
Behavioral Blocking Rules

June 3rd, 2010

Panda Cloud Antivirus 1.1 incorporates two types of behavioral protection: behavioral blocking and behavioral analysis. This post concentrates on the behavioral blocking rules, which are included by default in both the Free Edition and the Pro version of Panda Cloud Antivirus.

The behavioral blocking engine is a collection of rules that describe typical malicious actions performed by, or through, particular groups of programs. The behavioral blocking rules included in Panda Cloud Antivirus fall into four main areas.

Malware family specific rules

  • Rule 4001: Generic rules to block TDSS Rootkit installations.
  • Rules 4002 & 4003: Block autorun type of malware by limiting autorun.inf file creation and modifications.
  • Rules 4004 & 4005: Generically block certain rogue malware installers.
  • Rules 4006 & 4007: Prevent installations of Lineage trojan family generically.
  • Rules 4009 & 4010: All W32/Viking virus variants create files with a common name, so we don’t allow execution or creation of these files.
  • Rule 4011: Typical files and processes from the W32/Beagle malware have been blocked from being created or executed.

Operating System Security Policies

  • Rule 4008: An application (email client, MSN, IM client, video/sound player) is trying to modify the hosts file. This is typical of malicious modifications to the operating system that redirect websites to compromised hosts.
  • Rules 4013 & 4014: Windows always checks whether c:\explorer.exe exists and, if it does, executes it instead of the real Windows Explorer. If you receive an alert, some kind of malware is trying to create or execute the file c:\explorer.exe. This is a dangerous operation.
  • Rule 5001: During normal behaviour DNS Server Application shouldn’t need to create or execute any executable. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5003: During normal behaviour, email clients, MSN, IM, video/sound players, text editors, Office app, compressors, shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5004: During normal behaviour, Network Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5008: During normal behaviour some applications shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5023: During normal behaviour SQL Server process shouldn’t need to create or execute any executable programs. If you receive an alert, some kind of vulnerability is being exploited.

Browser vulnerability exploit prevention rules

  • Rule 5002: During normal behaviour, Web browsers shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5005: During normal behaviour Web browsers shouldn’t need to execute files from downloaded programs directories. This rule prevents some IE vulnerabilities normally exploited by drive-by downloaders. If you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5020 & 5021: Prevents Internet Explorer vulnerabilities from exploiting Microsoft HTML Application Hosts to create and execute malicious code. If you receive an alert, some kind of IE vulnerability is being exploited.

Generic application vulnerability exploit prevention rules

  • Rule 5006: During normal behaviour multimedia applications shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5007: During normal behaviour Windows Media Player shouldn’t need to execute files. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5009 & 5014: During normal behaviour Microsoft Word shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5010 & 5015: During normal behaviour Microsoft Excel shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5011 & 5016: During normal behaviour Microsoft PowerPoint shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5012 & 5017: During normal behaviour PDF readers shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rules 5013 & 5018: During normal behaviour Open Office shouldn’t need to create executable files in the system. So if you receive an alert, some kind of vulnerability is being exploited.
  • Rule 5019: During normal behaviour Exchange Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of Exchange Server vulnerability is being exploited.
  • Rule 5022: During normal behaviour IIS Web Server Applications shouldn’t need to execute administration, network or command shell tools. If you receive an alert, some kind of IIS vulnerability is being exploited.
  • Rule 5024: Generic rule to block exploitation of certain Operating System and third-party applications that try to create and execute malicious code. If you receive an alert, some kind of vulnerability is being exploited.
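Every rule above has the same shape: an acting process or application group, an action (execute, create, modify) and a test on the target. The following is an added illustration, not Panda's code, of how such a rule table can be evaluated against a stream of process events. The application groups, image names, paths and sample events are constructed; rule 4013 stands in for the 4013/4014 pair and 5009 for 5009/5014; and the per-rule, per-application exclusion list is a hypothetical extension of the model, not a product feature. The Windows Media Player event mirrors the protected-media licence check discussed in the comments, which is why the exclusion example is attached to rule 5007.

```python
"""Toy evaluator for parent/child behavioural-blocking rules (added illustration,
not Panda's engine; the rule subset, process names, paths and events are constructed)."""
import os
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".sys"}
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "net.exe", "netsh.exe", "reg.exe", "sc.exe"}
BROWSERS = frozenset({"iexplore.exe", "firefox.exe", "chrome.exe"})          # assumed group
CLIENT_APPS = frozenset({"outlook.exe", "msnmsgr.exe", "wmplayer.exe", "winamp.exe"})  # assumed group
ANY_PARENT = None  # rule watches every process rather than one application group


@dataclass(frozen=True)
class Event:
    parent: str  # image path of the process performing the action
    action: str  # "exec", "create" or "modify"
    target: str  # image launched, or file created/modified


@dataclass(frozen=True)
class Rule:
    rule_id: int
    parents: Optional[FrozenSet[str]]  # watched image names, ANY_PARENT for all
    actions: FrozenSet[str]
    predicate: Callable[[str], bool]  # test applied to the target path
    reason: str


def _name(path: str) -> str:
    """Lower-cased image name, tolerant of Windows or POSIX separators."""
    return os.path.basename(path.replace("\\", "/")).lower()

def _win(path: str) -> str:
    return path.lower().replace("/", "\\")

def is_executable(path: str) -> bool:
    return os.path.splitext(path.lower())[1] in EXECUTABLE_EXT

def is_admin_tool(path: str) -> bool:
    return _name(path) in ADMIN_TOOLS

# A subset of the post's rules as predicates; 4013 stands in for 4013/4014, 5009 for 5009/5014.
RULES: List[Rule] = [
    Rule(4008, CLIENT_APPS, frozenset({"modify"}),
         lambda p: _win(p).endswith("\\drivers\\etc\\hosts"), "client app modified the hosts file"),
    Rule(4013, ANY_PARENT, frozenset({"create", "exec"}),
         lambda p: _win(p) == "c:\\explorer.exe", "c:\\explorer.exe created or run"),
    Rule(5002, BROWSERS, frozenset({"exec"}), is_admin_tool, "browser launched an admin/shell tool"),
    Rule(5007, frozenset({"wmplayer.exe"}), frozenset({"exec"}), lambda p: True, "Windows Media Player executed a file"),
    Rule(5009, frozenset({"winword.exe"}), frozenset({"create"}), is_executable, "Word created an executable"),
    Rule(5023, frozenset({"sqlservr.exe"}), frozenset({"create", "exec"}), is_executable, "SQL Server created or ran an executable"),
]

Exclusion = Tuple[int, str]  # (rule id, acting image name) the operator chose to allow; hypothetical


def evaluate(event: Event, rules: Iterable[Rule] = RULES,
             exclusions: Iterable[Exclusion] = ()) -> Optional[int]:
    """Id of the first rule that blocks the event, or None if it is allowed (first match wins)."""
    actor = _name(event.parent)
    skip = set(exclusions)
    for rule in rules:
        if rule.parents is not None and actor not in rule.parents:
            continue
        if event.action not in rule.actions or not rule.predicate(event.target):
            continue
        if (rule.rule_id, actor) in skip:
            continue  # operator allowed this application under this rule
        return rule.rule_id
    return None


# Constructed sample events; the third is benign and should pass.
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Internet Explorer\iexplore.exe", "exec", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Program Files\Microsoft Office\winword.exe", "create", r"C:\Users\u\AppData\Local\Temp\update.exe"),
    Event(r"C:\Program Files\Microsoft Office\winword.exe", "create", r"C:\Users\u\Documents\report.docx"),
    Event(r"C:\Program Files\Microsoft Office\outlook.exe", "modify", r"C:\Windows\System32\drivers\etc\hosts"),
    # Mirrors the protected-media case in the comments: WMP spawning a licence-check EXE (placeholder name).
    Event(r"C:\Program Files\Windows Media Player\wmplayer.exe", "exec", r"C:\Program Files\Windows Media Player\licensecheck-placeholder.exe"),
    Event(r"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe", "exec", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Users\u\Downloads\dropper.exe", "create", r"C:\explorer.exe"),
]


def run_batch(events: Iterable[Event] = SAMPLE_EVENTS,
              exclusions: Iterable[Exclusion] = ()) -> List[Optional[int]]:
    """Verdict per event, in order: the blocking rule id, or None when allowed."""
    return [evaluate(e, RULES, exclusions) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_batch()):
        print(f"{_name(ev.parent):13} {ev.action:6} -> {'allowed' if verdict is None else verdict}")
```

Running the batch blocks six of the seven events; adding `(5007, "wmplayer.exe")` to the exclusion list lets only the media-player event through while the other verdicts are unchanged, which is the granularity the commenters below ask for and which a plain file-path exclusion cannot express.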

Thanks to this behavioural blocking engine, Panda Cloud Antivirus is able to proactively and generically protect against a large variety of malware and exploits that specialize in bypassing signature and heuristic detection. More importantly, it does this without any impact on performance.

  1. buddee
    June 3rd, 2010 at 10:41 | #1

    awesome information, thx for sharing

  2. June 3rd, 2010 at 11:20 | #2

    thanks for the article, Pedro

  3. buddee
    June 3rd, 2010 at 14:57 | #3

    pedro 1 question: on products page

    http://www.cloudantivirus.com/en/basicProtection/

    it’s mentioned that the free version doesn’t have behaviour analysis, but on this blog it’s mentioned as

    “Panda Cloud Antivirus 1.1 (Free Edition and Pro) incorporates two types of behavioral protections; behavioral blocking and behavioral analysis”

    please tell us which is the correct information, and does the Panda free version include USB vaccine?

  4. J_G
    June 3rd, 2010 at 16:00 | #4

    The Free includes a Behavioral Blocker, but NOT the Behavioral Analysis as the Pro does.

  5. Bill Digiglio
    June 3rd, 2010 at 17:15 | #5

    Thanks for the great product pedro..

  6. June 3rd, 2010 at 18:22 | #6

    @buddee You’re right buddee, it’s not very clear. I will correct it immediately. Thanks!

  7. buddee
    June 3rd, 2010 at 18:34 | #7

    thx for your response and congrats for this wonderful product

  8. buddee
    June 3rd, 2010 at 20:27 | #8

    pedro, how does re-do detection work? I mean, how can I re-detect the files I have unlocked?

  9. June 3rd, 2010 at 22:43 | #9

  10. Ryan
    June 4th, 2010 at 08:04 | #10

    I installed panda cloud av and now vista media center and windows media player cannot access my music collection. I discovered that it was Panda that was blocking these programs from accessing the files and gave rule 5007 as the explanation. If I disable the behavioral protection then they can play just fine, but I would like the protection. Is this a bug or is there something I am doing wrong? Please help. I really like the idea of Cloud AV and I like the program, but this is a home theater pc and if I can’t access music I’ll have to use another av program. don’t want to though. Thanks for any help.

  11. buddee
    June 4th, 2010 at 10:13 | #11

    thx pedro u r champ :D

  12. Ibrad09
    June 6th, 2010 at 20:57 | #12

    @Ryan: Panda Security is looking into it

  13. June 9th, 2010 at 16:04 | #13

    windows vista real player has a 5006 rule. does anyone know how to fix this. if so email me at jobnmicahsdad@gmail.com thanks

  14. June 9th, 2010 at 16:06 | #14

    oh… panda cloud is by far the best free antimalware program I’ve ever heard of. all my friends I tell about it that switch say the same. thanks panda :)

  15. Chris
    June 9th, 2010 at 19:35 | #15

    As the only differences between the free and the pro are behaviour analysis and the usb vaccine, I have stuck with the free for two reasons. First, the behavioural analysis would only work with the 32 bit processes on my 64bit system and second, the usb vaccine is available as a free download. I don’t think the £24.99 cost of the pro is justifiable to me for these reasons. However, the free version is brilliant. It deletes cookies automatically and its keylogger blocking is much improved. Although keylogger tests will get through (no surprise as they are technically not malicious), it now blocks ones like SpyKeylogger. It also seems to use fewer resources and runs better on 64 bit than the previous version, which would lock the system up at times. I use it with comodo firewall and other security layers and think it makes a good alternative to cumbersome security suites. Well done to Panda.

    Finally, to shawn622, I’m not sure if this will work as I don’t have the software you are trying to run but try these steps:

    1. Open Panda
    2. click on the go wheel (bottom right)
    3. click on advanced settings (bottom right)
    4. click on exclusions (end tab at right)
    5. click add then go to the file you want to allow to run.

  16. Chris
    June 9th, 2010 at 19:37 | #16

    Sorry that should have said cog wheel not go. Doh!

  17. Shane
    June 10th, 2010 at 23:52 | #17

    Yeah, My media player and media center aren’t working either. I don’t know how to disable any of the settings. eg: Behavioral settings.

  18. June 11th, 2010 at 00:06 | #18

    @Shane You can do that from the advanced settings (bottom right of the program, flip the screen) and then disable “behaviour blocking”.

  19. Sweet
    June 12th, 2010 at 03:16 | #19

    I just downloaded panda anti-virus then I scanned my computer… scan result: virus detected. Does it mean my computer is safe now? What does neutralized mean? thanks!

  20. J_G
    June 13th, 2010 at 13:52 | #20

    Sweet :
    I just downloaded panda anti-virus then I scanned my computer… scan result: virus detected. Does it mean my computer is safe now? What does neutralized mean? thanks!

    Hi Sweetie.
    Neutralized means the infections were deleted and put into quarantine.

    Though, if you got one infection you might have more, so I would recommend you download Malwarebytes and run a scan with it to see if you still have some nasties left.

    Download Malwarebytes from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

  21. Bryan
    June 18th, 2010 at 13:15 | #21

    Is it possible to disable just one instance of a behavior block? In Winamp, when I right click a music file choose “explore item folder” then Panda blocks that action from happening under rule 5006. Is there any option to ignore this one rule for Winamp? I’d rather not disable behavior blocking entirely.

  22. June 18th, 2010 at 13:47 | #22

    @Bryan It’s a known issue with protected media files. We will be deploying the fix shortly. In the meantime as a workaround disable the BB temporarily and then activate it again. Sorry for the troubles :(

  23. Bryan
    June 18th, 2010 at 19:14 | #23

    That’s ok it’s not a deal breaker since I barely use it. I’d just recommend an option to unblock certain behaviors. Good to hear you guys are working on it. Thanks for the info :)

  24. duane
    June 25th, 2010 at 16:23 | #24

    thanks for making the winamp plugins that i have used for many years worthless.

    no wait ,, worthless would be your product. this is bullshit.

  25. June 25th, 2010 at 16:33 | #25

    @duane You can just disable the behaviour blocker. The fix will be pushed out very soon.

  26. israel ochoa
    June 25th, 2010 at 17:21 | #26

    how can I unblock a “dangerous operation”? I can’t see my videos in Windows Media Player!!!

  27. June 25th, 2010 at 17:25 | #27

    @israel ochoa Open PCAV, click on the bottom-right icon to “flip” the screen, and then disable the “behaviour blocker”. This is a known issue with protected media. The fix will be pushed out shortly.

  28. Johnny
    June 25th, 2010 at 18:34 | #28

    Because of rule 5007 I can’t play any songs any more in WMP.. Does anyone know what to do now?

  29. Julio Cesar
    June 26th, 2010 at 18:46 | #29

    Johnny,
    I just had the same problem. Just disable the behaviour blocker as israel ochoa said and you’ll be fine. I just did it and it worked.
    I’m just wondering why this started to happen suddenly. I never had this kind of problem, maybe I have some infection and now I am in danger?
    Thanks israel.

  30. June 29th, 2010 at 18:28 | #30

    @Johnny & @Julio Cesar We will push out an autofix very soon with this correction. In the meantime a temporary workaround is to go to advanced configuration and turn off the behavioural blocker.

  31. Giantbullfrog
    June 29th, 2010 at 18:54 | #31

    Rule 5007 – is it possible to hold it?
    I have an add-on im windows media player that launches LastFM.
    That is blocked now by Panda.

  32. June 30th, 2010 at 00:13 | #32

    @Giantbullfrog Known workarounds:
    1- Launch LastFM client manually before clicking on any radio links
    2- Go to Panda CloudAV advanced configurations and disable the behaviour blocker.

    The ultimate fix for this rule 5007 and Windows Media Player will be published very soon, so PCAV will fix itself automatically in a few days.

  33. ihm
    June 30th, 2010 at 10:51 | #33

    So i can see that there is problem w/ media player and rule 5007 but how can you explain this; two computers, both w/ WinXP and PCAV (same version – but do not look the same). On one WMP works but on the other not!

  34. June 30th, 2010 at 13:11 | #34

    @ihm When you play a media file with WMP, it can be two types of media: protected and un-protected. If you play unprotected media (avi, mp3, etc.) WMP simply plays the file and there is no problem with PCAV (ie it is not blocked). But when you play protected files, WMP launches an EXE to verify the validity of the protected media license. This EXE is what is being blocked by PCAV. Try playing the same files (protected and unprotected) in the different computers and you should see the same behaviour.

  35. Larry
    June 30th, 2010 at 17:57 | #35

    Windows 7 Action Center warned me that I should update my Foxit Reader (PDF reader software). To do this, I open Foxit and run update…which is blocked by rule 5012. I added Foxit to the exclusion list, but it still gets blocked. Why can’t exclusions apply to behavioral heuristics?

  36. June 30th, 2010 at 19:42 | #36

    @Larry Yes this is also a known issue with the behaviour blocker which will be fixed in the next few days. In the meantime do the following:
    1- Open Panda CloudAV and go to advanced options. Deactivate behaviour blocking.
    2- Update FoxIt Reader
    3- Back to PCAV and activate behaviour blocker.

  37. ihm
    July 1st, 2010 at 12:02 | #37

    @Pedro I am talking about the exact same American music channel in both cases, i.e. I am not playing specific music files but listening to internet radio

  38. July 1st, 2010 at 18:29 | #38

    The next time I play something with WMP I will get 5007

  39. July 2nd, 2010 at 00:11 | #39

    Panda keeps throwing a 5023 for Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe. I just installed ACT! and it uses MS SQL. How do I tell Panda it’s OK?

  40. Suraj
    July 2nd, 2010 at 11:45 | #40

    Hi, I downloaded this stereoscopic video (Knights_Quest_576p.wmv) from the nvidia site (3d vision) and tried playing it in windows media player. It played well once; after that I am receiving a 5007 blocked message. why?

  41. buddee
    July 2nd, 2010 at 14:59 | #41

    @Roger
    @Suraj

    it is a known issue, the updates will soon be pushed to PCA; in the meantime you can disable the BB in PCA settings.

  42. Nick
    July 2nd, 2010 at 23:03 | #42

    Pedro,
    Whenever I click Winamp Agent from the Windows 7 system tray, all the pinned programs on my taskbar “refresh”. The large icons in the taskbar are replaced by a white colored file icon and after about five seconds go back to normal. When I stop Panda Cloud and try again, the Winamp window loads normally without disrupting the taskbar icons. My behaviour blocking is turned off btw.

  43. buddee
    July 3rd, 2010 at 14:18 | #43

    @nick please run winamp after disabling behavior blocker in PCA settings

  44. Nick
    July 3rd, 2010 at 22:57 | #44

    @ Buddee: I already did that to begin with and it’s still causing the issue. Please read the last post carefully.

  45. buddee
    July 4th, 2010 at 07:14 | #45

    @Nick

    my mistake! I suggest you come to the support forums and post a new thread; to solve your problem we need more detail.
    Thx

  46. Andrew
    July 5th, 2010 at 01:24 | #46

    @Ryan
    @buddee

    I’m hitting the same problem as Ryan in Windows 7 with Windows Media Player and rule 5007. I did a little experimentation and noticed that if I ripped music from my CDs with the ‘Copy protect music’ option set, playing the resultant file will trigger rule 5007. But if I rip the discs without ‘Copy protect music’ set then Panda doesn’t complain when I try to play the file.

    Could be Panda freaks out because WMP is using the protected pipeline for the audio file.

  47. July 5th, 2010 at 01:49 | #47

    @Andrew yes Andrew you are correct. The problem is that when WMP plays a protected media file, it executes a program to verify its license status. What PCAV is blocking is WMP from launching a new EXE from within its process. It will be fixed this week. In the meantime apply the fixes mentioned above.

  48. Ricardo
    July 6th, 2010 at 06:36 | #48

    I have a problem with Rule 5006, because it blocks exploring items in winamp >=( How can I make an exception for that?
    (sorry for the bad english)

  49. Ricardo
    July 6th, 2010 at 06:38 | #49

    @Ricardo

    OK, it seems the problem solved itself =P If the problem persists could someone please give me some info =P

  50. July 10th, 2010 at 18:28 | #50

    We released a fix for this yesterday so it should fix itself automatically. If it hasn’t fixed it on your PC yet, reboot for the fix to take effect and that should do it.
