
Preventing Behavior Monitoring false detections in OfficeScan

    • Updated: 23 Nov 2018
    • Product/Version: OfficeScan 11.0; OfficeScan XG.All
    • Platform: Windows 10; Windows 10 32-bit; Windows 10 64-bit; Windows 2003 Server R2; Windows 2008 Server R2; Windows 2012; Windows 2016; Windows 7 32-Bit; Windows 7 64-Bit; Windows 8 32-Bit; Windows 8 64-Bit; Windows 8.1 32-Bit; Windows 8.1 64-Bit
Summary

Behavior Monitoring may falsely detect legitimate applications if they exhibit behavior that appears malicious. One of the following detection names may appear in the Behavior Monitoring logs:

  • Malware Behavior Blocking
  • Unauthorized File Encryption
  • Rapid Proliferation

This article describes several ways to prevent the issue.

Details

Choose from the following options:

The following files must be submitted to Technical Support:

  • The file detected by Behavior Monitoring
  • Behavior Monitoring Logs containing the detection

Refer to User Guide: New Requests (see the section “Files that require immediate action”) for the steps to submit a case to Technical Support.

Once the file has been verified to be normal, it will be whitelisted to prevent false detection.

The OfficeScan Agent requires an Internet connection and the following service to be enabled so that it can query the Trend Micro cloud servers that hold the whitelist:
  1. Go to Agents > Global Agent Settings.
  2. Go to the ‘System’ tab.
  3. Select ‘Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans’ and click Save.


  1. Go to Agents > Agent Management.
  2. In the Agent Tree, select the OfficeScan Server/Domain/Computer.
  3. Go to Settings > Behavior Monitoring Settings > Exceptions tab.
  4. Add the full path of the file and click Add to Approved List.
  5. Click Save.


Wildcard exclusions are available for the following versions:

  • OfficeScan 11.0 Service Pack 1 (SP1) Hot Fix Build 6315 and later builds
  • OfficeScan XG Patch 1 and later builds
  • OfficeScan XG Service Pack 1 (SP1) and later builds

For details on using wildcards in the exception lists, refer to Exception List Wildcard Support.

The Trusted Programs List excludes programs and all child processes called by the program from Real-time Scan and Behavior Monitoring scanning.

  1. Go to Agents > Agent Management.
  2. In the Agent Tree, select the OfficeScan Server/Domain/Computer.
  3. Go to Settings > Trusted Program List.
  4. Add the full path of the file and click Add to Trusted Program List.
  5. Click Save.

For security reasons, the Trusted Program feature will not take effect on the following:
  • Programs under the Windows system folder
  • Programs with no valid digital signature
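
Both conditions can be checked on the endpoint before a path is added to the Trusted Program List. The PowerShell function below is an added example, not Trend Micro code. It assumes that “Windows system folder” means %SystemRoot% and everything below it, and that the Authenticode status reported by Windows approximates the product's signature check; the function name and sample paths are hypothetical.

```powershell
# Added example: pre-check candidates for the Trusted Program List.
# Assumption: "Windows system folder" = %SystemRoot% and everything below it.
# Assumption: Windows Authenticode status approximates OfficeScan's signature check.
function Test-TrustedProgramCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    begin {
        # Trailing separator so that C:\WindowsApps does not match C:\Windows
        $systemRoot = $env:SystemRoot.TrimEnd('\') + '\'
    }
    process {
        foreach ($p in $Path) {
            $reasons = @()
            $signer  = $null
            $status  = 'NotChecked'
            $full    = $p
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                $reasons += 'File not found'
            } else {
                $full = (Resolve-Path -LiteralPath $p).ProviderPath
                if ($full.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += 'Located under the Windows system folder'
                }
                $sig    = Get-AuthenticodeSignature -LiteralPath $full
                $status = $sig.Status.ToString()
                if ($sig.Status -ne 'Valid') {
                    $reasons += "No valid digital signature ($status)"
                } else {
                    $signer = $sig.SignerCertificate.Subject
                }
            }
            [pscustomobject]@{
                Path            = $full
                Eligible        = ($reasons.Count -eq 0)
                SignatureStatus = $status
                Signer          = $signer
                Reasons         = $reasons -join '; '
            }
        }
    }
}

# Constructed sample input; the second path is hypothetical.
'C:\Windows\System32\notepad.exe', 'C:\Program Files\ExampleApp\example.exe' |
    Test-TrustedProgramCandidate | Format-List
```

Review the reported signer before trusting a path, since the Trusted Programs List also excludes every child process the program starts.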

This option is available for software developers only.

Software developers can apply for the Trend Micro GRID program where they can submit the application before public release. You may refer to The GRID: Goodware Resource and Information Database for more information.

Category: Troubleshoot; Remove a Malware / Virus
Solution Id: 1115668