Behavior Monitoring controls access to external storage devices and network resources, regulating potential avenues for data leakage or malware infection. Through the Client Self Protection feature, Behavior Monitoring also enhances endpoint protection by keeping security-related processes always up and running, and by protecting the OfficeScan client files and registry keys.
To configure Behavior Monitoring:
- Log on to the OfficeScan management console.
- For OfficeScan 11.0/XG:
- Go to Agents > Agent Management.
- In the agent tree, select the agents you want to configure and click Settings > Behavior Monitoring Settings.
- Scroll down and, under each Event Monitoring Policy, select one of the four available actions:
- Assess - This is the default value that has no warning messages but generates a log when there is a violation.
- Allow - This provides no warning messages and no log.
- Ask when necessary - A pop-up dialog box with a countdown is displayed, from which the user can choose to allow or block the action. If the user allows it, no warning message is shown and no log is generated. If the user blocks it, a pop-up warning message is shown and a log is generated.
- Deny - A warning message is displayed and a log is generated.
It is highly recommended to use the Deny option, since the monitored events are ones the policy has already classified as malicious. If you are unsure how a policy will affect production endpoints, leave it on Assess first: Assess blocks nothing but logs every violation, so you can review the Behavior Monitoring logs for false positives before switching the policy to Deny.
However, some applications fall into a gray area: their behavior looks malicious to the policy but is legitimate for your purposes (e.g. port scanners). For these, you can grant the Behavior Monitoring privileges to clients. To do this:
- Log on to the OfficeScan management console.
- For OfficeScan 11.0 / XG:
- Go to Agents > Agent Management.
- In the agent tree, select the agents you want to configure and click Settings > Privileges and Other Settings.
- Under the Privileges tab, enable "Display the Behavior Monitoring settings on the OfficeScan agent console".
Starting with OfficeScan 10.0 Service Pack (SP) 1, a component called the Behavior Monitoring Detection Pattern was added. Updated patterns are available on the ActiveUpdate servers. This pattern is active when Malware Behavior Blocking is enabled, and it detects specific actions that are likely to be malicious.
Upon detection, the user will receive an alert of a possible threat. The pattern defines the following non-configurable actions:
- Terminate
- Feedback
- Ask
- Deny
Once that privilege is granted, the OfficeScan agent console on the client machines shows a new tab called Behavior Monitoring, which allows users to maintain approved and blocked program lists.
If your company has applications that may fall under the grayware category, you can add the applications to the Approved Programs List. On the other hand, if there are a lot of malicious activities in the network caused by applications like HTTP Proxy Tunnels, then you can add the applications to the Blocked Programs List.
- Behavior Monitoring does not support 64-bit Windows XP or 64-bit Windows Server 2003.
- Behavior Monitoring supports 64-bit Windows Vista with SP1 or later.
- By default, Behavior Monitoring is disabled on all versions of Windows Server 2003, Windows Server 2008, and Windows Server 2012. Before enabling Behavior Monitoring on these server platforms, read the guidelines and best practices outlined in the OfficeScan Client/Agent Services section of the OfficeScan (OSCE) Administrator's Guide.
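The platform notes above and the Client Self Protection behavior described at the top of this article can be checked from the endpoint itself. The PowerShell script below is an added example written for this article, not Trend Micro's code: it classifies the local operating system against the support and default-state rules listed above and then reports the state of the Behavior Monitoring service. The service name TMBMSRV is an assumption (it is the name commonly used by the Trend Micro Unauthorized Change Prevention Service, which implements Behavior Monitoring) and is not stated on this page; confirm it with Get-Service on an agent before relying on the check.

```powershell
# Added example (not OfficeScan's own code): evaluate this endpoint against the
# Behavior Monitoring platform notes in the article and check the agent service.

# ASSUMPTION: service name(s) backing Behavior Monitoring. Not stated in the
# article; verify on an agent with: Get-Service | Where-Object DisplayName -like 'Trend*'
$BehaviorMonitoringServices = @('TMBMSRV')

function Get-BehaviorMonitoringPlatformStatus {
    param(
        [string]$Caption,          # e.g. "Microsoft Windows Server 2008 R2 Standard"
        [string]$Architecture,     # "32-bit" or "64-bit"
        [int]$ServicePackMajor     # 0 when no service pack is installed
    )
    $is64 = $Architecture -like '64*'

    # Rules taken from the platform notes above, most specific first.
    if ($Caption -match 'Windows XP' -and $is64) {
        return 'Unsupported: 64-bit Windows XP'
    }
    if ($Caption -match 'Server 2003' -and $is64) {
        return 'Unsupported: 64-bit Windows Server 2003'
    }
    if ($Caption -match 'Windows Vista' -and $is64 -and $ServicePackMajor -lt 1) {
        return 'Unsupported: 64-bit Windows Vista requires SP1 or later'
    }
    if ($Caption -match 'Server 2003|Server 2008|Server 2012') {
        return 'Supported, but disabled by default on this server platform; read the Administrator''s Guide before enabling'
    }
    return 'Supported'
}

# Get-WmiObject is used rather than Get-CimInstance because the legacy platforms
# discussed here (XP, 2003) ship PowerShell versions without the CIM cmdlets.
$os = Get-WmiObject -Class Win32_OperatingSystem

# Win32_OperatingSystem.OSArchitecture only exists from Vista/2008 onward.
# On XP/2003 it is absent, so fall back to the pointer size of this process
# (adequate when the script runs in the native, not the WOW64, PowerShell).
$arch = if ($os.OSArchitecture) {
    $os.OSArchitecture
} elseif ([IntPtr]::Size -eq 8) {
    '64-bit'
} else {
    '32-bit'
}

$status = Get-BehaviorMonitoringPlatformStatus -Caption $os.Caption `
    -Architecture $arch -ServicePackMajor ([int]$os.ServicePackMajorVersion)

Write-Output "OS: $($os.Caption) ($arch, SP$($os.ServicePackMajorVersion))"
Write-Output "Behavior Monitoring platform status: $status"

# Client Self Protection is supposed to keep these processes running, so a
# service that is installed but not Running is worth investigating.
foreach ($name in $BehaviorMonitoringServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output "Service $name : not installed on this endpoint"
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "Service $name : $($svc.Status) (expected Running; check Client Self Protection)"
    } else {
        Write-Output "Service $name : Running"
    }
}
```

Run the script from an elevated PowerShell prompt on the agent. On a server platform it will report the operating system as supported but disabled by default, which matches the console setting you would have to change deliberately after reading the Administrator's Guide; on a supported workstation, a service that is not Running is the first thing to check before looking at the Event Monitoring Policy settings.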