In EDR, you can view detections for the file, process, network, system, and registry.
Note
Detections are based on suspicious behaviors that V3 has identified as malicious code.
You can view the following information from Detection:
Note
If a digital signature is embedded in an operating system file in the default system, or an exception condition is satisfied, no behavior log is created.
Detection for a file. Detects when the following behaviors are found in a file:
Downloads file: Detects a behavior of downloading a file.
Hide executable file: Detects a behavior of hiding an executable file.
Executable file created (over 25MB): Detects a behavior of creating a PE file larger than 25MB.
Renames PE file in system folder: Detects a behavior of renaming a PE file in the system folder.
File created in the Recycle Bin: Detects a behavior of creating a file in the Recycle Bin.
Modify PE file in system folder: Detects a behavior of modifying a PE file in the system folder.
Compressed file downloaded: Detects a behavior of downloading a compressed file.
PDF file downloaded: Detects a behavior of downloading a PDF file.
Class file downloaded: Detects a behavior of downloading a class file.
Jar file downloaded: Detects a behavior of downloading a jar file.
Changes file properties: Detects a behavior of changing file properties.
Checks disk drive information: Detects a behavior of accessing the disk drive information. The disk drive information can be modified.
Accesses disk drive with write permission: Detects a behavior of accessing the disk drive with write permission. It could be an attempt to manipulate the disk drive.
Attempts to access a document: Detects that a specific process is accessing a document file to change its properties (changing the file name or content, or deleting the file).
Accesses the file created by the redirect operator: Detects that a specific process (cmd.exe) creates a file using a redirection operator, or accesses the file created that way.
Decompresses compressed file: Detects a behavior of decompressing a compressed file.
Changed Decoy file: Detects that a specific process changes the decoy file that was created to lure ransomware.
Deletes file: Detects that a suspicious process deletes a file.
Changes file: Detects that a suspicious process changes a file in the system root.
Changes file name: Detects that a suspicious process changes a file name.
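The file behaviors above are each a predicate over a single file event (who did it, what operation, which path, and a few file facts). As an added example, which is not code from the EDR product or V3, the following toy classifier maps constructed file events to the behavior names listed above; the FileEvent format, the system-folder list and the decoy-file path are assumptions made for this example, and only a subset of the behaviors is implemented.

```python
# Added example (not EDR/V3 code): a toy classifier that maps file-system
# events to the file-behavior names listed above. The FileEvent format, the
# system-folder list and the decoy-file path are assumptions for this example.
from dataclasses import dataclass
import ntpath

PE_LIMIT_BYTES = 25 * 1024 * 1024          # "over 25MB" threshold from the list
SYSTEM_FOLDERS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumed
DOWNLOAD_TYPES = {                         # extension -> behavior name
    ".zip": "Compressed file downloaded",
    ".rar": "Compressed file downloaded",
    ".7z": "Compressed file downloaded",
    ".pdf": "PDF file downloaded",
    ".class": "Class file downloaded",
    ".jar": "Jar file downloaded",
}
# Constructed decoy path; a real product plants and tracks its own decoys.
DECOY_FILES = {"c:\\users\\alice\\documents\\~decoy.docx"}


@dataclass
class FileEvent:
    process: str         # image name of the acting process
    op: str              # create | write | rename | delete | download
    path: str            # target path (for rename: the new name)
    size: int = 0        # file size in bytes after the operation
    is_pe: bool = False  # True when the file starts with an MZ header
    cmdline: str = ""    # command line of the acting process, if known


def _in_system_folder(path: str) -> bool:
    return any(path.startswith(d) for d in SYSTEM_FOLDERS)


def classify_file_event(ev: FileEvent) -> list:
    """Return the behavior names that this single event triggers."""
    hits = []
    path = ev.path.lower()
    ext = ntpath.splitext(path)[1]
    if ev.op == "download":
        hits.append("Downloads file")
        if ext in DOWNLOAD_TYPES:
            hits.append(DOWNLOAD_TYPES[ext])
    if ev.op == "create" and ev.is_pe and ev.size > PE_LIMIT_BYTES:
        hits.append("Executable file created (over 25MB)")
    if ev.op == "rename" and ev.is_pe and _in_system_folder(path):
        hits.append("Renames PE file in system folder")
    if ev.op == "write" and ev.is_pe and _in_system_folder(path):
        hits.append("Modify PE file in system folder")
    if ev.op == "create" and "$recycle.bin" in path:
        hits.append("File created in the Recycle Bin")
    # cmd.exe writing a file while its own command line contains a redirect (">")
    if (ev.process.lower() == "cmd.exe" and ev.op in ("create", "write")
            and ">" in ev.cmdline):
        hits.append("Accesses the file created by the redirect operator")
    if ev.op in ("write", "rename", "delete") and path in DECOY_FILES:
        hits.append("Changed Decoy file")
    return hits


# Constructed sample events, one per behavior we want to see fire, plus a benign one.
SAMPLE_EVENTS = [
    FileEvent("chrome.exe", "download", "C:\\Users\\alice\\Downloads\\report.pdf"),
    FileEvent("setup.exe", "create", "C:\\Users\\alice\\AppData\\Local\\Temp\\big.exe",
              size=30 * 1024 * 1024, is_pe=True),
    FileEvent("cmd.exe", "create", "C:\\Users\\alice\\out.txt",
              cmdline="cmd.exe /c whoami > C:\\Users\\alice\\out.txt"),
    FileEvent("svc.exe", "rename", "C:\\Windows\\System32\\calc.exe", is_pe=True),
    FileEvent("unknown.exe", "write", "C:\\Users\\alice\\Documents\\~decoy.docx"),
    FileEvent("explorer.exe", "create", "C:\\$Recycle.Bin\\S-1-5-21-1\\$R1A2B3C.exe"),
    FileEvent("notepad.exe", "write", "C:\\Users\\alice\\notes.txt"),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Classify every event; returns (path, [behavior names]) pairs."""
    return [(ev.path, classify_file_event(ev)) for ev in events]


if __name__ == "__main__":
    for path, names in run():
        print(f"{path}: {names or '-'}")
```

Each rule is independent, so one event can carry several behavior names (the PDF download fires both "Downloads file" and "PDF file downloaded"), which matches how the list above is organised: generic behaviors alongside more specific ones.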
Detection for a process. Detects when the following behaviors are found for a process:
Runs abnormal execution of process: Detects a normal process being run through a general procedure call or another abnormal method. It could be malicious code abusing a vulnerability, or a behavior of hiding itself behind a process.
Executes a suspicious process: Detects a process that uses the command prompt in a suspicious way. It could be malicious code abusing a vulnerability, or a behavior of hiding itself behind a process.
Loads DLLs: Detects a behavior of loading an untrusted DLL file.
Loads suspicious DLL: Detects a suspicious DLL load that affects the execution of other processes (disabling the DEP status check, stealing a Windows account, etc.).
Recursive process execution: Detects a process executing itself. The created process can carry out new malicious activity.
Terminate Process: Detects that an unknown process forcibly terminates a normal process.
Detection for a system. Detects when the following behaviors are found for a system:
Performs injection: Detects an injection into memory or of a DLL. The malicious code can carry out new malicious activity.
Writes to child process memory: Detects that a specific process tries to overwrite the memory of a child process. Could be a behavior of dropping malicious code.
Writes to self-process memory: Detects that a specific process tries to overwrite the memory of a process that has the same process name as itself.
Writes to other process memory: Detects a behavior of overwriting an executable file image (PE) in another process's memory. Could be malicious behavior against that process.
Opens physical memory object: Uses data in the unallocated disk area. Malicious code hides data in the unallocated disk area to conceal itself.
Opens process: Detects a behavior of calling an API to obtain a process handle.
Acquires debug permission: Detects a behavior of obtaining debugging permission. Could be malicious code preparing a malicious action against a specific process.
Detects virtual debug mode: Detects a behavior of checking whether the operating environment is the debugging mode of a virtual environment. Could be malicious code that does not execute in a virtual environment.
Detects virtual environment: An executable program detects the virtual environment. Could be malicious code that does not execute in a virtual environment.
Detects user-mode API call: Detects a behavior of calling an API for a specific purpose in user mode (changing the local IP address, checking the boot system, terminating an important process, etc.). Could be an API call made for malicious behavior.
Mutex communication: Detects a behavior of creating or opening a mutex for communication between processes.
MailSlot communication: Detects an attempt at communication between processes using a mailslot.
Pipe communication: Detects a behavior of communication between processes using a named or anonymous pipe.
Calls API from outside of call stack area: Detects a behavior of abnormally calling an API from outside the call stack. Could be malicious behavior abusing vulnerabilities.
Converts to idle process: Detects a behavior in which a process puts itself into an idle state (sleeping or paused). Could be intended to perform a malicious action at a specific moment or to avoid analysis.
Logs key strokes: Detects a process intercepting keyboard input. Could be malicious code compromising user information.
Attempted to attack vulnerability of document program: Detects that a specific process attempts an exploit using vulnerabilities in specific document programs such as Acrobat Reader.
Detection for a network. Detects when the following behaviors are found for a network:
Network Connection: Detects that an IP address which has never connected to the Internet before connects to the Internet for the first time. If this event occurs on a system where an Internet connection is not necessary, the user should be cautious, as it could be malicious behavior.
Abnormal network packets: Detects network packets that use an abnormal protocol on a known service port. Could be malicious access made without the user's knowledge.
UDP data transmission: Detects a behavior of transferring data using UDP. Could be malicious code compromising user information.
DNS query: Detects a behavior of querying a DNS server for a DNS name. Could be an attempt by a malicious bot to make a C&C connection.
Allows TCP connection requests: Detects a behavior of accepting TCP connections to the user's PC. Could be malicious behavior accessing the system without the user's knowledge.
TCP data transmission: Detects a behavior of data transmission using TCP communication. Could be malicious code compromising user information.
Opens TCP port: Detects a behavior of opening a TCP port to allow external access. Could be malicious behavior accessing the system without the user's knowledge.
Opens UDP port: Detects a behavior of opening a UDP port to allow external access. Could be malicious behavior accessing the system without the user's knowledge.
Data transmission: Detects a behavior of data transmission by a program. Could be malicious code compromising user information.
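"Abnormal network packets" is the one network behavior above that needs more than a transport and port check: the packet bytes on a well-known service port have to be compared against the protocol that port is known for. As an added example, which is not code from the EDR product or V3, the following toy flow classifier does that for UDP/53, TCP/80 and TCP/443 and also raises "DNS query", "UDP data transmission" and "TCP data transmission"; the Flow format, the port-to-protocol table and the header checks are assumptions made for this example.

```python
# Added example (not EDR/V3 code): a toy flow classifier for a few of the
# network behaviors listed above. It checks that traffic on a well-known
# service port actually looks like the protocol that port is known for; the
# Flow format and the port->protocol table are assumptions for this example.
import struct
from dataclasses import dataclass


@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # first bytes the client sent


def looks_like_dns(payload: bytes) -> bool:
    """12-byte DNS header with a sane opcode and at least one question."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    return opcode in (0, 1, 2) and qdcount >= 1


def is_dns_query(payload: bytes) -> bool:
    """QR bit (top bit of the flags word, byte 2) is 0 for queries."""
    return looks_like_dns(payload) and not (payload[2] & 0x80)


def looks_like_http(payload: bytes) -> bool:
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                               b"OPTIONS ", b"HTTP/"))


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 20..23 and version major byte 3."""
    return (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03)


# What we expect on each (transport, port); anything else on that port is abnormal.
EXPECTED = {("udp", 53): looks_like_dns, ("tcp", 80): looks_like_http,
            ("tcp", 443): looks_like_tls}


def classify_flow(flow: Flow) -> list:
    hits = []
    if flow.proto == "udp":
        hits.append("UDP data transmission")
    elif flow.proto == "tcp":
        hits.append("TCP data transmission")
    if flow.proto == "udp" and flow.dst_port == 53 and is_dns_query(flow.payload):
        hits.append("DNS query")
    checker = EXPECTED.get((flow.proto, flow.dst_port))
    if checker is not None and not checker(flow.payload):
        hits.append("Abnormal network packets")
    return hits


def dns_query_bytes(name: str) -> bytes:
    """Build a minimal A-record query for the sample flows (constructed data)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("udp", 53, dns_query_bytes("example.com")),                  # real DNS query
    Flow("tcp", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),     # TLS record header
    Flow("tcp", 443, b"HELLO BOT v2\n"),                               # not TLS on 443
    Flow("udp", 53, b"\x00\x01"),                                      # not DNS on 53
    Flow("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # plain HTTP
    Flow("tcp", 8080, b"anything goes on an unlisted port"),          # no expectation
]


def run(flows=SAMPLE_FLOWS) -> list:
    return [classify_flow(f) for f in flows]


if __name__ == "__main__":
    for f, names in zip(SAMPLE_FLOWS, run()):
        print(f"{f.proto}/{f.dst_port}: {names}")
```

The port table is deliberately keyed on transport as well as port: DNS over TCP carries a two-byte length prefix that the UDP check above would not accept, so a production rule needs a separate parser for it rather than a single port-53 entry.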
Detection for a registry. Detects when the following behaviors are found for a registry:
Registers a screen saver file(*.SCR): Changes the SCR file path executed by the screen saver. The changed SCR file can be abused to run malicious code.
Registers an autorun program in registry: Changes the registry to autorun a program, which is not commonly done at system startup. Could be malicious code, as this is not a common behavior. If malicious code is registered as a startup program, it can keep performing malicious behavior.
Registers Internet Explorer browser helper object: Creates a Browser Helper Object (BHO) for Internet Explorer. A BHO containing malicious code can perform malicious behavior without the user's knowledge.
Registers Internet Explorer toolbar: Registers a toolbar in Internet Explorer. This can be inconvenient for the user while browsing. Toolbars installed without the user's consent can be uninstalled from Tools > Manage add-ons.
Changes Internet Explorer search settings: Changes the settings for the Internet Explorer search provider. Search results can be manipulated, or unintended search results can be returned.
Changes Internet Explorer start page: Changes the start page of Internet Explorer. This can be inconvenient for the user while using Internet Explorer.
Changes Internet Explorer advanced settings: Changes the advanced settings of Internet Explorer (proxy settings, deleting cookies, configuring the start page, etc.). The user may not be aware of the changed settings, and a lowered security level can expose the user to threats while using the Internet.
Changes Internet Explorer security settings: Changes the Internet Explorer security settings (signature confirmation, creation of unsafe files, SmartScreen filter settings, etc.). Can expose the user to threats while using the Internet.
Changes Internet Explorer extensions: Changes the Internet Explorer extensions. This can be inconvenient for the user while browsing. Extensions installed without the user's consent can be uninstalled from Tools > Manage add-ons.
Changes Internet Explorer pop-up settings: Changes the Internet Explorer settings for blocking pop-up messages. The user can be exposed to unwanted pop-up messages.
Attempts to change the security level: Detects a behavior of changing the registry to adjust the security level. The user should be cautious, as lowering the security level and changing various network security settings can expose them to threats.
Configures program concealment: Changes the registry to hide a program. Changes the Local Security Authority (LSA), Internet Explorer settings, and Windows automatic update settings. The concealed program cannot be recognized in the usual way, so malicious behavior can persist.
Changes WinSock2 communication settings: Changes the WinSock2 communication settings. Malicious code falsifies the registry to interrupt the repair process.
Changes security zone level for Internet options: Changes the default security zone used by a specific protocol (FTP, HTTP, HTTPS) to a lower level. Can expose the user to threats while using the Internet.
Changes autorun setting of CD/USB drives: Changes the autorun setting of CD-ROM or removable USB drives. Autorun of an untrusted program or malicious code can expose the user to threats.
Changes shell folder: Changes the folder where the shortcut icons for startup programs are stored.
Sets to change file name on system startup: Registers in the registry to allow a file name to be changed at system startup. Could be a behavior of malicious code concealing itself.
Registers recursive autorun: Registers itself for autorun. The registration itself is a normal action, but it is highly likely to be malicious code. Malicious behavior can persist from system startup.
Registers abnormal autorun: Registers itself for autorun in an abnormal way. Highly likely to be malicious code. Malicious behavior can persist from system startup.
Registers itself in Service: Registers to run itself through the system process svchost.exe. Can be used to conceal itself and keep its activities going.
Registers itself in the screen saver: Registers to run itself through the screen saver. Could be malicious code. Malicious behavior can persist from system startup.
Registers itself on the Internet Explorer toolbar: Registers itself on the Internet Explorer toolbar. Highly likely to be malicious code. Can be run automatically when Internet Explorer starts, and malicious behavior can persist.
Changes network connection properties: Changes the network adapter connection properties (gateway, DNS address, etc.). Can manipulate the network connection and carry out malicious activity.
Registers itself in Internet Explorer BHO: Detects a behavior of registering itself as a Browser Helper Object (BHO) for Internet Explorer. Highly likely to be malicious code. Can be run automatically when Internet Explorer starts, and malicious behavior can persist.
Registers DLL/Driver files as a service: Detects a behavior of changing the registry to register DLL/driver files as a service. The file can then be run by the system process svchost.exe. Malicious code conceals itself this way to keep attempting malicious behavior.
Registers itself to run in shell: Detects a behavior of associating itself with a specific file format or protocol. If a file with a specific extension is run after changing specific information under the registry key (HKCR), with the aim of obtaining higher permissions by abusing vulnerabilities, malicious code can be run.
Accesses Internet Explorer history: Accesses the list of recently opened pages in Internet Explorer. The user's Internet access history can be exposed.
Removes JIT debugger settings: Removes the settings for the JIT debugger, which runs on a system error. Could be a behavior intended to interrupt analysis of malicious code.
Registers the program installation information: Detects the installation information for a program, which can be used by all users or only by the current user.
Account access attempt detected (Outlook): Detects a behavior of accessing the registry for Outlook account information.
Creates registry key: Detects that a suspicious process creates a registry key.
Deletes registry key: Detects that a suspicious process deletes an accessed registry key.
Sets registry key value: Detects that a suspicious process sets a registry key value.
Deletes registry key value: Detects that a suspicious process deletes a registry key value.
Opens registry key: Detects that a suspicious process opens a registry key.
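Most of the registry behaviors above reduce to "which key and value was written, and by whom": a Run value that points back at the writing process is the "recursive autorun" case, a ServiceDll value under a Services key is the "DLL/Driver as a service" case, and so on. As an added example, which is not code from the EDR product or V3, the following toy classifier maps constructed registry events to a subset of the behavior names listed above; the RegistryEvent format, the key patterns chosen for each behavior and the placeholder CLSID are assumptions made for this example.

```python
# Added example (not EDR/V3 code): a toy classifier mapping registry events to
# the registry-behavior names listed above. The RegistryEvent format and the
# key patterns chosen per behavior are assumptions for this example.
import re
from dataclasses import dataclass


@dataclass
class RegistryEvent:
    process: str    # full image path of the acting process
    op: str         # create_key | set_value | delete_value | delete_key | open_key
    key: str        # full key path with abbreviated hive (HKCU/HKLM/HKCR)
    value: str = ""
    data: str = ""


# Patterns are matched against the lower-cased key path.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$")
BHO_KEY = re.compile(r"\\currentversion\\explorer\\browser helper objects\\")
SERVICE_KEY = re.compile(r"^hklm\\system\\currentcontrolset\\services\\[^\\]+")
SHELL_COMMAND_KEY = re.compile(r"^hkcr\\[^\\]+\\shell\\open\\command$")
OUTLOOK_PROFILES = re.compile(r"\\outlook\\profiles")


def classify_registry_event(ev: RegistryEvent) -> list:
    key, value, data = ev.key.lower(), ev.value.lower(), ev.data.lower()
    hits = []
    if ev.op == "set_value":
        if RUN_KEY.search(key):
            # A Run value pointing at the writer's own image is the "recursive" case.
            if ev.process.lower() in data:
                hits.append("Registers recursive autorun")
            else:
                hits.append("Registers an autorun program in registry")
        elif key.endswith("\\control panel\\desktop") and value == "scrnsave.exe":
            hits.append("Registers a screen saver file(*.SCR)")
        elif key.endswith("\\software\\microsoft\\internet explorer\\main") and value == "start page":
            hits.append("Changes Internet Explorer start page")
        elif SERVICE_KEY.match(key) and (value == "servicedll"
                                         or (value == "imagepath" and data.endswith(".sys"))):
            hits.append("Registers DLL/Driver files as a service")
        elif key.endswith("\\policies\\explorer") and value == "nodrivetypeautorun":
            hits.append("Changes autorun setting of CD/USB drives")
        elif SHELL_COMMAND_KEY.match(key):
            hits.append("Registers itself to run in shell")
        else:
            hits.append("Sets registry key value")
    elif ev.op == "create_key":
        hits.append("Registers Internet Explorer browser helper object"
                    if BHO_KEY.search(key) else "Creates registry key")
    elif ev.op == "open_key":
        hits.append("Account access attempt detected (Outlook)"
                    if OUTLOOK_PROFILES.search(key) else "Opens registry key")
    elif ev.op == "delete_value":
        hits.append("Deletes registry key value")
    elif ev.op == "delete_key":
        hits.append("Deletes registry key")
    return hits


# Constructed sample events; the all-zero CLSID is a placeholder, not a real object.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\Users\alice\AppData\Roaming\upd.exe", "set_value",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  "Updater", r"C:\Users\alice\AppData\Roaming\upd.exe"),
    RegistryEvent(r"C:\Program Files\Vendor\setup.exe", "set_value",
                  r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                  "VendorTray", r"C:\Program Files\Vendor\tray.exe"),
    RegistryEvent(r"C:\Temp\x.exe", "set_value", r"HKCU\Control Panel\Desktop",
                  "SCRNSAVE.EXE", r"C:\Temp\x.scr"),
    RegistryEvent(r"C:\Temp\x.exe", "create_key",
                  r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}"),
    RegistryEvent(r"C:\Temp\x.exe", "set_value",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\examplesvc\Parameters",
                  "ServiceDll", r"C:\Temp\x.dll"),
    RegistryEvent(r"C:\Temp\x.exe", "open_key",
                  r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"),
    RegistryEvent(r"C:\Windows\explorer.exe", "set_value",
                  r"HKCU\Software\Vendor\App", "Theme", "dark"),
]


def run(events=SAMPLE_EVENTS) -> list:
    return [classify_registry_event(ev) for ev in events]


if __name__ == "__main__":
    for ev, names in zip(SAMPLE_EVENTS, run()):
        print(f"{ev.op} {ev.key}: {names}")
```

The specific persistence rules are tried before the generic "Sets registry key value" fallback, so an event is reported under its most specific behavior name; a benign settings write still lands in the generic bucket, which is the behavior the list above reserves for any suspicious process writing a value.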