Behavior monitoring

As part of on-access scanning, Sophos Behavior Monitoring protects Windows computers from unidentified or "zero-day" threats and suspicious behavior.

Run-time detection can intercept threats that cannot be detected before execution. Behavior monitoring uses the following run-time detection methods to intercept threats:

  • Malicious and suspicious behavior detection
  • Malicious traffic detection
  • Buffer overflow detection

Malicious and suspicious behavior detection

Suspicious behavior detection uses Sophos's Host Intrusion Prevention System (HIPS) to dynamically analyze the behavior of all programs running on the computer to detect and block activity that appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.

Suspicious behavior detection watches all system processes for signs of active malware, such as suspicious writes to the registry or file copy actions. It can be set to warn the administrator and/or block the process.

Malicious behavior detection dynamically analyzes all programs running on the computer to detect and block activity that is known to be malicious.

Malicious traffic detection

Malicious traffic detection detects communications between endpoint computers and command and control servers involved in botnet or other malware attacks.

Note: Malicious traffic detection requires Sophos Live Protection to be enabled in order to perform lookups and obtain the data. (By default, Sophos Live Protection is enabled.)

Buffer overflow detection

Buffer overflow detection is important for dealing with zero-day exploits.

It dynamically analyzes the behavior of programs running on the system in order to detect when an attempt is made to exploit a running process using buffer overflow techniques. It will catch attacks targeting security vulnerabilities in both operating system software and applications.
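The suspicious behavior and malicious traffic detections described above boil down to rules evaluated against process activity, with an administrator-chosen warn or block response. The following added example (not Sophos code, and not how the product is implemented) shows a minimal rule engine of that kind over constructed telemetry; the event fields, the autorun key pattern, and the `KNOWN_C2` set standing in for a reputation lookup are all assumptions.

```python
import re
from dataclasses import dataclass

# Registry paths under which a value makes a program start at logon or boot
# (the "run automatically when the computer is restarted" case from the text).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(RunOnce|RunServices|Run)(\\|$)", re.IGNORECASE)

# Stand-in for the reputation lookup a cloud service would answer.
# Constructed sample data, not a real indicator list.
KNOWN_C2 = {"c2.example.invalid"}

@dataclass
class Event:
    pid: int
    process: str
    action: str    # "RegSetValue", "FileCopy" or "NetConnect"
    target: str

def classify(ev: Event):
    """Return (category, reason) when an event looks suspicious or malicious, else None."""
    if ev.action == "RegSetValue" and AUTORUN_KEY.search(ev.target):
        return ("suspicious", "autorun registry key modified: " + ev.target)
    if ev.action == "FileCopy" and ev.target.lower().startswith("c:\\windows\\system32\\"):
        return ("suspicious", "file copied into system directory: " + ev.target)
    if ev.action == "NetConnect" and ev.target.split(":")[0].lower() in KNOWN_C2:
        return ("malicious_traffic", "connection to known C2 host: " + ev.target)
    return None

def monitor(events, block=False):
    """Warn mode only reports; block mode also stops further events from the offending process."""
    alerts, blocked = [], set()
    for ev in events:
        if ev.pid in blocked:          # process already terminated in block mode
            continue
        hit = classify(ev)
        if hit is None:
            continue
        category, reason = hit
        if block:
            blocked.add(ev.pid)
        alerts.append({"pid": ev.pid, "process": ev.process, "category": category,
                       "reason": reason, "action": "blocked" if block else "warned"})
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    Event(4120, "notepad.exe", "FileCopy", r"C:\Users\alice\Documents\notes.txt"),
    Event(5233, "updater.exe", "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(5233, "updater.exe", "NetConnect", "c2.example.invalid:443"),
    Event(6001, "setup.exe", "FileCopy", r"C:\Windows\System32\drv.dll"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS, block=True):
        print(alert)
```

In warn mode all three hits are reported; in block mode the second event from PID 5233 is never evaluated because the process was stopped at its first hit.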