Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating system or to installed software. Behavior Monitoring protects endpoints through Malware Behavior Blocking and Event Monitoring. Complementing these two features are a user-configured exception list and the Certified Safe Software Service.
Important!
Behavior Monitoring only supports 32-bit platforms.
By default, Behavior Monitoring is disabled on 32-bit versions of Windows Server 2003 and Windows Server 2008. Before enabling Behavior Monitoring on these server platforms, read the guidelines and best practices outlined in Client Services.
Malware Behavior Blocking provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time. As programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.
When a program is blocked and notifications are enabled, OfficeScan displays a notification on the client computer. For details about notifications, see Behavior Monitoring Notifications for Client Users.
Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It monitors system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
Monitored system events include:
| Event | Description |
|---|---|
| Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. |
| Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites. |
| Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. |
| New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. |
| Internet Explorer Setting Modification | Many viruses/malware change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions. |
| Security Policy Modification | Modifications to the Windows Security Policy can allow unwanted applications to run and change system settings. |
| Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. |
| Shell Modification | Many malicious programs modify Windows shell settings to associate themselves with certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. |
| New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. |
| System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. |
| Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves access to the network and the Internet. |
| System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. |
| New Startup Program | Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts. |
When Event Monitoring detects a monitored system event, it performs the action configured for the event. You can choose from the following actions:
Actions on Monitored System Events

| Action | Description |
|---|---|
| Assess | OfficeScan always allows programs associated with an event but records this action in the logs for assessment. This is the default action for all monitored system events. |
| Allow | OfficeScan always allows programs associated with an event. |
| Ask when necessary | OfficeScan prompts users to allow or deny programs associated with an event and to add the programs to the exception list. If the user does not respond within a certain time period, OfficeScan automatically allows the program to run. The default time period is 30 seconds. To modify the time period, see "To modify the time period before a program is allowed to run" below. |
| Deny | OfficeScan always blocks programs associated with an event and records this action in the logs. When a program is blocked and notifications are enabled, OfficeScan displays a notification on the client computer. For details about notifications, see Behavior Monitoring Notifications for Client Users. |
The Behavior Monitoring exception list contains programs that are not monitored by Behavior Monitoring.
Approved Programs: Programs in this list can be run. An approved program will still be checked by other OfficeScan features (such as file-based scanning) before it is finally allowed to run.
Blocked Programs: Programs in this list can never be started. To configure this list, Event Monitoring should be enabled.
Configure the exception list from the web console. You can also grant users the privilege to configure their own exception list from the client console. For details, see Behavior Monitoring Privileges.
To configure Malware Behavior Blocking, Event Monitoring, and the exception list:

Networked Computers > Client Management

1. In the client tree, click the root domain icon to include all clients, or select specific domains or clients.
2. Click Settings > Behavior Monitoring Settings.
3. Select Enable Malware Behavior Blocking.
4. Configure Event Monitoring settings.
   a. Select Enable Event Monitoring.
   b. Choose the system events to monitor and select an action for each of the selected events. For information about monitored system events and actions, see Event Monitoring.
5. Configure the exception list.
   a. Under Enter Program Full Path, type the full path of the program to approve or block. Separate multiple entries with semicolons (;). The exception list supports wildcards and UNC paths.
   b. Click Approve Programs or Block Programs. OfficeScan accepts a maximum of 100 approved programs and 100 blocked programs.
   c. To remove a blocked or approved program from the list, click the trash bin icon next to the program.
6. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
   Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
   Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
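The exception-list field described above takes semicolon-separated full paths, accepts wildcards and UNC paths, and holds at most 100 entries per list. The following Python is an added example, not OfficeScan's own code, that models that format and classifies a program path against constructed approved and blocked lists; the shell-style wildcard semantics and the handling of a path present in both lists are assumptions, since the page does not specify them.

```python
"""Added example (not OfficeScan's own code): a model of the Behavior
Monitoring exception-list format: semicolon-separated full paths, wildcard
and UNC entries, and a 100-entry limit per list."""
import fnmatch
import ntpath

MAX_ENTRIES = 100  # OfficeScan accepts at most 100 approved and 100 blocked


def parse_entries(text):
    """Split the 'Enter Program Full Path' field into individual entries.

    Entries are separated by semicolons; surrounding whitespace and empty
    entries are dropped. Raises ValueError if the list exceeds the limit.
    """
    entries = [e.strip() for e in text.split(";") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    return entries


def normalize(path):
    """Windows paths are case-insensitive and accept either separator, so
    compare a lower-cased, backslash-normalised form (UNC prefixes survive)."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def matches(entry, program_path):
    """True if program_path matches an exception entry. Assumption: wildcards
    follow shell-style semantics (* and ?); the page only says they are supported."""
    return fnmatch.fnmatchcase(normalize(program_path), normalize(entry))


def classify(program_path, approved, blocked):
    """Return 'approved', 'blocked', 'conflict' or 'not listed'.

    The page states no precedence for a path present in both lists, so such a
    path is reported as a conflict for the administrator to resolve.
    """
    in_approved = any(matches(e, program_path) for e in approved)
    in_blocked = any(matches(e, program_path) for e in blocked)
    if in_approved and in_blocked:
        return "conflict"
    if in_blocked:
        return "blocked"
    return "approved" if in_approved else "not listed"


# Constructed sample lists, written exactly as typed into the console field.
APPROVED = parse_entries(r"C:\Program Files\Corp\*.exe; \\fileserver\tools\deploy.exe")
BLOCKED = parse_entries(r"C:\Users\*\Downloads\*.exe;C:\Program Files\Corp\legacy.exe")
```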
To modify the time period before a program is allowed to run:

Networked Computers > Global Client Settings

This setting only works if Event Monitoring is enabled and the action for a monitored system event is "Ask when necessary". This action prompts a user to allow or deny programs associated with the event. If the user does not respond within a certain time period, OfficeScan automatically allows the program to run. For details, see Event Monitoring.

1. Go to the Behavior Monitoring Settings section.
2. Specify the time period in Automatically allow program if client does not respond within __ seconds.
3. Click Save.
The Certified Safe Software Service queries Trend Micro datacenters to verify the safety of a program detected by either Malware Behavior Blocking or Event Monitoring. Enable Certified Safe Software Service to reduce the likelihood of false positive detections.
Ensure that clients have the correct Client Proxy Settings before enabling Certified Safe Software Service. Incorrect proxy settings, along with an intermittent Internet connection, can result in delays or failure to receive a response from Trend Micro datacenters, causing monitored programs to appear unresponsive.
In addition, pure IPv6 clients cannot query directly from Trend Micro datacenters. A dual-stack proxy server that can convert IP addresses, such as DeleGate, is required to allow the clients to connect to the Trend Micro datacenters.
To enable Certified Safe Software Service:

Networked Computers > Global Client Settings

1. Go to the Behavior Monitoring Settings section.
2. Select the Enable Certified Safe Software Service option.
3. Click Save.