What Behavior Blocker is, and what it is not.
<blockquote data-quote="Andy Ful" data-source="post: 824736" data-attributes="member: 32260"><p>I read many posts on the MT forum and some other forums about using Behavior Blockers. It seems that there is no general agreement on what the capabilities of a Behavior Blocker (BB) are and which AVs use Behavior Blockers (BBs). So, I did a little research to clarify this.</p><p></p><p>I did not find any widely accepted definition of BB, because AV vendors use very different definitions for their BBs. But there are some sources which can tell what a BB is not.</p><p></p><p>Let's start with an old Kaspersky article from the year 2005 about proactive protection: <a href="https://securelist.com/proactive-protection-made-easy/36058/" target="_blank">Proactive Protection Made Easy</a></p><p>The author mentions some proactive techniques, like: Heuristics, IPS, Buffer Overrun protection, Policy-based protection, Alerting system, Behaviour Blocker.</p><p>But that was many years ago and the terminology could have changed. So, here is a fragment from another document from the year 2017 (MRG Effitas report): <a href="https://media.kaspersky.com/pdf/201704-MRG-Ransomware-Test.pdf" target="_blank">https://media.kaspersky.com/pdf/201704-MRG-Ransomware-Test.pdf</a></p><p>"<em>Endpoint protection systems have had a long journey from traditional signature-based protection to that which is implemented in a modern protection system. Advanced heuristics, behaviour control, sandboxing, intrusion prevention systems, URL filtering, cloud based reputation systems, JavaScript analysers, memory corruption protection, etc. are now used to combat modern malware threats</em>."</p><p></p><p>We can see the term "behavior control", which is another name for BB (and HIPS).</p><p></p><p>Now let's see how the BB protection looks in AVs that use the term BB in their documentation:</p><p></p><p><strong><span style="font-size: 18px">G-DATA</span></strong>: <a href="https://www.gdatasoftware.com/blog/2018/10/31127-next-generation-antivirus-how-g-data-can-protect-customers-from-unknown-threats" target="_blank">How G DATA protects customers from unknown threats</a></p><p>"<em>This form of behavior-based malware detection detects, for example, when programs automatically create autostart entries or change other suspicious values in the Windows system database (registry). This is especially the case with fileless malware. In addition, .exe or .dll files are detected that want to copy themselves into the system32 directory. Similarly suspicious is a change in the hosts file – which can relay requests to certain IP addresses or web pages to another address. This attack was used for attacks on online banking in the past. If some of these features are detected together, a recognition is triggered.</em>"</p><p></p><p><span style="font-size: 18px"><strong>Emsisoft</strong></span>: <a href="https://blog.emsisoft.com/en/3466/behavior-blocker-how-it-works/" target="_blank">Efficient protection against new malware: Emsisoft's Behavior Blocker | Emsisoft | Security Blog</a></p><p>"<em>It is also able to detect and stop the following potentially dangerous actions:</em></p><ul> <li data-xf-list-type="ul"><em>Installation of unknown drivers and services</em></li> <li data-xf-list-type="ul"><em>Installation of new BHOs (Browser Helper Objects) and toolbars</em></li> <li data-xf-list-type="ul"><em>Modification of browser settings</em></li> <li data-xf-list-type="ul"><em>Invisible installation of software</em></li> <li data-xf-list-type="ul"><em>Modification of the hosts file (redirecting of websites)</em></li> <li data-xf-list-type="ul"><em>Installation of debuggers in your system</em></li> <li data-xf-list-type="ul"><em>Creation of auto-run entries</em></li> <li data-xf-list-type="ul"><em>Simulated mouse and keyboard input</em></li> <li data-xf-list-type="ul"><em>Direct access to hard-drive sectors</em></li> <li data-xf-list-type="ul"><em>Modification of system security policies</em>"</li> </ul><p></p><p><span style="font-size: 18px"><strong>Comodo </strong></span>(BB in ver. 7.0): <a href="https://help.comodo.com/topic-72-1-522-6307-.html" target="_blank">Behaviour Blocker, Network Access, Internet Protection | Internet Security v7.0</a></p><p>"<em>The Behavior Blocker is an integral part of the Defense+ engine and is responsible for authenticating every executable image that is loaded into the memory. The Behavior Blocker intercepts all files before they are loaded into memory and intercepts prefetching/caching attempts for those files. It calculates the hash of the executable at the point it attempts to load into the memory. It then compares this hash with the list of known / recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe and the Behavior Blocker allows it to run. If no matching hash is found on the safelist, then the executable is 'unrecognized' and is run inside the auto-sandbox. You will be notified via an alert when this happens</em>."</p><p></p><p>From the modern perspective, Comodo's BB should probably be classified as a HIPS, like Kaspersky's HIPS.</p><p></p><p>As can be seen from the above examples, BBs use only some behavior blocking capabilities in the real system (not in a virtual environment or in the cloud). Many behavior blocks used in proactive protection do not come from the BB, but from other proactive modules like sandboxing, IPS, Anti-Exploit (memory corruption vulnerabilities), etc.</p><p></p><p>Advanced Heuristics can use behavior monitoring to detect malware. So, a BB that uses behavior patterns consisting of many suspicious actions will work in practice similarly to some heuristic behavior-based detections.</p><p></p><p>Both BBs and behavior-based detections use behavior monitoring, but the latter do not block suspicious behavior patterns. Each suspicious action is scored and an overall score is computed for each process. A high score will trigger the detection of the process as malicious. The patterns used by behavior-based detections are usually more complex compared to those of a BB. But BBs can work in interactive mode, so the user has more control over which actions should be blocked, without blocking the whole process.</p><p></p><p>From the documents below it follows that:</p><p>Kaspersky and Eset use HIPS for behavior blocking. The HIPS is not the same as a BB. For example, behavior monitoring/analysis in Kaspersky HIPS is usually performed in the pre-execution phase.</p><p>Behavior-based detections are used by Windows Defender (Behavior-based ML, AMSI ML), Trend Micro (OfficeScan), Symantec (Sonar), Kaspersky (System Watcher), F-Secure (DeepGuard), Eset (DNA), BitDefender (Advanced Threat Defense), Avast (Behavior Shield).</p><p></p><p><a href="https://cdn1.esetstatic.com/ESET/INT/Docs/Others/Technology/ESET-Technology-2017.pdf" target="_blank">https://cdn1.esetstatic.com/ESET/INT/Docs/Others/Technology/ESET-Technology-2017.pdf</a></p><p><a href="https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_System_Watcher_ENG.pdf" target="_blank">https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_System_Watcher_ENG.pdf</a></p><p><a href="https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_HIPS_ENG.pdf" target="_blank">https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_HIPS_ENG.pdf</a></p><p><a href="https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/" target="_blank">https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/</a></p><p><a href="https://docs.trendmicro.com/all/ent/officescan/v10.6/en-us/osce_10.6_sp1_olh/behav_monit_malware_block.html#id11CDHD000X4" target="_blank">https://docs.trendmicro.com/all/ent/officescan/v10.6/en-us/osce_10.6_sp1_olh/behav_monit_malware_block.html#id11CDHD000X4</a></p><p><a href="https://symantecevents.verite.com/media/SEP12_JimmySandberg.pdf" target="_blank">https://symantecevents.verite.com/media/SEP12_JimmySandberg.pdf</a></p><p><a href="https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf" target="_blank">https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf</a></p><p><a href="https://www.bitdefender.com.tr/download/bitdefender_ts_2018_userguide_en.pdf" target="_blank">https://www.bitdefender.com.tr/download/bitdefender_ts_2018_userguide_en.pdf</a></p><p><a href="https://blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology" target="_blank">https://blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology</a></p><p></p><p>I do not actually use any 3rd-party AV, so please let me know if I misunderstood or incorrectly used something in my post.</p><p></p><p>Post edited: the term "Behavior Control" used in the MRG Effitas report is slightly more general than BB.</p></blockquote><p></p>
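The contrast the post draws between a BB that decides each intercepted action on its own (optionally asking the user in interactive mode) and a behavior-based detection that scores every action of a process and flags the whole process once the total crosses a threshold, as an added toy model that is not from the post or from any vendor. The action names follow the quoted G DATA and Emsisoft lists; the weights, threshold, policy and process trace are constructed for illustration.

```python
from collections import defaultdict

# Suspicious actions from the quoted G DATA / Emsisoft descriptions, with
# constructed weights (how suspicious the action is on its own).
WEIGHTS = {
    "create_autostart_entry": 3,
    "modify_hosts_file": 4,
    "copy_self_to_system32": 4,
    "install_unknown_driver": 5,
    "simulate_keyboard_input": 2,
    "direct_disk_sector_access": 5,
    "write_user_document": 0,  # benign baseline activity
}
THRESHOLD = 8  # constructed: per-process score at which the process is flagged

# Constructed BB policy: per-action verdict; "ask" models interactive mode.
POLICY = {
    "copy_self_to_system32": "block",
    "modify_hosts_file": "block",
    "create_autostart_entry": "ask",
}

# Constructed process trace: (pid, image name, observed action), in order.
TRACE = [
    (101, "updater.exe", "write_user_document"),
    (101, "updater.exe", "create_autostart_entry"),   # legit updater, one hit
    (202, "invoice.exe", "copy_self_to_system32"),
    (202, "invoice.exe", "create_autostart_entry"),
    (202, "invoice.exe", "modify_hosts_file"),        # pattern of several hits
    (303, "notepad.exe", "write_user_document"),
]

def behavior_blocker(trace, policy, ask=lambda pid, image, act: False):
    """BB style: every intercepted action gets its own verdict from the policy
    ("allow", "block" or "ask"). "ask" defers to the user callback, as in
    interactive mode. Returns the denied (pid, action) pairs; the process
    itself keeps running, only the single action is stopped."""
    blocked = []
    for pid, image, act in trace:
        verdict = policy.get(act, "allow")
        if verdict == "block" or (verdict == "ask" and ask(pid, image, act)):
            blocked.append((pid, act))
    return blocked

def behavior_based_detection(trace, weights=WEIGHTS, threshold=THRESHOLD):
    """Scoring style: accumulate one score per process over all of its actions
    and flag the whole process once the total reaches the threshold. No single
    action is blocked; a lone autostart entry from updater.exe stays below it."""
    scores = defaultdict(int)
    for pid, _, act in trace:
        scores[pid] += weights.get(act, 0)
    return {pid: s for pid, s in scores.items() if s >= threshold}
```

Lowering `threshold` shows the trade-off the post describes: at 3 the legitimate updater is flagged as well, which is the false-positive side of scoring the process rather than asking about the action.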