
Behavior Blocker Log question


I just installed Emsisoft and am running it in trial mode as I am trialing it to decide if I want to use it.  I just ran a scan and the following showed up in the Behavior Blocker Log.  I don't really understand what this means.


It looks like iSyncr was blocked and then allowed anyway with an exclusion.  Is this a false positive?  Why was it originally flagged as a problem?  




The Behavior Blocker is one of our real-time protection components. It monitors running applications, and warns about any potentially malicious behavior. What you're seeing in the log is that an application performed a behavior we monitor for, and one of our mechanisms for reducing the number of alerts you see determined that the application was safe to allow, so it was allowed automatically and a rule to always allow it was created automatically.

"Allowed by community" in the "Event" column means that the application was allowed based on the fact that more than 90% of our customers who have also encountered this application also allowed it. The system that stores this information is called our "Anti-Malware Network", and the information on what programs are safe or not is supplemented with data from VirusTotal.


A good example of this sort of thing (if I've got the details right) is that the BB might warn you that a particular program looks like it might be acting like a keylogger (i.e. malware that records everything you type).  But, as I understand it, that would be because it had asked Windows to pass to it a copy of all the keystrokes.  And in fact, lots and lots of programs do that so that they can implement 'hot keys' - i.e. have some key combination that, when you type it, makes that program do something, even if the program was only running in the background.  So you can see that the BB can see /potentially/ malicious behaviour but not be able to distinguish it from perfectly normal behaviour.

Of course, there's no /guarantee/ that the customers who decide that some program is ok, on the Anti-Malware Network, are actually correct.  Very few of them are likely to have seen the source of the program in question, or monitored precisely what it does.  It's more likely that they believe the program is innocent based, perhaps, on the programmer or vendor's reputation.  If such a program, using my example, seems to have no need whatsoever to intercept keystrokes, that would be worrying.  You may still need to make your own judgement - or e.g. to ask on a vendor's forum WHY your EAM detected that behaviour, and see what the vendor says.

15 hours ago, JeremyNicoll said:

But, as I understand it, that would be because it had asked Windows to pass to it a copy of all the keystrokes.

I would believe that directly accessing input devices can cause the alert as well. Many games will trigger this alert because of that.


5 hours ago, BillH said:

In this case the program does use hotkeys.  It has been around for many years and it does seem trustworthy, although I can't of course know that for sure.

The behavior in this case was "Behavior.Backdoor", which indicates that it was acting in a manner similar to programs that run in the background and send and receive data. In this case the program was determined to be safe.


> See in task manager?

Yes, assuming it was a .exe, but if it's a DLL running under the control of an .exe there might be a differently-named framework around it.  That's what happens for lots of Windows services run under svchost.exe.  I can't remember if Task Manager shows that but tools like 'Process Explorer' or 'Process Hacker' do.

13 hours ago, JeremyNicoll said:

I can't remember if Task Manager shows that but tools like 'Process Explorer' or 'Process Hacker' do.

In Windows 7 and older that is correct. I'm not certain if newer versions of Windows with the newer Task Manager can be configured to show the full command that was executed when a program was run. Process Hacker and Process Explorer are probably the easiest ways to find that information (both will show that information when you hover your mouse over a running process in the list).
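As an added illustration of the point made in the two posts above (this is example code, not something posted in the thread or shipped by Emsisoft): the PowerShell below maps each svchost.exe instance to the services it hosts and prints the full command line, which is the information Process Explorer or Process Hacker show on hover. It assumes a current Windows build with the CIM cmdlets available and uses the process name as a parameter so it can be pointed at any host executable, not only svchost.exe.

```powershell
# Example code (not from the forum thread): show which services live inside each
# instance of a host process, plus the full command line the process was started with.
# Assumes Windows 8 / PowerShell 5.1 or newer; run from an elevated prompt to see
# command lines of processes owned by other accounts.
function Get-HostedServices {
    param(
        # Host executable to inspect; svchost.exe is the usual case from the thread.
        [string]$ProcessName = 'svchost.exe'
    )

    # Index every running service by the PID that hosts it (0 = not running).
    $servicesByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'" |
        ForEach-Object {
            $hosted = $servicesByPid[[string]$_.ProcessId]
            [pscustomobject]@{
                PID         = $_.ProcessId
                # Several services can share one svchost.exe; list them all.
                Services    = if ($hosted) { $hosted.Name -join ', ' } else { '(none reported)' }
                # Task Manager may hide this; it is what identifies the service group.
                CommandLine = $_.CommandLine
            }
        } | Sort-Object PID
}

# Usage: list every svchost.exe with its services and command line.
Get-HostedServices | Format-Table -AutoSize -Wrap
```

A host process whose command line names a service group but which has no services reported against its PID, or a DLL-hosted service whose PathName (from Win32_Service) points outside the expected system directories, is worth a second look before trusting an automatic "allowed" decision.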

