Configure Behavior Monitoring policies to protect endpoints against ransomware, exploit attacks, and emerging threats. Use the Event Monitoring feature to assess or block behaviors commonly associated with malware threats.
Note
By default, Behavior Monitoring is disabled on all versions of Windows Server platforms.

Procedure

  1. Click the Rules tab.
  2. Select Enable Behavior Monitoring.
  3. Configure the Monitoring Level settings for Detection and Prevention.
    Important
    • Higher monitoring levels provide greater sensitivity but might generate a large number of nonessential logs and impact endpoint performance. Trend Micro recommends selecting 2 - Moderate for more relevant data with minimal impact on your endpoints.
    • The Prevention level must be the same or lower than Detection.
    • The Threats to block selection might affect the prevention actions taken for the selected prevention level.
  4. Select which Threats to block.
    • Known threats: Blocks behaviors associated with known malware threats
    • Known and potential threats: Blocks behaviors associated with known threats and takes action on behavior that is potentially malicious
  5. Select which Ransomware Protection features you want to enable to protect against ransomware threats.
    • Protect documents against unauthorized encryption or modification: Stops potential ransomware threats from encrypting or modifying the contents of documents
      • Automatically back up and restore files changed by suspicious programs: Creates backup copies of files being encrypted on endpoints to prevent any loss of data after detecting a ransomware threat
        Note
        Automatic file backup requires at least 100 MB of disk space on the agent endpoint and only backs up files that are less than 10 MB in size.
    • Block processes commonly associated with ransomware: Blocks processes associated with known ransomware threats before any encryption or modification of documents can occur
    • Enable program inspection to detect and block compromised executable files: Program inspection monitors processes and performs API hooking to determine if a program is behaving in an unexpected manner. Although this procedure increases the overall detection ratio of compromised executable files, it may result in decreased system performance.
      Note
      Program inspection provides increased security if you select Known and potential threats in the Threats to block drop-down.
  6. Under Anti-exploit Protection, enable Terminate programs that exhibit abnormal behavior associated with exploit attacks to protect against potentially exploited programs.
    Important
    Anti-exploit Protection requires that you select Enable program inspection to detect and block compromised executable files. For more information, see Anti-Exploit Protection.
    Anti-exploit Protection works in conjunction with Real-time Scan (Quarantine malware variants detected in memory) to provide enhanced protection against Fileless Attacks. For more information, see Real-time Scan: Target Tab.
  7. In the Event Monitoring section:
    1. Select Enable Event Monitoring.
    2. Click Specify detailed settings to select the types of events to monitor.
    3. Choose the system events to monitor and select an action for each of the selected events.
      For information about monitored system events and actions, see Event Monitoring.
  8. Click the Exceptions tab to configure the exception lists.
    1. When configuring a parent policy, specify how other users can configure child policies.
      • Inherit from parent: Child policies must use the settings configured in the parent policy
      • Extend from parent: Child policies can append additional settings to the settings inherited from the parent policy
        Note
        If your child policies Extend from parent, you can configure Child Policy Restrictions to prevent child policies from adding specified rules to the Rule Exceptions list.
    2. Type the full program path in the available text field.
      Note
      • Separate multiple entries with semicolons (;).
      • Use the Import and Export buttons to share the list with different policies.
      • The Approved List supports the use of wildcard characters.
        For more information, see Exception List Wildcard Support.
    3. Click Add.
    4. To remove a blocked or approved program from the list, click the trash bin icon next to the program.
      Note
      Apex One accepts a maximum combined total of 1024 approved programs and blocked programs.
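The procedure above states several constraints that are easy to get wrong when many policies are maintained by hand: the Prevention level may not exceed Detection (step 3), Anti-exploit Protection depends on program inspection (step 6), exception entries are separated by semicolons, and approved plus blocked programs may not exceed 1024 (step 8). The following pre-flight checker is an added example, not Trend Micro code and not an Apex One API; it assumes monitoring levels are represented by the numeric prefix the console shows (for example 2 for "2 - Moderate") and does not reproduce the wildcard rules, which are documented separately in Exception List Wildcard Support.

```python
"""Pre-flight consistency checks for an Apex One Behavior Monitoring policy.

Constructed example: it encodes the constraints stated in the configuration
procedure so that planned settings can be sanity-checked before they are
entered in the console. It does not talk to Apex One.
"""
from dataclasses import dataclass, field

MAX_EXCEPTION_ENTRIES = 1024  # combined approved + blocked limit from the procedure


def parse_exception_list(text: str) -> list[str]:
    """Split a semicolon-separated program list, dropping blanks and duplicates."""
    entries: list[str] = []
    for raw in text.split(";"):
        entry = raw.strip()
        if entry and entry not in entries:
            entries.append(entry)
    return entries


@dataclass
class BehaviorMonitoringPolicy:
    # Level values are an assumption: the numeric prefix shown in the console.
    detection_level: int = 2          # 2 - Moderate is the recommended setting
    prevention_level: int = 2
    program_inspection: bool = False  # "Enable program inspection ..." checkbox
    anti_exploit: bool = False        # "Terminate programs that exhibit abnormal behavior ..."
    approved: list[str] = field(default_factory=list)
    blocked: list[str] = field(default_factory=list)


def validate(policy: BehaviorMonitoringPolicy) -> list[str]:
    """Return human-readable problems; an empty list means the policy is consistent."""
    problems: list[str] = []
    if policy.prevention_level > policy.detection_level:
        problems.append("Prevention level must be the same or lower than Detection")
    if policy.anti_exploit and not policy.program_inspection:
        problems.append("Anti-exploit Protection requires program inspection to be enabled")
    total = len(policy.approved) + len(policy.blocked)
    if total > MAX_EXCEPTION_ENTRIES:
        problems.append(f"{total} exception entries exceed the limit of {MAX_EXCEPTION_ENTRIES}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a policy that violates two of the stated constraints.
    sample = BehaviorMonitoringPolicy(detection_level=2, prevention_level=3, anti_exploit=True,
                                      approved=parse_exception_list(r"C:\Tools\a.exe; C:\Tools\b.exe"))
    for line in validate(sample):
        print("problem:", line)
```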