Configuring Malware Behavior Blocking, Event Monitoring, and the Exception List

  1. Go to Agents > Agent Management.
  2. In the agent tree, click the root domain icon () to include all agents or select specific domains or agents.
  3. Click Settings > Behavior Monitoring Settings.
  4. To enable Malware Behavior Blocking:
    1. Select Enable Malware Behavior Blocking for known and potential threats and select one of the following:
      • Known threats: Blocks behaviors associated with known malware threats

      • Known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious

    2. Select which Ransomware Protection features you want to enable to protect against ransomware threats.
      • Protect documents against unauthorized encryption or modification: Stops potential ransomware threats from encrypting or modifying the contents of documents

      • Block processes commonly associated with ransomware: Blocks processes associated with known ransomware threats before any encryption or modification of documents can occur

      For details, see Ransomware Protection.

  5. Configure Event Monitoring settings.
    1. Select Enable Event Monitoring.
    2. Choose the system events to monitor and select an action for each of the selected events.

      For information about monitored system events and actions, see Event Monitoring.

  6. Configure the exception lists.
    1. Under Type the full program path, type the full path of the program to approve or block. Separate multiple entries with semicolons (;).
    2. Click Add to Approved List or Add to Blocked List.
    3. To remove a blocked or approved program from the list, click the trash bin icon () next to the program.

      OfficeScan accepts a maximum combined total of 1024 approved programs and blocked programs.

  7. If you selected domain(s) or agent(s) in the agent tree, click Save. If you clicked the root domain icon, choose from the following options:
    • Apply to All Agents: Applies settings to all existing agents and to any new agent added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.

    • Apply to Future Domains Only: Applies settings only to agents added to future domains. This option will not apply settings to new agents added to an existing domain.