Behavior Monitoring Components
Behavior Monitoring Detection Pattern 32/64-bit

This pattern contains the rules for detecting suspicious threat behavior.

Behavior Monitoring Core Driver 32/64-bit

This kernel mode driver monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement.

Behavior Monitoring Core Service 32/64-bit

This user mode service has the following functions:

  • Provides rootkit detection

  • Regulates access to external devices

  • Protects files, registry keys, and services

Behavior Monitoring Configuration Pattern

The Behavior Monitoring Driver uses this pattern to identify normal system events and exclude them from policy enforcement.

Digital Signature Pattern

This pattern contains a list of valid digital signatures that the Behavior Monitoring Core Service uses to determine whether the program responsible for a system event is safe.

Policy Enforcement Pattern

The Behavior Monitoring Core Service checks system events against the policies in this pattern.

Memory Scan Trigger Pattern (32/64-bit)

Behavior Monitoring uses the Memory Scan Trigger Pattern to identify possible threats after detecting the following operations:

  • File write action

  • Registry write action

  • New process creation

After identifying one of these operations, Behavior Monitoring calls Real-time Scan's Memory Inspection Pattern to check for security risks.

For details about the Real-time Scan operations, see Memory Inspection Pattern.

Damage Recovery Pattern

The Damage Recovery Pattern contains policies that are used for monitoring suspicious threat behavior.

Program Inspection Monitoring Pattern

The Program Inspection Monitoring Pattern monitors and stores inspection points that are used for Behavior Monitoring.