System Watcher in Kaspersky Endpoint Security 10 for Windows Workstations



2016 Jun 08 ID: 11938

The System Watcher component in Kaspersky Endpoint Security 10 for Windows Workstations collects data about applications' activity and shares it with other components for more efficient protection.

Proactive defense

System Watcher analyzes applications' activity. If an application is identified as malware, one of the following actions will be performed (depending on the selected protection mode):

  • Select action automatically (automatic protection mode). In this case, System Watcher automatically performs actions recommended by Kaspersky Lab engineers.
  • Move to Quarantine (the malicious program will be moved to Quarantine). 
  • Terminate the malware (all processes of the malware will be terminated).
  • Ignore (no action will be taken).

Rollback of malware actions

Based on the collected information, Kaspersky Endpoint Security 10 for Windows can roll back actions performed by malware. Rollback can be initiated by Proactive defense, File Anti-Virus, or during a virus scan. 

Note: Rollback of malware actions affects only a very limited set of data. It has no negative impact on the operating system and does not damage user files.

Protection against exploits

System Watcher includes technology for protection against exploits. For more information, see the article on the protection against exploits technology.

Protection against cryptoviruses

The System Watcher component includes technology that blocks the actions of cryptoviruses.

When an untrusted process attempts to encrypt a file, Kaspersky Endpoint Security 10 automatically creates a backup copy of the file before it is affected. Backup copies are saved to the system Temp folder and will be used for recovering the original file in case any cryptovirus activity is detected.

Protection against cryptoviruses has the following features:

  • If there is not enough space on the system disk where the Temp folder is located, the backup copy is not created and no notification of the backup failure is sent.
  • Backup copies are removed when Kaspersky Endpoint Security 10 for Windows is closed or System Watcher is disabled.
  • Backup copies are not removed if Kaspersky Endpoint Security 10 for Windows terminates unexpectedly. If necessary, you can clean backup copies manually by deleting the contents of the system Temp folder.
  • If Kaspersky Endpoint Security 10 for Windows or the operating system is terminated unexpectedly, Kaspersky Endpoint Security 10 for Windows will be able to save further backup copies in case of a cryptovirus infection.
  • System Watcher does not protect network drives.
  • Kaspersky Endpoint Security 10 for Windows with System Watcher enabled does not decrypt files that were affected before the product was installed.
  • NTFS streams that refer to attributes and properties of files may not be recovered if affected by cryptoviruses.
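
A check an administrator could run for two of the limits listed above: the silent backup failure when the Temp volume is low on space, and mapped network drives falling outside System Watcher's coverage. This is an added example, not Kaspersky code; the function names, the 5 GB default threshold, and the reading of "system Temp folder" as the machine-level TEMP variable are assumptions.

```powershell
# Added example (not vendor code). Assumptions: "system Temp folder" means the
# machine-level TEMP variable; the 5 GB default is a site-chosen threshold.
param([double]$MinFreeGB = 5)

function Get-SystemTempPath {
    # Machine-scope TEMP, falling back to %SystemRoot%\Temp if it is unset.
    $p = [Environment]::GetEnvironmentVariable('TEMP', 'Machine')
    if (-not $p) { $p = Join-Path $env:SystemRoot 'Temp' }
    [Environment]::ExpandEnvironmentVariables($p)
}

function Get-TempVolumeSpace {
    param([string]$Path, [double]$MinFreeGB)
    # Free space on the volume that holds the Temp folder, where backups go.
    $root  = [System.IO.Path]::GetPathRoot($Path)
    $drive = New-Object System.IO.DriveInfo($root)
    $free  = [math]::Round($drive.AvailableFreeSpace / 1GB, 2)
    [pscustomobject]@{
        TempPath       = $Path
        Volume         = $root
        FreeGB         = $free
        BelowThreshold = ($free -lt $MinFreeGB)
    }
}

function Get-MappedNetworkDrive {
    # DriveType 4 = network drive. Mappings are per logon session, so run this
    # as the logged-on user rather than as SYSTEM.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 4' |
        Select-Object DeviceID, ProviderName
}

$space = Get-TempVolumeSpace -Path (Get-SystemTempPath) -MinFreeGB $MinFreeGB
$space | Format-List
if ($space.BelowThreshold) {
    Write-Warning "Low space on $($space.Volume): backup copies may silently not be created."
}
foreach ($d in Get-MappedNetworkDrive) {
    Write-Warning "$($d.DeviceID) ($($d.ProviderName)) is a network drive outside System Watcher coverage."
}
```

The script requires PowerShell 3.0 or later and only reads system state; it does not delete anything from the Temp folder.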