Activities Virus Control Improvements


In my own tests, AVC and IDS were unable to monitor the following malicious behaviors. To help improve AVC and IDS, I propose that detection of the following behaviors be improved. Thank you.


Behavior Description: inject code and modify EIP to execute its own code, deceiving users into regarding it as a normal process


For example: %WINDIR%\explorer.exe


Behavior Description: deletes itself after running.


Behavior Description: tampering with system files


AVC is unable to detect this: %system%\config\system.LOG


Behavior Description: Disable Registry Editor


Behavior Description: Disable Task Manager


Behavior Description: modify the attribute of a function entry point to writable


AVC is unable to detect this: ws2_32.dll!getaddrinfo, ws2_32.dll!gethostbyname


Behavior Description: inline hook in its own process


AVC is unable to detect this: ******.exe WS2_32.dll!gethostbyname Ordinal: 52 HookType: InlineHook


Behavior Description: using a global message hook to inject a specified file into other processes


AVC is unable to detect this: %system%\ftpdll.dll


Behavior Description: create a file with the same name as a common system file, suspected of hijacking the normal system file (a common virus behavior)


AVC is unable to detect this: [shell] - explorer.exe
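As an added example (not part of the original post or of the product being discussed), the C code below shows one way a monitoring component could detect the inline hook on an exported function such as WS2_32.dll!gethostbyname listed above: compare the function's in-memory prologue with the bytes of the same function in the module file on disk, and decode the common detour stubs when they differ. The addresses and prologue bytes are constructed sample values, and the check works on byte buffers it is given rather than reading live process memory, so it runs on any platform.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Outcome of inspecting the first bytes of an exported function. */
typedef struct {
    int hooked;         /* 1 if the prologue was overwritten with a detour */
    const char *kind;   /* which stub pattern matched */
    uint32_t target;    /* decoded detour destination (0 if unknown) */
} hook_report;

/* Build the 5-byte "JMP rel32" stub a hook engine plants at `from` to reach `to`;
   used here only to create constructed sample input. */
void make_jmp_stub(uint8_t out[5], uint32_t from, uint32_t to)
{
    int32_t rel = (int32_t)(to - (from + 5));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, 4);
}

/* Compare the in-memory prologue `mem` of an export at virtual address `va` with
   `disk`, the same n bytes read from the module file; `disk` may be NULL. */
hook_report inspect_prologue(const uint8_t *mem, const uint8_t *disk,
                             size_t n, uint32_t va)
{
    hook_report r = {0, "clean", 0};
    if (n < 5) return r;
    if (disk && memcmp(mem, disk, n) == 0) return r;          /* unmodified */
    if (mem[0] == 0xE9) {                                     /* JMP rel32 */
        int32_t rel; memcpy(&rel, mem + 1, 4);
        r.hooked = 1; r.kind = "jmp rel32"; r.target = va + 5 + (uint32_t)rel;
    } else if (mem[0] == 0xFF && mem[1] == 0x25 && n >= 6) {  /* JMP [abs32] */
        r.hooked = 1; r.kind = "jmp [abs32]"; memcpy(&r.target, mem + 2, 4);
    } else if (mem[0] == 0x68 && n >= 6 && mem[5] == 0xC3) {  /* PUSH imm32; RET */
        r.hooked = 1; r.kind = "push/ret"; memcpy(&r.target, mem + 1, 4);
    } else if (disk) {                     /* differs from disk, unknown stub */
        r.hooked = 1; r.kind = "modified (unrecognized stub)";
    }
    return r;
}

int main(void)
{
    /* Constructed sample: "mov edi,edi; push ebp; mov ebp,esp" as stored on disk,
       and the same entry point after a detour was written over it (made-up addresses). */
    const uint8_t disk[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    uint8_t mem[5];
    make_jmp_stub(mem, 0x71AB1234u, 0x00401000u);
    hook_report r = inspect_prologue(mem, disk, 5, 0x71AB1234u);
    printf("gethostbyname: %s via %s -> 0x%08X\n", r.hooked ? "HOOKED" : "clean", r.kind, r.target);
    return 0;
}
```

A real scanner would obtain `mem` by reading the loaded module in the target process and `disk` by mapping the module file and locating the export through its export table; only the comparison and decoding step is shown here.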

Comments

  • Hi. I am not entirely sure about this but I think you're referring to File Integrity Monitoring here, not Intrusion Detection. Please correct me if I'm wrong.