
Commit 7d5e95d

Clarify trusted application behavior and alert (#2822)
The previous description for Trusted Applications was ambiguous. It contained these two statements:

* `Doesn’t monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.`
* `Might still generate malicious behavior alerts, if the application’s process events indicate malicious behavior.`

For users unfamiliar with the underlying mechanics of Elastic Defend, this created a logical conflict: How can an application that "isn't monitored" for threats still generate a "malicious behavior alert"? This lack of clarity made it difficult for users to understand the feature's true behavior and configure it with confidence.

### Solution

This change rewrites the description to be technically precise and to remove the ambiguity. The new text now clearly differentiates between two distinct layers of protection:

1. **File-based Threat Analysis:** It clarifies that "trusting" an application disables the direct scanning of the application's binary file (its code and signature). This is the "blind spot" created for performance and compatibility reasons.
2. **Behavioral Analysis:** It explains that a separate detection engine continuously monitors system-wide *patterns of activity*. The actions of a trusted application are still part of this monitoring, and an alert will be generated if its behavior matches a malicious pattern (e.g., ransomware-like file encryption).

By explicitly defining these two concepts, the documentation now accurately explains how a trusted application can be exempt from direct scanning while still being subject to behavioral monitoring. This resolves the contradiction and provides a much clearer picture for our users.
1 parent 9c968e4 commit 7d5e95d

File tree

1 file changed, +1 -1 lines changed


solutions/security/manage-elastic-defend/optimize-elastic-defend.md

Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ The following table explains the differences between several Endpoint artifacts
2121

2222
| | |
2323
| --- | --- |
24-
| [Trusted application](trusted-applications.md) | **Prevents {{elastic-endpoint}} from monitoring a process.** Use to avoid conflicts with other software, usually other antivirus or endpoint security applications.<br><br> - Creates intentional blind spots in your security environment — use sparingly!<br>- Doesn’t monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.<br>- Doesn’t generate events for the application except process events for visualizations and other internal use by the {{stack}}.<br>- Might improve performance, since {{elastic-endpoint}} monitors fewer processes.<br>- Might still generate malicious behavior alerts, if the application’s process events indicate malicious behavior. To suppress alerts, create [Endpoint alert exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions).<br> |
24+
| [Trusted application](trusted-applications.md) | **Prevents {{elastic-endpoint}} from monitoring a process.** Use to avoid conflicts with other software, usually other antivirus or endpoint security applications.<br><br> - Creates intentional blind spots in your security environment — use sparingly!<br>- Stops direct threat analysis on the application's file, meaning its signature and code will not be scanned for known malware threats upon execution.<br>- Doesn’t generate events for the application except process events for visualizations and other internal use by the {{stack}}.<br>- Might improve performance, since {{elastic-endpoint}} monitors fewer processes.<br>- While the application file itself is not scanned, its actions are still monitored as part of the overall system activity. Our separate behavioral detection engine will still generate an alert if the trusted application performs a sequence of actions that matches a malicious pattern, such as ransomware-like file encryption. To suppress alerts, create [Endpoint alert exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions).<br> |
2525
| [Event filter](event-filters.md) | **Prevents event documents from being written to {{es}}.** Use to reduce storage usage in {{es}}.<br><br>Does NOT lower CPU usage for {{elastic-endpoint}}. It still monitors event data for possible threats, but without writing event data to {{es}}.<br> |
2626
| [Blocklist](blocklist.md) | **Prevents known malware from running.** Use to extend {{elastic-defend}}'s protection against malicious processes.<br><br>NOT intended to broadly block benign applications for non-security reasons.<br> |
2727
| [Endpoint alert exception](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) | **Prevents {{elastic-endpoint}} from generating alerts or stopping processes.** Use to reduce false positive alerts, and to keep {{elastic-endpoint}} from preventing processes you want to allow.<br><br>Might also improve performance: {{elastic-endpoint}} checks for exceptions *before* most other processing, and stops monitoring a process if an exception allows it.<br> |
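Review bot: the bold lead sentence of the Trusted application row still reads "**Prevents {{elastic-endpoint}} from monitoring a process.**", which contradicts the new final bullet ("its actions are still monitored as part of the overall system activity") and reintroduces the confusion the commit message sets out to remove; consider narrowing it to the effect the bullets actually describe, e.g. "**Exempts an application's file from {{elastic-endpoint}}'s threat analysis.**", leaving the behavioral-monitoring caveat where it is. Two smaller points on the same row: "Our separate behavioral detection engine" is first person in reference documentation, whereas the rest of the table names the product (e.g. {{elastic-defend}}), and the new bullet uses a straight apostrophe in "application's" while the neighbouring bullets use the typographic one in "Doesn’t".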
