behavior_monitoring_logs

Behavior Monitoring Logs

Clients log unauthorized program access instances and send the logs to the server. A client that runs continuously aggregates the logs and sends them every 60 minutes, by default.

To keep the size of logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule. For more information about managing logs, see Managing Logs.

To view behavior monitoring logs:

• Logs > Networked Computer Logs > Security Risks > View Logs > Behavior Monitoring Logs
  
  Networked Computers > Client Management > Logs > Behavior Monitoring Logs

1. Specify log criteria and click Display Logs.

2. View logs. Logs contain the following information:

• Date/Time unauthorized process was detected

• Computer where unauthorized process was detected

• Event monitoring rule violated by the process

• OfficeScan action performed when violation was detected

• Type of object accessed by the program

• Risk level of the unauthorized program

• Program, which is the unauthorized program

• Operation, action performed by the unauthorized program

• Target, which is the process that was accessed

• Policy name of the event monitoring rule

To configure the Behavior Monitoring log sending schedule:

1. Access <Server installation folder>\PCCSRV.

2. Open the ofcscan.ini file using a text editor such as Notepad.

3. Search for the string "SendBMLogPeriod" and then check the value next to it. The default value is 3600 seconds and the string appears as SendBMLogPeriod=3600.

4. Specify the value in seconds. For example, to change the log period to 2 hours, change the value to 7200.

5. Save the file.

6. Go to Networked Computers > Global Client Settings.

7. Click Save without changing any setting.

8. Restart the client.

See also:

• Behavior Monitoring