What is behavior blocker ?

Can anybody explain (technically, with examples) what does mean behavior blocker ? What is the difference betweet behavior blocker and HIPS ? (with examples).

 

Re: What is behavior blokcker ?

My Educated guess, would be that HIPS alerts you to all activity, And Behavior Blockers would only alert you to suspicious activity that is similar to that of malware, but i don't deal with either of these so its only my best educated guess ^^

 

See the CastleCops HIPS FAQ for a decent discussion of the topic.

Blue

 

Re: What is behavior blokcker ?

Hm .. interesting. I never knew OA is behavior blocker. I always thought it is classical HIPS

 

Ahh. Thanks. If I got it right BB is some subset of more common name "HIPS".

cite:
"The most common type of HIPS for home users are behavior blockers."

Then there hardly can be strict criteria. Sigh.

 

I think you can differentiate them as, ThreatFire is a behavior blocker and OA is a tripwire.
The tripwire part is easy, the BB is ambiguous. :/

 

As experienced OA tester I can say it pays very much attention to reduce user interaction, and yes, this is very tricky part to reduce interaction and preserve security. But there is visible progress. For example the latest beta runs here for two day now after fresh install without ANY interaction

Though, I'd like to hear more strict criteria of BB, because HIPS provided with "intellect" seems to do the same.

Edit. Nope, I was wrong, there was a single popup (FW-specific) about "new network discovered" and either I trust it or not.

 

I may have complicated that post. When i say "The tripwire part is easy, the BB is ambiguous." i mean only the terms.

 

Hi alex_s,

both H.I.P.S. and Behavior Blockers intercept Program and Procedure Call APIs.

The main difference is that H.I.P.S. need to build a whitelist database of the files on the host machine and then treat any application/file newly introduced to the host as hostile. This means that until the user add this application to their whitelist they will warn the user about any action that the file/program tries to perform.

On the other hand Behavior Blockers are "H.I.P.S. with Artificial Inteligence". They do not need a whitelist database (although it could help) and treat every application as equal; neither friendly nor hostile. They are configured to alert the user only on certain actions or sequences of actions that seem suspicious (for example creation, modification or elimination of multiple files on the system) or try to access critical areas of the system.

hope it helps,
Panagiotis

 

Just a bit

 

OK. Let us take direct disk acces for example. On what basis BB can block/allow/ask user about it if it treats every program equally ? Many system programs (for example svchost) use dda (I dunno what for). Then how BB can decide "this is svchost, it can be allowed" or "this is malware, this should be blocked" without some kind of whitelist ?

 

I think it has to know something about Windows no?

 

svchost uses dda? What for? This is new to me since I have never seen svchost to try to access directly the disk.

Some blockers use the certification and the vendor information of the app for identificate it as legitimate. Others use whitelists. Others use on the cloud technology with statistics about the actions of an app. Others could have another approach that I do not know; (you must ask the developers of the various BBs for that). But all have a user whitelist, needed when a user accepts an application as legitimate after an alert.

Panagiotis

 

Sure, but then we come to the very beginning. Knowning something about Windows it knows that svchost is "good" process which is conceptually nothing, but whitelisting

 

VERY generally speaking...

1- Classical HIPS (C-HIPS) & Behavior Blockers (BB) both monitor to detect behavior that is *typical* of the behavior of malware.

2- A C-HIPS will also monitor for *significant changes* to your computer, over & beyond behaviors commonly typical of malware. Although those changes may not be *typical* of malware, they are nevertheless deemed to be sufficiently *significant* to be brought to the user's attention.

3- Some BB *reportedly* monitor for a SERIES of behaviors, no single one of which is necessarily typical of malware, but the SERIES of behaviors IS typical of malware. C-HIPS, however, do not monitor series.

4- BB usually have a goodly degree of artificial intelligence such that they will automatically take action against certain types of threats. C-HIPS, on the other hand, are dumber, and tend to ask the user about every little action they perceive to be significant.

5- C-HIPS are highly configurable. Some of them have fairly large sets of default rules, whereas others have barely any. In any event, tweaking of rules is very much in the hands of the user. On the other hand, BB are less user-configurable, & tend to have LOTS of built-in/default rules, many of which are invisible to, & un-tweakable by, the user.

