic heuristics implementation. All of it is vendor-dependent. It isn't a generic concept applied by literally everyone. There is no generic formula to it. One vendor's dynamic heuristics might just watch for one or two things and immediately quarantine the sample when those two expectations are met, whereas another might wait for a score threshold and update the score depending on what the application is doing.

Interpret it differently if you want, whatever. This is getting old. I'm yawning. I'm unfollowing the thread. Please can no one involve me in this debate again.
 
Last edited by a moderator:
  • Like
Reactions: roger_m and davisd

Andy Ful

Level 45
Verified
Trusted
Content Creator
I would like to avoid fighting on personal opinions. That is why I put the reference links in the first post. The conclusions follow logically from the references. If someone disagree, please do the same, or stop posting here.
For now, from the references I found, it follows that there are some other AV modules based on behavior blocking and they are clearly considered by some people from AV industry as something else than Behavior Blockers.:emoji_thinking:
 
Last edited:

Andy Ful

Level 45
Verified
Trusted
Content Creator
In the AV industry, this would usually refer to blocking behavior carried out by software.
...
Prove it.:giggle:(y)
...
HIPS is a form of behavior blocking.
Sandboxing is a form of behavior blocking.
Dynamic heuristics might be a form of behavior blocking depending on how it functions - if it is just monitoring for behavior and using a scoring system then that is different.
...
That is true, but how from this it follows that HIPS, Sandboxing, or dynamic heuristics are 'Behavior Blockers'?
So far, I found some faithful references (included in the first post) which clearly differentiate between 'Behavior Blocker' (Behavior Control) and Sandboxing or Advanced Heuristics. Please show references which say otherwise.

Edit.
Please do not treat my post as a personal challenge. My actual opinion is based on some references (+ personal experience with computers from 35 years), and maybe there are some other references which say otherwise. From the fact that I could not find any, it does not follow that they do not exist. It would be interesting to compare them with those that I found. (y)

Edit2.
The language argument should not be used in the thread on AV protection.
By the way, it is not valid. For example, from the fact that one can think, it does not follow that she/he must be a thinker or similarly from the fact that one can drink it does not follow that she/he is a drinker.:emoji_thinking:
 
Last edited:

davisd

Level 2
Verified
Prove it.:giggle:(y)

That is true, but how from this it follows that HIPS, Sandboxing, or dynamic heuristics are 'Behavior Blockers'?
So far, I found some faithful references (included in the first post) which clearly differentiate between 'Behavior Blocker' (Behavior Control) and Sandboxing or Advanced Heuristics. Please show references which say otherwise.

Edit.
Please do not treat my post as a personal challenge. My actual opinion is based on some references (and personal experience from 35 years), and maybe there are some other references which say otherwise. From the fact that I could not find any, it does not follow that they do not exist. It would be interesting to compare them with those that I found. (y)

Edit2.
The language argument should not be used in the thread on AV protection.
By the way, it is not valid. For example, from the fact that one can think, it does not follow that she/he must be a thinker.:emoji_thinking:
You didn't read Opcode's reply did you. He stated that HIPS and sandboxing are both forms of behavior blocking and that dynamic heuristics could be included as a form of behavior blocking depending on how it functions. The differentiation is commonly provided with the difference in feature names: HIPS; sandbox; dynamic heuristics.

He has already told you more than once in different threads that all of these features relay on the same technology internally, most of the time part. He went as far to specify when dynamic heuristics wouldn't count as "behavior blocking" for you. You ignored it and kept pushing your belief. Look at your own comodo reference. They have literaly used sandbox as the most important part of their "Behavior Blocker" named "Defense+".
You ask for references but your own references have generally been agreeing with him this entire time, so what are you trying to prove here?
All of this has to do with english language, if the feature name is based on genuine english words then it should make sense in english, no? The term "real-time protection" makes sense in the english when you compare to how it functions in traditional AV solutions whereas the name "firewall" isn't a word that was from the english language, it was made up, and such it has its own definition by whoever thought of the word and used it first or based on how it has been used in the industry by different vendors.

The language argument should obligatory be used because it is the only argument that can provide a clear definition of what "behavior blocker" or similar means due to how the different terms are thrown around differently by diferent vendors and how peoples personal interpretation of changes are when they use the different terms.

You are making this personal by talking about your 35 years of experience which means you have already lost few screws, you wouldn't need to tell this if you had a genuine argument to come up with. You have nothing to say other than reiterate numerous times how you have references (which I have read and most of them back up what Opcode has been saying about how features like HIPS, sandbox are forms of behavioral blocking and ocassionally dynamic heuristics too) and make comments about how you do not want to argue with people, yet you are doing exactly that, challenging with who has the better understanding and proofs what is "Behaviour Blocking" in your self made dictionary, ignoring the english language. The G Data reference basically explains watching for suspicious behavior and then blocking when it is found, that is literally a form of dynamic heuristics.

