Active Virus Control improvements

In my own tests, AVC and IDS were unable to monitor the following malicious behaviours. To help improve AVC and IDS, I propose that detection of the following behaviours be improved. Thank you.

Behavior Description: injects code and modifies EIP to execute its own code, masquerading so that users consider it a normal process

For example: %WINDIR%\explorer.exe (Explorer.exe)

Behavior Description: deletes itself after running

Behavior Description: tampering with system files

This AVC was unable to detect: %system%\config\system.LOG

Behavior Description: Disable Registry Editor

Behavior Description: Disable Task Manager

Behavior Description: modifies a function entry point's memory attribute to writable

This AVC was unable to detect: ws2_32.dll!getaddrinfo, ws2_32.dll!gethostbyname

Behavior Description: inline hooks its own process

This AVC was unable to detect: xxx.exe WS2_32.dll!gethostbyname Ordinal: 52 HookType: InlineHook

Behavior Description: uses a global message hook to inject a specified file into other processes

This AVC was unable to detect: %system%\ftpdll.dll

Behavior Description: creates a file with the same name as a common system file, suspected of hijacking the normal system file; a common virus behaviour

This AVC was unable to detect: [shell] - explorer.exe

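An added example, not from the original post or from the AV vendor, showing how a defender can confirm the "Disable Registry Editor", "Disable Task Manager" and "[shell] - explorer.exe" behaviours by hand when the product raises no alert. The function name Test-PolicyTampering is my own; the registry paths are the standard Windows policy and Winlogon locations.

```powershell
function Test-PolicyTampering {
    # Returns a list of findings; an empty list means none of the checked
    # settings deviate from their defaults.
    $findings = @()

    # Policy values that disable regedit and Task Manager. Both the per-user
    # (HKCU) and machine-wide (HKLM) locations are honoured by Windows.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $value -and $value -ne 0) {
                $findings += "$key\$name = $value (tool disabled by policy)"
            }
        }
    }

    # Winlogon Shell: the default is 'explorer.exe' with no path. A full path
    # or a different file name is how a same-name copy of explorer.exe gets
    # started as the shell instead of the real %WINDIR%\explorer.exe.
    foreach ($hive in 'HKCU', 'HKLM') {
        $winlogon = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell -ne 'explorer.exe') {
            $findings += "$winlogon\Shell = '$shell' (expected 'explorer.exe')"
        }
    }

    # The real Explorer binary must carry a valid Microsoft signature; a
    # tampered or replaced file fails this check.
    $explorer = Join-Path $env:WINDIR 'explorer.exe'
    $sig = Get-AuthenticodeSignature -FilePath $explorer
    if ($sig.Status -ne 'Valid') {
        $findings += "$explorer signature status: $($sig.Status)"
    }

    return $findings
}

# Usage: print each finding, or a short all-clear line.
$result = Test-PolicyTampering
if ($result.Count -eq 0) { 'No policy or shell tampering found.' } else { $result }
```

Run from an elevated PowerShell so the HKLM values and the file signature can be read; each line returned names the exact key or file to inspect further.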

  • Hi. I am not entirely sure about this, but I think you're referring to File Integrity Monitoring here, not Intrusion Detection. Please correct me if I'm wrong.