Blocking malicious activities using Behavior Monitoring in OfficeScan (OSCE)

    • Updated: 17 Oct 2016
    • Product/Version: OfficeScan 10.6, OfficeScan 11.0, OfficeScan XG.All
    • Platform:
    • Windows 10
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server Core
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

Behavior Monitoring controls access to external storage devices and network resources, regulating potential avenues for data leakage or malware infection. Through the Client Self Protection feature, Behavior Monitoring also enhances endpoint protection by keeping security-related processes always up and running, and by protecting the OfficeScan client files and registry keys.

Details

To configure Behavior Monitoring:

  1. Log on to the OfficeScan management console.
  2. Do any of the following:
    • For OfficeScan 10.x: Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
    • For OfficeScan 11.0 / XG: Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
  3. Under each Event Monitoring Policy, select one of the four available actions:
    • Assess - The default value. No warning message is displayed, but a log is generated when there is a violation.
    • Allow - No warning message is displayed and no log is generated.
    • Ask when necessary - A pop-up dialog box with a countdown lets the user allow or block the action. When allowed, there is no warning message and no log. When blocked, a pop-up warning message is displayed and a log is generated.
    • Deny - A warning message is displayed and a log is generated.

It is highly recommended to enable the Deny option since the actions being taken are already determined to be malicious in nature.

However, some applications fall into a gray area, where the actions performed by the application are malicious but useful to you (for example, port scanners). For these, you can enable the Behavior Monitoring Privileges for clients. To do this:

  1. Log on to the OfficeScan management console.
  2. Do any of the following:
    • For OfficeScan 10.x: Go to Networked Computers > Client Management > Settings > Privileges and Other Settings.
    • For OfficeScan 11.0 / XG: Go to Agents > Agent Management > Settings > Privileges and Other Settings.
  3. Under the Privileges tab, enable Display the Behavior Monitoring settings on the OfficeScan agent console.

Starting with OfficeScan 10.0 Service Pack (SP) 1, a component called the Behavior Monitoring Detection Pattern was added. The updated patterns are available on the ActiveUpdate servers. This pattern is activated when Malware Behavior Blocking is enabled, and it detects specific actions that are possibly malicious.

Upon detection, the user will receive an alert of a possible threat. The pattern defines the following non-configurable actions:

  • Terminate
  • Feedback
  • Ask
  • Deny

On the client machines, there will be a new tab called Behavior Monitoring, which allows users to set approved or blocked programs.

If your company has applications that may fall under the grayware category, you can add the applications to the Approved Programs List. On the other hand, if there are a lot of malicious activities in the network caused by applications like HTTP Proxy Tunnels, then you can add the applications to the Blocked Programs List.

 
  • Behavior Monitoring does not support Windows XP or Windows 2003 64-bit platforms.
  • Behavior Monitoring supports Windows Vista 64-bit platforms with SP1 or later.
  • By default, Behavior Monitoring is disabled on all versions of Windows Server 2003, Windows Server 2008, and Windows Server 2012. Before enabling Behavior Monitoring on these server platforms, read the guidelines and best practices outlined in the OfficeScan Client/Agent Services section of the OSCE Administrator's Guide.
Category: Configure
Solution Id: 1054950