The suspicious behavior approach does not attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user and ask what to do.
The suspicious behavior approach provides protection against zero-day viruses that are not yet in the dictionary. However, it can also sound a large number of false positives, and users may become desensitized to the warnings. This problem has worsened since 1997, since many more non-malicious program designs came to modify other executables without regard to this false positive issue. In recent years, however, sophisticated behavior analysis has emerged, which analyzes processes and calls to the kernel in context before making a decision, which gives it a lower false positive rate than rules-based behavior monitoring.
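To make the difference between the two monitoring styles concrete, here is an added example (not code from the original post, and not any real antivirus engine). It feeds a constructed stream of simulated kernel calls to two monitors: a rules-based one that flags every write to an executable, and a context-aware one that also looks at what the same process did beforehand. The event format, process names, paths and the specific context rule (executable not created by the writer, and prior network input) are all assumptions chosen for illustration.

```python
"""Toy comparison of rules-based vs. context-aware behavior monitoring.

Constructed example: Event records stand in for kernel-level calls
(file create, file write, socket receive). Nothing here is captured
from a real system or taken from a real product.
"""
from collections import defaultdict
from dataclasses import dataclass

# Extensions treated as "executable" for this toy; an assumption.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    call: str        # "create", "write" or "socket_recv"
    target: str = ""  # file path for create/write; empty for socket_recv


# Constructed sample event stream (not real telemetry).
EVENTS = [
    # A compiler writing to an executable it just created: benign.
    Event(100, "cc.exe", "create", "C:/build/app.exe"),
    Event(100, "cc.exe", "write", "C:/build/app.exe"),
    # An updater that downloads data and then patches an existing binary.
    Event(200, "updater.exe", "socket_recv"),
    Event(200, "updater.exe", "write", "C:/Program Files/app/app.exe"),
    # A document viewer that receives network data, then modifies a system DLL.
    Event(300, "viewer.exe", "socket_recv"),
    Event(300, "viewer.exe", "write", "C:/Windows/System32/helper.dll"),
    # An ordinary write to a non-executable file.
    Event(400, "notepad.exe", "write", "C:/Users/me/notes.txt"),
]


def is_executable(path: str) -> bool:
    """True if the path ends with one of the executable suffixes above."""
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def rules_based(events):
    """Rules-based monitor: flag every write to an executable, no context."""
    return [e.pid for e in events if e.call == "write" and is_executable(e.target)]


def context_aware(events):
    """Context-aware monitor: flag a write to an executable only when the
    writer did not create that file itself AND the same process previously
    received network data. This is a deliberately simple context rule."""
    created = defaultdict(set)  # pid -> set of executables that pid created
    received_net = set()        # pids that performed a socket_recv
    flagged = []
    for e in events:
        if e.call == "create":
            created[e.pid].add(e.target)
        elif e.call == "socket_recv":
            received_net.add(e.pid)
        elif e.call == "write" and is_executable(e.target):
            if e.target not in created[e.pid] and e.pid in received_net:
                flagged.append(e.pid)
    return flagged


if __name__ == "__main__":
    print("rules-based flags pids:", rules_based(EVENTS))    # [100, 200, 300]
    print("context-aware flags pids:", context_aware(EVENTS))  # [200, 300]
```

The compiler (pid 100) is a false positive for the rules-based monitor and disappears once context is applied, which is the gain the paragraph describes. The updater (pid 200) is still flagged by the context-aware rule, showing that context narrows the false-positive set rather than eliminating it; a real engine would add further signals (for example, whether the writer is the product's own installed updater) before deciding.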
Thursday, August 20, 2009
Suspicious Behaviour Monitoring