6- BB are primarly *expert systems* such that the developers of the program exercise almost SOLE control over the basic operations of their application. On the other hand, C-HIPS are primarily a team effort -- the user and the program developers (in effect) work together as a team by jointly developing and applying a rule set to provide high protection -- see "7" below.

7- C-HIPS usually have "learning" modes, so that the user can (in effect) *train* the C-HIPS to recognize the apps the user is using, and learn the ways in which s/he typically uses those apps. During this learning period, the C-HIPS builds a rule set on its own, based upon the apps the user uses & what s/he does with them. BB, on the other hand, often do not use learning modes inasmuch as they are more on the order of apps *designed by geniuses for execution by doofuses*.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THERE-- I have written well beyond my own depth of knowledge, so that those who know more than I do will have something to pick apart or add onto. And awaaaay we go...

 

Do not ask me why and what for svchost uses DDA, I dunno But I see in my log:

[15:56:28.978] D00 ---- --- AppName: C:\Windows\system32\wbem\wmiprvse.exe
[15:56:28.978] D00 ---- --- FileName: \??\PHYSICALDRIVE0
[15:56:28.978] D00 ---- --- Access: C0100080

[15:57:02.040] EA0 ---- --- AppName: C:\Windows\System32\svchost.exe
[15:57:02.040] EA0 ---- --- FileName: \??\PhysicalDrive0
[15:57:02.040] EA0 ---- --- Access: 100180

This is under Vista.

Well, what I see there is no clear difference between so called "classical HIPS" and BB. In the end they use the same techniques (more or less the same, I mean).

 

I think the very thought that something just might be more sophisticated than OA makes you ignore what the others are (trying to) telling you.
You might need beer and a shot of tequila.

 

the difference between HIPS and behaviour blocker is that behaviour blocker is an actual descriptive term that indicates what it specifically does, while HIPS is an entirely ambiguous term that many people (and organizations) have used to mean many things...

i seem to recall gartner had a HIPS grid that showed virus scanners in one of its quadrants... that's how ambiguous and unspecific the term host intrusion prevention system (HIPS) is... virtually anything that prevents malware can be labeled as such...

 

Oh, no. I just want to understand it clear. To compare what is sophysticated and in what extence you should run some set of the tests and compare outcome. This is not enough just to say "this is sophysticated because it is called BB" and "this is less sophysticated bacause it is called HIPS". After all this is vendor who calls product in this or other way and different vendors can just have different points of view. This is something like "SPI" question. Everybody knows the word and everybody uses it, but very few actually understand what does it mean, what it is for and what practical value does it have. My personal position is not ot use the term if I can't explain very clear what does it mean (at least for me). You see, we have here some different opinions and no clear statement. Ehhh .. as analist I hate this kind of things, they bring a lot of confusion ..

PS. and "holy wars"

 

That's why i try to avoid getting into technical details and showing how dumb i am

I think you can look at it this way. What we've been calling BB, or what Pandlouk calls "H.I.P.S. with Artificial Inteligence", try to detect/ should detect only real malware, and state something like "this is behavior typical of malware, quarantine?". The rest is FP's.
Some will be more "intelligent" than others, all have flaws and so on. But this is their purpose.

What bellgamin calls fries, pardon, C-HIPS, are tripwires, alerting on single events regardless of context /application.

The distinction can and will blur on this or that program, but you can look at this as the main difference or starting point.

 

I agree, the focus, I believe, is not " if " or " how " a software is sophysticated, but how it is effective to ensure the system protection. And imho an HIPS well setted and well used is too far efficient than a BB.

 

But BB is also HIPS

Actually, "Better" here is a complex function of security/reliability/usability (I mean they do have the main value, there are many other less essential parameters). The first two parameters can be "more or less" estimated by the tests, though the last one is very difficult to formalize, and there is a problem.

 

a behabiour blocker can be consider as light hips

 

Not a real HIPS: it has not the complete control on the system, neither allows to create rules, limits and blocks on all the applications, processes, services...

 

i know i red an article where they call bb as hips,but i think you are correct 150% plus you can get more protection with a pure hips app