This article provides instructions on how to configure malicious and suspicious behavior monitoring.
Applies to the following Sophos product(s) and version(s):
Enterprise Console 5.0+
As part of on-access scanning, Sophos Behavior Monitoring protects Windows computers from unidentified or "zero-day" threats and suspicious behavior.
Run-time detection can intercept threats that cannot be detected before execution. Behavior monitoring uses the following run-time detection methods to intercept threats:
Suspicious behavior detection uses Sophos’s Host Intrusion Prevention System (HIPS) to dynamically analyze the behavior of all programs running on the computer to detect and block activity that appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.
Suspicious behavior detection watches all system processes for signs of active malware, such as suspicious writes to the registry or file copy actions. It can be set to warn the administrator and/or block the process.
Malicious behavior detection dynamically analyzes all programs running on the computer to detect and block activity that is known to be malicious.
Malicious traffic detection detects communications between endpoint computers and command and control servers involved in botnet or other malware attacks.
Buffer overflow detection is important for dealing with zero-day exploits.
It dynamically analyzes the behavior of programs running on the system in order to detect when an attempt is made to exploit a running process using buffer overflow techniques. It will catch attacks targeting security vulnerabilities in both operating system software and applications.
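The detection categories above (suspicious registry writes that set a program to run at start-up, suspicious file copies, and traffic to command and control servers) can be illustrated with a small run-time classifier over endpoint telemetry. The following is an added example written for this article, not Sophos code and not how the HIPS engine is implemented: the event format, the autorun key list, the sensitive-directory list, the command and control indicator list (a `.invalid` host name and a TEST-NET-2 address) and the two policy modes are all assumptions constructed for the example.

```python
"""Illustrative run-time behavior classifier (added example, not Sophos code).

Models the categories the article lists -- suspicious registry autorun
writes, suspicious file copies, and malicious traffic to known command and
control endpoints -- over a few constructed telemetry events, and maps each
hit to the policy's "warn" or "block" action.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Registry locations used to make a program run automatically after a
# restart; the article names such writes as suspicious behavior.
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Directories where a file copy by an untrusted process is unusual (assumption).
SENSITIVE_DIRS = (r"C:\Windows\System32", r"C:\Windows")

# Constructed command and control indicators; placeholder values only.
C2_HOSTS = {"c2.example.invalid", "198.51.100.23"}


@dataclass
class Event:
    """One constructed telemetry record from an endpoint (assumed format)."""
    pid: int
    process: str
    kind: str              # "registry_write", "file_copy" or "net_connect"
    target: str            # registry key, destination path, or remote host
    trusted: bool = False  # True for processes the policy already vets


def _startswith_any(value: str, prefixes) -> bool:
    """Case-insensitive prefix match against a tuple of Windows paths/keys."""
    lowered = value.lower()
    return any(lowered.startswith(p.lower()) for p in prefixes)


def classify(ev: Event) -> Optional[str]:
    """Return the detection category that fires for ev, or None if clean."""
    if ev.trusted:
        return None
    if ev.kind == "registry_write" and _startswith_any(ev.target, AUTORUN_KEYS):
        return "suspicious behavior"
    if ev.kind == "file_copy" and _startswith_any(ev.target, SENSITIVE_DIRS):
        return "suspicious behavior"
    if ev.kind == "net_connect" and ev.target.lower() in C2_HOSTS:
        return "malicious traffic"
    return None


def decide(ev: Event, policy: Dict[str, str]) -> Optional[Tuple[int, str, str]]:
    """Combine the category with the policy mode to get (pid, category, action).

    Policy modes are an assumption: "alert" warns the administrator only,
    "alert and block" also stops the process.
    """
    category = classify(ev)
    if category is None:
        return None
    mode = policy.get(category, "alert")
    action = "block" if mode == "alert and block" else "warn"
    return (ev.pid, category, action)


def evaluate(events: List[Event], policy: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Run every event through the policy and return only the hits, in order."""
    return [d for d in (decide(e, policy) for e in events) if d is not None]


# Constructed sample telemetry: two suspicious actions by one untrusted
# process, one benign registry write, one C2 connection, one trusted installer.
SAMPLE_EVENTS = [
    Event(4120, "updater.exe", "registry_write",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(4120, "updater.exe", "file_copy", r"C:\Windows\System32\updsvc.dll"),
    Event(5310, "notes.exe", "registry_write", r"HKCU\Software\NotesApp\Settings"),
    Event(6002, "svchost.exe", "net_connect", "198.51.100.23"),
    Event(7000, "installer.msi", "registry_write",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tool", trusted=True),
]

POLICY = {"suspicious behavior": "alert and block", "malicious traffic": "alert"}

if __name__ == "__main__":
    for pid, category, action in evaluate(SAMPLE_EVENTS, POLICY):
        print(f"pid={pid} {category}: {action}")
```

Running it reports the two actions by pid 4120 as suspicious behavior to be blocked and the connection from pid 6002 as malicious traffic to warn about; the ordinary registry write by `notes.exe` and the vetted installer's autorun entry produce nothing. The prefix match is deliberately broad (anything under the `Run` keys, including subkeys), which mirrors how a warn-only policy is often used first to see what a rule would catch before switching it to block.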
Note: If you use role-based administration* then before you start the procedure described below be aware that:
For more information, see Designing sub-estates and role-based administration.
To change the settings for detecting and reporting malicious behavior:
Check which anti-virus and HIPS policy is used by the group or groups of computers you want to configure.