About behavior monitoring

As part of on-access scanning, Sophos Behavior Monitoring protects Windows computers from unidentified or "zero-day" threats and suspicious behavior.

Runtime detection can intercept threats that cannot be detected before execution. Behavior monitoring uses the following runtime detection methods to intercept threats:

  • Malicious and suspicious behavior detection
  • Buffer overflow detection

Malicious and suspicious behavior detection

Suspicious behavior detection uses Sophos’s Host Intrusion Prevention System (HIPS) to dynamically analyze the behavior of all programs running on the computer to detect and block activity that appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.

Suspicious behavior detection watches all system processes for signs of active malware, such as suspicious writes to the registry or file copy actions. It can be set to warn the administrator and/or block the process.
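As an added illustration (not Sophos code), the following models the registry check described above: a write to a location that would make a program start automatically at boot or logon, made by a process that is not on a trust list, is reported either as a warning or as a block depending on the configured policy. The event format, the process allow list and the sample events are all assumptions constructed for this example; the autorun key names are standard Windows locations.

```python
import re
from dataclasses import dataclass

# Registry locations whose modification lets a program run automatically at restart/logon.
# The set here is illustrative, not the vendor's actual rule list.
AUTORUN_KEY_PATTERNS = [
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$",
    r"^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+$",
]
AUTORUN_RE = re.compile("|".join(f"(?:{p})" for p in AUTORUN_KEY_PATTERNS), re.IGNORECASE)

# Installers and the OS itself write these keys legitimately; an allow list keeps noise down (assumed).
TRUSTED_IMAGES = {r"c:\windows\system32\msiexec.exe", r"c:\windows\system32\services.exe"}

@dataclass
class RegistryWrite:
    pid: int
    image: str        # full path of the process performing the write
    key: str          # registry key path, hive abbreviated (HKLM, HKCU)
    value_name: str

def is_suspicious(ev: RegistryWrite) -> bool:
    """True when a process outside the allow list writes to an autorun location."""
    if ev.image.lower() in TRUSTED_IMAGES:
        return False
    return AUTORUN_RE.search(ev.key) is not None

def evaluate(events, block: bool):
    """Return (pid, verdict) per event: 'warn' alerts only, 'block' also stops the process."""
    verdicts = []
    for ev in events:
        if is_suspicious(ev):
            verdicts.append((ev.pid, "block" if block else "warn"))
        else:
            verdicts.append((ev.pid, "allow"))
    return verdicts

# Constructed sample events: two autorun writes by untrusted binaries, one by an installer,
# one ordinary application setting.
SAMPLE_EVENTS = [
    RegistryWrite(4120, r"C:\Users\alice\AppData\Local\Temp\update.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater"),
    RegistryWrite(712, r"C:\Windows\System32\msiexec.exe", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VendorAgent"),
    RegistryWrite(5003, r"C:\Program Files\Editor\editor.exe", r"HKCU\Software\Editor\Settings", "Theme"),
    RegistryWrite(2201, r"C:\Users\alice\Downloads\tool.exe", r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
]

if __name__ == "__main__":
    for pid, verdict in evaluate(SAMPLE_EVENTS, block=False):
        print(pid, verdict)
```

Switching `block=False` to `block=True` shows the difference between the warn-only and block policies for the same events.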

Malicious behavior detection dynamically analyzes all programs running on the computer to detect and block activity that is known to be malicious.

Buffer overflow detection

Buffer overflow detection is important for dealing with zero-day exploits.

It dynamically analyzes the behavior of programs running on the system in order to detect when an attempt is made to exploit a running process using buffer overflow techniques. It will catch attacks targeting security vulnerabilities in both operating system software and applications.