Behaviour-Monitoring


Riker

Hello,

I have a question with regard to the behaviour-analysis:

When I open it (EAM, newest version) I see, for example, taskhost.exe being under surveillance but not the "famous" meta-process svchost.exe (the same with services.exe, for example).

Can you tell me the reason for that? Both are recognized as "good" processes, of course, but only one is being monitored.

Background of my question is the following: Let's take, for example, the Trojan Poweliks, which affects dllhost.exe after being stored in the registry. This piece of malware should now be known and presumably/most probably is not a problem for EAM.

But what about a new trojan/zero-day attack which has the same "procedure" of attacking? Suppose it affects svchost.exe similarly to how Poweliks does with dllhost.exe; will it be identified by EAM when svchost.exe is not under behavioural analysis?

Best Regards

Riker


... but not the "famous" meta-process svchost.exe (the same with services.exe, for example).

Can you tell me the reason for that? Both are recognized as "good" processes, of course, but only one is being monitored.

The applications svchost.exe and services.exe are vital Windows System Files, and they can't be simply blocked whenever a potentially malicious behavior is detected. The only way to effectively police svchost.exe is to determine what service it is running, and thus it would be necessary to monitor it based on what parameters were passed to it when it was executed.

Background of my question is the following: Let's take, for example, the Trojan Poweliks, which affects dllhost.exe after being stored in the registry. This piece of malware should now be known and presumably/most probably is not a problem for EAM.

Infections like Poweliks have to be installed by a trojan (often called a "dropper"), and that trojan would trigger a Behavior Blocker alert when it tried to create the run entry/loadpoint in the registry to execute the malicious commands.

But what about a new trojan/zero-day attack which has the same "procedure" of attacking? Suppose it affects svchost.exe similarly to how Poweliks does with dllhost.exe; will it be identified by EAM when svchost.exe is not under behavioural analysis?

There have been infections in the past that abused svchost.exe; however, those are easier to detect than Poweliks was, since they required svchost.exe to load a file that contained the malicious code to execute.

Technically, to answer your question, my understanding is that an infection being executed under svchost.exe would not be monitored by the Behavior Blocker since it is automatically trusted; however, as with Poweliks, you would see the Behavior Blocker alert when the trojan tried to install a loadpoint for the infection.

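The reply above makes two points a defender can act on: svchost.exe can only be policed by the service group passed on its command line, and the dropper's registry loadpoint is the step that is actually visible. As an added example (not Emsisoft's code and not from this thread), the Python below triages a constructed set of Run-key entries for the kind of loadpoint described, and extracts the svchost.exe service group. The Poweliks-style entry (non-printable value name, rundll32 javascript: launcher with no file on disk) is constructed from public descriptions of that family; the entry names and paths are assumptions.

```python
"""Triage of registry Run-key loadpoints (added example, not Emsisoft code)."""
import re
from dataclasses import dataclass

# Constructed sample of HKCU\...\Run values as (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # Constructed Poweliks-style loadpoint: value name with non-printable
    # characters and a rundll32 javascript: launcher, no payload file on disk.
    ("\u0001\u0002Updater", r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "'),
    # svchost.exe is normally started by services.exe, not by a user Run key.
    ("Tasks", r'"C:\Windows\System32\svchost.exe" -k netsvcs'),
]

# Script-hosting launchers that need no file on disk (the hard case the reply
# contrasts with older svchost abuse that had to load a file).
SCRIPT_LAUNCHERS = [
    re.compile(r"rundll32(\.exe)?\s+javascript:", re.I),
    re.compile(r"\bmshta(\.exe)?\b", re.I),
    re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I),
]


@dataclass
class Finding:
    name: str
    reasons: list


def svchost_service_group(command: str):
    """Return the -k service group of an svchost.exe command line, or None.

    This is the parameter the reply says is the only handle for policing
    svchost.exe: the binary is trusted, the service group is what differs."""
    m = re.search(r"\bsvchost\.exe\b.*?\s-k\s+(\S+)", command, re.I)
    return m.group(1) if m else None


def triage_entry(name: str, command: str) -> list:
    """Reasons why one Run-key value looks like a dropper-created loadpoint."""
    reasons = []
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        reasons.append("non-printable characters in value name")
    if any(p.search(command) for p in SCRIPT_LAUNCHERS):
        reasons.append("script-hosting launcher with no payload file on disk")
    if svchost_service_group(command) or re.search(r"\bsvchost\.exe\b", command, re.I):
        reasons.append("svchost.exe started from a Run key instead of by services.exe")
    return reasons


def triage(entries) -> list:
    """Run triage_entry over (name, command) pairs; keep only flagged ones."""
    return [Finding(n, r) for n, c in entries if (r := triage_entry(n, c))]
```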

Thanks for answering my question!

As stated in your last paragraph, it's a relief to know that by monitoring the registry an unknown trojan dropper can't inject code into trusted processes like svchost.exe (even if they can't be monitored "directly", as pointed out by you).
