Behavior Monitoring works in conjunction with Web Reputation Services and Real-time Scan to verify the prevalence of files downloaded through web channels, email applications, or Microsoft Office macro scripts. After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.
Behavior Monitoring scans the following file types for each channel:
Web (HTTP/HTTPS): Scans .exe files.
Email applications: Scans .exe, and compressed .exe files in unencrypted .zip and .rar files.
Administrators must enable Web Reputation Services on the agent to allow the Security Agent to scan HTTP or HTTPS traffic before this prompt can display.
The Security Agent matches the file names downloaded through email applications during the execution process. If the file name has been changed, the user does not receive a prompt.