What is a behavior blocker?

Discussion in 'other anti-malware software' started by alex_s, Nov 30, 2008.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Can anybody explain (technically, with examples) what "behavior blocker" means? What is the difference between a behavior blocker and HIPS? (with examples).
     
  2. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Re: What is a behavior blocker?

    My educated guess would be that HIPS alerts you to all activity, and behavior blockers would only alert you to suspicious activity that is similar to that of malware, but I don't deal with either of these so it's only my best educated guess ^^
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    See the CastleCops HIPS FAQ for a decent discussion of the topic.

    Blue
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: What is a behavior blocker?

    Hm .. interesting. I never knew OA is a behavior blocker. I always thought it is a classical HIPS :)
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Ahh. Thanks. If I got it right, BB is some subset of the more common name "HIPS".

    cite:
    "The most common type of HIPS for home users are behavior blockers."

    Then there hardly can be strict criteria. Sigh.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think you can differentiate them as: ThreatFire is a behavior blocker and OA is a tripwire.
    The tripwire part is easy; the BB is ambiguous. :/
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    As an experienced OA tester I can say it pays very much attention to reducing user interaction, and yes, this is a very tricky part: to reduce interaction and preserve security. But there is visible progress. For example the latest beta has been running here for two days now after a fresh install without ANY interaction :)

    Though, I'd like to hear more strict criteria for BB, because HIPS provided with "intellect" seems to do the same.

    Edit. Nope, I was wrong, there was a single popup (FW-specific) about "new network discovered" and whether I trust it or not.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I may have complicated that post. When I say "The tripwire part is easy, the BB is ambiguous." I mean only the terms. :p
     
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    Hi alex_s,

    Both H.I.P.S. and behavior blockers intercept program and procedure call APIs.

    The main difference is that H.I.P.S. need to build a whitelist database of the files on the host machine and then treat any application/file newly introduced to the host as hostile. This means that until the user adds this application to their whitelist, they will warn the user about any action that the file/program tries to perform.

    On the other hand, behavior blockers are "H.I.P.S. with Artificial Intelligence". They do not need a whitelist database (although it could help) and treat every application as equal; neither friendly nor hostile. They are configured to alert the user only on certain actions or sequences of actions that seem suspicious (for example creation, modification or deletion of multiple files on the system) or that try to access critical areas of the system.

    hope it helps,
    Panagiotis
     
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Just a bit :)
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OK. Let us take direct disk access for example. On what basis can a BB block/allow/ask the user about it if it treats every program equally? Many system programs (for example svchost) use DDA (I dunno what for). Then how can a BB decide "this is svchost, it can be allowed" or "this is malware, this should be blocked" without some kind of whitelist?
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think it has to know something about Windows, no? :)
     
  13. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    svchost uses DDA? What for? This is new to me since I have never seen svchost try to access the disk directly. :blink:

    Some blockers use the certificate and the vendor information of the app to identify it as legitimate. Others use whitelists. Others use in-the-cloud technology with statistics about the actions of an app. Others could have another approach that I do not know of (you must ask the developers of the various BBs for that). But all have a user whitelist, needed when a user accepts an application as legitimate after an alert.

    Panagiotis
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Sure, but then we come back to the very beginning. Knowing something about Windows, it knows that svchost is a "good" process, which is conceptually nothing but whitelisting :)
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    VERY generally speaking...

    1- Classical HIPS (C-HIPS) & Behavior Blockers (BB) both monitor to detect behavior that is *typical* of the behavior of malware.

    2- A C-HIPS will also monitor for *significant changes* to your computer, over & beyond behaviors commonly typical of malware. Although those changes may not be *typical* of malware, they are nevertheless deemed to be sufficiently *significant* to be brought to the user's attention.

    3- Some BB *reportedly* monitor for a SERIES of behaviors, no single one of which is necessarily typical of malware, but the SERIES of behaviors IS typical of malware. C-HIPS, however, do not monitor series.

    4- BB usually have a goodly degree of artificial intelligence such that they will automatically take action against certain types of threats. C-HIPS, on the other hand, are dumber, and tend to ask the user about every little action they perceive to be significant.

    5- C-HIPS are highly configurable. Some of them have fairly large sets of default rules, whereas others have barely any. In any event, tweaking of rules is very much in the hands of the user. On the other hand, BB are less user-configurable, & tend to have LOTS of built-in/default rules, many of which are invisible to, & un-tweakable by, the user.

    6- BB are primarily *expert systems* such that the developers of the program exercise almost SOLE control over the basic operations of their application. On the other hand, C-HIPS are primarily a team effort -- the user and the program developers (in effect) work together as a team by jointly developing and applying a rule set to provide high protection -- see "7" below.

    7- C-HIPS usually have "learning" modes, so that the user can (in effect) *train* the C-HIPS to recognize the apps the user is using, and learn the ways in which s/he typically uses those apps. During this learning period, the C-HIPS builds a rule set on its own, based upon the apps the user uses & what s/he does with them. BB, on the other hand, often do not use learning modes inasmuch as they are more on the order of apps *designed by geniuses for execution by doofuses*.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    THERE-- I have written well beyond my own depth of knowledge, so that those who know more than I do will have something to pick apart or add onto. And awaaaay we go...
     
    Last edited: Dec 1, 2008
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Do not ask me why and what for svchost uses DDA, I dunno :) But I see this in my log:

    [15:56:28.978] D00 ---- --- AppName: C:\Windows\system32\wbem\wmiprvse.exe
    [15:56:28.978] D00 ---- --- FileName: \??\PHYSICALDRIVE0
    [15:56:28.978] D00 ---- --- Access: C0100080

    [15:57:02.040] EA0 ---- --- AppName: C:\Windows\System32\svchost.exe
    [15:57:02.040] EA0 ---- --- FileName: \??\PhysicalDrive0
    [15:57:02.040] EA0 ---- --- Access: 100180

    This is under Vista.

    Well, what I see there is no clear difference between so-called "classical HIPS" and BB. In the end they use the same techniques (more or less the same, I mean).
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think the very thought that something just might be more sophisticated than OA makes you ignore what the others are (trying to) tell you.
    You might need beer and a shot of tequila. :D
     
  18. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    the difference between HIPS and behaviour blocker is that behaviour blocker is an actual descriptive term that indicates what it specifically does, while HIPS is an entirely ambiguous term that many people (and organizations) have used to mean many things...

    i seem to recall gartner had a HIPS grid that showed virus scanners in one of its quadrants... that's how ambiguous and unspecific the term host intrusion prevention system (HIPS) is... virtually anything that prevents malware can be labeled as such...
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Oh, no. I just want to understand it clearly. To compare what is sophisticated and to what extent, you should run some set of tests and compare the outcome. It is not enough just to say "this is sophisticated because it is called BB" and "this is less sophisticated because it is called HIPS". After all, it is the vendor who calls the product one way or another, and different vendors can just have different points of view. This is something like the "SPI" question. Everybody knows the word and everybody uses it, but very few actually understand what it means, what it is for and what practical value it has. My personal position is not to use a term if I can't explain very clearly what it means (at least for me). You see, we have here some different opinions and no clear statement. Ehhh .. as an analyst I hate this kind of thing, it brings a lot of confusion ..

    PS. and "holy wars" :)
     
    Last edited: Dec 1, 2008
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    That's why I try to avoid getting into technical details and showing how dumb I am :D

    I think you can look at it this way. What we've been calling BB, or what Pandlouk calls "H.I.P.S. with Artificial Intelligence", try to detect / should detect only real malware, and state something like "this is behavior typical of malware, quarantine?". The rest are FPs.
    Some will be more "intelligent" than others, all have flaws and so on. But this is their purpose.

    What bellgamin calls fries, pardon, C-HIPS, are tripwires, alerting on single events regardless of context /application.

    The distinction can and will blur on this or that program, but you can look at this as the main difference or starting point.
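    As an added illustration of the tripwire-versus-sequence distinction drawn in this thread (constructed example code, not from any product mentioned here): both policies run over the same constructed event stream; the image paths, action weights, threshold, window and the trusted-image set are assumptions standing in for a product's built-in rules and for the signature/vendor check pandlouk describes.

```python
from collections import defaultdict

# Constructed sample event stream: (time_s, pid, image, action, target)
SVCHOST = r"C:\Windows\System32\svchost.exe"
DROPPER = r"C:\Users\u\Downloads\setup.exe"      # hypothetical unsigned binary
EDITOR = r"C:\Program Files\Editor\editor.exe"   # hypothetical benign app
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"
EVENTS = [
    (0.0, 100, SVCHOST, "direct_disk", r"\??\PhysicalDrive0"),
    (1.0, 200, DROPPER, "file_write", r"C:\Users\u\Documents\a.doc"),
    (1.1, 200, DROPPER, "file_write", r"C:\Users\u\Documents\b.doc"),
    (1.2, 200, DROPPER, "file_write", r"C:\Users\u\Documents\c.doc"),
    (1.5, 200, DROPPER, "autostart", RUN_KEY),
    (2.0, 200, DROPPER, "direct_disk", r"\??\PhysicalDrive0"),
    (3.0, 300, EDITOR, "file_write", r"C:\Users\u\Documents\notes.txt"),
]

# "Significant" single actions a tripwire C-HIPS prompts on, whoever performs them
SIGNIFICANT = {"direct_disk", "autostart"}

def tripwire_hips(events):
    """Classical HIPS: one alert per significant event, no context kept."""
    return [(pid, image, action, target)
            for _, pid, image, action, target in events if action in SIGNIFICANT]

# Behavior blocker: per-action weights (assumed), scored per process in a time window
WEIGHTS = {"file_write": 1, "autostart": 3, "direct_disk": 3}
TRUSTED_IMAGES = {SVCHOST}   # stand-in for a signature/vendor trust check
THRESHOLD = 6                # no single action reaches this on its own
WINDOW = 5.0                 # seconds of history considered per process

def behavior_blocker(events, trusted=TRUSTED_IMAGES):
    """Behavior blocker: score each process's recent actions as a sequence
    and alert once (per process) when the combined score crosses THRESHOLD."""
    history = defaultdict(list)   # pid -> [(time, action), ...]
    flagged, alerts = set(), []
    for ts, pid, image, action, _target in events:
        if image in trusted:      # trusted publisher short-circuits scoring
            continue
        recent = [(t, a) for t, a in history[pid] if ts - t <= WINDOW]
        recent.append((ts, action))
        history[pid] = recent
        score = sum(WEIGHTS.get(a, 0) for _, a in recent)
        if score >= THRESHOLD and pid not in flagged:
            flagged.add(pid)
            alerts.append((pid, image, score, [a for _, a in recent]))
    return alerts
```

    The tripwire path raises three prompts (including svchost's disk access), while the sequence path raises one alert for the dropper only after three file writes plus an autostart entry, and stays silent for svchost even when the trusted set is empty because a lone disk access never reaches the threshold.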
     
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I agree; the focus, I believe, is not "if" or "how" sophisticated a software is, but how effective it is at ensuring system protection. And IMHO a HIPS well set up and well used is far more efficient than a BB.
     
  22. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    But a BB is also a HIPS :)

    Actually, "better" here is a complex function of security/reliability/usability (I mean these have the main value; there are many other less essential parameters). The first two parameters can be "more or less" estimated by tests, though the last one is very difficult to formalize, and there is a problem.
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    A behaviour blocker can be considered as a light HIPS.
     
  24. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Not a real HIPS: it does not have complete control of the system, nor does it allow creating rules, limits and blocks on all the applications, processes, services...
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I know I read an article where they call BB a HIPS, but I think you are correct 150% :thumb: plus you can get more protection with a pure HIPS app :cool:
     