This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."

Download it now to read this article plus other related content.

Behavior-Based Spyware Detection

    Requires Free Membership to View

Click here for a comparison of behavior-based spyware detection. (PDF).

Behavior-based Detection
Behavior-based detection is a double-edged sword: While it improves detection, it increases the likelihood of false positives, which could break an unusual but legitimate enterprise application. Still, there's great value in blocking or alerting on suspect behavior.

Based on our experience with AV tools, we fully expected the antispyware products to have heuristic or behavior-based detection abilities to cope with a rapidly morphing threat. However, McAfee is the only one that detected any of our tests in its default configuration; eSoft, Lavasoft and Webroot turn off behavior-based detection by default; and CA, SurfControl and Trend Micro have no behavior-based detection capabilities. Because many enterprises run security software with a default configuration, you'll have to consider your own policy.

To test behavior-based detection, we created 25 small custom programs, each of which attempted to perform a single spyware-like behavior. We dubbed the collection "SPYCAR" in homage to the well-known EICAR antivirus test file.

Our SPYCAR specimens tested each antispyware tool's ability to detect the following:

  • The addition of new registry values or start menu entries to run programs loaded by SPYCAR.
  • Various changes to the "Internet Options" panel in IE (including changes that lock out users' ability to change their home page).
  • Changes to the home page of both IE and Firefox.
  • Additions to the hosts file.
  • The launch of a keylogging application.
  • Addition of a browser helper object (BHO) to IE.
  • Changes to the default wallpaper.
We were quite surprised to discover how few of these spyware-like behaviors were detected or blocked (see "Behavior-Based Spyware Detection").

Interestingly, McAfee's default settings block programs from being run from IE's "Temporary Internet Files," a simple protection that can defeat many "drive-by" spyware installs.

eSoft, Lavasoft and Webroot produced a mixed bag of results when behavior-based detection was enabled. Webroot detected and blocked attempts to install values under the "Run" and "RunOnce" keys in HKCU and HKLM, which are often used to start spyware automatically at system boot or user logon. However, Webroot completely missed additions to RunOnceEx, a registry key that operates in much the same fashion as RunOnce. By blocking only two of the three most commonly used registry keys for launching spyware, Webroot missed a major portion of the defensive puzzle.

Lavasoft's behavior-based detection has to be enabled on each individual client. When set to its highest level of detection, Lavasoft alerted the user to an attempt to install a value under RunOnceEx and even offered the option to block it, but then failed to actually block the activity. Lavasoft was, however, the only product to detect a rather tricky attempt to replace IE as the default Windows shell in order to launch a spyware application.

eSoft's behavior-based detection was weaker than that of Lavasoft or Webroot, though it did detect and roll back an installed BHO when an on-demand scan was performed.

This was first published in May 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: