Event Monitoring

Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It monitors system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.

The following table provides a list of monitored system events.

Table 1. Monitored System Events



Duplicated System File

Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files.

Hosts File Modification

The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites.

Suspicious Behavior

Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution.

New Internet Explorer Plugin

Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects.

Internet Explorer Setting Modification

Many virus/malware change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions.

Security Policy Modification

Modifications in Windows Security Policy can allow unwanted applications to run and change system settings.

Program Library Injection

Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts.

Shell Modification

Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications.

New Service

Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden.

System File Modification

Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior.

Firewall Policy Modification

The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access to the network and the Internet.

System Process Modification

Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes.

New Startup Program

Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts.

When Event Monitoring detects a monitored system event, it performs the action configured for the event.

The following table lists possible actions that administrators can take on monitored system events.

Table 2. Actions on Monitored System Events




The OfficeScan agent always allows programs associated with an event to run and logs the event for assessment.

This is the default action for all monitored system events.


This option is not supported for Program Library Injections on 64-bit systems.


The OfficeScan agent always allows programs associated with an event to run.

Ask when necessary

The OfficeScan agent prompts users to allow or deny programs associated with an event from running and adds the programs to the exception list

If the user does not respond within a certain time period, the OfficeScan agent automatically allows the program to run. The default time period is 30 seconds.

To modify the time period, see Configuring Global Behavior Monitoring Settings.


This option is not supported for Program Library Injections on 64-bit systems.


The OfficeScan agent always blocks programs associated with an event from running and logs the event.

After blocking a program with notifications enabled, the OfficeScan agent displays a notification on the endpoint.

For details about notifications, see Behavior Monitoring Notifications for OfficeScan Agent Users.