Question about the "process view" monitoring feature

Discussion in 'Prevx Releases' started by opcode, Dec 21, 2011.

Thread Status:
Not open for further replies.
  1. opcode

    opcode Registered Member

    I think it is a great addition, btw. One question though, as I haven't played around with it much.

    1. When WSA loads up, will it automatically monitor any new process that runs and begin analyzing it for suspicious behavior on its own (i.e. don't trust anything at first), or is this something that users have to manually control (if we think something is suspicious, the user has to then enable it for monitoring)?

    2. If something is being monitored and it does not display malicious behavior, will it eventually earn a Trusted state on its own? Or again, do users need to manually decide that?

    I think if WSA automatically started monitoring every process upon start-up, this would be a good feature. Perhaps even monitor whitelisted processes as well, since those can be taken over.

    Thanks for any explanation. I look forward to testing it out more.
  2. Techfox1976

    Techfox1976 Registered Member

    - It heavily monitors Unknown processes (They will show up as Monitor in the list).
    - It heavily monitors Known-Good processes that have any code loaded from any Unknown source (Unknown DLL in Known-Good rundll32? Monitored!)
    - It lightly monitors Known-Good processes at all times Just In Case something stupid happens (darn you Flash!)

    Monitoring rules originate from the cloud, however the user can decide to override these and set something to not be monitored, or force it to be monitored when it is known-good in the cloud. When something is highly-distributed and checked to known-good, it's revised in the cloud and no longer heavily monitored.
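    The three monitoring tiers and the override/revision behaviour described in this post, modelled as a small added Python example (this is not Webroot's code; the hash labels, the CLOUD table, the prevalence threshold PROMOTE_AT and all function names are assumptions):

```python
from dataclasses import dataclass, field
from enum import Enum

class Rep(Enum):          # cloud reputation of a code image (main exe or DLL)
    GOOD = "known-good"
    UNKNOWN = "unknown"

class Level(Enum):        # how closely a process is watched
    NONE = "not monitored"
    LIGHT = "light"
    HEAVY = "heavy"

# Constructed stand-in for the cloud reputation service: hash -> [reputation, prevalence]
CLOUD = {
    "sha256:rundll32":   [Rep.GOOD, 1_000_000],
    "sha256:flash":      [Rep.GOOD, 900_000],
    "sha256:dropper":    [Rep.UNKNOWN, 3],
    "sha256:newtool":    [Rep.UNKNOWN, 50_000],
    "sha256:plugin.dll": [Rep.UNKNOWN, 7],
}
PROMOTE_AT = 10_000       # assumed prevalence at which the cloud revises unknown -> known-good

@dataclass
class Process:
    name: str
    image: str                                    # hash of the main executable
    modules: list = field(default_factory=list)   # hashes of DLLs loaded into it

def reputation(h):
    return CLOUD.get(h, [Rep.UNKNOWN, 0])[0]      # anything the cloud has never seen is unknown

def monitor_level(proc, overrides=None):
    """Apply the cloud's default rules, unless the user has overridden this image."""
    overrides = overrides or {}
    if proc.image in overrides:                   # user forced monitoring on or off
        return overrides[proc.image]
    if reputation(proc.image) is Rep.UNKNOWN:
        return Level.HEAVY                        # unknown process: heavy monitoring
    if any(reputation(m) is Rep.UNKNOWN for m in proc.modules):
        return Level.HEAVY                        # unknown code inside a known-good host
    return Level.LIGHT                            # known-good still gets a light watch

def cloud_revise():
    """Promote widely distributed unknowns to known-good, as the cloud does after review."""
    promoted = []
    for h, entry in CLOUD.items():
        if entry[0] is Rep.UNKNOWN and entry[1] >= PROMOTE_AT:
            entry[0] = Rep.GOOD
            promoted.append(h)
    return promoted
```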
  3. opcode

    opcode Registered Member

    One word comes to mind: "impressive".

    Thanks for clearing that up!
  4. opcode

    opcode Registered Member

    One concern/question I have:

    Let's say a process that's being monitored is in fact a trojan. Assume it's a keylogger. Now, while this trojan is monitored, is the malicious process still able to run free on the system and record my keystrokes? If so, the damage has been done. Valuable information could have been stolen during that monitoring window. Would that be correct?

    A solution to this may be to have all suspicious files automatically sandboxed immediately, giving them little-to-no system rights and ensuring that they cannot execute and run whatever it is they were intended to do.
  5. fax

    fax Registered Member

    Not really, keylogging features of the malware will be jammed by the WSA identity shield component on https sites. You are still perfectly protected.
  6. Techfox1976

    Techfox1976 Registered Member

    That and the fact that monitoring also watches for impolite activity. An unknown item logging keys would more likely than not end up triggering heuristics and thus being blocked in its entirety when it even tried to hook the keyboard filters or log the keystrokes in any other manner.