Event Monitoring

Duplicated System File

Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files.

Hosts File Modification

The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites.

Suspicious Behavior

Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution.

New Internet Explorer Plugin

Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects.

Internet Explorer Setting Modification

Malware programs may change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions.

Security Policy Modification

Modifications in Windows Security Policy can allow unwanted applications to run and change system settings.

Program Library Injection

Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts.

Shell Modification

Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications.

New Service

Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden.

System File Modification

Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior.

Firewall Policy Modification

The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access to the network and the Internet.

System Process Modification

Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes.

New Startup Program

Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts.

Assess

The Security Agent always allows programs associated with an event to run and logs the event for assessment.

This is the default action for all monitored system events.

Allow

The Security Agent always allows programs associated with an event to run.

Ask when necessary

The Security Agent prompts users to allow or deny programs associated with an event from running and adds the programs to the exception list

If the user does not respond within a certain time period, the Security Agent automatically allows the program to run. The default time period is 30 seconds.

To modify the time period, see Configuring Global Behavior Monitoring Settings.

Deny

The Security Agent always blocks programs associated with an event from running and logs the event.

After blocking a program with notifications enabled, the Security Agent displays a notification on the endpoint.

For details about notifications, see Behavior Monitoring Notifications for Security Agent Users.