Events | Description |
---|---|
Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. |
Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites. |
Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. |
New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. |
Internet Explorer Setting Modification | Many virus/malware programs change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions. |
Security Policy Modification | Modifications in Windows Security Policy can allow unwanted applications to run and change system settings. |
Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. |
Shell Modification | Many malicious programs modify Windows shell settings to associate themselves with certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. |
New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. |
System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. |
Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves access to the network and the Internet. |
System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. |
New Startup Program | Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts. |

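
To make the Hosts File Modification event in the table above concrete, the following added example (not OfficeScan code and not part of the original documentation) audits Hosts file content for entries that deviate from the default file. The sample content, the `audit_hosts` function, and the assumption that only `localhost` entries are expected are all constructed for illustration.

```python
import ipaddress

# Constructed sample Hosts file content (not taken from a real incident).
SAMPLE_HOSTS = """\
# Sample hosts file used by the added example
127.0.0.1       localhost
::1             localhost
203.0.113.25    login.example-bank.test www.example-bank.test  # redirect
0.0.0.0         update.example-av.test
not-an-ip       broken.example.test
"""

BENIGN_NAMES = {"localhost"}  # assumption: only the default entries are expected


def audit_hosts(text):
    """Return (line_no, kind, address, hostname) for each non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # strip trailing comment
        if len(entry) < 2:
            continue  # blank line, comment, or address with no hostname
        address, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(address.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            findings.append((line_no, "malformed", address, names[0]))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in BENIGN_NAMES and ip.is_loopback:
                continue  # default localhost mapping
            # Loopback or unspecified targets make the name unreachable;
            # any other address sends the browser to a different server.
            blocked = ip.is_loopback or ip.is_unspecified
            kind = "blocked" if blocked else "redirected"
            findings.append((line_no, kind, str(ip), name))
    return findings


if __name__ == "__main__":
    for line_no, kind, address, name in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, name, address, kind))
```

On a Windows endpoint the same function can be given the contents of `%SystemRoot%\System32\drivers\etc\hosts`; entries an administrator added deliberately will also be reported and need to be reviewed against a known-good baseline.
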
Action | Description |
---|---|
Assess | OfficeScan always allows programs associated with an event but records this action in the logs for assessment. This is the default action for all monitored system events. |
Allow | OfficeScan always allows programs associated with an event. |
Ask when necessary | OfficeScan prompts users to allow or deny programs associated with an event and add the programs to the exception list. If the user does not respond within a certain time period, OfficeScan automatically allows the program to run. The default time period is 30 seconds. To modify the time period, see Configuring Global Behavior Monitoring Settings. |
Deny | OfficeScan always blocks programs associated with an event and records this action in the logs. When a program is blocked and notifications are enabled, OfficeScan displays a notification on the OfficeScan client computer. For details about notifications, see Behavior Monitoring Notifications for OfficeScan Client Users. |