What is a Behavior Blocker?

OK, so I told you I would blog about the Spycar test file – I will, but first you need to understand behavior blocking technology for anything about Spycar to make sense.

Scanners and behavior blockers both attempt to stop viruses, spyware and other bad programs. The approaches used by scanners and behavior blockers are complementary when a skilled user applies them.

Traditional anti-virus products offer protection by blocking bad programs from running. There is virtually no level of expertise required of the user: the scanner recognizes a bad program and will not let it run. You might call this an intelligent approach. Good programs run without the scanner bugging you and bad programs are blocked, regardless of whether you are an expert or a novice.

Behavior blockers do not care what the motive of the program is; they stop certain things from happening. Airport security is a lot like a behavior blocker. It doesn’t matter if a person is the best surgeon in the world, the doctor cannot take a knife onto an airplane. Behavior blockers do not generally care what the program is: if it tries to perform a specific action, the behavior blocker will stop it. If the behavior blocker is set to stop programs from writing to the registry, then many bad programs will fail to work and many good programs will be completely unusable as well.

If you wish to use a behavior blocker effectively it generally requires that you understand a lot about computers. You have to know when to tell the blocker an action is ok and when to say no. If you say no all of the time you will not be able to use much software. If you say yes all of the time a behavior blocker will not help you and it will probably annoy you so much that you remove it.

Microsoft Office introduced a behavior blocker in Word 97. The blocker was macro protection. If you turned on macro protection, then every time you opened a document that contained macros it would ask you if you wished to let macros run. If you knew when to choose no and when to choose yes, then this behavior blocker could very effectively protect you against macro viruses. Most people just clicked yes, and so the behavior blocker was mostly ineffective.

Is a behavior blocker right for you? It depends on how much you know and what your tolerance is for interruption. If you know what it means to write to the hosts file, the start menu, HKCU run, HKLM RunOnce, and so on then you may be able to use a behavior blocker effectively. If you do not understand when these actions are or are not ok then a behavior blocker is probably not the right security approach for you. If you try to install a networked printer a good behavior blocker will probably warn you. Will you know that it is your printer installation program that is changing your hosts file, why it is changing it, and if it is ok? Is it ok for a chat program to modify the hosts file?

Spycar does not test products to see how well they detect bad programs; Spycar allows knowledgeable users to test behavior blocking programs to see what actions they block – regardless of whether the action is good or bad. It is up to you to determine when the behavior is good or bad.

Here is a real life scenario for you. Some Internet browser toolbars are ok. Some toolbars install spyware or adware. When you install a toolbar it will make some changes that a good behavior blocker will detect and warn you about. The behavior blocker will not tell you which toolbar is good and which one is bad, only that the toolbar is trying to do something. If you are like most people and the toolbar with spyware looks like something really cool, you will tell the behavior blocker to let you install it and your computer will become infected. If you go to install the good toolbar, but think it might be bad because the behavior blocker told you the program is doing something, you will block it and then be denied the benefits of the good toolbar.
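As an added illustration of the point made above (this is not code from the post, from Spycar or from ESET), the following Python sketch models a behavior blocker as rules over actions rather than over programs. The rule set, the event format and the sample events are constructed here from the locations the post names (hosts file, HKCU Run, HKLM RunOnce, Start Menu startup folder): the printer installer and the chat program trip the same hosts-file rule, and the allow/deny decision is a callback standing in for the user.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import re

# Rules match the *action*, never the program. The monitored locations below
# are constructed for this example from the ones the post names; the allow/deny
# decision is delegated to the user through a callback, as a real blocker prompts.
REG_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
RULES = {
    "hosts-file-write": re.compile(r"^[a-z]:\\windows\\system32\\drivers\\etc\\hosts$"),
    "hkcu-run-write": re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run(\\|$)"),
    "hklm-runonce-write": re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\runonce(\\|$)"),
    "startup-folder-write": re.compile(r"\\start menu\\programs\\startup\\"),
}

@dataclass
class Event:
    process: str
    operation: str  # "write" or "read"
    target: str     # file path or registry key

def normalize(target: str) -> str:
    """Lower-case, unify slashes and collapse long registry hive names to their aliases."""
    t = target.replace("/", "\\").strip()
    hive, sep, rest = t.partition("\\")
    return (REG_ALIASES.get(hive.upper(), hive) + sep + rest).lower()

def classify(event: Event) -> Optional[str]:
    """Return the name of the rule an event trips, or None if no rule applies."""
    if event.operation != "write":
        return None
    t = normalize(event.target)
    return next((name for name, pat in RULES.items() if pat.search(t)), None)

def enforce(events: List[Event], decide: Callable[[Event, str], bool]) -> List[Tuple[str, str, Optional[str]]]:
    """Run events through the rules; decide(event, rule) is the user's yes/no answer."""
    log = []
    for ev in events:
        rule = classify(ev)
        if rule is None:
            log.append((ev.process, "allowed", None))  # nothing to ask about
        else:
            log.append((ev.process, "allowed" if decide(ev, rule) else "blocked", rule))
    return log

# Constructed sample: the post's printer installer and chat program both edit the hosts file.
SAMPLE = [
    Event("printer_setup.exe", "write", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("chat.exe", "write", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("toolbar.exe", "write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Toolbar"),
    Event("notepad.exe", "write", r"C:\Users\me\notes.txt"),
]
```

Running `enforce(SAMPLE, lambda ev, rule: ev.process == "printer_setup.exe")` shows the blocker raising the identical "hosts-file-write" question for both the printer installer and the chat client; only the user's answer separates them.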

Behavior blockers are tools that indicate activities, not programs that detect spyware, viruses or anything else – determining whether or not the action is good or bad is your job when you use a behavior blocker.

More on Spycar real soon!

Randy Abrams
Director of Technical Education
ESET LLC
