Know the default values of the monitored changes in Behavior Monitoring of WFBS.
The agents constantly monitor clients for unusual modifications on the operating system or installed software. You can create exception lists that allow certain programs to start while violating a monitored change, or completely block certain programs. In addition, programs with a valid digital signature are always allowed to start.
Another feature of Behavior Monitoring is to protect EXE and DLL files from being deleted or modified. Users with this privilege can protect specific folders. Also, users can select to collectively protect all Intuit QuickBooks programs.
To view the description and default value of the monitored changes, refer to the following table:
|Possible Changes Monitored|
|Monitored Change||Description||Default Value|
|Duplicated System File||Many malicious programs create copies of themselves or other malicious programs using filenames used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files.||Ask when necessary.|
|Hosts file modification||The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites.||Always block|
|Suspicious Behavior||Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution.||Ask when necessary|
|System file modification||Certain Windows system files determine system behavior, including startup programs and screensaver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior.||Always block|
|New Internet Explorer Plug-in||Spyware/grayware programs often install unwanted Internet Explorer plug-ins, including toolbars and Browser Helper Objects.||Ask when necessary|
|Internet Explorer Setting Modification||Many virus/malware change Internet Explorer settings, including the home page, trusted web sites, proxy server settings, and menu extensions.||Always block|
|Security Policy Modification||Modifications in Windows Security Policy can allow unwanted applications to run and change system settings.||Always block|
|Firewall Policy Modification||The Windows Firewall policy determines the applications that have access to the network, open ports for communication, and IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access the network and the Internet.||Ask when necessary|
|Program Library Injection||Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in DLL to run every time an application starts.||Ask when necessary|
|Shell Modification||Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if the users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications.||Ask when necessary|
|New Service||Windows services are processes that have special functions and continuously run in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden.||Ask when necessary|
|System process modification||Many malicious programs perform various actions on built-in Windows processes. These actions may include terminating or modifying running processes.||Ask when necessary|
|New Startup Program||Many malicious programs configure Windows so that small applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts.||Ask when necessary|