Active Virus Control improvements
In my own tests, AVC and IDS were unable to monitor the following malicious behaviors. To help improve AVC and IDS, I propose that detection of the following behaviors be improved. Thank you.
Behavior Description: Injects code and modifies EIP to execute its own code, disguising itself so that users consider it a normal process.
For example: %WINDIR%\explorer.exe
Behavior Description: Deletes itself after running.
Behavior Description: Tampers with system files.
AVC is unable to detect this: %system%\config\system.LOG
Behavior Description: Disables Registry Editor.
Behavior Description: Disables Task Manager.
Behavior Description: Modifies the function entry point attribute to writable.
AVC is unable to detect this: ws2_32.dll!getaddrinfo, ws2_32.dll!gethostbyname
Behavior Description: Inline hooks its own process.
AVC is unable to detect this: ******.exe WS2_32.dll!gethostbyname Ordinal: 52 HookType: InlineHook
Behavior Description: Uses a global message hook to inject a specified file into other processes.
AVC is unable to detect this: %system%\ftpdll.dll
Behavior Description: Creates a file with the same name as a common system file, suspected of hijacking the normal system file; this is common virus behavior.
AVC is unable to detect this: [shell] - explorer.exe
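One way a monitor could flag the inline-hook and writable-entry-point cases listed above, as an added C example that is not part of the original post and not Bitdefender's AVC code. The entry-byte samples and the `page_writable` input are constructed so it runs offline; on a live Windows process the bytes would come from the address GetProcAddress returns and the protection from VirtualQuery.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flags raised for one exported function entry point. */
enum { ENTRY_OK = 0, ENTRY_PATCHED = 1, ENTRY_HOOK_STUB = 2, ENTRY_WRITABLE = 4 };

/* Recognise the trampoline shapes inline hooks typically leave at a
 * function's first instruction. Returns 1 if the bytes look like a stub. */
int looks_like_hook_stub(const uint8_t *p, size_t n) {
    if (n >= 5 && p[0] == 0xE9) return 1;                       /* jmp rel32 */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;       /* jmp [mem] */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1;       /* push imm32; ret */
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
        p[10] == 0xFF && p[11] == 0xE0) return 1;               /* mov rax,imm64; jmp rax */
    return 0;
}

/* Offset of the first live byte that differs from the on-disk copy, or -1. */
long first_patched_offset(const uint8_t *live, const uint8_t *ondisk, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (live[i] != ondisk[i]) return (long)i;
    return -1;
}

/* Combine the three checks the post asks for: bytes differ from the DLL on
 * disk, the bytes form a hook stub, and the page holding the entry point is
 * writable (on Windows: VirtualQuery reports PAGE_EXECUTE_READWRITE). */
int assess_entry(const uint8_t *live, const uint8_t *ondisk, size_t n, int page_writable) {
    int flags = ENTRY_OK;
    if (first_patched_offset(live, ondisk, n) >= 0) flags |= ENTRY_PATCHED;
    if (looks_like_hook_stub(live, n)) flags |= ENTRY_HOOK_STUB;
    if (page_writable) flags |= ENTRY_WRITABLE;
    return flags;
}

/* Constructed sample: the hot-patchable prologue "mov edi,edi; push ebp;
 * mov ebp,esp" that many 32-bit Win32 exports start with, and the same
 * entry after a 5-byte jmp has been written over it. */
static const uint8_t clean_entry[8]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t hooked_entry[8] = {0xE9,0x12,0x34,0x56,0x78,0x83,0xEC,0x10};

int main(void) {
    int f = assess_entry(hooked_entry, clean_entry, sizeof clean_entry, 1);
    printf("ws2_32.dll!gethostbyname flags=%d patched=%d stub=%d writable=%d\n",
           f, !!(f & ENTRY_PATCHED), !!(f & ENTRY_HOOK_STUB), !!(f & ENTRY_WRITABLE));
    return 0;
}
```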
Comments
Hi. I am not entirely sure about this but I think you're referring to File Integrity Monitoring here, not Intrusion Detection. Please correct me if I'm wrong.