Trend Micro Endpoint Solutions for False Positive Events caused by Behavior Monitoring Function (October 2025)

Product / Version includes:

Apex One as a Service All , Apex One All , Worry-Free Business Security Services All , Trend Vision One Endpoint Security

Last updated: 2025/10/22

Solution ID: KA-0021400

Category: Troubleshoot

Summary

Trend Micro has confirmed an issue where legitimate programs are mistakenly flagged as "false positives" by the behavior monitoring feature. A corrected version of the detection pattern file was released to resolve this issue.

Affected products are as follows:

Trend Micro™ Apex One
Trend Micro™ Apex One SaaS
Trend Vision One™ Endpoint Security – Standard Endpoint Protection
Trend Micro™ Worry-Free™ Business Security Services

What is a False Positive?

A false positive refers to the detection of a normal (legitimate) file by our product as if it were malicious.

Scope of Impact

As of now, the following issue has been confirmed:

Legitimate programs related to Windows Update are mistakenly detected and blocked by the behavior monitoring feature under the following rule IDs:

Rule IDs:

FLS.ISB.4037T
PENT5667T
PENT4924T
PENT4179T
PENT4636T
PENT4872T

Programs Detected:

C:$WINDOWS.~BT\Sources\SetupHost.exe
C:\Windows\System32\CompatTelRunner.exe

Current Status

We have identified that this issue was caused by the behavior monitoring detection pattern file.

A corrected version of the detection pattern file was released around 04:00 on October 17, 2025, and we have confirmed that the issue has been resolved.

Please ensure that the latest pattern file is applied and verify that the issue has been resolved.

Corrected Pattern File Versions:

Behavior Monitoring Detection Pattern File (32-bit): 4.511.00
Behavior Monitoring Detection Pattern File (64-bit): 4.511.64

How to Check the Affected Rule IDs

For users of Trend Micro Apex One SaaS and Trend Vision One - Standard Endpoint Protection, you can check the behavior monitoring logs from the management console.

For users of Trend Micro Apex One and Worry-Free Business Security Services, please check the log file at the following path to see if the relevant policy IDs are included:

For Trend Micro Apex One:
<Agent Installation Folder>\Misc\AEGIS_BM.log
Example: C:\Program Files (x86)\Trend Micro\Security Agent\Misc\AEGIS_BM.log
For Worry-Free Business Security Services:
<Agent Installation Folder>\Misc\AEGIS_BM.log
Example: C:\Program Files (x86)\Trend Micro\Client Server Security Agent\Misc\AEGIS_BM.log

Inquiries Regarding Detection

If you confirm a detection related to this issue, please contact our threat support team via the Business Support Portal under the threat case category: "Request for Analysis of Suspected False Positive File"

Include the following information:

Detection log to identify the cause
Detected file
AEGIS_BM.log file

For support assistance, please contact Trend Micro Technical Support.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Trend Micro Endpoint Solutions for False Positive Events caused by Behavior Monitoring Function (October 2025)

What is a False Positive?

Scope of Impact

Current Status

How to Check the Affected Rule IDs

Inquiries Regarding Detection

Trend Micro Endpoint Solutions for False Positive Events caused by Behavior Monitoring Function (October 2025)

Product / Version includes:

Summary

What is a False Positive?

Scope of Impact

Current Status

How to Check the Affected Rule IDs

Inquiries Regarding Detection