Configuring Behavior Monitoring Rules and Exceptions

Procedure

1. In the Malware Behavior Blocking section:
   1. Select Enable Malware Behavior Blocking and specify the types of threats to block:
      • Known threats: Blocks behaviors associated with known malware threats
      • Known and potential threats: Blocks behaviors associated with known threats and takes action on behavior that is potentially malicious
   2. Select which Ransomware Protection features you want to enable to protect against ransomware threats.
      • Protect documents against unauthorized encryption or modification: Stops potential ransomware threats from encrypting or modifying the contents of documents
        • Automatically back up and restore files changed by suspicious programs: Creates backup copies of files being encrypted on endpoints to prevent any loss of data after detecting a ransomware threat

          Note Automatic file backup requires at least 100 MB of disk space on the agent endpoint and only backs up files that are less than 10 MB in size.

      • Block processes commonly associated with ransomware: Blocks processes associated with known ransomware threats before any encryption or modification of documents can occur
      • Enable program inspection to detect and block compromised executable files: Program inspection monitors processes and performs API hooking to determine if a program is behaving in an unexpected manner. Although this procedure increases the overall detection ratio of compromised executable files, it may result in decreased system performance.

        Tip Program inspection provides increased security if you select Known and potential threats in the Threats to block drop-down.

      For details, see Ransomware Protection.
   3. Under Anti-exploit Protection, enable Terminate programs that exhibit abnormal behavior associated with exploit attacks to protect against potentially exploited programs.

      Note Anti-exploit Protection requires that you select Enable program inspection to detect and block compromised executable files. For details, see Anti-Exploit Protection.

      Important Anti-exploit Protection works in conjunction with Real-time Scan (Quarantine malware variants detected in memory) to provide enhanced protection against Fileless Attacks. For more information, see Real-time Scan: Target Tab.

2. In the Newly Encountered Programs section, enable Monitor newly encountered programs downloaded through web or email application channels and select whether to Prompt user before executing the downloaded program or to have Apex One log the detections only.
3. In the Event Monitoring section:
   1. Select Enable Event Monitoring.
   2. Click Specify detailed settings to select the types of events to monitor.
   3. Choose the system events to monitor and select an action for each of the selected events.
      For information about monitored system events and actions, see Event Monitoring.
4. Click the Exceptions tab to configure the exception lists.
   1. When configuring a parent policy, specify how other users can configure child policies.
      • Inherit from parent: Child policies must use the settings configured in the parent policy
      • Extend from parent: Child policies can append additional settings to the settings inherited from the parent policy

        Note If your child policies Extend from parent, you can also configure Child Policy Restrictions. Restrictions prevent the child policy from adding specific objects to the list.

   2. Type the full program path in the available text field.

      Note Separate multiple entries with semicolons (;). Use the Import and Export buttons to share the list with different policies. The Approved List supports the use of wildcard characters. For more information, see Exception List Wildcard Support.

   3. Click Add.
   4. To remove a blocked or approved program from the list, click the trash bin icon () next to the program.

      Note Apex One accepts a maximum combined total of 1024 approved programs and blocked programs.