Following on from my previous two posts (1, 2) on the new protection features we have in the new version of the Sophos Endpoint product, I'd like to briefly discuss the new "HIPS Runtime behavior" functionality.
All Sophos products already include our pre-emptive behavior blocking technique called "Behavioral Genotype". The new runtime functionality provides yet another layer on top of this. In simple terms it works by monitoring the behavior of an application as it runs, which files it accesses, registry keys it changes and so on. We have developed a number of rules that determine what behavior is suspicious so that the program can be terminated before it does any damage.
Let's take an example, there are basic things malware nearly always needs to do in order to be successful. It will modify the registry to ensure that it starts up when the computer is rebooted, it will probably copy itself to a different location, it may launch another process and so on. Combinations of these things can provide a strong indicator of malicious intent. All you need to do is look at a selection of the 'advanced' descriptions (1,2,3) we publish to see the consistent behavior malware has in common.
The problem with any runtime analysis tool is minimizing the interaction with the user, changing the startup registry key, copying files to the system folder and launching other processes are actions carried out by legitimate applications, especially application installers. If the user is constantly being asked to authorise an application, they will get "Message Box" fatigue and stop reading the messages and simply approve everything, or worse still turn off the functionality completely (this of course is the type of criticism levelled at Microsoft Vista, most famously in the Apple adverts).
The challenge therefore is to minimize the "˜unwanted detections' whilst maximising the protection. To do this we have tailored the rules to minimize the impact, we also recommend that when the product is first deployed, that it is run in "˜alert' only mode. This doesn't prevent applications running, simply notifies the administrator console that an event triggered. Legitimate applications can then be authorised so that rules don't trigger for that application in the future. When the administrator is happy that all the pre authorisation is done, it can be enabled to block future threats. The best analogy is that it is exactly the same as deploying a desktop firewall.
The biggest risk of unwanted detections is when installing new applications, and this is where our focus on corporate and enterprise customers is a benefit, especially in conjunction with application control. If an end user is installing an application, and its not one that has been deployed by the central IT department, the administrator, will probably want to know about it, so the fact that the initial install attempt is blocked is allows the administrator to keep a much tighter control over their environment.