Sign In with your
Trend Micro Account
需要協助?
需要協助?

若您需要技術支援,請 按此建立案件。

Behavior Monitoring detections

    • 更新於:
    • 27 Jun 2019
    • 產品/版本:
    • Deep Security
    • OfficeScan XG
    • 作業系統:
    • N/A N/A
概要

Learn about the different Behavior Monitoring detection component features.

詳情
Public

For OfficeScan

Unauthorized File Encryption is a Behavior Monitoring feature that blocks unwanted file encryption or modification which can indicate a potential ransomware behavior.

Below is a sample detection:

unauthorized file enc

Click image to enlarge.

To enable the feature:

  1. Login to OfficeScan server web console.
  2. Go to Agents > Agent Management.
  3. In the Agent Tree, select OfficeScan Server/Domain/Computer.
  4. Go to Settings > Behavior Monitoring Settings.
  5. Select "Protect documents against unauthorized encryption or modification". Then under this option select "Automatically back up files changed by suspicious programs".

    auto back up files

 
This feature requires Unauthorized Change Prevention Service to be enabled. You may enable this under Agent > Agent Management > Settings > Additional Services Settings.

additional settings

Malware Behavior Blocking is a security feature in OSCE that does the following:

  • For known threats, it blocks behavior associated with known malware threats
  • For known and potential threats, it blocks behavior associated with known threats and takes action on potentially malicious behavior

Below is a sample detection:

Malware Behavior Blocking

Click image to enlarge.

To enable the feature:

  1. Login to OfficeScan server web console.
  2. Go to Agents > Agent Management.
  3. In the Agent Tree, select OfficeScan Server/Domain/Computer.
  4. Go to Settings > Behavior Monitoring Settings.
  5. Select "Enable Malware Behavior Blocking".

    Enable Malware Behavior Blocking

 
This feature requires Unauthorized Change Prevention Service to be enabled. You may enable this under Agent > Agent Management > Settings > Additional Services Settings.

additional settings

Compromised Executable File is a behavior monitoring detection leveraging ATSE (Advance Threat Scan Engine) heuristics for programs that exhibits abnormal behavior associated with exploit attacks.

Below is a sample detection:

Compromised Executable File Detection

Click image to enlarge.

To enable the feature:

  1. Login to OfficeScan server web console.
  2. Go to Agents > Agent Management.
  3. In the Agent Tree, select OfficeScan Server/Domain/Computer.
  4. Go to Settings > Behavior Monitoring Settings.
  5. Select "Enable program inspection to detect and block compromised executable files".

    abnormal behavior

 
This feature requires Unauthorized Change Prevention Service to be enabled. You may enable this under Agent > Agent Management > Settings > Additional Services Settings.

additional settings

Newly Encountered Program recognition is a feature designed to help prevent 0-day attacks. TrendMicro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.

Below is a sample detection:

Encountered Program Detection

Click image to enlarge.

To enable the feature:

  1. Login to OfficeScan server web console.
  2. Go to Agents > Agent Management > Settings > Additional Services Settings.
  3. In the Agent Tree, select OfficeScan Server/Domain/Computer.

    newly encountered programs

This feature requires the following to be enabled:

  • Unauthorized Change Prevention Service

    To enable the feature:

    1. Navigate to Agents > Agent Management.
    2. In the Agent Tree, select OfficeScan Server/Domain/Computer.
    3. Go to Settings > Behavior Monitoring Settings.
    4. Put a check on "Monitor newly encountered programs downloaded through web or email application channels" and click Apply to All Agents.

      Unauthorized Change Prevention Service

  • Web Reputation

    To enable the feature:

    1. In the management console, go to Agents > Agent Management > Settings > Web Reputation Settings.
    2. Select "Enable Web reputation policy on the following operating systems".

      Web Reputation

  • OfficeScan Real-time Scan

    To enable the feature:

    1. In the management console, go to Agents > Agent Management > Settings > Scan Settings > Real-time Scan Settings.
    2. Select "Enable virus/malware scan".

      Real-time Scan

For Deep Security

TM_MALWARE_BEHAVIOR is a behavior monitoring detection for system activities or behaviors associated with known and potential malware traits.

Below is a sample detection:

TM_MALWARE_BEHAVIOR

Click image to enlarge.

To enable the feature:

  1. In the management console, go to Policies > Policy > Anti-Malware > Real-Time > Malware Scan Configuration > Edit > General > Behavior Monitoring.
  2. Select "Detect suspicious activity and unauthorized changes".

    Detect suspicious activity and unauthorized changes

HEU_AEGIS_CRYPT is a behavior monitoring ransomware protection feature that blocks possible unwanted document file encryption or modification which can indicate a potential ransomware malware encryption behavior.

Below is a sample detection:

HEU_AEGIS_CRYPT

Click image to enlarge.

To enable the feature:

  1. In the management console, go to Policies > Policy > Anti-Malware > Real-Time > Malware Scan Configuration > Edit > General > Behavior Monitoring.
  2. Select "Detect suspicious activity and unauthorized changes".

    Detect suspicious activity and unauthorized changes

Premium
Internal
評價:
分類:
Configure; Remove a Malware / Virus
解決方案ID:
1121152
評定這個解決方案
本文是否幫助解決您的問題?

感謝您的意見!

請留下您的Email方便進一步的聯繫,協助我們改進文章內容:
我們不會透過以上Email寄送任何可能騷擾您的垃圾信.

本意見調查系統為自動運作,將不會回覆如銷售、技術、產品等一般問題.

若您需要協助,請聯繫對應的技術支援窗口. 聯絡我們


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.