Understanding Behavior Monitoring Detection in Deep Security

    • Updated: 4 Nov 2019
    • Product/Version: Deep Security 10.0, Deep Security 11.0, Deep Security 12.0
    • Platform: N/A
Summary

Know more about the different Behavior Monitoring detection features in Deep Security.

Details

Deep Security detects malicious behaviors while the Behavior Monitoring feature is enabled.

To enable the feature:

  1. On the management console, go to Policies > Policy.
  2. Navigate to Anti-Malware > Real-Time > Malware Scan Configuration.
  3. Click Edit and select General.
  4. Under Behavior Monitoring, enable Detect suspicious activity and unauthorized changes.


With the feature enabled, Behavior Monitoring detections appear in the Anti-Malware event logs under two names: "TM_MALWARE_BEHAVIOR" and "HEU_AEGIS_CRYPT".

TM_MALWARE_BEHAVIOR is a generic behavior monitoring detection: it is raised for system activity that matches known or potential malware traits (for example, unauthorized changes to system files, processes, or registry keys).

HEU_AEGIS_CRYPT is a more specific heuristic: it is raised when a single application attempts to modify a large number of files within a short time.

To understand a detection event, check the following fields in the event record:

  • Computer - The computer on which the event was logged. If the computer has since been removed from the console, this field reads "Unknown Computer".
  • Malware - The detection name that triggered the event (TM_MALWARE_BEHAVIOR or HEU_AEGIS_CRYPT).
  • Infected File(s) - The name of the file flagged by the detection.
  • Action Taken - The result of the action configured in the malware scan configuration associated with the event.
  • Target - The file, process, or registry key (if any) that the flagged program was trying to affect. If it was trying to affect more than one object, this field reads "Multiple".

Note that legitimate applications can trigger these detections as well. For example, a backup or indexing tool may modify a large number of files in a short time by design, which matches the HEU_AEGIS_CRYPT heuristic and produces a false positive. Before treating such an event as a false positive, confirm that the flagged file is the genuine, expected binary for that application and not an impostor using a similar name or path.

If you have verified that the application is trusted, follow KB 000152502 to learn how to whitelist (allow-list) a trusted application.
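The event fields above, and the distinction between an allow-listed application's expected mass file changes and an unknown program's, can be triaged before anything is forwarded to the KB 000152502 whitelisting procedure. The script below is an added example, not Trend Micro code or a Deep Security API: it parses a constructed tab-separated export of the five event fields (the export layout, the sample events and the TRUSTED_APPS allow-list are all assumptions made for illustration) and returns a verdict per event, so that only verified applications are considered for an exception and "Unknown Computer" events are set aside because no per-computer exception can be applied to a removed host.

```python
"""Triage Deep Security Behavior Monitoring events before allow-listing.

Added example, not Trend Micro code. The export line format (tab-separated
columns in the order of the event view fields) and TRUSTED_APPS are
assumptions for illustration only.
"""
from collections import Counter

FIELDS = ("Computer", "Malware", "Infected File(s)", "Action Taken", "Target")

# Constructed sample export; these are NOT real Deep Security event lines.
SAMPLE_EXPORT = "\n".join([
    "web-01\tHEU_AEGIS_CRYPT\tC:\\Program Files\\BackupTool\\backup.exe\tTerminated\tMultiple",
    "web-01\tHEU_AEGIS_CRYPT\tC:\\Users\\alice\\AppData\\Local\\Temp\\inv0ice.exe\tTerminated\tMultiple",
    "db-02\tTM_MALWARE_BEHAVIOR\tC:\\Windows\\Temp\\updater.exe\tTerminated\t"
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Unknown Computer\tTM_MALWARE_BEHAVIOR\tC:\\Windows\\Temp\\updater.exe\tTerminated\t"
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
])

# Assumed allow-list: full paths of binaries already verified as trusted.
# Stored lower-case because Windows paths are case-insensitive.
TRUSTED_APPS = {r"c:\program files\backuptool\backup.exe"}


def parse_export(text):
    """Parse tab-separated event lines into dicts keyed by the event view fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}: {line!r}")
        events.append(dict(zip(FIELDS, cols)))
    return events


def classify(event, trusted=TRUSTED_APPS):
    """Return a triage verdict for one Behavior Monitoring event.

    Order matters: an orphaned host is reported first because no exception
    can be applied to a computer that no longer exists in the console.
    """
    if event["Computer"] == "Unknown Computer":
        return "orphaned-host"
    path = event["Infected File(s)"].strip().lower()
    if path in trusted:
        # A verified application changing files by design: likely false positive,
        # a candidate for the KB 000152502 whitelisting procedure.
        return "candidate-false-positive"
    if event["Malware"] == "HEU_AEGIS_CRYPT" and event["Target"] == "Multiple":
        # Unknown program touching many files in a short time: treat as
        # potential mass file modification until proven otherwise.
        return "investigate-mass-file-change"
    return "investigate"


def triage(text, trusted=TRUSTED_APPS):
    """Classify every event; return per-event verdicts and per-host tallies."""
    verdicts = {}
    per_host = Counter()
    for ev in parse_export(text):
        verdict = classify(ev, trusted)
        verdicts[(ev["Computer"], ev["Malware"], ev["Infected File(s)"])] = verdict
        per_host[(ev["Computer"], verdict)] += 1
    return verdicts, per_host


if __name__ == "__main__":
    results, tallies = triage(SAMPLE_EXPORT)
    for key, verdict in results.items():
        print(f"{verdict:30} {key}")
    print(dict(tallies))
```

Only events classified as candidate-false-positive should go on to the whitelisting procedure; the allow-list is keyed on the full path rather than the file name so that a binary with a familiar name dropped into a user-writable directory does not inherit a trusted application's exception.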

Solution Id:
000152508