To configure policy settings in the Simple Mode user interface:
- Log on to the WFBS-SVC console.
- Navigate to the Security Agents page.
- Select a desktop or server group to configure.
- Click Configure Policy.
  The Configure Policy screen appears.
To configure policy settings in the Advanced Mode user interface:
- Log on to the WFBS-SVC console.
- Navigate to the Policies page.
- Under Policy Management, click Add or click the policy you want to configure.
  The Configure Policy screen appears.
Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, software, files and folders. The settings can be enabled or disabled only per group.
To configure:
- Go to the Configure Policy screen.
- Click on the Windows logo.
- Click Behavior Monitoring.
- Update the following as required:
  - Enable Behavior Monitoring
  - Malware Behavior Blocking
    Malware Behavior Blocking provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time. As programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.
    - Enable Malware Behavior Blocking for known and potential threats
      Malware Behavior Monitoring provides the following threat-level scanning options:
      - Block known threats: Blocks behaviors associated with known malware threats.
      - Block known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious.
  - Ransomware Protection
    - Enable document protection against unauthorized encryption or modification: Protects documents from unauthorized changes. Enabling this option stops processes that rename, modify and delete files, and then quarantines the programs that are running these processes.
    - Enable automatic back up and restore: Automatically backs up files before a suspicious program attempts any modification, which makes file restoration easier when unauthorized encryption occurs. Enabling this feature requires an additional 100 MB of storage space.
    - Enable blocking of processes commonly associated with ransomware: Protects endpoints from ransomware attacks by blocking processes commonly associated with hijacking attempts.
    - Enable program inspection to detect and block compromised executable files: Protects endpoints from ransomware attacks by increasing the overall detection ratio for compromised executable files and programs that are behaving in an unexpected manner.
  - Anti-Exploit Protection
    - Enable termination of programs that exhibit abnormal behavior associated with exploit attacks to protect against potentially exploited programs.
  - Enable Intuit QuickBooks Protection
    Protects all Intuit QuickBooks files and folders from unauthorized changes by other programs. Enabling this feature will not affect changes made from within Intuit QuickBooks programs, but will only prevent changes to the files from other unauthorized applications.
    The following products are supported:
    - QuickBooks Simple Start
    - QuickBooks Pro
    - QuickBooks Premier
    - QuickBooks Online
  - Event Monitoring
    For a more generic approach to protecting against unauthorized software and malware attacks, Event Monitoring oversees system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
    The following table provides a list of monitored system events.

    Table 1. Monitored System Events

    | Events | Description |
    | --- | --- |
    | Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. |
    | Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites. |
    | Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. |
    | New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. |
    | Internet Explorer Setting Modification | Many virus/malware programs change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions. |
    | Security Policy Modification | Modifications in Windows Security Policy can allow unwanted applications to run and change system settings. |
    | Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. |
    | Shell Modification | Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. |
    | New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. |
    | System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. |
    | Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves access to the network and the Internet. |
    | System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. |
    | New Startup Program | Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts. |

    When Event Monitoring detects a monitored system event, it performs the action configured for the event.
    The following table lists possible actions that administrators can take on monitored system events.

    Table 2. Actions on Monitored System Events

    | Action | Description |
    | --- | --- |
    | Always allow | Worry-Free Business Security Services always allows programs associated with an event. |
    | Ask when necessary | Worry-Free Business Security Services prompts users to allow or deny programs associated with an event and add the programs to the exception list. If the user does not respond within a certain time period, Worry-Free Business Security Services automatically allows the program to run. The default time period is 30 seconds. This option is not supported for Program Library Injections on 64-bit systems. |
    | Always block | Worry-Free Business Security Services always blocks programs associated with an event and records this action in the logs. When a program is blocked and alerts are enabled, Worry-Free Business Security Services displays an alert on the Worry-Free Business Security Services computer. |
  - Exceptions
    An Approved Program List and a Blocked Program List can be found under Scan Exclusions > Behavior Monitoring. Programs in the Approved Program List can be started even if they violate a monitored change, while programs in the Blocked Program List can never be started.
  - Security Agent Alerts
    Enable Security Agent alerts for Behavior Monitoring by going to Privileges and Other Settings > Alerts and checking Behavior Monitoring under Threat Protection.
- Click Save.
Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, other software, files and folders.
When enabled, Worry-Free Business Security temporarily blocks a newly-encountered program downloaded through HTTP or email applications and prompts users to select an action ("Block once" or "Allow once"). If users do not select an action within the specified time period, the program is automatically blocked.
- Go to Policies > Global Security Agent Settings > Security Settings > Behavior Monitoring.
- Select any of the following as required:
  - Enable warning messages for low-risk changes or other monitored actions: Agents warn users of low-risk changes or monitored actions.
  - Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded): After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.
- Click Save.
- Users will be prompted with the following message:
Newly Encountered Program Detected
Web Reputation enhances protection against malicious websites. Web Reputation leverages Trend Micro's extensive web security database to check the reputation of URLs that clients are attempting to access or URLs embedded in email messages that are contacting websites.
To configure:
- Go to the Configure Policy screen.
- Click on the Windows logo.
- Click Web Reputation.
- Update the following as required:
  - Enable Web Reputation.
  - Security Level
    - High: Blocks the following pages:
      - Dangerous: Verified to be fraudulent or known sources of threats
      - Highly suspicious: Suspected to be fraudulent or possible sources of threats
      - Suspicious: Associated with spam or possibly compromised
    - Medium: Blocks the following pages:
      - Dangerous: Verified to be fraudulent or known sources of threats
      - Highly suspicious: Suspected to be fraudulent or possible sources of threats
    - Low: Blocks the following pages:
      - Dangerous: Verified to be fraudulent or known sources of threats
  - Untested URLs
    - Block websites that have not been tested by Trend Micro: While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages.
  - Enable Browser Exploit Prevention > Block websites containing malicious script to protect against browser exploits containing malicious script.
  To modify Approved/Blocked URLs, go to the Approved/Blocked URLs screen under Exception Lists or refer to Configuring the Approved/Blocked URL Lists.
- Click Save.
Trend Micro Predictive Machine Learning uses advanced machine learning technology to detect emerging unknown security risks found in low-prevalence suspicious processes or files originating from removable storage, web, or email channels.
To configure:
- Go to the Configure Policy screen.
- Click on the Windows logo.
- Click Predictive Machine Learning.
- Select Enable Predictive Machine Learning.
- Under Detection Settings, select the type of detections and related action that Predictive Machine Learning takes.

  | Detection Type | Action | Description |
  | --- | --- | --- |
  | File | Quarantine | Select to automatically quarantine files that exhibit malware-related features based on the Predictive Machine Learning analysis. |
  | File | Log only | Select to scan unknown files and log the Predictive Machine Learning analysis for further in-house investigation of the threat. |
  | Process | Terminate | Select to automatically terminate processes that exhibit malware-related behaviors based on the Predictive Machine Learning analysis. |
  | Process | Log only | Select to scan unknown processes and log the Predictive Machine Learning analysis for further in-house investigation of the threat. |
- Click Save.