Sophos Anti-virus for Windows 2000+: HIPS runtime behavior Frequently Asked Questions

  • Article ID: 48765
  • Updated: 05 Jul 2010

Q. The term HIPS seems to mean different things to different security vendors. What is included in Sophos HIPS?

A. A Host Intrusion Prevention System (HIPS) monitors the behavior of code to stop malware before a specific detection update is released. Many HIPS solutions monitor code when it runs and intervene if the code is deemed to be suspicious or malicious. Sophos goes one step further — our technology uniquely analyzes the behavior of code at two stages:

  • Pre-execution: the behavior of code is analyzed before it runs and is prevented from running if it is considered to be suspicious or malicious (e.g. Behavioral Genotype ®, Suspicious File Detection)
  • Runtime: runtime detection intercepts threats that cannot be detected before execution (e.g. Suspicious behaviour detection, Buffer Overflow Protection (BOPS)).

Q. What is the difference between Behavioral Genotype, Suspicious File detection and Suspicious behavior detection?

A. Behavioral Genotype® is a technology used to identify specific characteristics of files before they execute, to determine whether they have malicious intent. Using this technology, we can detect new versions of malware without analysis, as it can be determined that although the file may look different to other malware samples seen previously, the fundamental characteristics remain the same, and those characteristics are malicious.

Suspicious File Detection uses Behavioral Genotype® technology, but in a looser way. Sophos Anti-Virus' Suspicious File Detection also examines the characteristics of a file before it executes. The program flags the file as "Suspicious" (prefix Sus/) if it contains a combination of characteristics commonly, but not exclusively, found in malware.

Suspicious Behavior detection is a runtime HIPS technology that evaluates process behavior during execution and alerts users of potentially malicious actions being performed. Suspicious Behavior detection also uses Behavioral Genotype® technology to inspect running processes and tries to determine whether the observed behavior is being performed by a process with malware characteristics. In this way, Suspicious Behavior detection is effective at preventing infection from unknown malware.

Suspicious Behavior detection can be configured to simply alert users to these behaviors or to take action to prevent them.

Q. What does HIPS runtime behavior analysis protect me from?

A. Sophos HIPS runtime behavior analysis identifies the suspicious behavior of processes that are running and present on the computer at the time. This analysis protects you against attacks from malware, spyware, hacking tools and Potentially Unwanted Applications as well as some exploits and intruder attacks.

Q. What kinds of behaviors does Sophos HIPS runtime behavior analysis look for?

A. Sophos HIPS runtime behavior analysis monitors active processes for behaviors associated with known malware. Examples of these behaviors would be registry modifications that reference, or are set by, suspicious-looking files, suspicious-looking files being written to the file system and processes being started in a suspicious or unusual way. For further information please refer to the Sophos HIPS runtime behavior analysis rule descriptions at

Q. How does Sophos Runtime HIPS compare to products from other vendors?

A. Cascadia labs have performed a comparative study which you can find at

Q. How effective is Sophos HIPS runtime behavior analysis and why should I use it?

A. SophosLabs perform HIPS runtime behavior analysis tests each day on the latest malware not otherwise detected at the time. These tests show that HIPS runtime behavior analysis correctly identifies up to 45% of this new malware (zero day threats).

Q. How can I tell whether a HIPS runtime behavior alert is an unwanted detection or a genuine threat? Is there any process I should follow to help me come to a decision?

A. Please refer to Sophos Anti-Virus for Windows 2000+: deciding whether to allow or block a file for a decision-making guide.

Q. I need more detail about what is going on. Why don't the online rule descriptions have more information?

A. The online rule descriptions are designed to give a concise overview of the behavior that has been detected so that it may help you decide whether to submit the file for analysis or authorise it for use. However, it would not be wise to detail exactly how the technology works for all the world (including malware authors) to see. Refer to the online HIPS descriptions for more technical detail.

Q. I don't want to know if a process might be malware, I want to know if it is malware. You are the experts, so why should I have to decide for myself?

A. Sophos does aim to provide a definitive answer about whether or not a file or process is malicious. We even have targets to keep "suspicious" detections below a certain percentage of all detections because we understand that our primary role is to take that decision on behalf of our customers.

HIPS runtime behavioral analysis provides an additional layer of protection against unknown malware by identifying up to 45% of previously unseen malware, but it does not replace any of our more precise standard anti-malware technologies, which are amongst the best in the industry.

In order to deliver this extra layer of protection, it is sometimes necessary that a human being interprets the results of a scan. In some instances, an understanding of the context of the detection can make the difference in determining whether a file or process is malicious. We appreciate that there is an overhead to taking advantage of this extra protection and have made HIPS runtime behavioural analysis optional as a result.
Sophos continues to create new technologies to find and detect malware, and we will continue to improve our detection rate while minimising the management overhead associated with that protection. It is our objective to detect all malware and accurately classify "suspicious files" as either "clean" or "malicious" without user involvement.

Q. What is an "unwanted detection"? Isn't it the same as a false positive?

A. No. We use the term “unwanted detection” with regard to suspicious behavior alerts on clean files. It is not the same as a false positive, as the reported file HAS actually performed some behavior more commonly seen in malware than legitimate software. Occasionally, legitimate software exhibits these behaviors, which is why we need you to assess the alert and decide whether you are confident that the item is in fact legitimate. If you are unsure, we are always available to analyse the file and confirm whether it is a genuine threat or not.

Every effort is made to keep the number of unwanted detections to a minimum and in the unlikely event that a clean file consistently triggers an alert, we may choose to suppress that alert in a future version of the software.

Q. How should I use Sophos HIPS runtime behavioural analysis in order to get fewer unwanted detections?

A. Please refer to the HIPS runtime behavior analysis best practice document for more details.

Q. Why do I need to turn Sophos HIPS runtime behavior analysis to Alert Only mode while I install software? Won't I get infected?

A. You will still have excellent protection using Sophos' other anti-malware technologies, including Behavioral Genotype and Suspicious File Detection, when HIPS runtime behavioural analysis is turned to Alert Only mode.

Software installations usually cause many changes to both the registry and the file system of the computer. Obviously these changes are necessary for the installation to be successful, but they can be confusing for runtime behavior checking. With new files appearing/disappearing and registry changes being made in high volumes, there is an increased likelihood that some behavior will be performed that, outside of the context of a software install, would normally be considered to be suspicious. For this reason we recommend that you set HIPS runtime behavior analysis to Alert Only mode during software installations in order to prevent unwanted detections. Please refer to the HIPS runtime behavior analysis best practice document for more information.

The risk of getting infected during installation is minimal provided that you have taken steps to ensure that the software you wish to install is from a trusted and legitimate source and has not been altered in any way.

Q. I have software that is set to automatically install updates and patch itself, including the OS. Should I turn Sophos HIPS runtime behavior analysis to Alert Only mode permanently?

A. That is one way of protecting your systems from malware using HIPS runtime behavior analysis, however, we recommend that you authorise these applications instead. This will allow you to use HIPS runtime behavior analysis to automatically block malware from executing, as well as allowing your update software to run as usual, without generating alerts.

Also bear in mind that some behavior is easier to determine as malicious with Alert Only mode switched off, as described in this SophosLabs blog article:

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent