Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It monitors system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
The following table provides a list of monitored system events.
Events |
Description |
---|---|
Duplicated System File |
Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. |
Hosts File Modification |
The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites. |
Suspicious Behavior |
Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. |
New Internet Explorer Plugin |
Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. |
Internet Explorer Setting Modification |
Malware programs may change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions. |
Security Policy Modification |
Modifications in Windows Security Policy can allow unwanted applications to run and change system settings. |
Program Library Injection |
Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. |
Shell Modification |
Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. |
New Service |
Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. |
System File Modification |
Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. |
Firewall Policy Modification |
The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access to the network and the Internet. |
System Process Modification |
Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. |
New Startup Program |
Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts. |
When Event Monitoring detects a monitored system event, it performs the action configured for the event.
The following table lists possible actions that administrators can take on monitored system events.
Action |
Description |
---|---|
Assess |
The Security Agent always allows programs associated with an event to run and logs the event for assessment. This is the default action for all monitored system events. Note:
This option is not supported for the Program Library Injection (DLL injection) event on 64-bit systems. |
Allow |
The Security Agent always allows programs associated with an event to run. |
Ask when necessary |
The Security Agent prompts users to allow or deny programs associated with an event from running and adds the programs to the exception list If the user does not respond within a certain time period, the Security Agent automatically allows the program to run. The default time period is 30 seconds. To modify the time period, see Configuring Global Behavior Monitoring Settings. Note:
This option is not supported for the Program Library Injection (DLL injection) event on 64-bit systems. |
Deny |
The Security Agent always blocks programs associated with an event from running and logs the event. After blocking a program with notifications enabled, the Security Agent displays a notification on the endpoint. For details about notifications, see Behavior Monitoring Notifications for Security Agent Users. |