Behavior Monitoring constantly monitors clients for unusual modifications to the operating system or to installed software. Administrators (or users) can create exception lists that allow certain programs to start even when they perform a monitored change, or that completely block certain programs. Programs with a valid digital signature are always allowed to start.
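The way the three inputs above combine (the per-change default value, the administrator's allow and block exception lists, and the signed-program rule) is easiest to see as a small decision function. The following is an added illustration written for this page, not the product's own code: the monitored-change names and default values are taken from the table that follows, the two exception-list entries are constructed, and the precedence order (valid signature, then the block list, then the allow list, then the change's default) is an assumption, since the text only says signed programs are always allowed.

```python
"""Behavior Monitoring decision logic: defaults, exception lists and signed programs.

Added illustration, not the product's own code. Precedence order
(signed > block list > allow list > per-change default) is an assumption.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALWAYS_ALLOW = "Always allow"
    ASK = "Ask when necessary"
    ALWAYS_BLOCK = "Always block"


# Default value for each monitored change, as listed in the table on this page.
DEFAULTS = {
    "Duplicated System File": Action.ASK,
    "Hosts File Modification": Action.ALWAYS_BLOCK,
    "System File Modification": Action.ALWAYS_BLOCK,
    "New Internet Explorer Plug-in": Action.ASK,
    "Internet Explorer Setting Modification": Action.ALWAYS_BLOCK,
    "Security Policy Modification": Action.ALWAYS_BLOCK,
    "Firewall Policy Modification": Action.ASK,
    "Program Library Injection": Action.ASK,
    "Suspicious Behavior": Action.ALWAYS_ALLOW,
    "Shell Modification": Action.ASK,
    "New Service": Action.ASK,
    "System Process Modification": Action.ALWAYS_ALLOW,
    "New Startup Program": Action.ASK,
}


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare them in one case with one separator.
    return path.strip().lower().replace("/", "\\")


@dataclass
class Policy:
    defaults: dict = field(default_factory=lambda: dict(DEFAULTS))
    allowed_programs: set = field(default_factory=set)  # may perform monitored changes
    blocked_programs: set = field(default_factory=set)  # never allowed to start

    def allow(self, path: str) -> None:
        self.allowed_programs.add(_norm(path))

    def block(self, path: str) -> None:
        self.blocked_programs.add(_norm(path))


@dataclass(frozen=True)
class Event:
    program: str  # full path of the program attempting the change
    change: str   # monitored change name, as in the table
    signed: bool  # True if the program carries a valid digital signature (verified elsewhere)


def decide(policy: Policy, event: Event) -> Action:
    """Return the action for one monitored-change event."""
    if event.change not in policy.defaults:
        raise ValueError(f"unknown monitored change: {event.change!r}")
    program = _norm(event.program)
    if event.signed:                        # signed programs are always allowed to start
        return Action.ALWAYS_ALLOW
    if program in policy.blocked_programs:  # explicit block wins over any other exception
        return Action.ALWAYS_BLOCK
    if program in policy.allowed_programs:  # exception: may start despite the change
        return Action.ALWAYS_ALLOW
    return policy.defaults[event.change]    # otherwise the change's default value applies


def build_demo_policy() -> Policy:
    # Constructed exception-list entries for demonstration (hypothetical paths).
    policy = Policy()
    policy.allow(r"C:\Program Files\ExampleBackup\backup.exe")
    policy.block(r"C:\Users\Public\untrusted.exe")
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    events = [
        Event(r"C:\Users\Public\untrusted.exe", "Hosts File Modification", signed=False),
        Event(r"C:\Program Files\ExampleBackup\backup.exe", "New Service", signed=False),
        Event(r"C:\Temp\unknown.exe", "Suspicious Behavior", signed=False),
        Event(r"C:\Temp\unknown.exe", "System File Modification", signed=True),
    ]
    for e in events:
        print(f"{e.change:40} {e.program:48} -> {decide(p, e).value}")
```

Note that a blocked program is refused even for a change whose default is "Always allow", and that the allow list only lifts a "Block" or "Ask" outcome for the programs it names; everything else falls through to the default for that change.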
Below are the descriptions and default values of the monitored changes:
| Monitored Change | Description | Default Value |
|---|---|---|
| Duplicated System File | Many malicious programs create copies of themselves or of other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. | Ask when necessary |
| Hosts File Modification | The hosts file matches domain names with IP addresses. Many malicious programs modify the hosts file so that the web browser is redirected to infected, non-existent, or fake web sites. | Always block |
| System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. | Always block |
| New Internet Explorer Plug-in | Spyware/grayware programs often install unwanted Internet Explorer plug-ins, including toolbars and Browser Helper Objects. | Ask when necessary |
| Internet Explorer Setting Modification | Many virus/malware programs change Internet Explorer settings, including the home page, trusted web sites, proxy server settings, and menu extensions. | Always block |
| Security Policy Modification | Modifications to the Windows Security Policy can allow unwanted applications to run and change system settings. | Always block |
| Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves access to the network and the Internet. | Ask when necessary |
| Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. | Ask when necessary |
| Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. | Always allow |
| Shell Modification | Many malicious programs modify Windows shell settings to associate themselves with certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. | Ask when necessary |
| New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. | Ask when necessary |
| System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. | Always allow |
| New Startup Program | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. | Ask when necessary |
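The "Hosts File Modification" row is the one change in the table that can be checked from file content alone, so here is an added example of how a defender might inspect a hosts file for the two abuses the row describes: silencing a domain by pinning it to the local machine, and redirecting a domain to some other address. This is illustration written for this page, not code from the product or its vendor. The sample hosts file, the watchlist of domains (`update.example-av.test`, `login.example-bank.test`) and the "local" address ranges are all constructed or assumed; a deployment would substitute its own baseline hash and watchlist.

```python
"""Hosts-file checks: detect modification against a baseline and flag entries that
silence or redirect watched domains. Added illustration; not the product's own code."""
import hashlib
import ipaddress

# Address ranges treated as "local" (assumption): mappings to these are normal, e.g.
# localhost entries or hosts on the organisation's own network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Hypothetical watchlist: domains that must never be overridden in the hosts file
# (vendor update servers, banking sites). Any entry for them is a finding.
WATCHLIST = {"update.example-av.test", "login.example-bank.test"}

# Constructed sample hosts file, not taken from any real system.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan              # legitimate LAN entry
127.0.0.1       update.example-av.test   # silences a vendor update host
203.0.113.7     login.example-bank.test  # redirects a bank login host
203.0.113.9     www.example-shop.test    # redirect to a non-local address
not-an-ip       broken.test              # malformed line
"""


def sha256_text(text: str) -> str:
    """Hex SHA-256 of the file content, used as the stored baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hosts_changed(text: str, baseline_sha256: str) -> bool:
    """True if the current content no longer matches the recorded baseline."""
    return sha256_text(text) != baseline_sha256


def is_local(addr) -> bool:
    # 'in' is False across IP versions, so v4 and v6 networks can share one list.
    return any(addr in net for net in LOCAL_NETS)


def parse_hosts(text: str):
    """Return (line_no, address_text, [hostnames]) for each effective entry.

    Everything after '#' is a comment; blank lines are skipped; names are lowercased
    because hostname matching is case-insensitive."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def find_suspicious(text: str, watchlist=WATCHLIST):
    """Return (line_no, reason, subject) findings for a hosts file's content."""
    findings = []
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            # A line the resolver cannot parse is worth a look on its own.
            findings.append((line_no, "malformed-address", addr_text))
            continue
        for name in names:
            if name in watchlist:
                # Pinning a watched domain anywhere, even to 127.0.0.1, overrides DNS for it.
                findings.append((line_no, "watched-host-overridden", name))
            elif not is_local(addr):
                # Any other name sent to a non-local address is a redirect candidate.
                findings.append((line_no, "mapped-to-remote-address", name))
    return findings


if __name__ == "__main__":
    baseline = sha256_text(SAMPLE_HOSTS)  # would be recorded when the file was last approved
    print("changed since baseline:", hosts_changed(SAMPLE_HOSTS + "\n0.0.0.0 extra.test\n", baseline))
    for line_no, reason, subject in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {subject}")
```

The baseline hash answers "was the file modified at all", which is what the monitor reacts to; the content rules answer "does the modification look like the redirection or blocking described above", which is what an analyst wants when deciding whether to add an exception. Private-network mappings such as the `printer.lan` line are deliberately not flagged, since pinning internal names is a common legitimate use of the file.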