Event Monitoring

Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It monitors system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.

Table 1. Monitored System Events



Duplicated System File

Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files.

Hosts File Modification

The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites.

Suspicious Behavior

Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution.

New Internet Explorer Plugin

Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects.

Internet Explorer Setting Modification

Malware programs may change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions.

Security Policy Modification

Modifications in Windows Security Policy can allow unwanted applications to run and change system settings.

Program Library Injection

Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts.

Shell Modification

Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications.

New Service

Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden.

System File Modification

Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior.

Firewall Policy Modification

The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access to the network and the Internet.

System Process Modification

Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes.

New Startup Program

Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts.

The following table provides a list of monitored system events.

When Event Monitoring detects a monitored system event, it performs the action configured for the event.

The following table lists possible actions that administrators can take on monitored system events.

Table 2. Actions on Monitored System Events



Always allow

The Security Agent always allows programs associated with an event to run.

Ask when necessary

The Security Agent prompts users to allow or deny programs associated with an event from running and adds the programs to the exception list

If the user does not respond within a certain time period, the Security Agent automatically allows the program to run. The default time period is 30 seconds.


This option is not supported for the Program Library Injection (DLL injection) event on 64-bit systems.

Always block

The Security Agent always blocks programs associated with an event from running and logs the event.

When a program is blocked and alerts are enabled, Worry-Free Services displays an alert on the Worry-Free Services computer.