Enabling ransomware protection for Worry-Free Business Security Services (WFBS-SVC)

    • Updated: 22 Aug 2017
    • Product/Version:
      • Worry-Free Business Security Services 5.7
      • Worry-Free Business Security Services 6.0
      • Worry-Free Business Security Services 6.1
      • Worry-Free Business Security Services 6.2
    • Platform: N/A
Summary

Enabling Behavior Monitoring (including warning messages), Web Reputation Services, and Predictive Machine Learning adds more layers of protection for Worry-Free Business Security Services (WFBS-SVC) users.

Details

Prompting users adds another security layer before a program can be executed. This feature works when Behavior Monitoring and Web Reputation Services are enabled.

Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, software, files and folders. The settings can be enabled or disabled only per group.

To configure:

  1. Go to Devices.
  2. Select a desktop or server group.
  3. Click Configure Policy.
  4. Choose Windows.
  5. Click Behavior Monitoring.
  6. Update the following as required:

    • Enable Behavior Monitoring
    • Malware Behavior Blocking

      Malware Behavior Blocking provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time. As programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.

      • Enable Malware Behavior Blocking for known and potential threats

        Malware Behavior Monitoring provides the following threat-level scanning options:

        • Known threats: Blocks behaviors associated with known malware threats
        • Known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious
      • Enable Intuit QuickBooks Protection

        Protects all Intuit QuickBooks files and folders from unauthorized changes by other programs. Enabling this feature will not affect changes made from within Intuit QuickBooks programs, but will only prevent changes to the files from other unauthorized applications.

        The following products are supported:

        • QuickBooks Simple Start
        • QuickBooks Pro
        • QuickBooks Premier
        • QuickBooks Online
    • Ransomware Protection

      • Enable document protection against unauthorized encryption or modification: Protects documents from unauthorized changes. Enabling this option stops processes that rename, modify and delete files, and then quarantines the programs that are running these processes.
      • Enable blocking of processes commonly associated with ransomware: Protects endpoints from ransomware attacks by blocking processes commonly associated with hijacking attempts.
      • Enable program inspection to detect and block compromised executable files: Protects endpoints from ransomware attacks by increasing the overall detection ratio for compromised executable files and programs that are behaving in an unexpected manner.

    • Event Monitoring

      For a more generic approach to protecting against unauthorized software and malware attacks, Event Monitoring watches system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.

      The following table provides a list of monitored system events.

      Table 1. Monitored System Events

      | Event | Description |
      |---|---|
      | Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. |
      | Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites. |
      | Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. |
      | New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. |
      | Internet Explorer Setting Modification | Many virus/malware programs change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions. |
      | Security Policy Modification | Modifications in Windows Security Policy can allow unwanted applications to run and change system settings. |
      | Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. |
      | Shell Modification | Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. |
      | New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. |
      | System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. |
      | Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves access to the network and the Internet. |
      | System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. |
      | New Startup Program | Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts. |

      When Event Monitoring detects a monitored system event, it performs the action configured for the event.

      The following table lists possible actions that administrators can take on monitored system events.

      Table 2. Actions on Monitored System Events

      | Action | Description |
      |---|---|
      | Always allow | Worry-Free Business Security Services always allows programs associated with an event. |
      | Ask when necessary | Worry-Free Business Security Services prompts users to allow or deny programs associated with an event and add the programs to the exception list. If the user does not respond within a certain time period, Worry-Free Business Security Services automatically allows the program to run. The default time period is 30 seconds. Note: This option is not supported for Program Library Injections on 64-bit systems. |
      | Always block | Worry-Free Business Security Services always blocks programs associated with an event and records this action in the logs. When a program is blocked and alerts are enabled, Worry-Free Business Security Services displays an alert on the Worry-Free Business Security Services computer. |

    • Exceptions

      This section contains an Approved Program List and a Blocked Program List. Programs in the Approved Program List can be started even if they violate a monitored change, while programs in the Blocked Program List can never be started.

    • Security Agent Alerts

      Tick the checkbox next to Display alerts on devices with Behavior Monitoring violations.

  7. Click Save.
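
The script below is an added example, not Trend Micro code: before setting Event Monitoring actions to Always block, it takes a read-only snapshot of a few Windows areas that correspond to Table 1 events, so that changes made by legitimate software can be identified for the Approved Program List. The registry keys, file path and the `$BaselinePath` default are assumptions chosen for illustration; the page does not list which locations the agent watches.

```powershell
# Added example: read-only snapshot of Windows areas matching some Table 1 events.
# Locations are assumptions; the agent's own watch list is not given on this page.
param(
    [string]$BaselinePath = "$env:TEMP\wfbs-em-baseline.txt"  # hypothetical path
)

function Get-MonitoredAreaSnapshot {
    # Hosts File Modification: active (non-comment) mappings
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object { 'hosts|' + ($_ -replace '\s+', ' ').Trim() }

    # New Startup Program: Run / RunOnce autostart values
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                "autostart|$path|$name|$($key.GetValue($name))"
            }
        }
    }

    # Program Library Injection: AppInit_DLLs
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) { "appinit|$appInit" }

    # New Service: service name and binary path
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { "service|$($_.Name)|$($_.PathName)" }
}

$current = @(Get-MonitoredAreaSnapshot | Sort-Object -Unique)
if (Test-Path -Path $BaselinePath) {
    $baseline = @(Get-Content -Path $BaselinePath)
    # '=>' entries appeared since the baseline; '<=' entries were removed
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Select-Object -Property SideIndicator, InputObject
} else {
    Set-Content -Path $BaselinePath -Value $current
    "Baseline with $($current.Count) entries written to $BaselinePath"
}
```

Run it once on a known-good endpoint, install or update the line-of-business software, then run it again; the `=>` lines show which of these areas that software touched.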

Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, other software, files and folders.

When enabled, Worry-Free Business Security temporarily blocks a newly-encountered program downloaded through HTTP or email applications and prompts users to select an action ("Block once" or "Allow once"). If users do not select an action within the specified time period, the program is automatically blocked.

 
This feature is currently available only for Windows devices.
  1. Go to Administration > Global Settings > Security Settings > Behavior Monitoring.
  2. Select any of the following as required:
    • Enable warning messages for low-risk changes or other monitored actions: Agents warn users of low-risk changes or monitored actions.
    • Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded): After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.

       

  3. Click Save.
  4. Users will be prompted with the following message:

    Newly Encountered Program Detected


Web Reputation enhances protection against malicious websites. Web Reputation leverages Trend Micro's extensive web security database to check the reputation of URLs that clients are attempting to access, or of URLs embedded in email messages that contact websites.

To configure:

  1. Go to Devices.
  2. Select a desktop or server group.
  3. Click Configure Policy.
  4. Choose Windows.
  5. Click Web Reputation.
  6. Update the following as required:
    • Enable Web Reputation.
    • Security Level
      • High: Blocks the following pages:
        • Dangerous: Verified to be fraudulent or known sources of threats
        • Highly suspicious: Suspected to be fraudulent or possible sources of threats
        • Suspicious: Associated with spam or possibly compromised
        • Untested: While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages.
      • Medium: Blocks the following pages:
        • Dangerous: Verified to be fraudulent or known sources of threats
        • Highly suspicious: Suspected to be fraudulent or possible sources of threats
      • Low: Blocks the following pages:
        • Dangerous: Verified to be fraudulent or known sources of threats
  7. Click Modify Global Approved URLs to edit the list of approved websites. 
    This also adjusts your settings on the Global Settings screen. See Configuring Global Settings.
  8. Enable Browser Exploit Prevention > Block pages containing malicious script to protect against browser exploits containing malicious script.
  9. Click Save.

Trend Micro Predictive Machine Learning uses advanced machine learning technology to detect emerging unknown security risks found in low-prevalence suspicious processes or files originating from removable storage, web, or email channels.

To configure:

  1. Go to Devices.
  2. Select a desktop or server group.
  3. Click Configure Policy.
  4. Choose Windows.
  5. Click Predictive Machine Learning.
  6. Select Enable Predictive Machine Learning.
  7. Under Detection Settings, select the type of detections and related action that Predictive Machine Learning takes.

    Detection types and actions:

    • File
      • Quarantine: Select to automatically quarantine files that exhibit malware-related features based on the Predictive Machine Learning analysis.
      • Log only: Select to scan unknown files and log the Predictive Machine Learning analysis for further in-house investigation of the threat.
    • Process
      • Terminate: Select to automatically terminate processes that exhibit malware-related behaviors based on the Predictive Machine Learning analysis.
      • Log only: Select to scan unknown processes and log the Predictive Machine Learning analysis for further in-house investigation of the threat.
  8. Click Save.

Category: Configure; Troubleshoot; Deploy
Solution Id: 1112168