
Behavioral Blocking Rules

June 3rd, 2010

Panda Cloud Antivirus 1.1 incorporates two types of behavioral protection: behavioral blocking and behavioral analysis. In this post we concentrate on the behavioral blocking rules, which are included by default in both the Free Edition and the Pro version of Panda Cloud Antivirus.

The behavioral blocking engine is composed of a collection of rules describing typical malicious actions performed by, or exploited through, particular groups of programs. The behavior blocking rules included in Panda Cloud Antivirus fall into four main areas.

Malware family specific rules

  • Rule 4001: Generic rules to block TDSS Rootkit installations.
  • Rules 4002 & 4003: Block autorun type of malware by limiting autorun.inf file creation and modifications.
  • Rules 4004 & 4005: Generically block certain rogue malware installers.
  • Rules 4006 & 4007: Prevent installations of Lineage trojan family generically.
  • Rules 4009 & 4010: All W32/Viking virus variants create files with a common name, so we don’t allow execution or creation of these files.
  • Rule 4011: Typical files and processes from the W32/Beagle malware have been blocked from being created or executed.

Operating System Security Policies

  • Rule 4008: An application (email client, MSN, IM, video/sound player) is trying to modify the hosts file. This is typical of malicious modifications to the Operating System that redirect websites to compromised hosts.
  • Rules 4013 & 4014: Windows will always check whether c:\explorer.exe exists and, if it does, Windows will execute it instead of the real Windows Explorer. If you receive an alert, some kind of malware is trying to create or execute the file c:\explorer.exe. This is a dangerous operation.
  • Rule 5001: During normal behaviour DNS Server Application shouldn’t need to create or execute any executable. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5003: During normal behaviour, email clients, MSN, IM, video/sound players, text editors, Office app, compressors, shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5004: During normal behaviour, Network Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5008: During normal behaviour some applications shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5023: During normal behaviour SQL Server process shouldn’t need to create or execute any executable programs. If you receive an alert, some kind of vulnerability is being exploited.

Browser vulnerability exploit prevention rules

  • Rule 5002: During normal behaviour, Web browsers shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5005: During normal behaviour Web browsers shouldn’t need to execute files from downloaded programs directories. This rule prevents some IE vulnerabilities normally exploited by drive-by downloaders. If you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5020 & 5021: Prevents Internet Explorer vulnerabilities from exploiting Microsoft HTML Application Hosts to create and execute malicious code. If you receive an alert, some kind of IE vulnerability is being exploited.

Generic application vulnerability exploit prevention rules

  • Rule 5006: During normal behaviour multimedia applications shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5007: During normal behaviour Windows Media Player shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5009 & 5014: During normal behaviour Microsoft Word shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5010 & 5015: During normal behaviour Microsoft Excel shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5011 & 5016: During normal behaviour Microsoft PowerPoint shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5012 & 5017: During normal behaviour PDF readers shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5013 & 5018: During normal behaviour Open Office shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5019: During normal behaviour Exchange Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of Exchange Server vulnerability is being exploited.
  • Rule 5022: During normal behaviour IIS Web Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of IIS vulnerability is being exploited.
  • Rule 5024: Generic rule to block exploitation of certain Operating System and third-party applications that try to create and execute malicious code. If you receive an alert, some kind of vulnerability is being exploited.

Thanks to this behavioural blocking engine, Panda Cloud Antivirus is able to proactively and generically protect against a large variety of malware and exploits that specialize in bypassing signature and heuristic detection. More importantly, it is able to do this without any impact on performance.
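
The rules listed above all have the same shape: a group of programs (browsers, Office applications, media players, server processes) plus an action those programs should never need to take (spawn a shell or admin tool, create or execute an executable, touch the hosts file or c:\explorer.exe). The following is an added example, written for this page and not Panda’s own code or rule logic, that models a subset of those rules as data and evaluates constructed process events against them. The image-name-to-category mapping, the file paths, and the exception list are assumptions made for illustration; the exception mechanism is included because several commenters below ask for exactly that (a way to let a known updater such as VLC’s run without disabling the whole engine), and a constructed VLC updater path is used to show how a broad rule like 5006 fires on a legitimate update and how a path-specific exception suppresses it.

```python
"""Toy behavioral-blocking rule evaluator (added example, not Panda's code).

Each Rule names the program categories it applies to, the actions it watches
(exec / create / modify) and a test on the target path. Events are evaluated
against every rule; per-program exceptions are checked first.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List
import ntpath

# Assumed mapping from process image name to the program groups the rules describe.
CATEGORY: Dict[str, str] = {
    "iexplore.exe": "browser", "firefox.exe": "browser",
    "winword.exe": "word", "excel.exe": "excel", "acrord32.exe": "pdf_reader",
    "soffice.bin": "openoffice", "vlc.exe": "multimedia", "wmplayer.exe": "wmp",
    "outlook.exe": "mail_client", "msnmsgr.exe": "im",
    "w3wp.exe": "iis", "sqlservr.exe": "sql_server", "dns.exe": "dns_server",
}
ANY: FrozenSet[str] = frozenset({"*"})
CLIENT_APPS = frozenset({"mail_client", "im", "multimedia", "wmp"})
SHELL_TOOLS = {"cmd.exe", "powershell.exe", "net.exe", "reg.exe", "sc.exe", "wscript.exe"}
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"


@dataclass(frozen=True)
class Event:
    actor: str   # image name of the process performing the action
    action: str  # "exec" (start a child), "create" (write a new file), "modify"
    target: str  # child image path or file path


@dataclass(frozen=True)
class Rule:
    rule_id: int
    actors: FrozenSet[str]          # program categories, or ANY
    actions: FrozenSet[str]
    target_test: Callable[[str], bool]
    summary: str


def is_shell_tool(path: str) -> bool:
    return ntpath.basename(path).lower() in SHELL_TOOLS

def is_executable(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXEC_EXT

def in_downloads(path: str) -> bool:
    return "\\downloads\\" in path.lower()

def is_root_explorer(path: str) -> bool:
    return path.lower() == r"c:\explorer.exe"

def is_hosts_file(path: str) -> bool:
    return path.lower() == HOSTS_FILE

# Rule numbers and meanings follow the post; the encoding as data is this example's.
RULES: List[Rule] = [
    Rule(4008, CLIENT_APPS, frozenset({"modify"}), is_hosts_file, "client app modifying the hosts file"),
    Rule(4013, ANY, frozenset({"create"}), is_root_explorer, "creation of c:\\explorer.exe"),
    Rule(4014, ANY, frozenset({"exec"}), is_root_explorer, "execution of c:\\explorer.exe"),
    Rule(5001, frozenset({"dns_server"}), frozenset({"create", "exec"}), is_executable, "DNS server touching executables"),
    Rule(5002, frozenset({"browser"}), frozenset({"exec"}), is_shell_tool, "browser spawning admin/shell tool"),
    Rule(5003, CLIENT_APPS, frozenset({"exec"}), is_shell_tool, "client app spawning admin/shell tool"),
    Rule(5005, frozenset({"browser"}), frozenset({"exec"}), in_downloads, "browser executing from a downloads directory"),
    Rule(5006, frozenset({"multimedia"}), frozenset({"exec"}), is_executable, "multimedia app executing a file"),
    Rule(5007, frozenset({"wmp"}), frozenset({"exec"}), is_executable, "Windows Media Player executing a file"),
    Rule(5009, frozenset({"word"}), frozenset({"create"}), is_executable, "Word creating an executable"),
    Rule(5013, frozenset({"openoffice"}), frozenset({"create"}), is_executable, "OpenOffice creating an executable"),
    Rule(5022, frozenset({"iis"}), frozenset({"exec"}), is_shell_tool, "IIS worker spawning admin/shell tool"),
    Rule(5023, frozenset({"sql_server"}), frozenset({"create", "exec"}), is_executable, "SQL Server touching executables"),
]

# Hypothetical per-program exceptions: (actor image, exact lower-case target path).
# Matching the full path, not just the file name, keeps a same-named file elsewhere
# from inheriting the exception. The updater path below is constructed.
EXCEPTIONS = frozenset({("vlc.exe", r"c:\program files\videolan\vlc\vlc-updater.exe")})


def evaluate(event: Event, rules=RULES, exceptions=EXCEPTIONS) -> List[int]:
    """Return the ids of every rule the event violates, after applying exceptions."""
    if (event.actor.lower(), event.target.lower()) in exceptions:
        return []
    category = CATEGORY.get(event.actor.lower(), "other")
    hits = []
    for rule in rules:
        actor_ok = "*" in rule.actors or category in rule.actors
        if actor_ok and event.action in rule.actions and rule.target_test(event.target):
            hits.append(rule.rule_id)
    return hits


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    Event("iexplore.exe", "exec", r"C:\Windows\System32\cmd.exe"),
    Event("winword.exe", "create", r"C:\Users\u\AppData\Local\Temp\dropper.exe"),
    Event("winword.exe", "create", r"C:\Users\u\Documents\report.docx"),
    Event("outlook.exe", "modify", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("svchost.exe", "create", r"C:\explorer.exe"),
    Event("firefox.exe", "exec", r"C:\Users\u\Downloads\setup.exe"),
    Event("vlc.exe", "exec", r"C:\Program Files\VideoLAN\VLC\vlc-updater.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.actor, ev.action, ev.target, "->", evaluate(ev) or "allowed")
```

Running the block prints one line per constructed event; the last event (VLC starting its updater) is allowed only because of the exception entry, and evaluating it with an empty exception set returns rule 5006. An exception keyed on a full path is still only as strong as the protection of that path; in a real deployment the exception would be tied to the publisher signature or hash of the updater as well.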

  1. Phil
    July 13th, 2010 at 17:29 | #1

    Rule 5013 prevents the OpenOffice.org updater from downloading updates.

  2. JMJ squared
    July 15th, 2010 at 14:55 | #2

    Panda Cloud invoked “rule 5006” and blocked vlc.exe, the main executable for VLC Media Player ver. 1.1.0.0 and 104 KB, published by VideoLAN Team. The file and program are legitimate.

    Oops! on Panda :-(

  3. July 15th, 2010 at 19:28 | #3

    @JMJ squared Did this happen while trying to update the VLC version? If so, open Panda CAV, go to advanced configurations, disable “behaviour blocking” and then update VLC. After it is done updating, go back and enable “behaviour blocking” again.

  4. luigi
    July 16th, 2010 at 15:47 | #4

    Panda behavioral blocking prevents my scheduled backups from running, invoking rule 5003 (“dangerous operation detected”). The backup is a scheduled task run by a special user. Panda apparently detects suspicious behavior at winlogon.exe and blocks the task.

    Manually disabling, then enabling, behavioral blocking is not a practical solution. Is there any other option, apart from giving up on Panda?

  5. Kensaku
    July 17th, 2010 at 05:43 | #5

    I get “5006” and “5007” blocking my opening radio stations on WMP 11. No radio on WMP 11 for me; that’s okay. But on WinAmp, I could listen to radio stations. Surprise, indeed. I guess I’ll have to use only WinAmp to access online radio stations, then. Not a big pain.

  6. Kensaku
    July 17th, 2010 at 06:14 | #6

    I’d like to inform further that RealPlayer’s online radio stations aren’t blocked by Panda.

  7. Casey
    July 18th, 2010 at 21:18 | #7

    Is there a way to start PCA with behaviour blocking disabled?

    I use an external editor for editing textareas on web pages and PCA blocks the launch of the external editor – Rule 5002. I already have flash block so I am not worried about the Adobe exploit and I really want to be able to use vim to edit textareas when needed…

    It would be nice if behaviour blocking was configurable to allow certain exe/bat files to be launched…

    Thanks.

  8. Griffon
    July 18th, 2010 at 21:42 | #8

    I would like to second the post made by Phil. Open Office is blocked from downloading updates under rule 5013.

  9. July 19th, 2010 at 20:30 | #9

    Users with behaviour blocking problems can download the new version 1.1.2 which fixes most of these problems.

    More info at http://blog.cloudantivirus.com/2010/07/19/panda-cloud-av-112/

  10. July 21st, 2010 at 16:03 | #10

    Open Office alerted me to an updated version, but Panda blocked the download from within OpenOffice. I had to go to the website to get the new program. I understand the theory, but exceptions should be permitted.

  11. Filipe
    July 26th, 2010 at 04:34 | #11

    How can I use Last.fm automatically if Panda blocks it? I’m getting the rule 5007.

  12. Davis
    July 27th, 2010 at 23:16 | #12

    How can I play realplayer? Help anyone?

  13. Robynn
    July 28th, 2010 at 02:33 | #13

    I get the 5007 rule when media player plays why?

  14. Phil Stilwell
    July 29th, 2010 at 00:39 | #14

    Panda blocked my update download of OpenOffice 3.2.1 citing rule 5013.

  15. Ramiro Mendez
    July 29th, 2010 at 22:29 | #15

    How can I block the 5006 rule? To enable the update of VLC!

  16. Ramiro Mendez
    July 29th, 2010 at 22:37 | #16

    sorry, the answer is up. Thanks

  17. Pedro
    August 18th, 2010 at 11:58 | #17

    @Pedro Bustamante
    Pedro, is it possible to permanently disable this sort of rule only for certain programs?

  18. August 24th, 2010 at 00:19 | #18

    Panda blocks the VLCPlayer’s auto update function.
    Rule 5006
    Please fix that.

  19. August 24th, 2010 at 00:23 | #19

    With disabled Behavior blocking, it works. But I think it is not the solution.

  20. Mike Mensinger
    September 1st, 2010 at 01:34 | #20

    @JMJ squared
    AGREED! wtf? i like vlc!

  21. Leo
    September 7th, 2010 at 21:05 | #21

    Don’t know if this is possible with PCA but it should provide an option to allow potentially dangerous operations after user confirmation.
    Many programs include some sort of self updating and some do have a valid reason to start other processes.

    IMHO a dialog box telling the user that a program (e.g. vlc.exe) tries to create and execute a file and give him the option to allow or block this action would be a perfect solution for the problem.
