Configuring Behavior Monitoring

  1. Navigate to Security Settings.
  2. Select a desktop or server group.
  3. Click Configure Settings.
  4. Click Behavior Monitoring.
  5. Update the following as required:
    • Enable Behavior Monitoring


      To allow users to customize their own Behavior Monitoring settings, go to Security Settings > {group} > Configure > Agent Privileges > Behavior Monitoring and select Allow users to modify Behavior Monitoring settings.

    • Enable Malware Behavior Blocking for known and potential threats: Malware behavior blocking is accomplished using a set of internal rules defined in pattern files. These rules identify known and suspicious threat behavior that is common amongst malware. Examples of suspicious behavior includes sudden and unexplainable new running services, changes to the firewall, or system file modifications.

      • Known threats: Blocks behavior associated with known threats

      • Known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious

    • Prompt users before executing newly encountered programs downloaded through HTTP (server platforms excluded): Behavior Monitoring works in conjunction with Web Reputation to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.


      For HTTP channels, executable (.exe) files are scanned. For email applications (only Outlook and Windows Live Mail), executable (.exe) files in non-password protected archived (zip/rar) files are scanned.

    • Enable Intuit QuickBooks Protection: Protects all Intuit QuickBooks files and folders from unauthorized changes by other programs. Enabling this feature will not affect changes made from within Intuit QuickBooks programs, but will only prevent changes to the files from other unauthorized applications.

      The following products are supported:

      • QuickBooks Simple Start

      • QuickBooks Pro

      • QuickBooks Premier

      • QuickBooks Online


      All Intuit executable files have a digital signature and updates to these files will not be blocked. If other programs try to change the Intuit binary file, the Agent displays a message with the name of the program that is attempting to update the binary files. Other programs can be allowed to update Intuit files. To do this, add the required program to the Behavior Monitoring Exception List on the Agent. Remember to remove the program from the exception list after the update.

    • Under Ransomware Protection, update the following as required:


      Ransomware Protection prevents the unauthorized modification or encryption of files on computers by "ransomware" threats. Ransomware is a type of malware which restricts access to files and demands payment to restore the affected files.

      • Enable document protection against unauthorized encryption or modification: Protects documents from unauthorized changes.

        • Auto backup files changed by suspicious programs: Automatically backs up files modified by suspicious programs if document protection is enabled.

      • Enable program inspection to detect and block compromised executable files: Increases detection by monitoring processes for ransomware-like behavior.

      • Enable blocking of processes commonly associated with ransomware: Protects endpoints from ransomware attacks by blocking processes commonly associated with hijacking attempts.


      To reduce the chance of WFBS detecting a safe process as malicious, ensure that the computer has Internet access to perform additional verification processes using Trend Micro servers.

    • Exceptions: Exceptions include an Approved Program List and a Blocked Program List. Programs in the Approved Programs List can be started even if they violate a monitored change, while programs in the Blocked Program List can never be started.

      • Enter Program Full Path: Type the full Windows or UNC path of the program. Separate multiple entries with semicolons. Click Add to Approved List or Add to Blocked List. Use environment variables to specify paths, if required.

        Environment Variable

        Points to the...


        Windows folder


        root folder


        Windows temporary folder


        Program Files folder

      • Approved Program List: Programs (maximum of 100) in this list can be started. Click the corresponding icon to delete an entry

      • Blocked Program List: Programs (maximum of 100) in this list can never be started. Click the corresponding icon to delete an entry

  6. Click Save.