Configuring Behavior Monitoring

Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, other software, or files and folders.

  1. Go to the Configure Policy screen by performing one of the following:
    • Classic Mode: Go to SECURITY AGENTS and select a group. Click > Configure Policy.

    • Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.

  2. Click Windows.
  3. Go to Behavior Monitoring.
  4. Under Behavior Monitoring, enable the feature and configure the required settings.
  5. In the Malware Behavior Blocking section, enable the feature and specify the types of threats to block.
    • Block known and potential threats: Blocks behaviors associated with known threats and takes action on behavior that is potentially malicious

    • Block known threats: Blocks behaviors associated with known malware threats

  6. In the Ransomware Protection section, select the features you want to enable to protect against ransomware threats.
    • Protect documents against unauthorized encryption or modification: Stops potential ransomware threats from encrypting or modifying the contents of documents

      • Automatically back up and restore files changed by suspicious programs: Creates backup copies of files being encrypted on endpoints to prevent any loss of data after detecting a ransomware threat


        Automatic file backup requires at least 100 MB of disk space on the agent endpoint and only backs up files that are less than 10 MB in size.

    • Block processes commonly associated with ransomware: Blocks processes associated with known ransomware threats before any encryption or modification of documents can occur

    • Enable program inspection to detect and block compromised executable files: Program inspection monitors processes and performs API hooking to determine if a program is behaving in an unexpected manner. Although this procedure increases the overall detection ratio of compromised executable files, it may result in decreased system performance.

  7. Under Anti-exploit Protection, enable Terminate programs that exhibit abnormal behavior associated with exploit attacks to protect against potentially exploited programs.
  8. Under Intuit QuickBooks Protection, enable Prevent unauthorized changes to QuickBooks files and folders to protect all Intuit QuickBooks files and folders from unauthorized changes by other programs. This feature does not affect changes made from within Intuit QuickBooks programs.

    The following products are supported:

    • QuickBooks Simple Start

    • QuickBooks Pro

    • QuickBooks Premier

    • QuickBooks Online


    All Intuit executable files have a digital signature and updates to these files will not be blocked. If other programs try to change the Intuit binary file, the Agent displays a message with the name of the program that is attempting to update the binary files. Other programs can be allowed to update Intuit files. To do this, add the required program to the Behavior Monitoring Exception List on the Agent. Remember to remove the program from the exception list after the update.

  9. In the Event Monitoring section:
    1. Enable Event Monitoring.
    2. Click to expand a list of system events under Specify monitored system events.
    3. Choose the system events to monitor and select an action for each of the selected events.

      For information about monitored system events and actions, see Event Monitoring.

  10. Click Save.
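Added example (not part of the product or its documentation): step 6 states that automatic file backup only covers files smaller than 10 MB and needs at least 100 MB of free disk space. The Python script below reports which files in a folder fall outside that size limit and whether the volume holding the folder has enough free space. The function and class names, reading 1 MB as 2**20 bytes, and checking that particular volume are assumptions.

```python
"""Added example: audit a folder against the automatic file backup limits."""
import os
import shutil
from dataclasses import dataclass, field

MB = 1024 * 1024            # assumption: the page's "MB" means 2**20 bytes
MAX_FILE_BYTES = 10 * MB    # page: only files smaller than 10 MB are backed up
MIN_FREE_BYTES = 100 * MB   # page: at least 100 MB of disk space is required


@dataclass
class Coverage:
    covered: int = 0                                  # files under the size limit
    not_covered: list = field(default_factory=list)   # (path, size), largest first
    unreadable: list = field(default_factory=list)    # paths that could not be sized
    free_bytes: int = 0
    enough_free_space: bool = False


def audit_backup_coverage(root, max_file_bytes=MAX_FILE_BYTES, min_free_bytes=MIN_FREE_BYTES):
    """Walk root and split files into those the backup would and would not cover."""
    result = Coverage()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:                 # locked or vanished file: report, do not guess
                result.unreadable.append(path)
                continue
            if size < max_file_bytes:
                result.covered += 1
            else:                           # exactly at the limit is not "less than"
                result.not_covered.append((path, size))
    result.not_covered.sort(key=lambda item: item[1], reverse=True)
    # Assumption: free space is measured on the volume that holds root.
    result.free_bytes = shutil.disk_usage(root).free
    result.enough_free_space = result.free_bytes >= min_free_bytes
    return result


if __name__ == "__main__":
    import sys
    report = audit_backup_coverage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"covered: {report.covered}, too large: {len(report.not_covered)}, "
          f"unreadable: {len(report.unreadable)}, free space OK: {report.enough_free_space}")
    for path, size in report.not_covered[:20]:
        print(f"  {size / MB:8.1f} MB  {path}")
```

Files listed as too large would not have a backup copy to restore from, so they are candidates for a separate backup process.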