IDS, Behavior blocker, Heuristic, what is the difference?

Guest Tempus

Hello =)

 

Yesterday, I had a long, constructive discussion with some of my friends. It was after we had played some Elder Scrolls Online that the question was raised. What is the difference between "IDS" (Intrusion detection system), "Behaviour blocker" and "Advanced Heuristics", which is capable of emulation to determine if a script is of malicious content?

  • Is the IDS a mini behavior blocker that monitors system and network activities, but without user interaction?
  • Is Advanced Heuristic another kind of behavior blocker, but capable, through simulation, of determining whether software has suspicious behaviour or not?
  • And is a behaviour blocker like the one we have in Emsisoft a more static blocker (static block = without heuristic detection) that will stop a program if it performs a specific action that is defined by a set of rules predefined by the coder/developer?

As you can hear, we were, me included, more and more confused as we discussed that subject. So please, Emsisoft or another knowledgeable person, can you cast some light on this question?... please.

 

Thanks

 

Legend

Hi Legend,

You bring up a good question, but unfortunately there isn't one answer here. :) That is because a lot of definitions are being used for the same term. See for example also Fabian's explanation here.

Is the IDS a mini behavior blocker that monitors system and network activities, but without user interaction?

For Emsisoft you can just say it's about the same thing, just a different term. Behavior blocking or IDS can both have user interaction; it's the fact that the program is able to recognize a certain intrusion or behavior that counts. After that, it's the user or the program settings that decide what is actually done with it.

The issue is, IDS already implies something malicious is going on. That is sometimes misleading, because not every alert is generated by malware. Behavior blocking covers it better IMO, because it suggests it is behavior that causes an alert, which doesn't necessarily mean this behavior is also malicious. (And here community-based input plays a role: in Emsisoft products you will usually see that plain malware will be auto-blocked by community input (90% of the users blocked it, so EAM will block it), while questionable or even legitimate programs will respectively prompt for action or be automatically allowed.) That system isn't 100% fail-safe, but will help quite a bit in reducing alerts.

Advanced heuristics is really a very general term as well. In most cases (as also explained in the post I linked you to above) it implies some sort of emulation is going on. That sounds quite good, but malware can also protect itself against this type of emulation (and refuse to execute when it detects emulation, for example).

And is a behaviour blocker like the one we have in Emsisoft a more static blocker (static block = without heuristic detection) that will stop a program if it performs a specific action that is defined by a set of rules predefined by the coder/developer?

Yes, EAM does not use emulation.

Again, this is really a generalization; each security program may have its own definitions of these terms and/or use them in its own way. EAM's behavior blocker works quite well, as you can also see by observing for example AVC's real-world protection tests. In EAM9 some additional functionality has been added (static is nice, but that doesn't mean we're not continuously working to find new ways to block malware as early as possible :)).

 

I hope this answers your questions (and didn't cause more confusion).

Guest Tempus

Thanks Elise for your answer. No, I have not become more confused; your answer actually placed things in perspective. But I can see and understand that I can't necessarily put all things in boxes ^_^. But now I at least have an answer for my friends next time we take a round of Elder Scrolls Online, if time permits. Once again thanks Elise, have a nice day.

 

Thanks

 

Legend


Intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

 

Unlike heuristics or fingerprint-based scanners, behavior blocking software integrates with the operating system of a host computer and monitors program behavior in real-time for malicious actions. The behavior blocking software then blocks potentially malicious actions before they have a chance to affect the system.

 

The Behavior Blocker intercepts all files before they are loaded into memory and intercepts prefetching/caching attempts for those files. It calculates the hash of the executable at the point it attempts to load into the memory. It then compares this hash with the list of known / recognized applications that are on the Comodo safe list.


Hi Rachelle,

While it is okay to quote information, for reference and so everyone knows where you found the information, please provide the link to the information you found as well. :)

 

In this case that would be: 

http://en.wikipedia.org/wiki/Intrusion_detection_system

http://www.symantec.com/connect/articles/behavior-blocking-next-step-anti-virus-protection

http://help.comodo.com/topic-84-1-499-5566-.html

 

Two of these definitions are vendor-specific; this means that Symantec and Comodo each have their own definition of behavior blocking, which does not mean they use the same approach or technology.

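To put the three definitions discussed in this thread side by side, here is an added toy model of a host-based behavior blocker. It is example code written for this page, not Emsisoft's, Comodo's or Symantec's implementation, and every program name, rule, threshold, image byte string and community vote count in it is constructed. It chains the Comodo-style load-time hash lookup against a safe list (Rachelle's quote), the static predefined rule set Elise describes for EAM (no emulation), and the community-input policy from Elise's first answer (auto-block when almost everyone blocked it, auto-allow when almost everyone allowed it, otherwise prompt), with a minimum-votes floor so that a handful of votes does not decide on its own.

```python
"""Toy host-based behavior blocker, added to illustrate this thread.

Constructed example code, not Emsisoft's, Comodo's or Symantec's
implementation. The pipeline mirrors the three ideas discussed above:

  1. At image-load time, hash the executable and look it up in a safe list
     (the Comodo description quoted in the thread).
  2. If the image is unknown, match the actions it performs against a static,
     predefined rule set (EAM blocks on behaviour, without emulation).
  3. Decide what to do with the resulting alert from community input:
     auto-block when nearly everyone blocked it, auto-allow when nearly
     everyone allowed it, otherwise prompt the user.

All program names, rules, thresholds, image bytes and vote counts below are
made up for the example.
"""
import hashlib
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

Action = Dict[str, str]


class Verdict(Enum):
    AUTO_ALLOW = "auto-allow"
    AUTO_BLOCK = "auto-block"
    PROMPT = "prompt user"


# --- 1. Load-time hash lookup -------------------------------------------
def image_hash(image: bytes) -> str:
    """Hash of the executable bytes as they are about to be mapped."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-in for a trusted binary and the vendor's safe list.
KNOWN_GOOD = b"MZ\x90\x00" + b"constructed stand-in for a signed editor binary"
SAFE_LIST: Dict[str, str] = {image_hash(KNOWN_GOOD): "editor.exe"}


# --- 2. Static rule set: predicates over observed actions ---------------
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RULES: Dict[str, Callable[[Action], bool]] = {
    "autorun-persistence": lambda a: a["type"] == "registry_write"
    and a.get("key", "").lower().startswith(RUN_KEY),
    "process-injection": lambda a: a["type"] == "process_inject",
    "hosts-file-tamper": lambda a: a["type"] == "file_write"
    and a.get("path", "").lower().endswith(r"\drivers\etc\hosts"),
}


def matched_rules(actions: List[Action]) -> List[str]:
    """Rule ids triggered by any of the observed actions (sorted, unique)."""
    return sorted({rid for rid, pred in RULES.items() for a in actions if pred(a)})


# --- 3. Community-input policy ------------------------------------------
# Constructed counts: program -> (users who blocked it, users who allowed it).
COMMUNITY: Dict[str, Tuple[int, int]] = {
    "dropper.exe": (950, 50),   # 95 % blocked -> auto-block
    "updater.exe": (8, 392),    #  2 % blocked -> auto-allow
    "tiny.exe": (3, 0),         # too few votes to trust -> prompt
}


def community_verdict(program: str, community: Dict[str, Tuple[int, int]],
                      block_at: float = 0.90, allow_at: float = 0.10,
                      min_votes: int = 50) -> Verdict:
    """Turn an alert into a verdict using the share of users who blocked."""
    votes: Optional[Tuple[int, int]] = community.get(program)
    if votes is None or sum(votes) < min_votes:
        return Verdict.PROMPT  # not enough data to decide automatically
    blocked, allowed = votes
    share = blocked / (blocked + allowed)
    if share >= block_at:
        return Verdict.AUTO_BLOCK
    if share <= allow_at:
        return Verdict.AUTO_ALLOW
    return Verdict.PROMPT


def evaluate(program: str, image: bytes, actions: List[Action],
             safe_list: Dict[str, str] = SAFE_LIST,
             community: Dict[str, Tuple[int, int]] = COMMUNITY
             ) -> Tuple[Verdict, List[str]]:
    """Full pipeline: safe-list hash check, then rules, then community policy."""
    if image_hash(image) in safe_list:
        return Verdict.AUTO_ALLOW, []       # recognised image, no monitoring
    rules = matched_rules(actions)
    if not rules:
        return Verdict.AUTO_ALLOW, []       # unknown image, nothing suspicious
    return community_verdict(program, community), rules


if __name__ == "__main__":
    run_write = {"type": "registry_write",
                 "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"}
    patched = KNOWN_GOOD[:-1] + b"!"        # one byte changed: hash no longer matches
    for name, image, acts in [
        ("editor.exe", KNOWN_GOOD, [{"type": "process_inject"}]),
        ("editor.exe", patched, [{"type": "process_inject"}]),
        ("dropper.exe", b"MZ-dropper", [run_write]),
        ("updater.exe", b"MZ-updater", [run_write]),
    ]:
        print(name, *evaluate(name, image, acts))
```

Two points the toy makes that the prose only hints at: a single changed byte in a safe-listed binary drops it out of the hash lookup and into behaviour monitoring, which is why the hash is taken at the moment of loading rather than from an earlier scan; and the community policy only decides automatically once enough users have voted, so a brand-new program with the same suspicious behaviour still prompts, which is the "not 100% fail-safe" trade-off between fewer alerts and missing something new.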
