Behavior monitoring
As part of on-access scanning, Sophos Behavior Monitoring protects Windows computers from unidentified or "zero-day" threats and suspicious behavior.
Run-time detection can intercept threats that cannot be detected before execution. Behavior monitoring uses the following run-time detection methods to intercept threats:
- Malicious and suspicious behavior detection
- Malicious traffic detection
- Buffer overflow detection
Malicious and suspicious behavior detection
Suspicious behavior detection uses Sophos's Host Intrusion Prevention System (HIPS) to dynamically analyze the behavior of all programs running on the computer to detect and block activity that appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.
Suspicious behavior detection watches all system processes for signs of active malware, such as suspicious writes to the registry or file copy actions. It can be configured to warn the administrator, block the process, or both.
Malicious behavior detection dynamically analyzes all programs running on the computer to detect and block activity that is known to be malicious.
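As an added illustration of the registry signal this section describes (example code, not Sophos's implementation), the toy rule below scans a constructed stream of process registry events, flags writes to autorun keys, and applies a warn-or-block policy; the event tuple shape and the allowlist handling are assumptions.

```python
"""Toy behavior-monitoring rule for one of the signals the page names:
a process writing to a Windows autorun registry key. Added example, not
Sophos code; the event format and the allowlist handling are assumptions."""

# Well-known autorun (persistence) locations, upper-cased with short hive names.
# The Run prefix also covers RunOnce.
AUTORUN_KEYS = (
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)

def is_autorun_write(key: str) -> bool:
    """True if the key sits under Run/RunOnce, in either spelling of the hive."""
    k = (key.upper().replace("HKEY_LOCAL_MACHINE", "HKLM")
                    .replace("HKEY_CURRENT_USER", "HKCU"))
    return any(k.startswith(a) for a in AUTORUN_KEYS)

def evaluate(events, policy="warn", allowlist=()):
    """Return (process, key, action) for each suspicious autorun write.

    events: iterable of (process, operation, key) tuples (constructed shape).
    policy: "warn" alerts the administrator; "block" also stops the process.
    allowlist: process names trusted to edit autorun keys, e.g. installers."""
    trusted = {p.lower() for p in allowlist}
    verdicts = []
    for process, op, key in events:
        if op != "RegSetValue" or not is_autorun_write(key):
            continue                      # reads and unrelated writes are normal
        if process.lower() in trusted:
            continue                      # known-good software, no alert
        verdicts.append((process, key, policy))
    return verdicts

# Constructed sample events in the assumed (process, operation, key) shape.
SAMPLE_EVENTS = [
    ("explorer.exe", "RegQueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("setup.exe", "RegSetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("invoice.pdf.exe", "RegSetValue",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\svc"),
    ("notepad.exe", "RegSetValue", r"HKCU\Software\Microsoft\Notepad\Settings"),
]

if __name__ == "__main__":
    for process, key, action in evaluate(SAMPLE_EVENTS, "block", allowlist=("setup.exe",)):
        print(f"{action.upper()}: {process} wrote to {key}")
```

With the allowlist in place only the unknown executable is reported; without it the installer's write is reported too, which is the trade-off between coverage and noise an administrator tunes with the warn/block setting.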
Malicious traffic detection
Malicious traffic detection identifies communications between endpoint computers and the command-and-control servers used in botnet and other malware attacks.
Buffer overflow detection
Buffer overflow detection is important for dealing with zero-day exploits.
It dynamically analyzes the behavior of programs running on the system to detect attempts to exploit a running process with buffer overflow techniques, catching attacks that target security vulnerabilities in both operating system software and applications.