Behavior Monitoring
OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or to installed software. Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change, or that completely block certain programs. In addition, programs that have a valid digital signature or that have been certified are always allowed to start.
So that it does not interfere with critical applications, OfficeScan leaves this feature disabled on server platforms. To enable this feature on a server computer, enable the Unauthorized Change Prevention Service. Refer to Additional Service Settings.
To manage behavior monitoring settings:
Networked Computers > Client Management > Settings > Behavior Monitoring Settings
From the Behavior Monitoring screen, update the following as required:
OfficeScan automatically enables Malware Behavior Blocking and disables Event Monitoring.
Enable Malware Behavior Blocking: Select this option to enable program behavior monitoring for proactive detection of malware and similar threats.
Enable Event Monitoring: Select this option to monitor system events that may introduce threats/security risks into the computer and then select an action for each system event:
Trend Micro recommends enabling Certified Safe Software Service to reduce the likelihood of false positive detections. See To enable Certified Safe Software Service.
Assess: Always allow processes associated with an event but record this action in the logs for assessment
Allow: Always allow processes associated with an event
Ask When Necessary: Prompts users to allow or deny processes that may have violated Behavior Monitoring policies
A prompt appears asking users to allow or deny the process and to add it to the Allowed Programs or Blocked Programs list. If the user does not respond within the time period specified in the Behavior Monitoring Settings screen, OfficeScan automatically allows the process to continue.
Deny: Always block processes associated with an event and record this action in the logs
Refer to Event monitoring rules for information on the different policies.
Event | Description | Default Action
Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. | Assess
Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the Web browser is redirected to infected, non-existent, or fake Web sites. | Assess
Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. | Assess
New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. | Assess
Internet Explorer Setting Modification | Many virus/malware change Internet Explorer settings, including the home page, trusted Web sites, proxy server settings, and menu extensions. | Assess
Security Policy Modification | Modifications in Windows Security Policy can allow unwanted applications to run and change system settings. | Assess
Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. | Assess
Shell Modification | Many malicious programs modify Windows shell settings to associate themselves with certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. | Assess
New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. | Assess
System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. | Assess
Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves access to the network and the Internet. | Assess
System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. | Assess
New Startup Program | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. | Assess
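The rules in the table describe what Behavior Monitoring watches for. The script below is an added illustration, not OfficeScan's own detection code: it shows what lightweight checks for three of those event categories (Hosts File Modification, Duplicated System File, and New Startup Program / Program Library Injection) look like when run over constructed sample data. The function names, the snapshot format, the sample hosts file, file paths and registry values are all assumptions made for this example; the two registry locations are real Windows autostart locations but are not named on this page.

```python
"""Added example: simple checks for three Behavior Monitoring event categories.

Not OfficeScan code. Function names, the snapshot format and every sample value
below are constructed for this illustration.
"""
import ipaddress
import ntpath

# --- Hosts File Modification -------------------------------------------------
def hosts_redirections(hosts_text, watched_names):
    """Return (name, ip) for every hosts entry that pins a watched domain name.

    A clean hosts file normally maps only localhost. An entry for a bank, vendor
    or update domain is what the rule is meant to surface, whether it redirects
    to a fake site or points the name at 127.0.0.1 to block updates.
    """
    watched = {n.lower() for n in watched_names}
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)                 # skip malformed lines
        except ValueError:
            continue
        findings.extend((n.lower(), ip) for n in names if n.lower() in watched)
    return findings

# --- Duplicated System File --------------------------------------------------
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

def duplicated_system_files(paths, system_file_names):
    """Return files that carry a Windows system file name but live outside the
    system directories (the copy-and-masquerade pattern the table describes)."""
    names = {n.lower() for n in system_file_names}
    findings = []
    for p in paths:
        norm = ntpath.normcase(ntpath.normpath(p))   # Windows path semantics on any OS
        if ntpath.basename(norm) in names and ntpath.dirname(norm) not in SYSTEM_DIRS:
            findings.append(p)
    return findings

# --- New Startup Program / Program Library Injection -------------------------
def new_autostart_entries(baseline, current):
    """Diff two snapshots of autostart locations ({location: {value_name: data}})
    and report values that are new or changed since the baseline was taken."""
    findings = []
    for location, values in current.items():
        for name, data in values.items():
            if baseline.get(location, {}).get(name) != data:
                findings.append((location, name, data))
    return findings

# --- constructed sample data -------------------------------------------------
HOSTS_SAMPLE = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.com       # constructed: redirect to a fake site
127.0.0.1       update.example-av.com      # constructed: blocks a vendor's updates
"""
FILE_SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\Public\svchost.exe",                  # constructed masquerade
    r"C:\Users\alice\AppData\Roaming\explorer.exe",  # constructed masquerade
    r"C:\Temp\notes.txt",
]
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BASELINE_SNAPSHOT = {
    RUN_KEY: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    APPINIT_KEY: {"AppInit_DLLs": ""},
}
CURRENT_SNAPSHOT = {
    RUN_KEY: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
              "Updater": r"C:\Users\Public\svchost.exe"},        # constructed addition
    APPINIT_KEY: {"AppInit_DLLs": r"C:\Users\Public\hook.dll"},  # constructed injection
}

def run_checks():
    """Run all three checks over the constructed samples and return the findings."""
    return {
        "hosts": hosts_redirections(HOSTS_SAMPLE, {"www.example-bank.com", "update.example-av.com"}),
        "dup_system_files": duplicated_system_files(FILE_SAMPLE, {"svchost.exe", "explorer.exe"}),
        "autostart": new_autostart_entries(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT),
    }

if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(check, hits)
```

Each check corresponds to the default action Assess: it reports the finding for review rather than blocking anything. The autostart diff needs a baseline taken from a known-good state, which is the same idea as the approved list: changes are judged against what was already there, not against a fixed list of bad values.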
Exceptions: Exceptions include Approved Programs and Blocked Programs. A program in Approved Programs can be started even if it violates behavior monitoring policies, while a program in Blocked Programs can never be started.
Enter Program Full Path: Type the full path of the program. Separate multiple entries with semicolons (;). Then click Approved Programs or Blocked Programs to add the entries to that list.
Approved Programs: Programs (maximum of 100) in this list can be started. Click the corresponding icon to delete an entry.
OfficeScan enables the Approved Programs List feature by default.
Blocked Programs: Programs (maximum of 100) in this list can never be started. Click the corresponding icon to delete an entry.
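To make the interaction between the per-event actions and the exception lists concrete, the following small policy evaluator is included as an added example; it is not OfficeScan code, and its class, function names, path handling and sample entries are assumptions. It applies the rules the page states: Blocked Programs never start, Approved Programs start even when they violate a rule, validly signed or certified programs are always allowed, and only then does the event's configured action apply, with Ask When Necessary falling back to allow when the user does not answer within the time period. The order in which the exception lists and the signature check are consulted is an assumption made for the example; the page does not state a precedence.

```python
"""Added example: a toy evaluator for Behavior Monitoring actions and exception lists.

Not OfficeScan code. Names, data model and the precedence between the checks are
assumptions made to illustrate the rules described in the settings text.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
import ntpath

# Outcomes of an evaluation
ALLOW, DENY = "allow", "deny"
# The four per-event actions offered on the Behavior Monitoring Settings screen
ASSESS, ALWAYS_ALLOW, ASK, ALWAYS_DENY = "Assess", "Allow", "Ask When Necessary", "Deny"

# Prompt callback (constructed): returns (allow, remember) for the user's answer,
# or None when the user does not respond within the configured time period.
PromptFn = Callable[[str, str], Optional[Tuple[bool, bool]]]

def norm(path: str) -> str:
    """Compare Windows paths case-insensitively, on any host OS."""
    return ntpath.normcase(ntpath.normpath(path))

def parse_program_list(text: str) -> set:
    """Parse the 'Enter Program Full Path' field: entries separated by ';', at most 100 per list."""
    entries = {e.strip() for e in text.split(";") if e.strip()}
    if len(entries) > 100:
        raise ValueError("Approved Programs and Blocked Programs hold at most 100 entries each")
    return entries

@dataclass
class BehaviorMonitoringPolicy:
    actions: dict                                  # event name -> action string
    approved: set = field(default_factory=set)     # Approved Programs (full paths)
    blocked: set = field(default_factory=set)      # Blocked Programs (full paths)
    prompt: Optional[PromptFn] = None              # how 'Ask When Necessary' reaches the user
    log: list = field(default_factory=list)        # (event, program, reason, outcome)

    def _record(self, event, program, reason, outcome):
        self.log.append((event, program, reason, outcome))
        return outcome

    def evaluate(self, program: str, event: str, signed=False, certified=False) -> str:
        path = norm(program)
        # Exception lists first (assumed order): Blocked never starts, Approved always does.
        if path in {norm(p) for p in self.blocked}:
            return self._record(event, program, "Blocked Programs", DENY)
        if path in {norm(p) for p in self.approved}:
            return self._record(event, program, "Approved Programs", ALLOW)
        # Validly signed or certified programs are always allowed to start.
        if signed or certified:
            return self._record(event, program, "signed/certified", ALLOW)
        action = self.actions.get(event, ASSESS)
        if action == ALWAYS_ALLOW:
            return ALLOW                                             # allowed, nothing logged
        if action == ASSESS:
            return self._record(event, program, "Assess", ALLOW)     # allowed but logged
        if action == ALWAYS_DENY:
            return self._record(event, program, "Deny", DENY)
        # Ask When Necessary: no answer within the time period means the process continues.
        answer = self.prompt(program, event) if self.prompt else None
        if answer is None:
            return self._record(event, program, "Ask: no response, allowed", ALLOW)
        allow, remember = answer
        if remember:                                                 # user added it to a list
            (self.approved if allow else self.blocked).add(program)
        return self._record(event, program, "Ask: user answered", ALLOW if allow else DENY)

def build_sample_policy(prompt: Optional[PromptFn] = None) -> BehaviorMonitoringPolicy:
    """Constructed sample settings: the paths and event choices are illustrative only."""
    return BehaviorMonitoringPolicy(
        actions={"New Service": ALWAYS_DENY,
                 "Hosts File Modification": ASK,
                 "New Startup Program": ASSESS,
                 "Security Policy Modification": ALWAYS_ALLOW},
        approved=parse_program_list(r"C:\Program Files\Backup\agent.exe; C:\Tools\deploy.exe"),
        blocked=parse_program_list(r"C:\Users\Public\dropper.exe"),
        prompt=prompt,
    )

if __name__ == "__main__":
    policy = build_sample_policy(prompt=lambda program, event: None)   # user never answers
    print(policy.evaluate(r"c:\users\public\DROPPER.EXE", "New Startup Program"))  # deny
    print(policy.evaluate(r"C:\Program Files\Backup\agent.exe", "New Service"))    # allow
    print(policy.evaluate(r"C:\Temp\unknown.exe", "New Service"))                  # deny
    print(policy.evaluate(r"C:\Temp\unknown.exe", "Hosts File Modification"))      # allow
    for entry in policy.log:
        print(entry)
```

The evaluator shows why the exception lists matter more than the per-event action when auditing a configuration: an entry in Approved Programs overrides a Deny on every event, so the approved list deserves the same review as the actions themselves, and an unanswered Ask When Necessary prompt quietly behaves like Allow.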
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
To enable Certified Safe Software Service:
Networked Computers > Global Client Settings
Under Behavior Monitoring Settings, select the Enable Certified Safe Software Service option.
Certified Safe Software Service allows Behavior Monitoring to reduce the likelihood of false positive detections. It queries Trend Micro cloud servers to verify whether a program detected by either Malware Behavior Blocking or Event Monitoring is a known safe application before permitting user access.
With Certified Safe Software Service enabled, an intermittent Internet connection or a wrong proxy setting can cause programs to appear unresponsive. This occurs when Behavior Monitoring cross-checks a detection using Certified Safe Software Service but is unable to receive an immediate response from Trend Micro servers. Ensure that clients have the correct Client Proxy Settings before enabling Certified Safe Software Service.
Click Save.
To modify the content of the notification message:
Notifications > Client user notifications
Click the Behavior Monitoring Policy Violation tab.
Modify the default messages in the text box provided.
Click Save.