Blocking malicious activities using Behavior Monitoring in OfficeScan (OSCE)

  • Updated:
    • 21 Apr 2016
  • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
  • Platform:
    • Windows 2003 Enterprise
    • Windows 2003 Standard Server Edition
    • Windows 2008 Enterprise Server
    • Windows 2008 Standard Server Edition
    • Windows 7 32-bit
    • Windows Vista 32-bit
    • Windows XP Professional
Summary

Behavior Monitoring controls access to external storage devices and network resources, regulating potential avenues for data leakage or malware infection. Through the Client Self Protection feature, Behavior Monitoring also enhances endpoint protection by keeping security-related processes always up and running, and by protecting the OfficeScan client files and registry keys.

Details

To configure the Behavior Monitoring:

  1. Log on to the OfficeScan management console.
  2. Do any of the following:
    • For OfficeScan 10.x: Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
    • For OfficeScan 11.0: Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
  3. Under each Event Monitoring Policy, select one of the four available actions:
    • Assess - The default. Shows no warning message but generates a log when a violation occurs.
    • Allow - Shows no warning message and generates no log.
    • Ask when necessary - Shows a pop-up dialogue box with a countdown in which the user can choose to allow or block the action. If allowed, no warning message is shown and no log is generated. If blocked, a warning message is shown and a log is generated.
    • Deny - Shows a warning message and generates a log.

Enabling the Deny option is highly recommended, since the actions being monitored have already been determined to be malicious in nature.

However, some applications fall into a gray area, where the actions performed by the application are malicious in nature but useful to you (for example, port scanners). For these cases, you can enable the Behavior Monitoring privileges for clients. To do this:

  1. Log on to the OfficeScan management console.
  2. Do any of the following:
    • For OfficeScan 10.x: Go to Networked Computers > Client Management > Settings > Privileges and Other Settings.
    • For OfficeScan 11.0: Go to Agents > Agent Management > Settings > Privileges and Other Settings.
  3. Under the Privileges tab, tick the following check box:

    Display the Behavior Monitoring on the client console

In OfficeScan 10 with SP1, there is a new component called the Behavior Monitoring Detection Pattern. Updated patterns are available from the ActiveUpdate servers. This pattern is activated when Malware Behavior Blocking is enabled, and it detects specific actions that are possibly malicious.

Upon detection, the user will receive an alert of a possible threat. The pattern defines the following non-configurable actions:

  • Terminate
  • Feedback
  • Ask
  • Deny

On the client machines, there is a new tab called Behavior Monitoring, which allows users to set approved or blocked programs.

If your company has a lot of remote offices or applications that may fall into the grayware category, you can add the application to the Approved Programs List. On the other hand, if there is a lot of malicious activity on the network caused by applications such as HTTP proxy tunnels, you can place them on the Blocked Programs List.

Note: By default, Behavior Monitoring is disabled on Windows Server platforms and currently only supports x86 environments.
