About Adaptive Anomaly Control
The Adaptive Anomaly Control component is available only for Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security for Business (learn more about Kaspersky Endpoint Security products for business at the Kaspersky website).
The Adaptive Anomaly Control component monitors and blocks suspicious actions that are not typical of the computers in a company’s network. Adaptive Anomaly Control uses a set of rules to track uncharacteristic behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security updates the set of rules along with the application databases. Updates to the sets of rules must be confirmed manually.
Adaptive Anomaly Control settings
Configuring Adaptive anomaly control consists of the following steps:
- Training Adaptive Anomaly Control.
After you enable Adaptive Anomaly Control, its rules work in training mode. During the training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to Kaspersky Security Center. Each rule has its own duration of the training mode. The duration of the training mode is set by Kaspersky experts. Normally, the training mode is active for two weeks.
If a rule was not triggered at all during the training, Adaptive Anomaly Control will consider the actions associated with this rule as suspicious. Kaspersky Endpoint Security will block all actions associated with that rule.
If a rule was triggered during training, Kaspersky Endpoint Security logs events in the rule triggering report and the Triggering of rules in Smart Training mode repository.
- Analyzing the rule triggering report.
The administrator analyzes the rule triggering report or the contents of the Triggering of rules in Smart Training mode repository. Then the administrator can select the behavior of Adaptive Anomaly Control when the rule is triggered: either block or allow. The administrator can also continue to monitor how the rule works and extend the duration of the training mode. If the administrator does not take any action, the application will also continue to work in training mode. The training mode time limit is then reset.
Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following channels:
- Adaptive Anomaly Control automatically starts to block the actions associated with the rules that were never triggered in training mode.
- Kaspersky Endpoint Security adds new rules or removes obsolete ones.
- The administrator configures the operation of the Adaptive Anomaly Control after reviewing the rule triggering report and the contents of the Triggering of rules in Smart Training mode repository. It is recommended to check the rule triggering report and the contents of the Triggering of rules in Smart Training mode repository.
When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and display a notification (see figure below).
Adaptive Anomaly Control notification
Adaptive Anomaly Control operating algorithm
Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on the following algorithm (see the figure below).
Adaptive Anomaly Control operating algorithm