Process Protection- Bitdefender TechZone

ATC is a proactive and dynamic behavioral detection technology that continuously monitors process activities in real-time, including groups of processes. Its primary objective is to identify whether these activities exhibit malicious or benign behavior. ATC utilizes over 300 heuristics for detection. A selection of examples includes:

To look at the ransomware heuristics as an example, ATC takes a proactive stance to detect ransomware before it inflicts any damage on a compromised system. Most ransomware strains are identified in their early stages of execution, typically during activities such as reconnaissance, defense evasion via code injection, or attempts to establish persistence. The next layer of defense involves identifying ransomware when it attempts to remove backups, for example, by erasing volume shadows utilized by some antivirus vendors for file recovery (our proprietary Ransomware Mitigation uses a different approach). The final line of defense aims to detect ransomware very early in the encryption process to minimize the damage caused. In the event of suspicious file modifications, ATC promptly reports them to the disinfection engine, enabling ransomware remediation, provided that backup and restore technology is available.

In addition to heuristics, ATC leverages machine learning, which involves the analysis of more than 340 features extracted from groups of processes during their execution, including behavioral actions like API calls. These 'features' represent various characteristics or attributes that are relevant to process behavior. This machine learning approach utilizes supervised learning, a technique where an algorithm is trained on labeled data to recognize patterns and make predictions based on input features, helping to minimize false positives and detect threats on the client side.

Keep in mind that ATC is available on Windows and macOS (full version), and on Linux (report-only mode).

Process Introspection is an additional layer of protection against advanced in-memory attacks. It operates by applying advanced security checks during key operations performed by processes, such as process creation or module loading. Through these checks, we can determine whether an operation occurred within a malicious context or if a process has been compromised. These key operations include, but are not limited to:

These heuristics examine the process state to determine whether it has been maliciously altered. Notably, PI focuses on identifying malicious states, rather than merely monitoring malicious behaviors. For example, it can detect the process hollowing, regardless of the specific technique used.

A key distinction of PI is that it operates in kernel mode, eliminating the need for injecting user-mode components or placing hooks into protected processes. This improves performance, stability, and reduces the attack surface. PI exhibits resilience against user-mode attacks and remains resistant to most user-mode-based evasion techniques such as DLL unhooking. It has been validated against various post-exploitation frameworks (such as Metasploit, Cobalt Strike, Powershell Empire…) and their payloads.

In GravityZone, a probability score is assigned to everything, including files, processes, users, and machines. Specifically, this score reflects the likelihood that a process poses a threat. Both ATC and PI contribute to determining this process score, with each suspicious behavior influencing the overall rating. When this rating reaches a predefined threshold, an alarm is triggered, indicating that the process is considered highly likely to be a security threat. The threshold is determined as follows:

Available configuration options, including profile thresholds for applications and actions to be taken when infected applications are detected, are available under GravityZone policy in the section Antimalware -> On-Execute.

The ATC module supports exclusions from policy configuration for various types, such as file, process, file hash, certificate hash, threat name, and command line. Exclusion options can be configured in the Antimalware settings.

ATC offers configuration options for profile thresholds, each with a different approach:

Sensitive Registry Protection, safeguards critical registry keys, including those associated with the Security Account Manager (SAM), from unauthorized access or exploitation via Windows Remote Registry Protocol (MS-RRP), which is used to remotely manage the Windows registry. For example the SAM registry stores hashed passwords for local user accounts. Attackers can use exploitation techniques like malicious registry key dumping to extract the SAM registry and then attempt to crack the hashed passwords. If ATC is active on the remote machine with the Kill Process action, it will terminate the process that attempts to access the registry.

Kernel-API Monitoring enables advanced kernel-level detection of system integrity exploitation attempts. This functionality allows ATC to identify malicious attempts to manipulate kernel APIs for privilege escalation, such as unauthorized modifications to process tokens, indicating an attacker's effort to gain elevated system privileges. For optimal deployment, the module is disabled by default, and we recommend testing it in a controlled environment first to verify its impact and compatibility with your system.

Detailed information about ATC configurations can be found at our Bitdefender Support Center here.

To learn more about the technologies included in the protection layer we recommend reading the next article Software Exploit Protection.