Bitdefender Behavioral Scanner Alerts

fungus
edited February 2020 in Bitdefender 2009 products

Yesterday I posted that on my computer Microsoft XP (sp3) had informed me that a dangerous condition in my computer required a certain software to be shut down. That "rogue" software was identified as BDIS-2009. XP shut it down very quickly and left my computer running great but without BD. I'm going to call this "Round One" for want of a better name.


Today I experienced "Round Two" right before my eyes. This time I captured the screen and will attempt to post the image here now.


The computer was running, XP was working obviously, and BDIS-2009 was also operating, seemingly normally.


Now I see a warning: BD tells me about serious problem.


BDIS-2009 has blocked a potentially malicious or infected application. That's what I bought BD for, right?


The name of it? "Microsoft Windows Operating System". Haaaaaa ha ha ha ha! (rotflamo)


I think I have inserted the image here now.




I'm loving this. Finally I'm enjoying something about BD for possibly the first time.


I can't wait for Round Three, if there is one. For now my money is on the big guy in the "blue screen of death" colored trunks.


I wish you all could be here to see the live action. I'll keep you posted.


FUNgus

Comments

  • Hello Fungus,


    BitDefender Behavioral Scanner is a HIPS-based scanner (HIPS = Host Intrusion Protection System). It doesn't use signatures, it doesn't use blacklists, it doesn't use any predefined whitelists either; it just looks at what a certain process is doing along the way, and if ANY suspicious things happen, that application is temporarily blocked and the user is asked for permission.


    A HIPS scanner looks at process activity for any of the following:


    - code/DLL/thread injection


    - system hooking


    - process/memory manipulation (like overwriting another process' memory)


    - system file activity (like overwriting critical system files, or a more exact example that I encountered: when something creates autorun.inf files on all partitions, which is a very common way for malware to spread)


    - and other suspicious activity


    - a few other details HERE, or on Google


    This matter has been discussed a few times before on this forum!


    So, basic lines:


    - BD shows in that message the field "Product name" from the application's properties. Of course, for all Windows processes, you will see Microsoft Operating System (go figure...)


    - BitDefender Behavioral Scanner doesn't care who owns that process, doesn't care who created it, it just cares about what it does. And there are a lot of legit applications that take the above-described actions.


    - BitDefender products didn't have this kind of scanner in the past. It was introduced in the 2009 versions. For a long time, even on this forum, there were users asking for such a module, and it was implemented.


    - most importantly: HIPS scanners are subject to WRONG alerts. They can't be called False Positives, since they don't use signatures or any other kind of scanning.


    This module should be used by advanced users who can make a difference between what's legit and what isn't. It can significantly increase the protection level, but also the number of alarms. Who can't handle this, please don't use this module (it's the reason why it's disabled by default in the first place).


    I will pin this topic. Any future topics about this issue will be closed and redirected to this one.


    Cris.

  • fungus
    edited April 2009

    Hi Cris:


    Thank you for the detailed response. After I have thought about this overnight I am more in tune with what you have stated here in this reply. I'd rather have AV warn me of something about to happen, than to have the AV tell me later that I'm infected.


    I do hope you understand how hilarious this was to me watching XP kill BD, calling it potentially dangerous, and the very next day having BD tell me that XP was dangerous. Sort of a back alley fist fight.


    At least now my BDIS-2009 can do scans again, like it used to.


    Peace.


    Fungus

  • Hmm, BitDefender Behavioral Scanner is a HIPS-based scanner. It doesn't use signatures, it doesn't use blacklists, but it is a really good one.

  • As an addition: BitDefender Behavioral Scanner is under continuous development and improvement. It is periodically updated automatically, through the normal automatic update system, along with the signatures and product updates.


    That is why, if you enabled this module, after certain updates you will get alerts concerning applications that weren't "detected" in the past by the Behavioral Scanner.


    Whenever this happens, just take a look at the message and, if the application is legit, allow it to run. You won't be asked again about it.


    Cris.

  • Mr.00
    edited May 2009
    Hello everyone


    I hope to answer the question: --


    When will the development of the characteristic behavioral scanner settings come, for the better, to protect the pc from the risk? It hit my pc; the virus did not move when operating both behavioral scanner and Intrusion detection in

    BitDefender Internet Security 2009

    I had to send the sample, and it was detected, but the modus operandi of this sample

    were not identified by behavioral scanner and Intrusion detection, why??
  • Hi


    behavioral scanner and Intrusion detection don't have to detect every virus-like behaving programme. They might not be harmful and must have been ignored.


    Hemanth

  • alexcrist
    edited May 2009
    but the modus operandi of this sample were not identified by behavioral scanner and Intrusion detection, why ??


    Hello Mr.00,


    First of all, please write your posts using the default formatting. Putting all text on the center makes it difficult to read and follow the ideas. Thank you.


    About your question: Behavioral Scanner looks for specific things in the behavior of a process. If those things don't appear, or the results aren't conclusive enough to deem the file as suspect, Behavioral Scanner won't block the application from running. This also doesn't mean that the application is clean.


    Behavioral detection is very tricky, and under no circumstances it can provide 100% accuracy. It's impossible to detect all malware, whatever method you use. So failing to detect malware is just plain normal. Nothing can ever replace user's experience and you always should be careful what you run on your system.


    Cris.

  • Hello everyone


    But the file is dangerous; see how well the virus functions. All these changes were not noticed by


    behavioral scanner and Intrusion detection


    I sent the sample to the virus laboratory; the sample is discovered now as


    Trojan.Agent.VB.BBZ


    if both: --


    behavioral scanner and Intrusion detection and heuristic


    Have not been able to stop all these changes why??


    It has destroyed my pc and I could not operate all the programs; it has changed the wording of all the programs.


    to see the functioning of the virus and analysis of site threatexpert: --


    -1 --


    http://www.threatexpert.com/report.aspx?md...5865dec43dc7a20


    -2 --


    http://www.threatexpert.com/report.aspx?md...0253446b93e894e


    -3 --


    http://www.threatexpert.com/report.aspx?md...579c9e32bbc3618


    (Behavioral the virus)


    This is a point of interest; I hope for technical support in this.

  • I told you, behavioral and heuristic scanning is tricky. What seems obvious to you might not be so obvious to an automated software algorithm.


    Besides, the fact that another behavioral engine detected it doesn't mean anything at all. behavioral engines are not identical and use completely different algorithms. So it's normal that a sample might get caught by one and missed by another. Another sample might get caught by BitDefender and be missed by other engines.


    It's just a matter of perspective, approximations and statistics.


    Cris.

  • This Sample destroyed My pc but without the movement of both: --


    behavioral scanner


    Intrusion detection


    heuristic scanning


    After destroying my pc, I sent the sample to BitDefender support; the virus has been detected, but it was not disclosed during the operation of BitDefender


    behavioral required for the conduct of the virus, which was not previously detected during the operation BitDefender


    This is what I wanted to clarify

  • alexcrist
    edited May 2009
    behavioral required for the conduct of the virus, which was not previously detected during the operation BitDefender


    This is what I wanted to clarify


    Jesus, you said that 3 times already! What exactly didn't you understand from the explanations I wrote above? Maybe I wasn't clear enough about something and I should explain it again...


    Cris.

  • Mr.Cris


    What I mean, my dear,


    Scanner with the failed behavior of the virus after it was destroyed during the operation of the computers


    To be dear


    (Scanner to study the behavior of this disposition of the virus)


    Was not the first discoverer of the operation of the file when it was malignant and then to sent to the laboratory and the virus is the discoverer of the virus by BitDefender


    Do you want to sent you the virus so as to determine and analyze the behavior of the behavioral scanner


    I'm waiting

  • alexcrist
    edited May 2009

    OK, let's start from the beginning, maybe this time you will understand.


    Behavioral scanner monitors and analyzes, in realtime, what an application is doing. If a certain application is doing a certain combination of actions in a certain period of time, then the application is marked as suspicious and temporarily blocked by the Behavioral Scanner. Otherwise, the application is left to run.


    The rules used by the BitDefender Behavioral Scanner and other behavioral scanners are NOT the same! Every behavioral engine uses different algorithms and different rules by which they determine if an application is suspicious or not.


    So the fact that BitDefender Behavioral Scanner didn't react on a certain application, but other behavioral engines did doesn't mean too much. There are also cases when BitDefender Behavioral Scanner blocks an application and other behavioral scanners.


    Since the sample is already detected by the antivirus engine, there's no need to submit it again for analysis.


    Also, please try to put your ideas in order and write continuous sentences. It's hard for me to understand what you're asking.


    Cris.
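    The behavioral logic Cris describes here, and the list of monitored actions in his first reply (injection, hooking, memory manipulation, autorun.inf on several partitions), as a toy scoring engine in Python. This is an added illustration, not Bitdefender's code; the action classes, weights, time window, threshold and the event stream are constructed assumptions, and the product name is carried along only to show that it plays no part in the verdict.

```python
from collections import defaultdict, deque

# Per-action weights for the activity classes Cris lists. Constructed values:
# a real engine's rules and weights are not on the page.
WEIGHTS = {
    "thread_injection": 3,     # code/DLL/thread injection
    "system_hook": 2,          # system hooking
    "remote_memory_write": 3,  # overwriting another process' memory
    "autorun_inf_create": 2,   # autorun.inf dropped on a partition
}
WINDOW_SECONDS = 10.0  # actions only count together if they cluster in time
THRESHOLD = 6          # score at or above this blocks the process

def evaluate(events, user_allowed=frozenset(), window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Replay (ts, pid, product_name, action, detail) events in time order and
    return {pid: (verdict, score)}. product_name is read but never consulted:
    as Cris says, the decision rests only on what the process does."""
    recent = defaultdict(deque)   # pid -> actions inside the current window
    verdicts = {}
    for ts, pid, product_name, action, detail in sorted(events):
        window_q = recent[pid]
        window_q.append((ts, action, detail))
        while ts - window_q[0][0] > window:   # forget actions older than the window
            window_q.popleft()
        score = sum(WEIGHTS.get(a, 0) for _, a, _ in window_q)
        partitions = {d for _, a, d in window_q if a == "autorun_inf_create"}
        if len(partitions) >= 2:              # autorun.inf on several drives
            score += 3
        if pid in user_allowed:               # user clicked "allow": never re-ask
            verdicts[pid] = ("allowed", score)
        elif score >= threshold or verdicts.get(pid, ("", 0))[0] == "blocked":
            verdicts[pid] = ("blocked", score)  # stays blocked until the user decides
        else:
            verdicts[pid] = ("allowed", score)
    return verdicts

# Constructed event stream, not real telemetry.
SAMPLE_EVENTS = [
    (0.0, 101, "Constructed Worm", "autorun_inf_create", "C:"),
    (0.5, 101, "Constructed Worm", "autorun_inf_create", "D:"),
    (1.0, 101, "Constructed Worm", "thread_injection", "explorer.exe"),
    # pid 202 is a legitimate tool that injects and hooks; it scores the same way (Cris's "wrong alert")
    (2.0, 202, "Microsoft Windows Operating System", "thread_injection", "svchost.exe"),
    (2.5, 202, "Microsoft Windows Operating System", "system_hook", "WH_KEYBOARD"),
    (3.0, 202, "Microsoft Windows Operating System", "remote_memory_write", "svchost.exe"),
    # pid 303 hooks now and injects 30 s later: never both inside one window
    (4.0, 303, "Constructed Editor", "system_hook", "WH_KEYBOARD"),
    (34.0, 303, "Constructed Editor", "thread_injection", "notepad.exe"),
]
```

    Passing `user_allowed={202}` models the user answering "allow" once: the process keeps the same score but is no longer blocked, as Cris describes for legitimate applications.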

  • First: --


    My thoughts, because my English is a bit sick


    (Please do not anger me)


    Second: --


    Scanner behavior is not good to stop the risk from malicious programs


    The algorithms could be developed future


    Thank you my brother Cris on dialogue and debate


    Mr.0


    :)

  • The behavioral engines are under continuous development, and are updated through Live Update whenever a new version is released, as I already said in post #5 in this topic.


    Cris.