Avast Behavior Shield isn't HIPS based. It monitors for behavior but it can block the application before suspicious behavior is carried out once it thinks a threshold has been met, so it can also block behavior, it doesn't just let behavior happen and block after it has seen it if it's of interest to the component.

If your 35 years of experience isnt for the behavior blocking tech then it is completely irrelevant.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
@davisd,
Your post was not necessary and only bloats the thread. You simply repeat arguments which were presented already by Opcode. Furthermore, I agree with Opcode with everything about behavior blocking, which you did not notice. I only do not see any evidence for saying that Advanced Heuristics, Sandboxing and some other AV modules which are based on behavior monitoring/blocking could belong to the category "Behavior Blocker". Of course, they could belong If most AV related industry would agree on such a meaning.
It is true that the name "Behavior Blocker" comes from behavior blocking. But, this does not prove that 'Behavior Blocker' is an equivalent of AV module based on 'behavior blocking'. This argument is not convincing even on the ground of semantics, and I already showed the counterarguments in my previous post:

"Edit2.
The language argument should not be used in the thread on AV protection.
By the way, it is not valid. For example, from the fact that one can think, it does not follow that she/he must be a thinker or similarly from the fact that one can drink it does not follow that she/he is a drinker.
"

This thread is not for fighting and pushing personal opinions. Please read again my post:
https://malwaretips.com/threads/what-behavior-blocker-is-and-what-it-is-not.93785/post-824873

Be safe.
 
Last edited:

BoraMurdar

Community Manager
Verified
Staff member
In todays terms behavior blockers doesn't exist, yet. All called BB use predefined rules or patterns, which can be static or updated (dynamic), more or less. Real BB should be able to detect a malicious behavior in a situations never seen before by the rules it follows. That could fall into Artificial Inteligence as the program could theoretically split good and evil by trial and error mechanism.
BB X
- is executed program trusted
- does it ask for privilegdes elevation
- does it access system files
- is it modifying any of files
- is it creating new files
- etc.

So, if rules are satisfied, programmer should code the new rule which says
" If all 5 are positive then trigger the remediation process, if 1,2 and 3 are positive modify heuristics to high (basically holds the current operation, copies the exe in question and continues the process in restricted or sandboxed environment).
And so on...
This way we cannot say where HIPS area of effect ends and where the BB starts.

As long as program is only following those rules the programmer created, it is a HIPS or whatever you want to call it.
When program can operate on its own and creates new rules by trial and error, then you can call it a Behavior Blocker.

My 2 cents
 

davisd

Level 2
Verified
@BoraMurdar My uncle invented a fully fledged BB system in the late 1990s and he sat me down and said "Hey little man, I need you to listen carefully. I need to go exploring the world to uncover deep dark secrets, but here is my written definition of a "Behavior Blocker" and I need you to keep it safe for when I return." and I said yes.

I unfolded the paper and it said "it blocks behavior".

He has been exploring the world for the last 20 years and hasn't come back yet. Legend says he is the Indiana Jones of the Eastern world... put into sacred books of history about defeating the undead.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
This is a research thread so I am still trying to find some independent (faithful) sources which could say something about "Behavior Blockers". Here is the fragment from the AV-Comparatives report:
"The scope of protection offered by antivirus programs is extended by the inclusion of e.g. URL-blockers, content filtering, cloud reputation systems, ML-based static and dynamic detections and user-friendly behavior-blockers. If these features are perfectly coordinated with the signature-based and heuristic detection, the protection provided against threats increases."

Everyone on MT will probably agree that dynamic detections depend on behavior monitoring/blocking (the malware is blocked after detection). So again, 'Behavior Blocker' (BB) can do only a part of behavior blocking on the host machine. Many behavior blocks will come from other AV modules which can dynamically detect malicious behavior.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
@BoraMurdar My uncle invented a fully fledged BB system in the late 1990s and he sat me down and said "Hey little man, I need you to listen carefully. I need to go exploring the world to uncover deep dark secrets, but here is my written definition of a "Behavior Blocker" and I need you to keep it safe for when I return." and I said yes.

I unfolded the paper and it said "it blocks behavior".

He has been exploring the world for the last 20 years and hasn't come back yet. Legend says he is the Indiana Jones of the Eastern world... put into sacred books of history about defeating the undead.
My first move was reporting this post as off-topic and remove it from the thread. But in fact, you may be right. Seeking the truth about "Behavior Blockers" can have a similar end.(y):giggle:
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
As I already mentioned, my experience with personal computers is very long (from the year 1984), so I may be slightly conservative about "Behavior Blockers". I can see a kind of evolution:
simple HIPS ---> Behavior Blockers ----> Advanced Heuristics (behavior-based detections)
Somewhere before the end, BBs have vanished from the view (except a few AV vendors) and it is very hard to find something useful about BBs. In fact, this term is used mostly on MT or Wilderssecurity forums, and in the AV-Comparatives reports. MRG Effitas uses the term "Behavior Control" which probably includes HIPS and BBs. Also the term 'behavior block' is usually used as the cause of the general behavior blocking, and not as the action of "Behavior Blocker" module. Generally, it is sometimes hard to understand what the author had in mind. :giggle:
 

