Detect suspicious behavior

If you use role-based administration:

  • You must have the Policy setting - anti-virus and HIPS right to perform this task.
  • You cannot edit a policy if it is applied outside your active sub-estate.

For more information, see Managing roles and sub-estates.

Suspicious behavior detection watches all system processes for signs of active malware, such as suspicious writes to the registry or file-copy actions. It can be set to warn the administrator, block the process, or both.

By default, suspicious behavior is detected and reported, but not blocked.

To change the settings for detecting and reporting suspicious behavior:

  1. Check which anti-virus and HIPS policy is used by the group or groups of computers you want to configure.
  2. In the Policies pane, double-click Anti-virus and HIPS.
  3. Double-click the policy you want to change.
    The Anti-Virus and HIPS policy dialog box is displayed.
  4. In the On-access scanning panel, make sure the Enable behavior monitoring check box is selected.
  5. Beside Enable behavior monitoring, click Configure.
  6. In the Configure Behavior Monitoring dialog box, make sure the Detect malicious behavior check box is selected.
    • To alert the administrator and block suspicious processes, select the Detect suspicious behavior check box and clear the Alert only, do not block suspicious behavior check box.
    • To alert the administrator, but not block suspicious processes, select both the Detect suspicious behavior check box and the Alert only, do not block suspicious behavior check box.

For the strongest protection, we advise you to enable suspicious file detection. See Configure on-access scanning.