Panda Cloud Antivirus 1.1 incorporates two types of behavioral protections; behavioral blocking and behavioral analysis. In this post we are going to concentrate on the behavioral blocking rules, which are included by default in both the Free Edition and Pro version of Panda Cloud Antivirus.
The behavioral blocking engine is composed of a collection of rules of typical malicious actions performed or exploited by or through a group of programs. The types of behavior blocking rules included in Panda Cloud Antivirus can be grouped into four main areas.
Malware family specific rules
- Rule 4001: Generic rules to block TDSS Rootkit installations.
- Rules 4002 & 4003: Block autorun type of malware by limiting autorun.inf file creation and modifications.
- Rules 4004 & 4005: Generically block certain rogue malware installers.
- Rules 4006 & 4007: Prevent installations of Lineage trojan family generically.
- Rules 4009 & 4010: All W32/Viking virus variants create files with a common name, so we don’t allow execution or creation of these files.
- Rule 4011: Typical files and processes from the W32/Beagle malware have been blocked from being created or executed.
Operating System Security Policies
- Rule 4008: Some application (email clients, MSN, IM, video/sound players) is trying to modify the host file. This is typical of malicious modifications to the Operating System to redirect websites to compromised hosts.
- Rules 4013 & 4014: Windows will always look if c:explorer.exe exists and, if it does, Windows will execute it instead of the real Windows Explorer. If you receive an alert, some kind of malware is trying to create or execute the file c:explorer.exe. This is a dangerous operation.
- Rule 5001: During normal behaviour DNS Server Application shouldn’t need to create or execute any executable. If you receive an alert, some kind of vulnerability is being exploited.
- Rule 5003: During normal behaviour, email clients, MSN, IM, video/sound players, text editors, Office app, compressors, shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
- Rule 5004: During normal behaviour, Network Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
- Rule 5008: During normal behaviour some applications shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
- Rule 5023: During normal behaviour SQL Server process shouldn’t need to create or execute any executable programs. If you receive an alert, some kind of vulnerability is being exploited.
Browser vulnerability exploit prevention rules
- Rule 5002: During normal behaviour, Web browsers shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
- Rule 5005: During normal behaviour Web browsers shouldn’t need to execute files from downloaded programs directories. This rule prevents some IE vulnerabilities normally exploited by drive-by downloaders. If you receive an alert, some kind of vulnerability is being exploited.
- Rules 5020 & 5021: Prevents Internet Explorer vulnerabilities from exploiting Microsoft HTML Application Hosts to create and execute malicious code. If you receive an alert, some kind of IE vulnerability is being exploited.
Generic application vulnerability exploit prevention rules
- Rule 5006: During normal behaviour multimedia aplications shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
- Rule 5007: During normal behaviour Windows Media Player shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
- Rules 5009 & 5014: During normal behaviour Microsoft Word shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
- Rules 5010 & 5015: During normal behaviour Microsoft Excel shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
- Rules 5011 & 5016: During normal behaviour Microsoft PowerPoint shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
- Rules 5012 & 5017: During normal behaviour PDF readers shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
- Rules 5013 & 5018: During normal behaviour Open Office shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
- Rule 5019: During normal behaviour Exchange Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of Exchange Server vulnerability is being exploited.
- Rule 5022: During normal behaviour IIS Web Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of IIS vulnerability is being exploited.
- Rule 5024: Generic rule to block exploitation of certain Operating System and third-party applications that try to create and execute malicious code. If you receive an alert, some kind of vulnerability is being exploited.
Thanks to this behavioural blocking engine Panda Cloud Antivirus is able to proactively and genericaly protect against a large variety of malware and exploits which specializes in bypassing signature and heuristic detection. More importantly, it is able to do this without any impact on performance.