Deep Security detects malicious behaviors when the Behavior Monitoring feature is enabled.
To enable the feature:
- On the management console, go to Policies > Policy.
- Navigate to Anti-Malware > Real-Time > Malware Scan Configuration.
- Click Edit and select General.
- Under Behavior Monitoring, enable Detect suspicious activity and unauthorized changes.
While the feature is detecting malicious behaviors, you may see "TM_MALWARE_BEHAVIOR" and "HEU_AEGIS_CRYPT" in the detection logs.
TM_MALWARE_BEHAVIOR is a Behavior Monitoring detection for system activities or behaviors associated with known and potential malware traits.
On the other hand, an HEU_AEGIS_CRYPT detection indicates that an application is attempting to make changes to numerous files in a short time.
To understand a detection event, check the following details:
- Computer - The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Malware - The name of the detection that was triggered.
- Infected File(s) - The name of the file(s) reported as infected.
- Action Taken - Displays the results of the actions specified in the malware scan configuration associated with the event.
- Target - The file, process, or registry key (if any) that the malware was trying to affect. If the malware was trying to affect more than one, this field will contain the value "Multiple".
However, some applications' behavior may trigger these detections even though the applications are trusted. For instance, an application may make changes to numerous files in a short time because that is how it is designed to work. This can cause a false detection.
If you have verified that the application is trusted, follow KB 000195719 for instructions on how to white-list a trusted application.
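The event fields listed above and the false-positive scenario just described can be worked through with a small triage script. The following is an added example, not code from Trend Micro or from this KB: it assumes the events were exported as CSV with the five column names above, and the hostnames, file paths and registry key in the sample are constructed. It separates HEU_AEGIS_CRYPT events on already-verified applications (candidates for white-listing review) from everything else, and lists events from computers that have since been removed.

```python
import csv
import io
from collections import Counter

# Constructed sample of Behavior Monitoring events. The CSV layout and every
# value below are assumptions for this example, not a real Deep Security export.
SAMPLE_EVENTS_CSV = """Computer,Malware,Infected File(s),Action Taken,Target
WS-01,HEU_AEGIS_CRYPT,C:\\Program Files\\BackupTool\\backup.exe,Terminated,Multiple
WS-01,HEU_AEGIS_CRYPT,C:\\Program Files\\BackupTool\\backup.exe,Terminated,Multiple
WS-02,TM_MALWARE_BEHAVIOR,C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe,Quarantined,C:\\Windows\\System32\\drivers\\etc\\hosts
WS-03,HEU_AEGIS_CRYPT,C:\\Users\\bob\\Downloads\\invoice.exe,Terminated,Multiple
Unknown Computer,TM_MALWARE_BEHAVIOR,C:\\tmp\\x.exe,Terminated,HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

# Hypothetical inventory of applications an administrator has already verified
# as trusted (for example a backup tool that rewrites many files by design).
TRUSTED_APPS = {
    "C:\\Program Files\\BackupTool\\backup.exe",
}


def parse_events(text):
    """Parse a CSV export into dicts keyed by the event field names."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(events):
    """Count events per (Computer, Malware) pair so repeated hits on one
    host stand out from one-off detections."""
    return Counter((e["Computer"], e["Malware"]) for e in events)


def _norm(path):
    # Windows paths are case-insensitive, so compare them in lower case.
    return path.strip().lower()


def triage(events, trusted_apps):
    """Split events into likely false positives and events to investigate.

    An event is a likely false positive only when all three hold: the
    detection is HEU_AEGIS_CRYPT (many files changed quickly), the Target is
    "Multiple", and the flagged file is an application already verified as
    trusted. Everything else, including an HEU_AEGIS_CRYPT hit on an
    unverified binary, goes to "investigate".
    """
    trusted = {_norm(p) for p in trusted_apps}
    result = {"likely_false_positive": [], "investigate": []}
    for e in events:
        mass_change = e["Malware"] == "HEU_AEGIS_CRYPT" and e["Target"] == "Multiple"
        if mass_change and _norm(e["Infected File(s)"]) in trusted:
            result["likely_false_positive"].append(e)
        else:
            result["investigate"].append(e)
    return result


def orphaned(events):
    """Events whose computer has been removed from the management console."""
    return [e for e in events if e["Computer"] == "Unknown Computer"]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS_CSV)
    for (computer, malware), n in summarize(evts).items():
        print(f"{computer}: {malware} x{n}")
    buckets = triage(evts, TRUSTED_APPS)
    for name, items in buckets.items():
        print(name, [(e["Computer"], e["Infected File(s)"]) for e in items])
    print("orphaned:", len(orphaned(evts)))
```

The trusted-application check is deliberately narrow: only the mass-file-change detection on a path that has already been verified is treated as a candidate false positive, so a new or unexpected binary that changes many files is still routed to investigation rather than silently excused.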