hjlbx

Clarification - File Guard, Behavior Blocker, Cloud Look-up


Hello,

File Guard covers routine file manipulations - copy, paste, save, send to, etc.

Behavior Blocker covers files and code that are running - installations, processes, scripts, hooks, setting changes, etc, etc, etc.

Cloud Look-up occurs when new executables are installed.

Is my understanding correct?

Thanks,

hjlbx


Your understanding is unfortunately not entirely correct. You are correct that the File Guard cares about file manipulations. There are in fact 3 specific events we care about: file open, file write and file map. The latter is a technique implemented by most modern OSes these days. It essentially allows you to map the content of a file into your process's memory view without actually having to read it. Instead, mechanisms like paging are used to only read the required parts of the file when you access the memory areas the file is mapped into. All high-level operations like the ones you mentioned (copy, paste, save, send to, but also execute) will eventually break down to one of these 3 primitives that we are looking for. The File Guard will use the data captured through these events to scan any files involved, depending on your settings.

The Behavior Blocker cares about these file system activities as well. But in addition it also cares about registry accesses and interaction with other objects on your system, like other processes, your internet connection, the Windows GUI and so on. These events are then used by the Behavior Blocker to get a bigger picture of what an application is doing on your system. As soon as specific combinations of behaviors are detected or a certain threshold is reached, the Behavior Blocker will alert you about the program.

If such an alert is triggered, the cloud comes into play. If you have the community-based alert reduction enabled in the Behavior Blocker, EAM/EIS will contact our servers and ask if we have seen this application behave this way before, to figure out if we have updated information on how to deal with that application in the proper way. So we don't actually submit information about all programs you install to the cloud, as we think it is too big of an invasion of privacy, but only those that we are suspicious of to begin with due to what they are doing on your system, which in our opinion is an acceptable compromise for most users.

To make things short:

  • File Guard cares about all files that are either opened, changed or mapped to scan them using the on-demand scan engine depending on your settings.
  • The Behavior Blocker cares about any processes' interactions with any major Windows subsystem including but not limited to file system, registry, network, GUI and other processes.
  • The Cloud jumps in if the Behavior Blocker found a process to look suspicious.

Hope that helps :).


Hello Fabian,

You always have the really good stuff... ;)

What I am seeing on my system is if I download and execute (Save and Run) a program that EIS 9 does not recognize, an Anti-Malware Network notification will appear. So, in other words, I am seeing cloud lookup primarily during installation.

I have also seen AMN lookup notifications when modules are loaded into active memory - whether during installation or executed.

EAM/EIS - simple, but very clever protection.

I will have to study up.

Thanks,

hjlbx


> ......There are in fact 3 specific events we care about: File open, file write and file map......The File Guard will use the data captured through these events to scan any files involved depending on your settings.

File Guard settings: Fast = file open, Balanced = file write, and Thorough = file mapping ("On Access?")....Correct?

Also, can anyone give me the proper definition of terminology of "Open?"

For example, when saving a malicious file to desktop File Guard will generate two prompts (FG setting at "Thorough"):

1st is "Data has been saved"; and

2nd is "System is trying to open" (but all I did was save file - not save and run)

I did not know that "opening" a file is not simply limited to executing a file.

Thanks,

hjlbx


> File Guard settings: Fast = file open, Balanced = file write, and Thorough = file mapping ("On Access?")....Correct?

No. Fast is on file mapping only, because file mapping is done when executing code. Balanced is on file mapping and file write. Thorough is on file open, file write and file mapping.

> Also, can anyone give me the proper definition of terminology of "Open?"

Open means that an application obtains a handle to that file object using Windows APIs like CreateFile or OpenFile.

> 2nd is "System is trying to open" (but all I did was save file - not save and run)

Browsers usually download files to a temporary location first and, after they are done, move them to the correct location. We will trigger an "on write" scan as soon as the browser has finished downloading and closed the file. We will trigger an "on open" scan once it then tries to move the file.

> I did not know that "opening" a file is not simply limited to executing a file.

That is because you think of "open" as the high-level construct that Windows teaches you, where "opening a file" means starting it if it is a program or starting the program associated with it. Opening as a primitive operation however just means obtaining a file handle to a file to somehow interact with it. That can mean execution, but it can also mean just obtaining its size, reading from or writing to it. Instead of "opening", think more along the lines of "accessing" it.
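To make the three primitives concrete, here is an added Python example (not Emsisoft's code) that replays the browser-download-then-run sequence described above with real open/write/rename/mmap calls, records the events a file system filter would observe, and shows which of them each of the Fast, Balanced and Thorough settings would scan. The event names, file names and dummy payload are constructed assumptions, and any scan caching the real product may do is left out.

```python
import mmap
import os
import tempfile

# Which low-level events each File Guard setting scans on, per the reply above.
SCAN_TRIGGERS = {
    "Fast": {"map"},
    "Balanced": {"map", "write"},
    "Thorough": {"map", "write", "open"},
}


def scans_for(events, setting):
    """Filter a recorded (event, path) stream down to what the setting scans."""
    triggers = SCAN_TRIGGERS[setting]
    return [(event, path) for event, path in events if event in triggers]


def browser_download_then_run(directory):
    """Replay the browser sequence with real OS calls and record the primitives.
    Constructed scenario: the 'download' is a dummy byte string, nothing runs."""
    events = []
    tmp = os.path.join(directory, "download.partial")
    final = os.path.join(directory, "setup.exe")
    payload = b"MZ" + b"\x00" * 62  # constructed stand-in for a PE header

    # 1. The browser obtains a handle to a temporary file and writes to it.
    #    The "write" scan fires only once that handle is closed.
    with open(tmp, "wb") as fh:
        events.append(("open", tmp))
        fh.write(payload)
    events.append(("write", tmp))

    # 2. Moving the finished file to its final name needs another handle,
    #    which is why a "System is trying to open" prompt can follow a save.
    events.append(("open", tmp))
    os.replace(tmp, final)

    # 3. Running a program maps its image into memory: the "map" primitive
    #    that even the Fast setting scans on. Here the view is only read.
    with open(final, "rb") as fh:
        events.append(("open", final))
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as view:
            events.append(("map", final))
            magic = bytes(view[:2])
    return events, magic


def demo():
    """Run the scenario once and return what each setting would scan."""
    with tempfile.TemporaryDirectory() as directory:
        events, magic = browser_download_then_run(directory)
    return {s: scans_for(events, s) for s in SCAN_TRIGGERS}, magic
```

Under Thorough the filter sees every handle acquisition, which matches the extra "trying to open" prompt reported above, while Fast reacts only to the memory mapping that execution causes.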
