Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating system or to installed software. Behavior Monitoring protects endpoints through Malware Behavior Blocking and Event Monitoring. Complementing these two features are a user-configured exception list and the Certified Safe Software Service.
- Behavior Monitoring does not support Windows XP or Windows 2003 64-bit platforms.
- Behavior Monitoring does support Windows Vista 64-bit platforms with SP1 or later.
- By default, Behavior Monitoring is disabled on all versions of Windows Server 2003, Windows Server 2008, and Windows Server 2012. Before enabling Behavior Monitoring on these server platforms, read the guidelines and best practices outlined in OfficeScan Agent Services.
OfficeScan applies global agent settings to all agents or only to agents with certain privileges.
To configure Behavior Monitoring Settings:
- Go to Agents > Global Agent Settings.
- Go to the Behavior Monitoring Settings section.
- Configure the following settings as required:
Option: Automatically allow program if user does not respond within __ seconds
Description: This setting only works if Event Monitoring is enabled and the action for a monitored system event is "Ask when necessary". This action prompts a user to allow or deny programs associated with the event. If the user does not respond within a certain time period, OfficeScan automatically allows the program to run. For details, see Event Monitoring.

Option: Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded)
Description: Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.
Behavior Monitoring scans the following file types for each channel:
- HTTP: Scans .exe files
- Email applications: Scans .exe files, and compressed .exe files in unencrypted .zip and .rar files
- Administrators must enable Web Reputation Services on the agent to allow OfficeScan to scan HTTP traffic before this prompt can display.
- For Windows 7/Vista/XP systems, this prompt only supports ports 80, 81, and 8080.
- OfficeScan matches the file names downloaded through email applications during the execution process. If the file name has been changed, the user does not receive a prompt.
- Go to the Certified Safe Software Service Settings section and enable the Certified Safe Software Service as required.
The Certified Safe Software Service queries Trend Micro datacenters to verify the safety of a program detected by Malware Behavior Blocking, Event Monitoring, Firewall, or antivirus scans. Enable Certified Safe Software Service to reduce the likelihood of false positive detections.
Ensure that OfficeScan agents have the correct proxy settings (for details, see OfficeScan Agent Proxy Settings) before enabling Certified Safe Software Service. Incorrect proxy settings, along with an intermittent Internet connection, can result in delays or failure to receive a response from Trend Micro datacenters, causing monitored programs to appear unresponsive.
In addition, pure IPv6 OfficeScan agents cannot query Trend Micro datacenters directly. A dual-stack proxy server that can convert IP addresses, such as DeleGate, is required to allow the OfficeScan agents to connect to the Trend Micro datacenters.
- Click Save.