Sophos implements behaviour blocking
Sophos has equipped its products with its so-called Behavioral Genotype Protection enhancement. This is aimed at identifying applications which exhibit suspicious behaviour, such as adding autostart keys to the registry and opening a port in listening mode.
In contrast to competitor products, the code is not executed: the behavioural blocking is purely an enhancement to the scan engine and is essentially signature-based in its function. According to Senior Technology Consultant Jens Freitag, a static code analysis, which recognises and evaluates characteristic activities, such as the creation of registry keys, is also carried out. It is therefore similar to Symantec's Bloodhound technology (PDF), which is also static. Other manufacturers, such as Norman, execute code within a so-called sandbox in order to analyse its behaviour. Yet others, such as Bitdefender and Kaspersky, monitor the live system and raise the alarm when they identify a program behaviour as suspicious.
Sophos Behavioral Genotype Protection is similar to classical heuristics and should, as with all signature-based procedures, be comparatively easy to fool. In initial spot tests by heise Security, it was able to identify new malware for which it did not have a specific signature and assign designations such as "Mal/Behav-007". Whether this will bring long-term improvements in the detection rate will remain unclear until systematic testing has been carried out. Sophos is releasing the Behavioral Genotype Protection enhancement through the regular update mechanism for all Sophos scan engines. It is automatically active in Scan Engine 2.38.2 and higher and Threat DB version 4.10 and higher.
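To make the static approach described above concrete, here is an added toy example (not Sophos code, and not how its engine is actually built) of a "behavioural genotype" classifier that never executes the file. It extracts printable strings from a binary blob, treats exact matches against known Win32 import names as evidence of API use, and combines two characteristic activities from the article, writing an autostart registry key and opening a listening port, into a verdict. The sample "binaries", the rule combinations and the verdict labels are all constructed for illustration; only the API and registry key names are real.

```python
"""Toy static 'behavioural genotype' scanner (illustrative, not Sophos code).

Mimics the idea in the article: look for characteristic activities in a
binary's embedded strings and imported API names without running it.
"""
import re
from dataclasses import dataclass, field

# Real Win32 names used as static indicators. How they are combined below is
# an assumption made for this example, not a documented Sophos rule.
AUTOSTART_KEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
]
REGISTRY_WRITE_APIS = {b"RegSetValueExA", b"RegSetValueExW",
                       b"RegCreateKeyExA", b"RegCreateKeyExW"}
LISTEN_APIS = {b"bind", b"listen"}  # both needed to accept inbound connections


@dataclass
class Genotype:
    """Result of a static scan: which activities were seen, and a verdict."""
    activities: set = field(default_factory=set)
    verdict: str = "clean"


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def genotype(blob: bytes) -> Genotype:
    """Classify a blob purely from its strings and import-style names."""
    strings = extract_strings(blob)
    names = set(strings)  # import table entries appear as whole strings
    g = Genotype()

    # Activity 1: an autostart key path plus an API able to write it.
    mentions_autostart = any(key in s for key in AUTOSTART_KEYS for s in strings)
    if mentions_autostart and (names & REGISTRY_WRITE_APIS):
        g.activities.add("writes_autostart_key")

    # Activity 2: the socket calls needed to open a listening port.
    if LISTEN_APIS <= names:
        g.activities.add("opens_listening_port")

    # Constructed verdict scale: one activity alone is common in legitimate
    # software (installers add Run keys, servers listen); both together is
    # the suspicious genotype this toy looks for.
    if len(g.activities) == 2:
        g.verdict = "suspicious"
    elif g.activities:
        g.verdict = "review"
    return g


def build_sample(imports: list, strings: list) -> bytes:
    """Constructed stand-in for a PE file: NUL-separated names plus filler."""
    return b"\x00".join(imports + strings) + b"\x00" + b"\x90" * 32


# Constructed samples (not real malware): only names, no executable code.
MALWARE_LIKE = build_sample(
    [b"RegSetValueExA", b"RegCreateKeyExA", b"WSAStartup", b"bind", b"listen"],
    [b"Software\\Microsoft\\Windows\\CurrentVersion\\Run", b"updater.exe"],
)
INSTALLER_LIKE = build_sample(
    [b"RegSetValueExA", b"CreateFileA"],
    [b"Software\\Microsoft\\Windows\\CurrentVersion\\Run", b"Setup complete"],
)
EDITOR_LIKE = build_sample([b"CreateFileA", b"WriteFile"], [b"Untitled.txt"])

if __name__ == "__main__":
    for label, blob in [("malware-like", MALWARE_LIKE),
                        ("installer-like", INSTALLER_LIKE),
                        ("editor-like", EDITOR_LIKE)]:
        g = genotype(blob)
        print(f"{label:15} {g.verdict:10} {sorted(g.activities)}")
```

Because the scanner only sees what is present in the clear in the file, it shares the weakness the article attributes to every signature-based method: the matching is on static features, not on what the program actually does at run time, which is exactly the trade-off between this approach and the sandbox or live-monitoring products mentioned above.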