CLOSED Auto-Resolved File Added to Quarantine\ Not in Active Memory Still Appears in Behavior Block GUI List


EAM *.7838

Windows 10 Pro 1703 OS Build 15063.540 x64

1. Execute malicious file (Locky variant)

2. Behavior blocker eventually detects suspicious activity, an AMN query is performed, a Bad reputation is returned, and the behavior blocker auto-resolves the file by terminating it and sending it to quarantine

3. The malicious process still appears in the behavior blocker list of actively running processes, but the process is not in active memory on the system

4. In the behavior blocker list, right-click on the process and select any of the context menu options and nothing happens (as expected)

5. Rebooting the system removes the process from the behavior blocker active list

6. This same quirk happens when an active Bad reputation process, that just sits there and does nothing to trigger the behavior blocker, self-terminates






This topic is now closed to further replies.
