Sophos Behaviour detection

Hello, 

I believe, for performing behaviour based detection, there may not be any signatures, and most of the detection is based on heuristics/scans performed on the code/attachment etc.

Can anybody please provide samples/examples of behaviour based malware?

Deployment of the Sophos engine would be in a security gateway.



  • Hello again,

    your post sounds a little bit confused and confusing so for clarification I suggest reading the Glossary of Terms and the page about Suspicious Behavior. Perhaps this information helps you to rephrase your question and get the desired answers.

    Just a few remarks: "Behavior" is ambiguous - it could mean what a program is expected to do based on an analysis of the code and what it actually does at runtime. But as with signatures (which are still in use - although it's not a simple search for strings of bytes) the final decision depends on the context. Download a file from the Internet and run it - good or bad? Well, you actually expect that from your browser. But it should do this in a decent manner - loading a file from the Internet into memory and branching there is definitely bad. Analysis might include executing certain pieces of code in a small emulator. 

    Scanning is similar to the security check at an airport. There are some basic checks and for most that's it. Anything and anyone out of the normal (whatever this exactly is) is subjected to closer inspection. A weapon in your luggage would be a signature. Some electronic devices would be suspicious. And so on. Eventually you might pass the gate, which does not mean that you won't show malicious behaviour later on the airplane.

    security gateway

    Which communications should be intercepted? Email, downloads, IM, VoIP ...?

    Christian

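To make the distinction in the reply above concrete (a definite signature hit versus runtime behaviour judged in context), here is a small added illustration in Python; it is not code from the thread or from Sophos. The event types, process names, hash value and traces are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    proc: str       # process that performed the action
    op: str         # runtime operation observed by the monitor
    arg: str = ""   # operand: URL, path, hash, memory protection, ...

KNOWN_BAD_HASHES = {"0000-placeholder-not-a-real-hash-0000"}  # constructed
BROWSERS = {"browser.exe"}  # processes for which downloads are expected

def classify(trace):
    """Return 'malicious', 'suspicious' or 'clean' for one event trace."""
    # 1. Signature: definite, needs no context (the "weapon in the luggage").
    if any(e.op == "file_hash" and e.arg in KNOWN_BAD_HASHES for e in trace):
        return "malicious"
    verdict = "clean"
    by_proc = {}
    for e in trace:
        by_proc.setdefault(e.proc, []).append(e)
    for proc, events in by_proc.items():
        ops = {e.op for e in events}
        got_net = "net_recv" in ops
        rwx = any(e.op == "mem_alloc" and "X" in e.arg for e in events)
        # 2. Bad whoever does it: network bytes in executable memory, then a jump.
        if got_net and rwx and "branch" in ops:
            return "malicious"
        # 3. Context-dependent: a non-browser fetching and dropping an
        #    executable gets closer inspection, not an immediate block.
        drops_exe = any(e.op == "file_write" and e.arg.lower().endswith(".exe")
                        for e in events)
        if got_net and drops_exe and proc not in BROWSERS:
            verdict = "suspicious"
    return verdict

# Constructed traces (hypothetical process names) for illustration.
BROWSER_DOWNLOAD = [
    Event("browser.exe", "net_recv", "https://example.invalid/setup.exe"),
    Event("browser.exe", "file_write", "C:/Users/u/Downloads/setup.exe"),
    Event("explorer.exe", "process_create", "C:/Users/u/Downloads/setup.exe"),
]
DOCVIEWER_DROPS_EXE = [
    Event("docview.exe", "net_recv", "https://example.invalid/x"),
    Event("docview.exe", "file_write", "C:/Users/u/AppData/x.exe"),
]
IN_MEMORY_EXEC = [
    Event("viewer.exe", "net_recv", "https://example.invalid/blob"),
    Event("viewer.exe", "mem_alloc", "RWX"),
    Event("viewer.exe", "branch", "to:mem_alloc"),
]
```

The browser trace is clean because the download is expected of that process, the document viewer only earns "suspicious" (closer inspection), and the in-memory execution trace is flagged outright; event ordering is ignored here to keep the rules short.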