Scenario: Configuring Adaptive Anomaly Control rules in the Smart mode

Configuring the Adaptive Anomaly Control rules proceeds in stages:

  1. Training

    After you enable Adaptive Anomaly Control, its rules are in the "Smart training" state. During the training, Adaptive Anomaly Control monitors detections made by the rule and sends detection events to the server.

    If a rule is not triggered at all on a certain device during the training, Adaptive Anomaly Control considers the actions associated with this rule as non-typical. Kaspersky Endpoint Security Cloud will block all actions associated with that rule on that device.

    If a rule is triggered during the training, Kaspersky Endpoint Security Cloud adds events to the detections report and to the Detections of Adaptive Anomaly Control rules repository of the Quarantine.

  2. Processing the list of detections

    Analyze the list of detections in the Detections of Adaptive Anomaly Control rules repository. For each detection, perform one of the following actions:

    • If the detection is not anomalous, add it to exclusions. As a result, this detection and all detections of the same object on other devices are removed from the list. Later, this object will not be detected again on any of your users' devices.

      You can add up to 1000 exclusions for all rules.

    • If the detection is actually anomalous, confirm it. As a result, the detection is removed from the list. Later, if this object is detected again on the same or any other device, it will re-appear in the list of detections.

Each rule has its own training duration, set by Kaspersky experts. Normally, the training lasts two weeks. The training time is counted separately for each device, and only while Kaspersky Endpoint Security for Windows is running on that device. For example, if the training on a device has lasted for a week and the device is then turned off for a month, the second training week starts only when the device is turned on again.

The training for a rule on a device ends when there are no unprocessed detections over the training duration. That is why we recommend that you process detections at least once a week.
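The following is an added model of the training lifecycle described above, not Kaspersky's own code: it tracks one rule on one device with a clock that advances only while the agent runs, queues detections for the administrator, and ends training only when the clock reaches the duration with nothing left unprocessed. The class and function names are hypothetical, the 14-day duration is the "normally two weeks" figure, and the reading of the completion rule is an assumption stated in the `tick` docstring.

```python
from dataclasses import dataclass, field

TRAINING_DAYS = 14   # "normally two weeks"; the real per-rule value is set by Kaspersky experts

@dataclass
class DeviceRuleTraining:
    """Training state of one Adaptive Anomaly Control rule on one device (hypothetical model)."""
    state: str = "Smart training"
    uptime_days: int = 0                  # training clock: advances only while the agent runs
    triggered: bool = False               # did the rule fire at all during training?
    unprocessed: set = field(default_factory=set)  # detected objects not yet excluded/confirmed
    blocks_actions: bool = False          # set when training ends without a single trigger

    def detect(self, object_id: str) -> None:
        """The rule fires on this object: record it and queue it for the administrator."""
        if self.state == "Smart training":
            self.triggered = True
            self.unprocessed.add(object_id)

    def process(self, object_id: str, anomalous: bool) -> None:
        """Confirm (anomalous) or exclude (not anomalous): either way it leaves the list.
        An exclusion would also suppress future detections of the object; not modelled here."""
        self.unprocessed.discard(object_id)

    def tick(self, agent_running: bool, days: int = 1) -> str:
        """Calendar days pass. Assumed reading of the completion rule: training ends once the
        uptime clock reaches TRAINING_DAYS with nothing left unprocessed."""
        for _ in range(days):
            if self.state == "Smart training" and agent_running:
                self.uptime_days += 1
                if self.uptime_days >= TRAINING_DAYS and not self.unprocessed:
                    self.state = "Trained"
                    self.blocks_actions = not self.triggered
        return self.state

def scenario() -> dict:
    """The text's example: a week of training, a month switched off, then the second week."""
    quiet = DeviceRuleTraining()   # the rule never fires here: its actions end up blocked
    noisy = DeviceRuleTraining()   # the rule fires once; the admin processes it late
    for d in (quiet, noisy): d.tick(True, 7)          # first training week
    noisy.detect("sample-object-1")                    # constructed detection
    for d in (quiet, noisy): d.tick(False, 30)         # switched off for a month: no progress
    for d in (quiet, noisy): d.tick(True, 7)           # second training week
    noisy_before = noisy.state                         # pending detection keeps it in training
    noisy.process("sample-object-1", anomalous=True)
    noisy.tick(True)
    return {"quiet": (quiet.state, quiet.blocks_actions, quiet.uptime_days),
            "noisy_before_processing": noisy_before,
            "noisy": (noisy.state, noisy.blocks_actions, noisy.uptime_days)}
```

Running `scenario()` shows the quiet device finishing training after exactly 14 uptime days and switching to blocking, while the device with an unprocessed detection stays in training until the administrator handles it.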
