Configure how Behavior Monitoring is applied to the policy.
Important: By default, Behavior Monitoring is disabled on all versions of Windows Server platforms.
Before configuring Behavior Monitoring, you must enable the feature. Once enabled, configure the following settings.
Monitoring Level
The monitoring level is the degree of vigilance and strictness applied when detecting and responding to potential threats. Raising the level increases the sensitivity of the sensor, which increases the number of detections and alerts. Higher levels allow for stricter monitoring to help with situations such as ongoing threat investigations, but might generate a large number of nonessential logs and impact endpoint performance. Trend Micro recommends setting the monitoring level to 2 - Moderate to balance more relevant data with minimal impact on your endpoints. Some components used by higher monitoring levels are not available on all platforms.
Malware Behavior Blocking
Malware Behavior Blocking provides an additional layer of protection against programs that exhibit malicious behavior. It observes system events over a period of time. As programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature for a higher level of protection against new, unknown, and emerging threats.
Malware Behavior Blocking provides the following threat-level scanning options:
- Known threats: Blocks behaviors associated with known malware threats
- Known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious
After blocking a program with notifications enabled, the Trend Vision One Endpoint Security agent displays a notification on the endpoint.
Ransomware Protection
Ransomware Protection prevents the unauthorized modification or encryption of files on agents by ransomware threats. Ransomware is a type of malware that restricts access to files and demands payment to restore the affected files.
Apex One provides the following methods to protect your environment from ransomware threats.
Note: To reduce the chance of the Trend Vision One Endpoint Security agent detecting a safe process as malicious, ensure that the agent has Internet access to perform additional verification using Trend Micro servers.
| Option | Description |
|---|---|
| Protect documents against unauthorized encryption or modification | You can configure Behavior Monitoring to detect a specific sequence of events that may indicate a ransomware attack. After Behavior Monitoring matches all of the criteria for that sequence, the Trend Vision One Endpoint Security agent terminates and attempts to quarantine the malicious programs. Additionally enable Automatically back up files changed by suspicious programs to create copies of files being encrypted on endpoints. After the encryption process completes and Apex One detects a ransomware threat, Apex One prompts end users to restore the affected files without suffering any loss of data. |
| Block processes commonly associated with ransomware | Ransomware commonly distributes executable files in specific locations on endpoints before attempting to hijack files. Blocking the processes started from these locations can help prevent the ransomware from hijacking files. |
| Enable program inspection to detect and block compromised executable files | Program inspection monitors processes and performs API hooking to determine whether a program is behaving in an unexpected manner. Although this procedure increases the overall detection ratio of compromised executable files, it may decrease system performance. |
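To make the two ransomware options above concrete, the following is an added example (not Trend Micro code, and not the agent's actual detection logic) of how a behavior monitor can combine a launch-location rule with an "encryption sequence" rule and a backup-before-overwrite step that allows files to be restored after the sequence fires. The thresholds (five documents rewritten with near-random content within ten seconds), the list of suspicious launch directories, the event format, and the sample files are all assumptions constructed for illustration; the page does not publish the real criteria.

```python
"""Toy behaviour monitor illustrating the ransomware protection options.
Added example, not Trend Micro code; thresholds and event format are assumed."""
import math
import os
from collections import defaultdict, deque
from typing import Optional

# Assumed values for illustration only; the real rules are not published on this page.
SUSPICIOUS_LAUNCH_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                          "\\windows\\temp\\", "\\$recycle.bin\\")
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}
WINDOW_S = 10.0      # rewrites by one process within this many seconds ...
MIN_FILES = 5        # ... of at least this many distinct documents ...
MIN_ENTROPY = 7.0    # ... whose new content looks encrypted (maximum is 8 bits/byte)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def launched_from_suspicious_location(image_path: str) -> bool:
    """'Block processes commonly associated with ransomware': a path-based rule."""
    p = image_path.lower()
    return any(d in p for d in SUSPICIOUS_LAUNCH_DIRS)


class RansomwareMonitor:
    """Simulated endpoint: an in-memory 'disk', per-process write history and backups."""

    def __init__(self, backup_changed_files: bool = True):
        self.backup_changed_files = backup_changed_files   # the 'Automatically back up' option
        self.disk = {}                      # path -> current bytes
        self.recent = defaultdict(deque)    # pid -> (time, path) of high-entropy document rewrites
        self.backups = defaultdict(dict)    # pid -> {path: bytes before the suspicious overwrite}
        self.verdicts = {}                  # pid -> why the process was stopped

    def seed(self, files: dict) -> None:
        self.disk.update(files)

    def process_start(self, pid: int, image_path: str) -> Optional[str]:
        if launched_from_suspicious_location(image_path):
            self.verdicts[pid] = "blocked: launched from " + image_path
        return self.verdicts.get(pid)

    def file_write(self, t: float, pid: int, path: str, new_bytes: bytes) -> Optional[str]:
        """Apply a write unless the process is already stopped; return a verdict if one fires."""
        if pid in self.verdicts:
            return self.verdicts[pid]       # a terminated process cannot write
        is_doc = os.path.splitext(path)[1].lower() in DOC_EXTS
        looks_encrypted = shannon_entropy(new_bytes) >= MIN_ENTROPY
        if is_doc and looks_encrypted and self.backup_changed_files and path in self.disk:
            self.backups[pid].setdefault(path, self.disk[path])   # copy before the content is lost
        self.disk[path] = new_bytes         # detection happens after the write, as on a real host
        if is_doc and looks_encrypted:
            q = self.recent[pid]
            q.append((t, path))
            while q and t - q[0][0] > WINDOW_S:
                q.popleft()
            if len({p for _, p in q}) >= MIN_FILES:
                self.verdicts[pid] = "terminated and quarantined: encryption sequence"
                return self.verdicts[pid]
        return None

    def restore(self, pid: int) -> list:
        """What the 'restore the affected files' prompt does: put the backed-up copies back."""
        restored = []
        for path, original in self.backups.pop(pid, {}).items():
            self.disk[path] = original
            restored.append(path)
        return sorted(restored)


def simulate() -> dict:
    """Constructed scenario: a benign editor, a photo tool, and two ransomware launches."""
    mon = RansomwareMonitor(backup_changed_files=True)
    docs = {f"C:\\Users\\alice\\Documents\\report{i}.docx": b"quarterly figures, plain text %d" % i
            for i in range(6)}
    mon.seed(docs)
    ciphertext_like = bytes(range(256)) * 8   # every byte value equally likely: 8.0 bits/byte
    # Word saves one document as plain text: not a sequence, nothing fires.
    v_word = mon.file_write(1.0, 100, "C:\\Users\\alice\\Documents\\report0.docx",
                            b"updated quarterly figures")
    # A photo tool re-encodes two JPEGs (naturally high entropy): below MIN_FILES, nothing fires.
    v_photo = None
    for i in range(2):
        v_photo = mon.file_write(2.0 + i, 200, f"C:\\Users\\alice\\Pictures\\img{i}.jpg", ciphertext_like)
    # Dropper started from %TEMP%: blocked before it touches any file.
    v_temp = mon.process_start(300, "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe")
    # Same payload from a path the launch rule does not cover: caught by the sequence rule instead.
    mon.process_start(400, "C:\\Users\\alice\\Downloads\\invoice.exe")
    verdict = None
    for i in range(6):
        verdict = verdict or mon.file_write(5.0 + i * 0.5, 400,
                                            f"C:\\Users\\alice\\Documents\\report{i}.docx", ciphertext_like)
    restored = mon.restore(400)
    return {"word": v_word, "photo": v_photo, "temp_launch": v_temp, "ransomware": verdict,
            "restored": restored,
            "report0": mon.disk["C:\\Users\\alice\\Documents\\report0.docx"],
            "report5": mon.disk["C:\\Users\\alice\\Documents\\report5.docx"]}
```

The scenario shows why the backup option matters: the sequence rule can only fire after several documents have already been overwritten, so without the copies taken before each suspicious overwrite, those files would be gone even though the process was terminated. It also shows the two rules covering each other: a process started from a blocked location never writes anything, while one started from an uncovered path is stopped after its fifth document.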
Anti-Exploit Protection
Anti-exploit protection works in conjunction with program inspection to monitor the behavior of programs and detect abnormal behavior that may indicate that an attacker has exploited a program vulnerability. Once detected, Behavior Monitoring terminates the program processes.
Important: Anti-exploit Protection requires that you select Enable program inspection to detect and block compromised executable files.
Newly Encountered Program Protection
Behavior Monitoring works in conjunction with Web Reputation Services and Real-time Scan to verify the prevalence of files downloaded through web channels, email applications, or Microsoft Office macro scripts. When Behavior Monitoring detects a "newly encountered" file, administrators can choose to have users prompted before the file executes. Trend Micro classifies a program as newly encountered based on the number of file detections or the historical age of the file as determined by the Smart Protection Network.
Behavior Monitoring scans the following file types for each channel:
- Web (HTTP/HTTPS): Scans .exe files.
- Email applications: Scans .exe files, and compressed .exe files in unencrypted .zip and .rar files.
Event Monitoring
Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It monitors system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
The following table provides a list of monitored system events.
Monitored System Events
| Events | Description |
|---|---|
| Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. |
| Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites. |
| Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. |
| New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. |
| Internet Explorer Setting Modification | Malware programs may change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions. |
| Security Policy Modification | Modifications to the Windows Security Policy can allow unwanted applications to run and change system settings. |
| Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. |
| Shell Modification | Many malicious programs modify Windows shell settings to associate themselves with certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. |
| New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. |
| System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. |
| Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access the network and the Internet. |
| System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. |
| New Startup Program | Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts. |
When Event Monitoring detects a monitored system event, it performs the action configured for the event.
The following table lists the possible actions that administrators can take on monitored system events.
Actions on Monitored System Events
| Action | Description |
|---|---|
| Assess | The Trend Vision One Endpoint Security agent always allows programs associated with an event to run and logs the event for assessment. This is the default action for all monitored system events. |
| Allow | The Trend Vision One Endpoint Security agent always allows programs associated with an event to run. |
| Ask when necessary | The Trend Vision One Endpoint Security agent prompts users to allow or deny programs associated with an event from running and adds the programs to the exception list. If the user does not respond within a certain time period, the Trend Vision One Endpoint Security agent automatically allows the program to run. The default time period is 30 seconds. |
| Deny | The Trend Vision One Endpoint Security agent always blocks programs associated with an event from running and logs the event. After blocking a program with notifications enabled, the Trend Vision One Endpoint Security agent displays a notification on the endpoint. |