
Auto-Resolved File Added to Quarantine\ Not in Active Memory Still Appears in Behavior Block GUI List



EAM *.7838

Windows 10 Pro 1703 OS Build 15063.540 x64

1. Execute malicious file (Locky variant)

2. Behavior blocker eventually detects suspicious activity, AMN query is performed, Bad reputation is returned, and the behavior blocker auto-resolves the file by terminating and sending to quarantine

3. The malicious process still appears in the behavior blocker list of actively running processes, but the process is not in active memory on the system

4. In the behavior blocker list, right-click on the process and select any of the context menu options and nothing happens (as expected)

5. Reboot system removes process from the behavior blocker active list

6. This same quirk happens when an active Bad reputation process, that just sits there and does nothing to trigger the behavior blocker, self-terminates






