Learn more about the different Behavior Monitoring detection features in Deep Security.
Deep Security detects malicious behaviors while the Behavior Monitoring feature is enabled.
To enable the feature:
- On the management console, go to Policies > Policy.
- Navigate to Anti-Malware > Real-Time > Malware Scan Configuration.
- Click Edit and select General.
- Under Behavior Monitoring, enable Detect suspicious activity and unauthorized changes.
When the feature detects malicious behaviors, you may see "TM_MALWARE_BEHAVIOR" and "HEU_AEGIS_CRYPT" in the detection logs.
TM_MALWARE_BEHAVIOR is a behavior monitoring detection for system activities or behaviors associated with known and potential malware traits.
On the other hand, a HEU_AEGIS_CRYPT detection indicates that an application attempted to make changes to numerous files in a short time.
To understand a detection event, check the following details:
- Computer - The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Malware - The trigger of the detection.
- Infected File(s) - The name of the file that has been infected.
- Action Taken - Displays the results of the actions specified in the malware scan configuration associated with the event.
- Target - The file, process, or registry key (if any) that the malware was trying to affect. If the malware was trying to affect more than one, this field will contain the value "Multiple".
However, the behavior of some applications may trigger these detections even if the applications are trusted resources. For instance, an application may, by design, make changes to numerous files in a short time. This may cause a false detection.
If you have verified that the application is a trusted application, follow KB 000152502 to learn how to white-list a trusted application.
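The following is an added example, not Trend Micro code. It groups Behavior Monitoring events by detection name and file so that each application can be verified once before any white-listing decision. It assumes the events were exported to CSV with columns named after the fields listed above; the sample rows, hosts, paths and action values are constructed.

```python
import csv
import io
from collections import defaultdict

# Detection names taken from the article.
BEHAVIOR_DETECTIONS = {"TM_MALWARE_BEHAVIOR", "HEU_AEGIS_CRYPT"}

# Constructed sample export. Hosts, paths and action values are made up;
# the column names are assumed to match the event fields listed above.
SAMPLE_CSV = r"""Computer,Malware,Infected File(s),Action Taken,Target
web01,HEU_AEGIS_CRYPT,C:\Tools\backup.exe,Terminated,Multiple
app03,HEU_AEGIS_CRYPT,C:\Tools\backup.exe,Terminated,Multiple
db02,TM_MALWARE_BEHAVIOR,C:\Users\Public\upd.exe,Terminated,HKLM\Software\Example
Unknown Computer,HEU_AEGIS_CRYPT,C:\Temp\a.exe,Passed,Multiple
web01,OTHER_DETECTION,C:\Temp\x.bin,Quarantined,
"""


def triage(csv_text):
    """Group behavior monitoring events by (detection, file) for review."""
    groups = defaultdict(lambda: {"count": 0, "computers": set(),
                                  "actions": set(), "multiple": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Malware") or "").strip()
        if name not in BEHAVIOR_DETECTIONS:
            continue  # not a behavior monitoring detection
        group = groups[(name, (row.get("Infected File(s)") or "").strip())]
        group["count"] += 1
        group["computers"].add((row.get("Computer") or "").strip())
        group["actions"].add((row.get("Action Taken") or "").strip())
        # "Multiple" means more than one file, process or registry key was targeted.
        group["multiple"] |= (row.get("Target") or "").strip() == "Multiple"
    return dict(groups)


def review_queue(groups):
    """Order groups so the most widespread detections are verified first."""
    ranked = sorted(groups.items(),
                    key=lambda kv: (-len(kv[1]["computers"]), -kv[1]["count"], kv[0]))
    return [(name, path, len(g["computers"]), g["count"], g["multiple"],
             "Unknown Computer" in g["computers"])  # host removed since logging
            for (name, path), g in ranked]


if __name__ == "__main__":
    for item in review_queue(triage(SAMPLE_CSV)):
        print(item)
```

Each tuple is (detection, file, number of computers, number of events, multiple targets, seen on a removed computer).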