[utsav.0202]

Hi,
I am trying to detect a malware process on the basis of its behavior.
e.g. a process creates a file that has the same name as that of any "Microsoft.exe" or
it loads modules into address space of other processes or
opens different ports
and so on.

I don't know what are the possible malware process's behavior.
How to differentiate it from a "white process"?

Thanks and Regards

[Buster_BSA]

I coded a malware behaviour analyzer (Buster Sandbox Analyzer) so I know what you mean.

In my experience generically you can not tell a program has a malware behaviour and be sure 100%. You can only show to the user the most representative actions that look like malware behaviour and let the user decide if they look suspicious or not. Why? Because many times the "suspiciousness" depends of the program you are analyzing.

[utsav.0202]

....actions that look like malware behaviour......

what actions exactly??

[Buster_BSA]

....actions that look like malware behaviour......

what actions exactly??

Modify certain registry keys/values.
Drop certain types of files like EXE, DLL, SYS.
...

Those actions can be performed by trusted software too, that´s why only the user can decide if they are suspicious or not. Just one example:

When you install the software for your webcam, a driver will be dropped to disk and registry will be modified so Windows loads the driver when it starts.

Is that ok? For sure.

Now imagine a keygen does the same actions. Is that ok? For sure it´s not.

Conclusions: the same actions can be ok and wrong.

[utsav.0202]

but there are antiviruses that kill processes on the basis of their behaviour without any user interaction.

[Buster_BSA]

but there are antiviruses that kill processes on the basis of their behaviour without any user interaction.

And I guess they have white/trusted lists because it´s not possible to know what process is malware and what process is not.