What is a Behavior Blocker?

OK, so I told you I would blog about the Spycar test file – I will, but first you need to understand behavior blocking technology for anything about Spycar to make sense.

Scanners and behavior blockers both attempt to stop viruses, spyware and other bad programs. The approaches used by scanners and behavior blockers are complementary when a skilled user applies them.

Traditional anti-virus products offer protection by blocking bad programs from running. There is virtually no level of expertise required by the user, the scanner recognizes a bad program and will not let it run. You might call this an intelligent approach. Good programs run without the scanner bugging you and bad programs are blocked, regardless of whether you are an expert or a novice.

Behavior blockers do not care what the motive of the program is, they stop certain things from happening. Airport security is a lot like a behavior blocker.  It doesn’t matter if a person is the best surgeon in the world, the doctor cannot take a knife onto an airplane. Behavior blockers do not generally care what the program is, if it tries to perform a specific action the behavior blocker will stop it. If the behavior blocker is set to stop programs from writing to the registry then many bad programs will fail to work and many good programs will be completely unusable as well.

If you wish to use a behavior blocker effectively it generally requires that you understand a lot about computers. You have to know when to tell the blocker an action is ok and when to say no. If you say no all of the time you will not be able to use much software. If you say yes all of the time a behavior blocker will not help you and it will probably annoy you so much that you remove it.

Microsoft Office introduced a behavior blocker in Word 97. The blocker was macro protection. If you turned on macro protection then every time you opened a document that macros it would ask you if you wished to let macros run. If you knew when to choose no and when to choose yes then this behavior blocker could very effectively protect you against macro viruses. Most people just clicked yes and so the behavior blocker was mostly ineffective

Is a behavior blocker right for you? It depends on how much you know and what your tolerance is for interruption. If you know what it means to write to the hosts file, the start menu, HKCU run, HKLM RunOnce, and so on then you may be able to use a behavior blocker effectively. If you do not understand when these actions are or are not ok then a behavior blocker is probably not the right security approach for you. If you try to install a networked printer a good behavior blocker will probably warn you. Will you know that it is your printer installation program that is changing your hosts file, why it is changing it, and if it is ok? Is it ok for a chat program to modify the hosts file?

Spycar does not test products to see how well they detect bad programs, Spycar allows knowledgeable users to test behavior blocking programs to see what actions, they block – regardless of whether the action is good or bad. It is up to you to determine when the behavior is good or bad.

Here is a real life scenario for you. Some Internet browser toolbars are ok. Some toolbars install spyware or adware. When you install a toolbar it will make some changes that a good behavior blocker will detect and warn you about. The behavior blocker will not tell you which toolbar is good and which one is bad, only that the toolbar is trying to do something. If you are like most people the if the toolbar with spyware looks like something really cool you will tell the behavior blocker to let you install it and your computer will become infected. If you go to install the good toolbar, but think it might be bad because the behavior blocker told you the program is doing something, you will block it and then be denied the benefits of the good toolbar.

Behavior blockers are tools that indicate activities, not programs that detect spyware, viruses or anything else – determining whether or not the action is good or bad is your job when you use a behavior blocker.

More on Spycar real soon!

Randy Abrams
Director of Technical Education

Author , ESET

  • Ylu

    Could you tell me what the differences among Behavior Blocker, Immunizers, CRCs, and Active monitors?

    • Randy Abrams

      I’ll write a blog on that!

  • We are putting the final touches to our latest Behavioural Blocker (BB) development software – think Sana SafeConnect. Education is vital so that individuals understand what these programs do and that users will not see much going on. The best defense is to use a combination of AV, BB and anti-spware. Actually if all computers came with BB as standard (out of the box) this would provide complete protection alongside the standard AV and anti-spyware security.
    Warm regards
    Julian Evans

  • Pingback: wHAT IS YOUR sECURITY SET UP?()

  • spyware blockers

    I’ve found that spyware infects my computer all the time nowadays. I now use a paid for spyware blocker rather than a free one. I got my fingers burnt with a free one which turned out to be spyware itself. The paid ones generally do what they say and I just run it a couple of times a week. I don’t have it on all the time as it sucks my cpu.

  • Mathieu


    I recently attempted to test my security setup using Spycar, only to find that ESET blocks it based on signatures, deleting the EXE before I can even run the software. This defeats the purpose of the spycar package, and makes it harder for me to test the integrity of my system. It identifies the various tests as variants of ‘Win32/Hoax.Spycar.A application,’ and the removal/scoring tool as a variant of ‘Win32/Agent.DTFKFDG trojan.’

    When will this problem be addressed, if ever? And yes, it is a problem – if I cannot run Spycar due to signature-related removal, it means I can’t test ESET’s behavioral blocker abilities, leaving my knowledge of and trust in the security of my system incomplete and in question.

    Thank you.

    • David Harley

      Mathieu, Spycar hasn’t, to my knowledge, been developed/supported in its original form for some years, exactly because AV packages were detecting it. I’m not convinced that it was ever a dependable test of AV behaviour blocking, irrespective of the AV, frankly: it’s based on the author’s preconceptions of how AV works, not necessarily on how individual packages work.

  • Mathieu

    Thank you for the response.

    Considering this information, what is a behavior blocker test you would recommend?

    Also, I would recommend you pass on this advice to Maximum PC ( http://www.maximumpc.com ), who actively uses spycar as part of their review process when testing antivirus products, as well as an recommendations you may have for alternatives. As this magazine reaches many hundreds of thousands of American PC users at minimum, and is incredibly well-respected, it has quite an influence in the industry. If they are using a tool for review purposes that is unadvisable for this use, I would think it would be in everyone’s best interest to rectify this error.

    Once again, thank you. I await your response.

    • David Harley

      Point taken. But it’s not as though the Spycar guys haven’t acknowledged its limitations. From their own web page:
      “Is Spycar a Comprehensive Test of Anti-Spyware Tools?
      No. Spycar models some behaviors of spyware tools to see if an anti-spyware tool detects and/or blocks it. But, spyware developers are very creative, adding new and clever behaviors all the time. Spycar tests for some of these common behaviors, but not all. Also, with its behavior-based modeling philosophy, Spycar does not evaluate the signature base, the user interface, and other vital aspects of an anti-spyware tool. Thus, Spycar alone cannot be used to determine how good or bad an anti-spyware product is. We’ve used it to find several gaps in anti-spyware product defenses, but Spycar is but one tool for analyzing one set of characteristics of anti-spyware products. A comprehensive review of anti-spwyare tools should utilize a whole toolbox, of which Spycar may be one element. Ed Skoudis and Tom Liston wrote an article for Information Security Magazine comparing various enterprise anti-spyware tools, and Spycar was a small subset of our more comprehensive tests. You can see that article here.”
      There’s also a link to a techtarget article there that expands on that.

      Rather than have a single vendor follow up with the magazine, that’s probably something that AMTSO might consider addressing. I’ll make that suggestion.

  • Pedro

    Is advanced heuristics vulnerable to obfuscation?
    What would happen if advanced heuristics could be performed without emulation?Would it act as a behavior blocker? Should increase False Positives?

    • David Harley

      I’m not sure what you mean. Obfuscation in this context would be a defence, not an attack. A heuristic algorithm could obviously be stymied by code it can’t read. However, for code to execute without “de-cloaking” is a little more difficult. Emulation isn’t the only possible heuristic approach, though it’s a darned useful one. Behaviour blocking is heuristic, but it’s a way of reacting to a positive detection, not an alternative to heuristics.

Follow us

Copyright © 2017 ESET, All Rights Reserved.