hjlbx

CONFIRMED: Auto-Resolved File Added to Quarantine, Not in Active Memory, Still Appears in Behavior Blocker GUI List


EAM *.7838

Windows 10 Pro 1703 OS Build 15063.540 x64

1. Execute malicious file (Locky variant)

2. The behavior blocker eventually detects suspicious activity, an AMN query is performed, a Bad reputation is returned, and the behavior blocker auto-resolves the file by terminating it and sending it to quarantine

3. The malicious process still appears in the behavior blocker list of actively running processes, but the process is not in active memory on the system

4. In the behavior blocker list, right-click on the process and select any of the context menu options and nothing happens (as expected)

5. Rebooting the system removes the process from the behavior blocker active list

6. This same quirk happens when an active Bad-reputation process that just sits there and does nothing to trigger the behavior blocker self-terminates


Attachments: Cap10.PNG, Cap11.PNG

Locky_Variant__diablo6.zip

termsrv.zip
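An added check, not part of hjlbx's post or Emsisoft's tooling: it confirms step 3 independently of the Behavior Blocker GUI by asking Windows whether any process still matches the executed sample, and whether the sample file is still at its original location (it should not be once it has been quarantined). The path in $SamplePath is an assumed location for the extracted sample and must be adjusted to wherever it was run from.

```powershell
# Added verification script (not from the original post). It checks whether the
# sample is really gone from memory, so a stale Behavior Blocker list entry can be
# told apart from a process that is still alive.
# $SamplePath is an ASSUMED location; replace it with the path the sample ran from.
param(
    [string]$SamplePath = 'C:\Samples\diablo6.exe'
)

function Get-SampleProcesses {
    param([string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    # Win32_Process exposes Name, ExecutablePath and CommandLine without opening a
    # process handle, so it also covers processes Get-Process cannot inspect.
    Get-CimInstance -ClassName Win32_Process | Where-Object {
        $_.Name -ieq $name -or
        $_.ExecutablePath -ieq $Path -or
        ($_.CommandLine -and $_.CommandLine -like "*$name*")
    }
}

$hits = @(Get-SampleProcesses -Path $SamplePath)
if ($hits.Count -eq 0) {
    Write-Output "No process matching '$SamplePath' is running; a GUI entry for it is stale."
} else {
    Write-Output "Still running:"
    $hits |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
        Format-Table -AutoSize
}

# A quarantined file should no longer be at its original path. If it is still
# there, record its hash so it can be compared with the quarantined copy later.
if (Test-Path -LiteralPath $SamplePath) {
    Write-Output "Sample still on disk at '$SamplePath' (not quarantined?):"
    Get-FileHash -LiteralPath $SamplePath -Algorithm SHA256
} else {
    Write-Output "Sample no longer at '$SamplePath' (consistent with quarantine)."
}
```

Run it from an elevated PowerShell prompt so Win32_Process returns command lines for all sessions. The match is by image name, path and command line only; a sample that has injected into or spawned a differently named process would not be reported, so treat an empty result as evidence for the step 3 observation, not proof that nothing from the sample survives.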
