Configuring Behavior Monitoring

  1. Go to Devices.
  2. Select a desktop or server group.
  3. Click Configure Policy.

    The Configure Policy: <group name> screen appears.

  4. Click Behavior Monitoring.
  5. Update the following as required:
    • Enable Behavior Monitoring


      To allow users to customize their own Behavior Monitoring settings, go to Devices > {group} > Configure Policy > Agent Privileges > Behavior Monitoring and select Allow users to modify Behavior Monitoring settings.

    • Enable Malware Behavior Blocking for known and potential threats: Malware behavior blocking is accomplished using a set of internal rules defined in pattern files. These rules identify known and suspicious threat behavior that is common amongst malware. Examples of suspicious behavior includes sudden and unexplainable new running services, changes to the firewall, or system file modifications.

      Malware Behavior Monitoring provides the following threat-level scanning options:

      • Known threats: Blocks behavior associated with known threats

      • Known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious

    • Prompt users before executing newly encountered programs downloaded through HTTP (server platforms excluded): Behavior Monitoring works in conjunction with Web Reputation to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.


      For HTTP channels, executable (.exe) files are scanned. For email applications (only Outlook and Windows Live Mail), executable (.exe) files in non-password protected archived (zip/rar) files are scanned.

    • Enable Intuit QuickBooks Protection: Protects all Intuit QuickBooks files and folders from unauthorized changes by other programs. Enabling this feature will not affect changes made from within Intuit QuickBooks programs, but will only prevent changes to the files from other unauthorized applications.

      The following products are supported:

      • QuickBooks Simple Start

      • QuickBooks Pro

      • QuickBooks Premier

      • QuickBooks Online


      All Intuit executable files have a digital signature and updates to these files will not be blocked. If other programs try to change the Intuit binary file, the Agent displays a message with the name of the program that is attempting to update the binary files. Other programs can be allowed to update Intuit files. To do this, add the required program to the Behavior Monitoring Exception List on the Agent. Remember to remove the program from the exception list after the update.

    • Ransomware Protection: Prevents the unauthorized modification or encryption of files on computers by "ransomware" threats. Ransomware is a type of malware which restricts access to files and demands payment to restore the affected files.

      • Enable document protection against unauthorized encryption or modification: Protects documents from unauthorized changes.

        • Automatically back up files changed by suspicious programs: Automatically backs up files modified by suspicious programs if document protection is enabled.

      • Enable blocking of processes commonly associated with ransomware: Protects endpoints from ransomware attacks by blocking processes commonly associated with hijacking attempts.

      • Enable program inspection to detect and block compromised executable files: Increases detection by monitoring processes for ransomware-like behavior.

      • Terminate programs that exhibit abnormal behavior associated with exploit attacks: Anti-exploit protection works in conjunction with program inspection to monitor the behavior of programs and detect abnormal behavior that may indicate that an attacker has exploited a program vulnerability. Once detected, Behavior Monitoring terminates the program processes.


        Anti-exploit Protection requires that you select Enable program inspection to detect and block compromised executable files.


      To reduce the chance of Worry-Free Business Security detecting a safe process as malicious, ensure that the computer has Internet access to perform additional verification processes using Trend Micro servers.

    • Exceptions: Exceptions include an Approved Program List and a Blocked Program List. Programs in the Approved Programs List can be started even if they violate a monitored change, while programs in the Blocked Program List can never be started.

      • Enter Program Full Path: Type the full Windows or UNC path of the program. Separate multiple entries with semicolons. Click Add to Approved List or Add to Blocked List. Use environment variables to specify paths, if required.

      • Approved Program List: Programs in this list can be started. Click the corresponding icon to delete an entry.

        The Approved Program List supports wildcards and environment variables.

        For a list of supported environment variables, see Supported Environment Variables.

      • Blocked Program List: Programs in this list can never be started. Click the corresponding icon to delete an entry.

        The Blocked Program List only supports wildcards.

  6. Click Save.