
Blocking malicious activities using Behavior Monitoring in OfficeScan (OSCE)

    • Updated:
    • 13 Mar 2020
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan XG
    • OfficeScan XG.All
    • Operating system:
    • Windows 10
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server Core
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Professional 64-bit

Behavior Monitoring controls access to external storage devices and network resources, regulating potential avenues for data leakage or malware infection. Through the Client Self Protection feature, Behavior Monitoring also enhances endpoint protection by keeping security-related processes always up and running, and by protecting the OfficeScan client files and registry keys.


To configure Behavior Monitoring:

  1. Log on to the OfficeScan management console.
  2. For OfficeScan 11.0/XG:
    1. Go to Agents > Agent Management.
    2. In the agent tree, select the agent to configure, then click Settings > Behavior Monitoring Settings.


  3. Scroll down and, under each Event Monitoring Policy, select one of the four available actions:
    • Assess - This is the default value. It displays no warning message but generates a log when there is a violation.
    • Allow - Displays no warning message and generates no log.
    • Ask when necessary - Displays a pop-up dialog box with a countdown, in which the user chooses to allow or block the action. If the user allows it, no warning message is shown and no log is generated. If the user blocks it, a pop-up warning message is shown and a log is generated.
    • Deny - Displays a warning message and then generates a log.


It is highly recommended to enable the Deny option since the actions being taken are already determined to be malicious in nature.

However, some applications fall into a gray area, where the actions performed by the application are malicious but useful to you (e.g. port scanners). For these, you can enable the Behavior Monitoring Privileges for clients. To do this:

  1. Log on to the OfficeScan management console.
  2. For OfficeScan 11.0 / XG:
    1. Go to Agents > Agent Management.
    2. In the agent tree, select the agent to configure, then click Settings > Privileges and Other Settings.


  3. Under the Privileges tab, enable "Display the Behavior Monitoring settings on the OfficeScan agent console".


Starting with OfficeScan 10.0 Service Pack (SP) 1, a component called the Behavior Monitoring Detection Pattern was added. The updated patterns are available on the ActiveUpdate servers. This pattern is activated when Malware Behavior Blocking is enabled, and it detects specific actions that are possibly malicious.

Upon detection, the user will receive an alert of a possible threat. The pattern defines the following non-configurable actions:

  • Terminate
  • Feedback
  • Ask
  • Deny

On the client machines, there will be a new tab called Behavior Monitoring, which allows users to set approved or blocked programs.

If your company has applications that may fall under the grayware category, you can add the applications to the Approved Programs List. On the other hand, if there are a lot of malicious activities in the network caused by applications like HTTP Proxy Tunnels, then you can add the applications to the Blocked Programs List.

  • Behavior Monitoring does not support Windows XP or Windows 2003 64-bit platforms.
  • Behavior Monitoring supports Windows Vista 64-bit platforms with SP1 or later.
  • By default, Behavior Monitoring is disabled on all versions of Windows Server 2003, Windows Server 2008, and Windows Server 2012. Before enabling Behavior Monitoring on these server platforms, read the guidelines and best practices outlined in the OfficeScan Client/Agent Services of the OSCE Administrator's Guide.



