I recently received a question at AskESET@eset.com that I thought would be of general interest, so I am answering it here.

Could you tell me what the differences among Behavior Blocker, Immunizers, CRCs, and Active monitors? Thanks.

A behavior blocker is a type of program that prevents certain actions from being taken. A behavior blocker may prevent a program from writing to the registry, the boot sector, or files.
Sometimes behavior blocking technologies are built into programs that have other capabilities as well. When I worked at Microsoft we had an antivirus program that also prevented anything from writing to the boot sector. Boot sector viruses had been a real problem and they virtually disappeared at Microsoft with this technology. That said, behavior blockers have their problems too. When it came time for everyone at Microsoft to upgrade from Windows for Workgroups to Windows 95 the helpdesk was flooded with calls from users who could not upgrade. You see, an operating system writes to the boot sector as well. With a behavior blocker that prevents writes to the registry you can’t install most software unless you give it an exception. Many people do not know when to allow an exception and when not to. Behavior blockers can be a great layer of defense, but in moderation. There are also hardware and firmware behavior blockers as well. Some BIOSes contain a jumper that has to be removed in order to flash the BIOS, or a firmware setting that must be changed in order to write to the boot sector or boot from a CDROM.

Immunizers attempt to prevent infections. This isn’t a technology we see much of as it is limited in scope and must be constantly updated. Some viruses would write a value to the registry when they infected a computer so that if they ran again they would not try to re-infect. The computer could be immunized by simply adding the value to the registry before encountering the threat. Some viruses would leave a marker in some files and if the marker was placed in the file ahead of time then the virus would not infect it.

CRCs are simply a mathematical representation of a file that allows for positive identification. It is a bit like a picture of a person. It is much smaller than the file, just as a picture is not a whole person. If a file is changed, its CRC value changes as well. CRCs can be used for a variety of purposes. A virus scanner can use them to skip files that have been scanned so as to speed up the scanning. The drawback is that the file will need to be scanned again after each update. Some files cannot be validated with CRCs since they are constantly changing. CRCs can be used to identify known good files and known bad files. A security program may check its CRC when it starts up to verify that it has not been tampered with as well. A CRC is a quick way to check that a CD has been burned correctly if you used an image file. In practice, CRCs are not used much for security because there are far too many possibilities for other files to have identical CRCs. We call it a collision when more than one file shares the same CRC. MD5 hashes are used the same as CRCs, but have a lower collision rate. Researchers have demonstrated reliable ways to increase the collision rate for MD5s and so SHA1 and SHA2, especially SHA2 are becoming more common ways to identify files. These technologies have extremely low collision rates and it is much, much more difficult for an attacker to create a file with an identical hash.

Active monitors are used to watch what is happening on a system. This is the real time or on-access portion of your virus scanner. If you only use the on-demand scanner you will only detect files once they have been infected.

Randy Abrams
Director of Technical Education