Configuring Behavior Monitoring Settings in Apex One

    • Updated: 6 May 2019
    • Product/Version: Apex One All.All
    • Platform: N/A N/A
Summary

Apex One constantly monitors computers (or endpoints) for unusual modifications to the operating system or to installed software. Administrators can create exception lists that allow certain programs to start despite violating a monitored change, or that completely block certain programs. In addition, programs that have a valid digital signature or have been certified are always allowed to start.

Details

Behavior Monitor requires the following services:

  • Unauthorized Change Prevention Service
  • Advanced Protection Service

Behavior Monitoring

 
Make sure to enable the required services for the appropriate Windows platform in the Additional Service Settings area.

To enable:

  1. Open the Apex One console and log in to the Management Console.
  2. Go to Agents > Agent Management.
  3. Click on the Machine/Group that you want to configure > Settings.
  4. Go to Additional Service Settings.
  5. Under Unauthorized Change Prevention Service:
    1. Tick "Enable Windows Desktops".
    2. Tick "Enable Windows Server Platforms".
  6. Go to Advanced Protection Service:
    1. Tick "Enable Windows Desktops".
    2. Tick "Enable Windows Server Platforms".
  7. Click Save.

To configure Behavior Monitoring and Ransomware Protection features:

  1. Open the Apex One console and log in to the Management Console.
  2. Go to Agents > Agent Management.
  3. Click on the Machine/Group that you want to configure > Settings.
  4. Go to Behavior Monitoring Settings:

    Behavior Monitoring

    Setting: Malware Behavior Blocking
    Description: Malware Behavior Blocking provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time. As programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.
    Action:
    • Tick "Enable Malware Behavior Blocking".
      Under "Threats to block", it is recommended to select "Known and potential threats".

    Setting: Ransomware Protection
    Description: Ransomware is a type of malware that restricts access to files and demands payment to restore the affected files. This type of threat can affect multiple files residing on your local and connected drives. It can also affect backups such as shadow copies. Ransomware Protection prevents the unauthorized modification or encryption of files on Apex One agents by "ransomware" threats.
    Action:
    1. Tick "Protect documents against unauthorized encryption or modification".
    2. Tick "Automatically backup and restore files changed by suspicious programs".
    3. Tick "Block processes commonly associated with ransomware".
       To reduce the chance of Apex One detecting a safe process as malicious, ensure that the agent has internet access to perform additional verification processes using Trend Micro servers.
    4. Tick "Enable program inspection to detect and block compromised executable files".
       Program inspection provides increased security if you select "Known and potential threats" in the "Threats to block" drop-down.

    Setting: Anti-Exploit Protection
    Description: Anti-exploit protection works in conjunction with program inspection to monitor the behavior of programs and detect abnormal behavior that may indicate that an attacker has exploited a program vulnerability. Once detected, Behavior Monitoring terminates the program processes.
    Action:
    • Tick "Terminate programs that exhibit abnormal behavior associated with exploit attacks".
    Anti-exploit Protection requires that you select "Enable program inspection to detect and block compromised executable files".

    Setting: Newly Encountered Programs
    Description: Trend Micro classifies a program as newly encountered based on the number of file detections or the historical age of the file, as determined by the Smart Protection Network.
    Action:
    • Tick "Monitor newly encountered programs downloaded through HTTP or email applications".
      It is recommended to select "Prompt user".
    This notification requires that Administrators enable Real-Time Scan and Web Reputation.

    Setting: Event Monitoring
    Description: Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It monitors system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.


  5. Click Save.
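
The settings above depend on each other (required services per platform, program inspection for Anti-exploit Protection, Real-Time Scan and Web Reputation for Newly Encountered Programs). The following is an added example, not Trend Micro code, that audits a group policy against those rules; the policy layout, key names and sample values are hypothetical and constructed for illustration, since the article does not describe an export format.

```python
# Added example: the policy layout and key names are hypothetical, not an
# Apex One export format. The rules encoded here come from the article's notes.
REQUIRED_SERVICES = ("unauthorized_change_prevention", "advanced_protection")
# feature -> settings the article says it requires
DEPENDS_ON = {
    "anti_exploit": ["program_inspection"],
    "newly_encountered_programs": ["real_time_scan", "web_reputation"],
}
# setting -> value the article recommends or tells you to tick
RECOMMENDED = {
    "malware_behavior_blocking": True,
    "threats_to_block": "Known and potential threats",
    "protect_documents": True, "backup_and_restore": True,
    "block_ransomware_processes": True, "program_inspection": True,
    "anti_exploit": True, "newly_encountered_programs": True,
    "newly_encountered_action": "Prompt user",
}


def audit_policy(policy):
    """Return sorted findings for one agent group policy."""
    findings, settings = [], policy["settings"]
    for platform in policy["platforms"]:  # "desktop" and/or "server"
        for svc in REQUIRED_SERVICES:
            if platform not in policy["services"].get(svc, []):
                findings.append(f"service-off: {svc} on {platform}")
    for feature, needs in DEPENDS_ON.items():
        for dep in needs:
            if settings.get(feature) and not settings.get(dep):
                findings.append(f"unmet-dependency: {feature} needs {dep}")
    for key, want in RECOMMENDED.items():
        if settings.get(key) != want:
            findings.append(f"not-recommended: {key}={settings.get(key)!r}")
    return sorted(findings)


# Constructed sample: a group with desktops and servers.
SAMPLE = {
    "platforms": ["desktop", "server"],
    "services": {"unauthorized_change_prevention": ["desktop", "server"],
                 "advanced_protection": ["desktop"]},
    "settings": {**RECOMMENDED, "threats_to_block": "Known threats",
                 "program_inspection": False, "real_time_scan": True,
                 "web_reputation": False},
}

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE)))
```

An "unmet-dependency" finding marks a feature that is ticked in the console but whose prerequisite, per the article's notes, is not enabled.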
Category: Configure
Solution Id: 1122593