davisd

Level 2
Verified
As I already mentioned, my experience with personal computers is very long (from the year 1984), so I may be slightly conservative about "Behavior Blockers". I can see a kind of evolution:
simple HIPS ---> Behavior Blockers ----> Advanced Heuristics (behavior-based detections)
Somewhere before the end, BBs have vanished from the view (except a few AV vendors) and it is very hard to find something useful about BBs. In fact, this term is used mostly on MT or Wilderssecurity forums, and in the AV-Comparatives reports. MRG Effitas uses the term "Behavior Control" which probably includes HIPS and BBs. Also the term 'behavior block' is usually used as the cause of the general behavior blocking, and not as the action of "Behavior Blocker" module. Generally, it is sometimes hard to understand what the author had in mind. :giggle:
It all comes down to HIPS. HIPS stands for Host Intrusion Prevention System. What does a Behavior Blocker do? It stops intrusion on the host. What does a sandbox do? You can already answer that. What does dynamic heuristics try and do? It doesn't want the host to be compromised by something that doesn't get accepted by the algorithms. Get it?

HIPS is a form of behavior blocking.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
It all comes down to HIPS. HIPS stands for Host Intrusion Prevention System. What does a Behavior Blocker do? It stops intrusion on the host. What does a sandbox do? You can already answer that. What does dynamic heuristics try and do? It doesn't want the host to be compromised by something that doesn't get accepted by the algorithms. Get it?

HIPS is a form of behavior blocking.
Ha, ha. The problem is not with what we think, but what think the IT professionals. I read some posts of ESET and Emsisoft staff who thought that BB is not the same as HIPS. Messing the sandboxing with BB would be very unusual, even Comodo separated BB from the sandbox:


Comodo Defense.png


Look closely, the Defense+ (in Comodo 7) contains three different modules: HIPS, Behavior Blocker, and Sandbox. HIPS and "Behavior Blocker" were fully functional without auto-sandbox (auto-sandbox set to block). In fact, a similar thing is done by Kaspersky HIPS.
Of course, no one denies that HIPS, "Behavior Blockers", and Sandboxes use behavior blocking. If you would disable Comodo's HIPS and auto-sandbox, then Comodo would use only "Behavior Blocker" capabilities for behavior blocking. You could also do it with "Behavior Blocker" and Sandbox to use only HIPS behavior blocking.
 
Last edited:

davisd

Level 2
Verified
Lets say, if Claire is going shopping for bananas and says to her friend, "I am going shopping for bananas!" then her friend may interpret this as "Claire, my friend, will soon have bananas". Another interpretation which would be the same could be, "Claire is buying bananas". If Claire were to say to friend, "I am being silly and the teacher is going to block my behavior" then this can be understood as "Claire has been misbehaving but it will be prevented from continuing the actions any further."

Things can be expressed in many different ways without changing the meaning, and so is for the "Behaviour Blocking".
 
  • Like
Reactions: Andy Ful

Andy Ful

Level 45
Verified
Trusted
Content Creator
Lets say, if Claire is going shopping for bananas and says to her friend, "I am going shopping for bananas!" then her friend may interpret this as "Claire, my friend, will soon have bananas". Another interpretation which would be the same could be, "Claire is buying bananas". If Claire were to say to friend, "I am being silly and the teacher is going to block my behavior" then this can be understood as "Claire has been misbehaving but it will be prevented from continuing the actions any further."

Things can be expressed in many different ways without changing the meaning, and so is for the "Behaviour Blocking".
On the beginning of XXI century, 'Behavior Blocker' was something special and interesting in the AV industry, so people accepted that BBs are for blocking in a smart way some suspicious actions or some suspicious behavior patterns (Mamutu, ThreatFire, etc.). After that, people discovered that many of those suspicious behaviors can be in fact not blocked, but run isolated and virtualized. So, the vendors had a choice to block or run in a special environment. The second choice was named sandboxing. That is why people used the special meaning both for 'Behavior Blocker' and for Sandbox. Both could use behavior blocking, but very differently. For example, the Sandbox will try to block any action which could break the isolation of processes in the Sandbox from processes outside the Sandbox. But, it will allow (via virtualization) most actions usually blocked by BB.

Yet, the semantics can still matter if the term is rarely used. I am afraid that this could happen with BBs after the year 2010. Nowadays most AV vendors do not use the term 'Behavior Blocker' (except G DATA and EMSISOFT). Most young IT professionals did not use BBs, and the traditional meaning of BB is unknown to them. They will prefer to interpret 'Behavior Blocker' as something that can apply behavior blocking (HIPS, BB, Sandbox, Advanced Heuristics, etc.).
 
Last edited: