Micropoint Forum
Subject: the misunderstanding about the behavior analysis
sidineyqiao
Moderator

[draft translation by sidineyqiao]


This post tries to talk about the technique behind the question, not about any corporation; I refuse to have other people's disputes settled on me. Thank you.
I read some sayings in a post: "Micropoint only reacts when the virus does its actions, and the machine has already been infected with the virus. It is better to clean it. They suggest adding the scan technique into Micropoint." These represent some internet friends' real thoughts, so we discuss it in two parts.

1. "Better to clean the virus, so I suggest adding the scan technique into Micropoint"
This saying is right. It is highly efficient to kill the virus before the virus is loaded.

It is easy to know that eigenvalue scanning checks only a few points, while loading a virus needs to read the whole program and initialize it. Judging the behavior is surely slower than eigenvalue scanning in processing speed, so Micropoint adds eigenvalues into the monitor to improve the whole program's runtime efficiency and anti-virus efficiency. Using the behavior engine at the same time can do a lot of things. Eigenvalues are useless against unknown viruses, so monitoring the behavior is necessary. Integrated into the Micropoint proactive defense system are three parts: known-characteristic scanning, unknown-characteristic scanning and behavior judgment. The technical structure of monitoring program behavior in real time is what Micropoint does best. There may be other opinions. I think a perfect real-time monitor of program behavior is the safest way to protect system security. If the monitor is excellent, the scan is unnecessary. The scan only has an effect when the real-time monitor's report is ignored. So I am not yearning for a scan engine in Micropoint in the future. However, different people have different habits and thoughts, and I can't represent other people's needs. I am more excited that Micropoint can accept users' suggestions open-mindedly and try to satisfy users' needs.

PS:
Maybe someone thinks proactive defense equals behavior analysis. I don't quite agree with this opinion. The former is greater than the latter. The former is a complicated, integrated framework system; at least it includes characteristic scanning, behavior analysis, extracting local characteristics automatically, system-assisted analysis (mainly the tools and the log) and so on. In consideration of the advanced actions of the former, the hot post (the specimen test report of the three great forums about Micropoint and other anti-virus software) surely shows a wide distance. I recommend Kaspersky, Jiangmin and McAfee upgrade their defense manually to proactive defense, then come to a REAL PK FOR THE LOW MISTAKE REPORT. There is only one proactive defense product at present, which is Micropoint, and it surely is the big potato.

2. "Micropoint occurs after the virus is active, so it has infected the machine"
This is unscientific, but it is very common, because only a few people learn coding and know the running principle of a program. In fact, a program can't run in the Windows OS automatically. The running of the program is reported to the Windows kernel through the API interface, and is executed by Windows in deed.

In my opinion, the monitoring part of Micropoint is between the application program and the kernel system, but the enforcement level of Micropoint is embedded into the Windows kernel. This means that Micropoint monitors the program behavior in real time: IT FORCEFULLY STOPS THE VIRUS PROCESS WHEN IT DETECTS THE EXCEPTION, BY THE AUTHORITY OF THE KERNEL SYSTEM. That is to say, it alarms and takes effect in time while the virus is destroying the system or program. Because Micropoint prevents the virus from passing the destructive behavior to the Windows kernel, the virus can't actually take effect on the machine when Micropoint alarms and intercepts the virus. Destructive behavior and infection with the virus are absolutely nothing.

So the behavior monitoring of Micropoint is absolutely safe in its technical principle, although it looks a little dangerous. I designed a small experiment to let everyone understand the truth about the API. Please test it by yourself if you are interested. I am too idle to grab the pictures; please paste the pictures if it is convenient for you.



Tools:
Registry editor (regedit.exe), IE properties, Micropoint registry protection

Steps:
(1) Use the protect function in Micropoint's registry protection to protect the IE home page.
(2) Open the IE properties to modify the IE home page.
(3) Apply the IE properties, trying to save the result after modifying the IE home page.
(4) Choose "prevent" when the alarm message of Micropoint pops up.
(5) Open the registry editor and locate the IE home page to check whether the value is modified or not.
Relevant key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Conclusion
The result displayed in the IE properties is a fake impression; if you want to actually modify the IE home page, you must change the corresponding registry value of the IE property. We can see that nothing changed in the IE home page in the registry editor, so it works!
Micropoint prevents the behavior which modifies the IE home page in the IE properties, which makes this behavior fail before reaching the Windows kernel; so do the other program behaviors. The method based on monitoring behavior can clean the virus safely and the machine can't be infected. The example of Micropoint above explains Micropoint's behavior; anyone who wants to use other software to test it can (you can use HIPS, for example SSM, GSS, McAfee, Kaspersky, Jiangmin 2007).

[ Last edited by sidineyqiao on 2008-8-22 at 11:15 ]

2008-8-22 11:09
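The principle the post demonstrates with steps (1) to (5), as an added toy model in Python (not Micropoint's code): a monitor sits between the application and the kernel-side registry store, and when the user answers "prevent", the IE properties dialog still displays the new home page while the kernel value is unchanged. The class names, the decision callback and the sample URL are constructed for this example.

```python
# Added toy model of a behaviour monitor between an application and the
# "kernel" registry store. Not Micropoint's code; all names are constructed.

IE_START_PAGE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page"


class BlockedByMonitor(Exception):
    """Raised when the monitor refuses to pass a write down to the kernel."""


class KernelRegistry:
    """Stands in for the kernel-side registry: the only real state."""
    def __init__(self, initial):
        self._store = dict(initial)
    def get(self, key):
        return self._store.get(key)
    def raw_set(self, key, value):          # reachable only through the monitor
        self._store[key] = value


class BehaviorMonitor:
    """Intercepts RegSetValue-style calls before they reach the kernel."""
    def __init__(self, kernel, protected_keys, decide):
        self.kernel = kernel
        self.protected = set(protected_keys)
        self.decide = decide                # user's answer to the pop-up
        self.alerts = []                    # attempted writes, for the log
    def reg_set_value(self, caller, key, value):
        if key in self.protected:
            self.alerts.append((caller, key, value))
            if self.decide(caller, key, value) == "prevent":
                raise BlockedByMonitor(f"{caller} -> {key}")
        self.kernel.raw_set(key, value)     # only reached if not blocked


class IEPropertiesDialog:
    """Application layer: keeps its own displayed copy of the home page."""
    def __init__(self, api):
        self.api = api
        self.displayed = None
    def apply_home_page(self, url):
        self.displayed = url                # dialog shows the new value regardless
        try:
            self.api.reg_set_value("IE properties", IE_START_PAGE, url)
            return True
        except BlockedByMonitor:
            return False


def run_experiment(user_choice="prevent"):
    """Steps (1)-(5) as one function; returns what each layer sees afterwards."""
    kernel = KernelRegistry({IE_START_PAGE: "about:blank"})
    monitor = BehaviorMonitor(kernel, {IE_START_PAGE}, lambda *_: user_choice)
    dialog = IEPropertiesDialog(monitor)
    applied = dialog.apply_home_page("http://example.com/")   # constructed URL
    return {"applied": applied, "dialog_shows": dialog.displayed,
            "registry_holds": kernel.get(IE_START_PAGE), "alerts": len(monitor.alerts)}
```

With `user_choice="prevent"` the dialog reports the new URL but the kernel store still holds `about:blank`, which is the "fake impression" the post's conclusion describes; with `"allow"` the same write goes through.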