What exactly is being monitored specifically? For something like creation of autostart entries that's really "Adding an entry to the registry" or to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\ And for manipulation of the hosts file it would be "Writing to the hosts file in \etc\hosts" or something. I am just wondering what API calls are being intercepted when that's the case or what else is being monitored specifically. ex: I don't know what "Spyware behavior" entails - I'd like an indepth explanation. in short, what specific actions compose each of these behaviors?