Maniak2000

Behavior blocker alert


Hello, I'm currently using the trial version of Emsisoft Internet Security, and I'm liking it so far, but I would like some help with the behavior blocker, and I also have some questions.

 

So, I have this game on Steam (actually it's more like 3 games in 1) and it uses a launcher to let people choose which part to start. When I select any part, the behavior blocker comes up with an alert "Program is attempting to manipulate another process" (red). Now since it is a legit Steam game, I select "Allow always", but this raises several questions / possible suggestions.

1) The alert window (more info) says "Anti Malware Network status: Unknown", so how do I send the file for analysis? Or is it automatic? Also, how long does the analysis usually take?

2) The alert gives you the option to allow the behavior once, allow it always, close the program or quarantine it. But what about blocking the behavior once / always while continuing execution (maybe a suggestion to add these options)?

3) The alert window (more detail) gives tons of info about the source (the launcher, in this case), but not about the target (in this case, which process it is trying to manipulate). Why? I think it would be better to provide info about the target of the action (if possible), since it may make it easier to decide whether this behavior is malicious or not.

11 hours ago, Maniak2000 said:

1) The alert window (more info) says "Anti Malware Network status: Unknown", so how do I send the file for analysis? Or is it automatic? Also, how long does the analysis usually take?

When you see an alert, you can click on View details in the upper-right to see the MD5 and SHA-1 hashes. All you have to do is copy the SHA-1 hash and do a search for it on VirusTotal, and that should help you get an idea of whether or not the file is safe.

 

11 hours ago, Maniak2000 said:

2) The alert gives you the option to allow the behavior once, allow it always, close the program or quarantine it. But what about blocking the behavior once / always while continuing execution (maybe a suggestion to add these options)?

We used to offer options to block specific behaviors without closing the program being monitored; however, that would cause a lot of programs to hang and/or crash, since they didn't expect something to be blocking their functions.

 

11 hours ago, Maniak2000 said:

3) The alert window (more detail) gives tons of info about the source (the launcher, in this case), but not about the target (in this case, which process it is trying to manipulate). Why? I think it would be better to provide info about the target of the action (if possible), since it may make it easier to decide whether this behavior is malicious or not.

We don't give more information because it exposes too much about how our Behavior Blocker works, which would make it easier to devise ways to bypass it.

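A way to get those hashes for any file, not only the one in the alert, as an added example that is not part of the reply and not Emsisoft's code: the script below streams a file through MD5, SHA-1 and SHA-256 in a single pass (installers and game launchers can be large) and builds the VirusTotal file URL for the lookup the reply recommends. The `b"abc"` input used when no path is given is a constructed stand-in for a real file.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fh, chunk_size=1024 * 1024):
    """Feed a binary stream through all three digests in one pass; returns hex digests."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path):
    """Hash a file on disk without loading it into memory all at once."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    """Same digests for an in-memory buffer (used for the constructed sample below)."""
    return hash_stream(io.BytesIO(data))


def virustotal_url(digest_hex):
    """VirusTotal's file page accepts an MD5, SHA-1 or SHA-256 directly in the URL."""
    return "https://www.virustotal.com/gui/file/" + digest_hex.strip().lower()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        result = hash_file(sys.argv[1])
    else:
        result = hash_bytes(b"abc")  # constructed sample input, not a real launcher
    for name, hexdigest in result.items():
        print(f"{name}: {hexdigest}")
    print(virustotal_url(result["sha1"]))
```

Run it as `python hashes.py "C:\Program Files (x86)\Steam\steamapps\common\<game>\launcher.exe"` (path is an assumption) and paste the printed URL into a browser. Note that a hash VirusTotal has never seen only means nobody has submitted that file; it is not a clean verdict.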

So as not to create another topic, I'll ask here.

What do the behavior alerts mean exactly? I mean, some of them are pretty self-explanatory, like "Backdoor related activity" or "Spyware related activity"; others not so much, like "Access disk sectors directly" or "Register a debugger in the system".

I mean, if I get an alert "Access disk sectors directly", what should I do? Do programs usually do that or not? Also, some alerts are yellow and some red; I assume the red ones are almost certainly malware, while the yellow ones might be OK?

Is there a detailed explanation of these alerts somewhere? 

I think you might want to add some more info to alerts, for example:

"Access disk sectors directly"

Most programs don't require direct sector access; unless this is a specialized program, it is advised to block this action.

or something.

11 hours ago, Maniak2000 said:

What behavior alerts mean exactly?

Normally we don't elaborate on what these mean, since it exposes too much about how our Behavior Blocker works, and what it checks for when monitoring programs.

 

11 hours ago, Maniak2000 said:

"Access disk sectors directly"

Most programmers should already know what this one means, so I can give a short explanation. It's referring to "Direct Disk Access" (DDA). Basically, a program is bypassing the Windows APIs for reading data from the hard drive and trying to read that data directly through its own method of reading from NTFS or FAT filesystems. It could also be writing (saving) data rather than reading it. Many security programs do this, as do many data recovery programs; however, it can also be done for malicious purposes in an attempt to avoid being detected by anti-virus software.

 

11 hours ago, Maniak2000 said:

"Register a debugger in the system"

This is another one that most programmers should already be familiar with. A "debugger" is used to monitor running programs, and either display debug output or save debug output for later review. When a debugger is registered, Windows will try to run it every time a program is launched, and Windows will tell the debugger to run the program rather than trying to run it directly; this way the debugger can properly monitor the running program. Malware can abuse this not only to execute a copy of itself whenever a program on your computer is launched, but also to prevent programs from running.

 

Our behavior alerts are generally rather vague, and the best way to act on them is based on whether or not you trust the program the alert is for. If you trust it, then you should allow it to run. If you don't trust it, then you should block it or quarantine it.

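What "its own method of reading from NTFS" looks like in practice, as an added example that is neither Emsisoft's code nor part of the reply: a direct-disk reader gets raw sectors and must decode the on-disk structures itself, starting with the NTFS boot sector, to find where the $MFT (and therefore every file) lives. The 512-byte boot sector below is constructed for the example; `read_raw_sector` shows how such a tool opens the device on Windows and is not executed here.

```python
import struct

NTFS_OEM_ID = b"NTFS    "


def build_sample_ntfs_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector for this example (not captured from a real disk)."""
    buf = bytearray(512)
    buf[0:3] = b"\xEB\x52\x90"                    # jump over the BPB to the boot code
    buf[3:11] = NTFS_OEM_ID                       # OEM ID
    struct.pack_into("<H", buf, 0x0B, 512)        # bytes per sector
    buf[0x0D] = 8                                 # sectors per cluster (4 KiB clusters)
    buf[0x15] = 0xF8                              # media descriptor: fixed disk
    struct.pack_into("<Q", buf, 0x28, 0x1FFFFF)   # total sectors in the volume
    struct.pack_into("<Q", buf, 0x30, 0xC0000)    # first cluster of $MFT
    struct.pack_into("<Q", buf, 0x38, 2)          # first cluster of $MFTMirr
    buf[0x40] = 0xF6                              # clusters per MFT record: -10 => 2**10 bytes
    buf[0x44] = 1                                 # clusters per index record
    buf[510:512] = b"\x55\xAA"                    # boot sector signature
    return bytes(buf)


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block the way a raw-disk reader must, with no help from the OS."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if sector[3:11] != NTFS_OEM_ID:
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_cluster = struct.unpack_from("<Q", sector, 0x30)[0]
    mftmirr_cluster = struct.unpack_from("<Q", sector, 0x38)[0]
    rec = struct.unpack_from("<b", sector, 0x40)[0]
    # A negative value n means the record is 2**(-n) bytes; a positive one is a cluster count.
    mft_record_size = (1 << -rec) if rec < 0 else rec * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_record_size": mft_record_size,
        "mft_offset": mft_cluster * cluster_size,          # byte offset of $MFT within the volume
        "mftmirr_offset": mftmirr_cluster * cluster_size,
    }


def read_raw_sector(device: str, lba: int, bytes_per_sector: int = 512) -> bytes:
    r"""Read one sector from a raw device, bypassing the file system driver's file-level view.

    On Windows `device` is e.g. r"\\.\C:" (a volume) or r"\\.\PhysicalDrive0" (a whole disk).
    Both need administrative rights, and reads must be sector-aligned. Such a read returns every
    byte on the media regardless of NTFS file permissions, and a read through the PhysicalDrive
    object never enters the file system stack at all, which is why behavior blockers flag it.
    Not exercised in this offline example.
    """
    with open(device, "rb", buffering=0) as fh:
        fh.seek(lba * bytes_per_sector)
        return fh.read(bytes_per_sector)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_ntfs_boot_sector())
    for key, value in info.items():
        print(f"{key}: {value}")
```

A real DDA tool continues from `mft_offset`: it reads `mft_record_size` bytes per record, walks the $MFT to locate a file's data runs and reads those clusters directly, which is exactly how a backup or recovery program gets at locked files and how malware reads files the user's account cannot open.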
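The mechanism behind "Register a debugger in the system" as the reply describes it is the Image File Execution Options registry key: a `Debugger` string value under a subkey named after an executable makes Windows launch that program instead, with the original command line appended, so the "debugger" decides whether the real program ever runs. As an added example (not Emsisoft's code and not from the reply), the script below audits a `.reg` export of that key and separates a legitimate JIT debugger from hijacks. The export text, the allowlist of known debuggers and the list of accessibility binaries are constructed assumptions for the example.

```python
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Assumed allowlist: programs that legitimately register themselves as JIT debuggers.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "windbgx.exe", "cdb.exe", "ntsd.exe"}

# Assumed watchlist: logon-screen accessibility tools; a Debugger on these runs as SYSTEM before logon.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

# Constructed .reg export, as produced by
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# (real exports are UTF-16 with a BOM: open them with encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChaining"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p %ld -e %ld"
'''

# "Name"="string data" lines; the data may contain escaped quotes and backslashes.
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for every REG_SZ value in a .reg export."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            # .reg files escape backslashes and quotes inside string data
            yield current_key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))


def debugger_exe(command):
    """Basename of the program in a Debugger command line, whether or not it is quoted."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        program = command[1:command.find('"', 1)]
    else:
        program = command.split(" ", 1)[0]
    return program.rsplit("\\", 1)[-1].lower()


def audit_ifeo(text):
    """Return one finding per Debugger value under the IFEO key, with a verdict."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if name.lower() != "debugger" or not key.lower().startswith(IFEO_KEY.lower()):
            continue
        target = key.rsplit("\\", 1)[-1].lower()
        debugger = debugger_exe(data)
        if target in ACCESSIBILITY_BINARIES:
            verdict = "suspicious: accessibility binary hijacked (runs as SYSTEM at the logon screen)"
        elif debugger in KNOWN_DEBUGGERS:
            verdict = "expected: known JIT debugger"
        else:
            verdict = "suspicious: unrecognised program registered as debugger"
        findings.append({"target": target, "debugger": data, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG):
        print(f"{f['target']:<14} -> {f['debugger']!r}: {f['verdict']}")
```

The allowlist is the part to tune for your own fleet; anything else that turns up as a `Debugger` value is worth the same scrutiny the behavior blocker gives the program that wrote it.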

Yes, most programmers probably know what "Register a debugger in the system" is, but I assume most of your user base are not programmers, and throwing this terminology around without some sort of description is confusing.

I'm not asking to explain how EXACTLY  it works, I understand that detailed explanations will probably help malware creators, but I ask you to provide some sort of info on these alerts.

I mean, these descriptions you gave me are pretty good; at least now I have a general idea of what these 2 alerts mean. Why not include descriptions like that in the program? If they're too big for an alert window, why not use a "learn more" link that goes to a section in the help file or on your site explaining the alert?

On 2/24/2017 at 2:44 AM, Maniak2000 said:

Yes, most programmers probably know...

I apologize for any confusion. I was trying to say "most programmers know ... therefore it is safe for me to say this here." ;)

 

On 2/24/2017 at 2:44 AM, Maniak2000 said:

why not include descriptions like that in the program

The alerts are vague because many of them are generated by more than one trigger, and we don't want it to be obvious what those triggers are. The two examples you gave were obvious enough to the bad guys that I didn't think there was an issue explaining them here; however, many of the others (the ransomware behavioral alerts especially) cannot be elaborated on very much. It's just far too likely that someone will bypass them quickly if we give any sort of explanation of what they mean.

