Event Monitoring Parent topic

Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It monitors system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
The following table provides a list of monitored system events.

Monitored System Events

Duplicated System File
Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files.
Hosts File Modification
The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites.
Suspicious Behavior
Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution.
New Internet Explorer Plugin
Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects.
Internet Explorer Setting Modification
Many virus/malware change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions.
Security Policy Modification
Modifications in Windows Security Policy can allow unwanted applications to run and change system settings.
Program Library Injection
Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts.
Shell Modification
Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications.
New Service
Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden.
System File Modification
Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior.
Firewall Policy Modification
The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access to the network and the Internet.
System Process Modification
Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes.
New Startup Program
Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts.
When Event Monitoring detects a monitored system event, it performs the action configured for the event.
The following table lists possible actions that administrators can take on monitored system events.

Actions on Monitored System Events

OfficeScan always allows programs associated with an event but records this action in the logs for assessment.
This is the default action for all monitored system events.
This option is not supported for Program Library Injections on 64-bit systems.
OfficeScan always allows programs associated with an event.
Ask when necessary
OfficeScan prompts users to allow or deny programs associated with an event and add the programs to the exception list
If the user does not respond within a certain time period, OfficeScan automatically allows the program to run. The default time period is 30 seconds. To modify the time period, see Modifying the Time Period Before a Program is Allowed to Run.
This option is not supported for Program Library Injections on 64-bit systems.
OfficeScan always blocks programs associated with an event and records this action in the logs.
When a program is blocked and notifications are enabled, OfficeScan displays a notification on the OfficeScan client computer. For details about notifications, see Behavior Monitoring Notifications for OfficeScan Client Users.