Configuring Malware Behavior Blocking, Event Monitoring, and the Exception List

  1. Go to Agents > Agent Management.
  2. In the agent tree, click the root domain icon () to include all agents or select specific domains or agents.
  3. Click Settings > Behavior Monitoring Settings.
  4. Click the Rules tab.
  5. To enable Malware Behavior Blocking:
    1. Select Enable Malware Behavior Blocking and specify the types of threats to block:
      • Known threats: Blocks behaviors associated with known malware threats

      • Known and potential threats: Blocks behaviors associated with known threats and takes action on behavior that is potentially malicious

    2. Select which Ransomware Protection features you want to enable to protect against ransomware threats.
      • Protect documents against unauthorized encryption or modification: Stops potential ransomware threats from encrypting or modifying the contents of documents

        • Automatically back up and restore files changed by suspicious programs: Creates backup copies of files being encrypted on endpoints to prevent any loss of data if OfficeScan detects a ransomware threat

          Note:

          Automatic file backup requires at least 100 MB of disk space on the agent endpoint and only backs up files that are less than 10 MB in size.

      • Block processes commonly associated with ransomware: Blocks processes associated with known ransomware threats before any encryption or modification of documents can occur

      • Enable program inspection to detect and block compromised executable files: Program inspection monitors processes and performs API hooking to determine if a program is behaving in an unexpected manner. Although this procedure increases the overall detection ratio of compromised executable files, it may result in decreased system performance.

        Tip:

        Program inspection provides increased security if you select Known and potential threats in the Threats to block drop-down.

      For details, see Ransomware Protection.

    3. Under Anti-exploit Protection, enable Terminate programs that exhibit abnormal behavior associated with exploit attacks to protect against potentially exploited programs.
      Note:

      Anti-exploit Protection requires that you select Enable program inspection to detect and block compromised executable files.

      For details, see Anti-Exploit Protection.

  6. In the Newly Encountered Programs section, enable Monitor newly encountered programs downloaded through HTTP or email applications and select whether to Prompt user before executing the downloaded program or to have OfficeScan log the detections only.
  7. Configure Event Monitoring settings.
    1. Select Enable Event Monitoring.
    2. Choose the system events to monitor and select an action for each of the selected events.

      For information about monitored system events and actions, see Event Monitoring.

  8. Click the Exceptions tab to configure the exception lists.
    1. Under Type the full program path, type the full path of the program to approve or block. Separate multiple entries with semicolons (;).
    2. Click Add to Approved List or Add to Blocked List.
    3. To remove a blocked or approved program from the list, click the trash bin icon () next to the program.
      Note:

      OfficeScan accepts a maximum of 1024 approved programs and 1024 blocked programs.

  9. If you selected domain(s) or agent(s) in the agent tree, click Save. If you clicked the root domain icon, choose from the following options:
    • Apply to All Agents: Applies settings to all existing agents and to any new agent added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.

    • Apply to Future Domains Only: Applies settings only to agents added to future domains. This option will not apply settings to new agents added to an existing domain.