Processing Adaptive Anomaly Control detections

During the training of Adaptive Anomaly Control rules in the Smart mode, events about detections are added to the Detections of Adaptive Anomaly Control rules repository of the Quarantine. When processing the list of detections, you either confirm a detection or add it to exclusions, depending on whether the detected behavior is actually anomalous.

We recommend that you process detections at least once a week. Otherwise, the training of the rules may never complete, and the rules will not start blocking malicious activity on devices.

To process Adaptive Anomaly Control detections:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Quarantine section.

    The Quarantine section contains a list of objects belonging to the following categories: Quarantine and backup, Unprocessed files, and Detections of Adaptive Anomaly Control rules.

  3. In the File category drop-down list, select Detections of Adaptive Anomaly Control rules.

    The page displays all active detections that have not been processed.

From this table, proceed as follows:

  4. Click the link in the Detected object column to view detailed information about a detection.

    The Detection details window opens.

  5. Analyze the detection details.
  6. Do either of the following:
    • If the detection is not anomalous, add it to exclusions. As a result, this detection and all detections of the same object on other devices are removed from the list, and the object will not be detected again on any of your users' devices. Because an exclusion suppresses the object on every device, add one only after the detection details have confirmed that the behavior is legitimate.

      A total of up to 1000 exclusions can be added across all rules.

    • If the detection is actually anomalous, confirm it. As a result, the detection is removed from the list. If this object is detected again later, on the same or any other device, it reappears in the list of detections.
  7. If necessary, process another detection.

The detections are processed.
