In interactive protection mode you can view data about an incident collected by the System Watcher component. These data are then saved to a report showing history of dangerous activity. This report with the program actions helps to make a decision and to select the required action in the notification window.

When the component detects potentially dangerous software, a link to the System Watcher report is displayed at the top of the notification window with a request for action.

Exploit prevention

A new functionality of preventing and blocking actions of exploit-programs has been included into the System Watcher component.

Heuristic analysis

Use of the updatable heuristics technology (set of templates of dangerous applications behavior updated on a regular basis) allows adding new patterns to the existing heuristic databases and, therefore, do not update the whole module. New signatures are added during anti-virus databases update. Heuristic analysis use allows blocking malicious actions of an application according to signatures of heuristic database.

In Kaspersky Internet Security you can configure the System Watcher settings to apply a selected action when the application’s activity matches a dangerous behavior template.

System Watcher uses heuristic analysis to detect actions which partially match to patterns of dangerous activity. If such actions are detected the application will ask a user to select an action to be performed with a suspicious program

Depending on the selected protection mode you can set the following actions:

• Select action automatically (if automatic protection mode is enabled). In this case System Watcher will automatically apply an action recommended by Kaspersky Lab specialists. 
• Prompt for action (if interactive protection mode is enabled). In this case System Watcher will inform you of a detected suspicious activity and will prompt for action: allow or block the activity.
• Select action:
  • Delete.
  • Terminate the malware (all malware processes will be terminated).
  • Ignore (no actions will be applied to the malware).

Rolling back malware actions

On the basis of the information collected, the System Watcher component allows you to roll back malware actions. In Kaspersky Internet Security 2013, information about suspicious actions in the system is collected not only for the current session, but also for previous sessions. This makes it possible to roll back all actions performed by the application if the application is subsequently recognized as malicious. Rolling back actions after malicious activity is detected in the system can be initiated either by the System Watcher component on the basis of patterns of dangerous behavior, or by Proactive Defense, or by running a virus scan task, or during the operations of File Anti-Virus.

Application Control module

Kaspersky Internet Security includes the Applications Activity module with which you can view information about installed and running applications (such as information about an application's status and the level of trust attributed to it by Kaspersky Internet Security).

By default, the System Watcher component is enabled and runs in the mode designed by Kaspersky Lab specialists, but you can disable it if necessary. To enable/disable System Watcher:

1. Open the main application window.
2. In the right upper corner of the window, click Settings.

3. In the Settings window, go to the Protection Center tab and select the System Watcher component.
4. In the right part of the window, uncheck/check the Enable System Watcher box.
5. In the Settings window, click ОK.

6. Close the main application window.