bocl, Posted October 22, 2010

Hi,

In "Behaviour Blocker" you can choose which behaviour to block or allow for each monitored program:

Backdoor related behavior
Spyware related behavior
HiJacker related behavior
Worm related behavior
Dialer related behavior
Keylogger related behavior
Trojan Downloader related behavior
Injection of code into other programs
Manipulation of programs (patching)
Invisible installations of software
Invisible Rootkit processes
Installation of services and drivers
Creation of Autostart entries
Manipulation of the Hosts file
Changes of the browser settings
Installation of debuggers on the system
Simulated mouse and keyboard activity
Direct disk sector access on harddisk
Changes of the system group policies

Now, my understanding is that a program is either GOOD/LEGITIMATE and you want it to perform to full capacity, so you have to allow ALL of the above, OR the program is MALWARE and you do not want it at all, so you have to block ALL of the above.

So, the question is: do I need this "complication" (to choose between 19 behaviours) OR would a single ALLOW/DENY option have been more elegant?

Thanks,
Claudiu
H_D, Posted October 22, 2010

In EAM V5, to allow a program you use the controls located above these options. You allow the program and allow monitoring of the program's behaviour, telling the behaviour blocker what behaviour traits to monitor; or you exclude it entirely from monitoring if you really trust it; or you choose to block it.

I have always assumed that the options you have listed are for those who really need to fine tune the behaviour analysis, e.g. software authors who are testing their software. For general use, you don't need to touch these options.

Do you choose which of these options should be monitored for any applications that are flagged by Mamutu?
bocl, Posted October 22, 2010

Hi H_D,

Thank you for your answer!

No, I do not choose which of these options should be monitored for any applications that are flagged by Mamutu; however, when Mamutu detects something there is a very confusing option "Allow this behaviour".

My understanding is that Mamutu is for the general/average user, so a simple Allow/Deny option would have been more appropriate, unless the developers want to show how sophisticated Mamutu is.

Thanks,
Claudiu
Lynx, Posted October 23, 2010

Hi Claudiu,

> ...I have always assumed that the options you have listed are for those who really need to fine tune the behaviour analysis, e.g. software authors who are testing their software. For general use, you don't need to touch these options.

What H_D said is an absolutely correct assumption, and more.

> ... do I need this "complication" (to choose between 19 behaviours) OR would a single ALLOW/DENY option have been more elegant?

Why would that be "more elegant", and what is "more elegant"? That is what you have to choose in any circumstances and nothing else. The user is the only one to decide, and you do have those options. Exposing (giving an explanation for...) the precise cause is the correct thing to do. I am not sure why that would lead to any question.

Have you ever used a "pure" HIPS? You are alerted on any and every single step that an unknown program is performing; compared to EAM or Mamutu you have 5-10 times more alerts, even if you run the latter's BB in Paranoid Mode. Does that make it easier for the "general/average" (according to your terminology) user to make a decision? I don't think so. On the contrary, EAM or Mamutu explain with much more precision what the cause of any given Alert was.

As H_D pointed out, you "don't need to touch these options". You have the same choice as you are requesting, which is "Allow or Deny", but you will not have any clue. Is that what you want, and how would that possibly make your life easier?

As an example, you have Firefox behaving as Backdoor and Spyware; that's because of the specifics of its implementation (discussed many times in the forum). At least you know what is going on and can ask... you can stop monitoring those specific behaviours if you want...

As for the developers, again mentioned by H_D, that may help reduce many Alerts during the development stages. If I am developing code involving "an injection" or low level keyboard hooking, why should I have "injection" or any other specific alert(s) fired every time I'm re-compiling and running my software (that's especially annoying in debug mode)?

Sure, the developers will add to that, but I completely support what is already done regarding the explanations given, and, contrary to your opinion, I'll be very glad if that is maintained and new / more precise notes are provided.

My regards
bocl, Posted October 23, 2010

Hi Lynx,

Thank you for your answer!

> As an example, you have Firefox behaving as Backdoor and Spyware...

Good example! OK, out of 1000 users how many do you think will choose "Allow this behaviour" rather than "Do not monitor" for the well known application Firefox???? Probably none....

OR for a suspicious item which you do not recognize, out of 1000 users how many do you think will choose "Allow this behaviour" rather than "Block this application"? Again none......

So what's the point in having these options as long as ONLY / MAYBE 0.001% of users will play with them???

About "Why would that be "more elegant", and what is "more elegant"?"

First rule of engineering: keep it simple!!! In your car, if there is a malfunction you have a simple light "Check engine soon" rather than a small LCD display to tell you "P1374 CKP High to Low Resolution Frequency Correlation" (from GM Trouble Codes). For the average driver the "Check engine soon" light is enough, and THIS IS AN ELEGANT SOLUTION!!!!

Thank you for your time,
Claudiu
Lynx, Posted October 23, 2010

Claudiu,

1) I'm not sure where and how you calculated the "statistics" in your post. Currently the number of users = 5,646,238. For the 5 years or more that I have been with the software I can remember just several requests from users who've blocked Firefox / IE or some "known/trusted" applications;

2) setting "Normal" or "Paranoid Mode" is important too. The latter is for more advanced users;

3) Again... no matter what, any Alert is a notification that has to be answered by the user. You must know your software (a car?) to a certain degree even if you are an "ordinary" user / driver (... definitely, taking into consideration that the developers are doing their best to reduce the number of alerts);

4) the "simple light <<Check engine soon>>" is your "Allow/Block": you have to respond, or you can be ignorant enough and end up with a broken engine despite getting a very "simple message";

5) You are always encouraged to learn. That's why you have more precise explanations within the Alert messages, which are then set as ticked check-boxes. That is important both for advanced / more experienced users and for average users who are willing to understand, or who simply ask a technician (car mechanic / software developer).

So, you do have the "simple" question where you have to answer simply "Yes/No", and in addition to that you have the "small LCD display to tell you <<P1374 CKP High to Low Resolution Frequency Correlation>> (from GM Trouble Codes)", which is not redundant but rather very important in order to understand / investigate. How is that not "elegant"?

Finally, there are "automatic rule creation" / the options for auto-blocking / etc. I never use those, but that is your choice and that will reduce the number of Alerts as well. How that would make the situation more clear or transparent for the "ordinary" user, I have doubts.

Cheers!
H_D, Posted October 24, 2010

I'm with Lynx. Personally, I think you are trying to read too much into this. Mamutu will display an alert describing the specific type of behaviour that has been detected, so, going back to your initial post, you do not need to determine which behaviour to allow/block. Mamutu does it all for you.

Taking your example where you are presented with an alert that describes exactly what type of behaviour has been detected:

Do you trust this application?

Yes? Allow the behaviour. If other, different behaviour is detected you will be alerted.

No, or you are unsure? Run your anti-malware scanner in custom mode to analyse the program and/or an online scanner(s) to determine if the application has been compromised. Search online for information about the application's exe file.

I always use intelligent alert reduction and paranoid mode and I rarely see any alerts (my PC is pretty clean, though...).

There's nothing wrong with being careful about what is running on your machine and monitoring it, but you need to temper that with being able to use the machine without worrying about your security. That's why Mamutu was created: all I do is think, 'hey, yeah, I trust this program, that is acceptable behaviour. I'll allow it', or vice versa.

Finally, regarding the community alert function, remember that this is for guidance only. You take the action you are comfortable with. If you are unsure, do some research, then ask questions on the forum for further advice if required.

Remember that although a program can be detected as displaying a behaviour type that Mamutu is programmed to detect, that behaviour may be legitimate in the context that the application is running in. For example, I receive notifications about new games when run for the first time; the usual notification is that keylogging behaviour has been detected. This is normal: the game monitors the keystrokes. The game allows the keys to be customised so that functions can be performed when particular keys are pressed. This is not malicious behaviour; it is normal and expected.
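The three-way choice H_D describes (allow this one behaviour, stop monitoring the program entirely, or block the application) can be modelled as a small per-program policy. The following is an added illustration, not code from Mamutu or from anyone in this thread; the category labels, the rule modes and the decision strings are assumptions chosen to mirror the 19 categories in the first post and the Firefox example above.

```python
from dataclasses import dataclass, field

# The 19 monitored behaviour categories from the first post (constructed labels).
BEHAVIOURS = frozenset({
    "backdoor", "spyware", "hijacker", "worm", "dialer", "keylogger",
    "trojan_downloader", "code_injection", "program_patching",
    "invisible_install", "invisible_rootkit_process", "service_driver_install",
    "autostart_entry", "hosts_file_change", "browser_settings_change",
    "debugger_install", "simulated_input", "direct_disk_access",
    "group_policy_change",
})


@dataclass
class ProgramRule:
    mode: str = "monitor"                      # "monitor", "exclude" or "block"
    allowed: set = field(default_factory=set)  # traits the user already allowed


class BehaviourBlocker:
    """Per-program policy: alert on, allow, or block a detected behaviour."""

    def __init__(self):
        self.rules = {}  # program name -> ProgramRule

    def decide(self, program, behaviour):
        if behaviour not in BEHAVIOURS:
            raise ValueError(f"unknown behaviour category: {behaviour}")
        rule = self.rules.get(program, ProgramRule())
        if rule.mode == "block":
            return "block"
        if rule.mode == "exclude" or behaviour in rule.allowed:
            return "allow"
        return "alert"  # monitored program, trait not yet allowed: ask the user

    def answer(self, program, behaviour, choice):
        """Record the user's response to an alert and return the new decision."""
        rule = self.rules.setdefault(program, ProgramRule())
        if choice == "allow_behaviour":      # only this trait is silenced
            rule.allowed.add(behaviour)
        elif choice == "do_not_monitor":     # whole program excluded from the BB
            rule.mode = "exclude"
        elif choice == "block_application":
            rule.mode = "block"
        else:
            raise ValueError(f"unknown choice: {choice}")
        return self.decide(program, behaviour)
```

The difference between "allow this behaviour" and "do not monitor" is visible in the second case: after allowing only the backdoor trait for a browser, a later spyware-type detection still raises an alert, whereas an excluded program never alerts again.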