Adaptive Anomaly Control

for Windows

The Adaptive Anomaly Control component monitors and blocks actions that are not typical of the computers in a company's network. Adaptive Anomaly Control uses a set of rules to track non-typical behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security updates the set of rules along with the application databases.

Configuring Adaptive anomaly control consists of the following steps:

Training Adaptive Anomaly Control.
After you enable Adaptive Anomaly Control, its rules work in training mode. During the training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to the server. Each rule has its own duration of the training mode. The duration of the training mode is set by Kaspersky experts. Normally, the training mode is active for two weeks.

If a rule is not triggered at all during the training, Adaptive Anomaly Control will consider the actions associated with this rule as non-typical. Kaspersky Endpoint Security will block all actions associated with that rule.

If the rule is triggered during training, Kaspersky Endpoint Security logs events in the rule triggering report and the Adaptive Anomaly Control detection storage.
Analyzing the rule triggering report.
The administrator analyzes the rule triggering report or the contents of the Adaptive Anomaly Control detection storage. Then the administrator can select the behavior of Adaptive Anomaly Control when the rule is triggered: either block or allow. The administrator can also continue to monitor how the rule works and extend the duration of the training mode. If the administrator does not take any action, the application will also continue to work in training mode. The training mode term is restarted.

Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following channels:

Adaptive Anomaly Control automatically starts to block the actions associated with the rules that were never triggered in training mode.
Kaspersky Endpoint Security adds new rules or removes obsolete ones.

The administrator configures Adaptive Anomaly Control after analyzing the rule triggering report and the contents of the Adaptive Anomaly Control detection storage. We recommend looking at the rule triggering report and the contents of the Adaptive Anomaly Control detection storage.

Adaptive Anomaly Control settings for Pro View

Parameter	OS	Description
View report → Rules state	`Windows`	This report contains information about the status of Adaptive Anomaly Control detection rules (for example, the Disabled or Block). The report is generated for all administration groups.
View report → Detections	`Windows`	This report contains information about non-typical actions detected using Adaptive Anomaly Control. The report is generated for all administration groups.
Rules	`Windows`	Adaptive Anomaly Control table of rules. Rules are created by Kaspersky specialists based on typical scenarios of potentially malicious activity. Adaptive Anomaly Control rules work in one of the following modes: Inform. The application allows the activity covered by the rule and logs a corresponding entry. Block. The application blocks the activity covered by the rule and logs a corresponding entry. Smart. The rule works in Smart training state for a period of time defined by Kaspersky experts. In this mode, when the rule is triggered, the application allows the activity covered by the rule and logs an entry in the Adaptive Anomaly Control detection storage. Upon completion of the training, further actions are either allowed or blocked depending on the training results. You can define exclusions for Adaptive Anomaly Control rules. An exclusion for an Adaptive Anomaly Control rule includes a description of the source and target objects. The source object is the object performing the actions. The target object is the object on which the actions are being performed. For example, you have opened a file named `file.xlsx`. As a result, a library file with the DLL extension is loaded into the computer memory. This library is used by a browser (executable file named `browser.exe`). In this example, `file.xlsx` is the source object, Excel is the source process, `browser.exe` is the target object, and Browser is the target process.

Parameter

Description

View report → Rules state

Windows

This report contains information about the status of Adaptive Anomaly Control detection rules (for example, the Disabled or Block). The report is generated for all administration groups.

View report → Detections

Windows

This report contains information about non-typical actions detected using Adaptive Anomaly Control. The report is generated for all administration groups.

Rules

Windows

Adaptive Anomaly Control table of rules. Rules are created by Kaspersky specialists based on typical scenarios of potentially malicious activity.

Adaptive Anomaly Control rules work in one of the following modes:

Inform.
The application allows the activity covered by the rule and logs a corresponding entry.
Block.
The application blocks the activity covered by the rule and logs a corresponding entry.
Smart.
The rule works in Smart training state for a period of time defined by Kaspersky experts. In this mode, when the rule is triggered, the application allows the activity covered by the rule and logs an entry in the Adaptive Anomaly Control detection storage. Upon completion of the training, further actions are either allowed or blocked depending on the training results.

You can define exclusions for Adaptive Anomaly Control rules. An exclusion for an Adaptive Anomaly Control rule includes a description of the source and target objects. The source object is the object performing the actions. The target object is the object on which the actions are being performed. For example, you have opened a file named file.xlsx. As a result, a library file with the DLL extension is loaded into the computer memory. This library is used by a browser (executable file named browser.exe). In this example, file.xlsx is the source object, Excel is the source process, browser.exe is the target object, and Browser is the target process.

Page top