Behavior Blocker

[cutting_edgetech 25]

Does Eset Smart Security, or NOD 32 have a behavior blocker? I know Eset has great Heuristics, but I have never heard any mention of a BB. I think it would be a great feature to have that could report back to the cloud to help identify new threats.

[SweX 871]

I guess you could say that AMS (Advanced Memory Scanner) is a kind of behavior blocker/monitor/inspector....

 

I no longer test against malware, but when I did, I saw that AMS was successful at detecting malware shortly after execution that had not been detected by one of the earlier layers in the product.

 

 

Advanced Memory Scanner complements Exploit Blocker, as it is also designed to strengthen protection against modern malware. In an effort to evade detection, malware writers extensively use file obfuscation and/or encryption. This causes problems with unpacking and can pose a challenge for common anti-malware techniques, such as emulation or heuristics. To tackle this problem, the Advanced Memory Scanner monitors the behavior of malicious processes and scans them once they decloaks in the memory. This allows for effective detection of even heavily obfuscated malware. Unlike Exploit Blocker, this is a post-execution method, which means that there is a risk that some malicious activity could have been performed already. However, it steps into the protection chain when everything else fails.

 

hxxp://www.eset.com/int/about/technology/#advanced-memory-scanner

Edited July 1, 2015 by SweX

[cutting_edgetech 25]

Thank you for the response! I wonder exactly what behavior AMS looks for.  Maybe it could be turned into a more comprehensive BB. It's hard to say without knowing what it looks for to identify threats.

[Marcos 4,909]

AMS merely triggers a memory scan when a suspicious process activity has been detected.

[Aryeh Goretsky 366]

Hello,

 

Are you thinking of HIPS, perhaps? 

 

Regards,

 

Aryeh Goretsky

[cutting_edgetech 25]

No, I am not thinking of Eset's HIPS. I see how Eset's HIPS aids in blocking exploits, but I was thinking of something more like Emsisoft's BB.

[chrcoluk 2]

I too would like more information on this, the description from eset on AMS is extremely vague and whilst marcos has offered a bit more insight he still hasnt clarified how nod32 determines a process to be suspicious.  

 

The post above mine is proof customers of eset are looking at the competition the fact they researched what emsisoft are doing, and I too can confirm I was doing the same, yesterday I spent about 3-4 hours mulling whether to buy nod32 licenses or emsisoft licenses for my laptop and w10 testing machine.  I came very close to emsisoft due to the behaviour blocker (of which their documents and staff explains what it looks for as well as been configurable) but in the end stayed loyal to eset because I have used it for so long, and I have made some developed HIPS rules for use in nod32.

 

Maybe eset think its not wise to reveal how this stuff works as then a bad guy reading this forum knows how to work round it, but it also makes your customers not trust your product so much as they cannot be sure they are protected from certain types of malware.

 

I run hitman pro alert alongside nod32, and disabled nod32's EB and AMS because I fear it conflicts with HMPA, and I use HMPA for exploit blocking because they have gone into detail what they do to block exploits, whilst eset's description is very vague.

 

I used to run EMET alongside nod32 before using HMPA, and things EMET protected against such as bypassing OS level DEP, nod32 never blocked, so I am honestly very confused specifically what exploit blocker does and what behaviour AMS looks for.

[toxinon12345 32]

Advanced Memory Scanner does a dynamic DNA scan without the need of emulation.

AMS is propietary technology and extends proactive longevity, reaching high (>90%) detection rates.

Edited May 13, 2016 by toxinon12345

[itman 1,627]

More and more malware these days is being downloaded packed and obfuscated. This type of malware is designed to only unpacked and un-obfuscate after it has been loaded into memory i.e. started execution.

Since the malware is packed on download, conventional signature based methods cannot detect it in that state. What Eset's AMS does is detect the unpacking activity and then scans the malware in memory using its DNA signatures.

As is explained in Eset's write up on AMS, it is post-execution detection. As such, there is a chance that partial infection has occurred.

HMP-A is first and foremost anti-exploit software that over time has expanded its scope to include other protections such as for ransomware and the like. Exploits attack allocated process memory by heapspraying and the like. They also attack kennel table areas and the like. Note that malware packing is not an exploit technique. Exploits need a vulnerability.

Edited May 19, 2016 by itman

[Marcos 4,909]

As is explained in Eset's write up on AMS, it is post-execution detection. As such, there is a chance that partial infection has occurred.

 

The good news is that this normally doesn't happen I've seen cases when a trojan was detected by AMS upon execution but it was not terminated due to a reason. We've recently made some improvements in this regard and those who have LiveGrid enabled and working can benefit from it even more. Currently these improvements are in modules on pre-release update servers and will be released for general public soon.