System Watcher collects data on the actions of applications on your computer and passes this information to other components for more reliable protection.
Behavior stream signatures
Behavior Stream Signatures (BSS) contain sequences of application actions that Kaspersky Endpoint Security classifies as dangerous. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the specified action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.
By default, if application activity matches a behavior stream signature, System Watcher moves the executable file of that application to Quarantine.
Rolling back actions that have been performed by malware
When rolling back malware activity in the operating system, Kaspersky Endpoint Security takes action on the following types of malware activity:
File activity.
Kaspersky Endpoint Security deletes executable files that have been created by a malicious program and are located on any media except network media.
Kaspersky Endpoint Security deletes executable files that have been created by a program into which a malicious program has penetrated.
Kaspersky Endpoint Security does not restore changed or deleted files.
Registry activity.
Kaspersky Endpoint Security deletes partitions and registry keys that have been created by malware.
Kaspersky Endpoint Security does not restore modified or deleted partitions and registry keys.
System activity.
Kaspersky Endpoint Security terminates processes that have been initiated by a malicious program.
Kaspersky Endpoint Security terminates processes into which a malicious program has penetrated.
Kaspersky Endpoint Security does not resume processes that have been halted by a malicious program.
Network activity.
Kaspersky Endpoint Security blocks the network activity of malicious programs.
Kaspersky Endpoint Security blocks network activity of processes into which a malicious program has penetrated.
Rolling back malware operations affects a strictly defined set of data. Rollback has no adverse effects on the operating system or on the integrity of your computer data.
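The rollback rules above amount to a coverage split: some recorded actions are reversed, others are left for manual recovery. The following added example (not Kaspersky code; the Event fields, action names and sample journal are constructed assumptions) models that split so the leftover items can be listed for follow-up. It treats created files that are not executables as not covered, because the list above names only executable files.

```python
# Illustrative model of the rollback rules listed above. Event fields, action
# names and the journal are assumptions, not Kaspersky Endpoint Security data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str                    # "file", "registry", "process" or "network"
    op: str                      # what the malicious or infected process did
    target: str
    executable: bool = False     # file events: target is an executable
    network_media: bool = False  # file events: target is on network media

def plan_rollback(journal):
    """Return (actions, residue): what rollback undoes and what it leaves."""
    actions, residue = [], []
    for e in journal:
        if e.kind == "file" and e.op == "create" and e.executable and not e.network_media:
            actions.append(("delete_file", e.target))
        elif e.kind == "registry" and e.op == "create":
            actions.append(("delete_registry_key", e.target))
        elif e.kind == "process" and e.op in ("start", "inject"):
            actions.append(("terminate_process", e.target))
        elif e.kind == "network":
            actions.append(("block_network", e.target))
        else:
            # Changed or deleted files and registry data, halted processes,
            # and files on network media are not restored or removed.
            residue.append(e)
    return actions, residue

# Constructed sample journal for one detected program.
SAMPLE_JOURNAL = [
    Event("file", "create", r"C:\Users\a\AppData\dropper.exe", executable=True),
    Event("file", "create", r"\\fileserver\share\copy.exe", True, True),
    Event("file", "modify", r"C:\Users\a\Documents\report.docx"),
    Event("file", "delete", r"C:\Users\a\Documents\budget.xlsx"),
    Event("registry", "create", r"HKCU\Software\ExampleKey"),
    Event("registry", "modify", r"HKCU\Software\Existing\Setting"),
    Event("process", "start", "child.exe"),
    Event("process", "inject", "host.exe"),
    Event("process", "halt", "backup_agent.exe"),
    Event("network", "connect", "203.0.113.10:443"),
]

if __name__ == "__main__":
    actions, residue = plan_rollback(SAMPLE_JOURNAL)
    for name, target in actions:
        print(f"rollback: {name:20} {target}")
    for e in residue:
        print(f"manual:   {e.kind}/{e.op:8} {e.target}")
```

The residue list is what an incident responder still has to restore from backup or repair by hand after rollback completes.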