About Adaptive Anomaly Control

The Adaptive Anomaly Control component is available only for Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security for Business (learn more about Kaspersky Endpoint Security products for business at the Kaspersky website).

The Adaptive Anomaly Control component monitors and blocks suspicious actions that are not typical of the computers in a company’s network. Adaptive Anomaly Control uses a set of rules to track uncharacteristic behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security updates the set of rules along with the application databases. Updates to the sets of rules must be confirmed manually.

Adaptive Anomaly Control settings

Configuring Adaptive anomaly control consists of the following steps:

  1. Training Adaptive Anomaly Control.

    After you enable Adaptive Anomaly Control, its rules work in training mode. During the training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to Kaspersky Security Center. Each rule has its own duration of the training mode. The duration of the training mode is set by Kaspersky experts. Normally, the training mode is active for two weeks.

    If a rule was not triggered at all during the training, Adaptive Anomaly Control will consider the actions associated with this rule as suspicious. Kaspersky Endpoint Security will block all actions associated with that rule.

    If a rule was triggered during training, Kaspersky Endpoint Security logs events in the rule triggering report and the Triggering of rules in Smart Training mode repository.

  2. Analyzing the rule triggering report.

    The administrator analyzes the rule triggering report or the contents of the Triggering of rules in Smart Training mode repository. Then the administrator can select the behavior of Adaptive Anomaly Control when the rule is triggered: either block or allow. The administrator can also continue to monitor how the rule works and extend the duration of the training mode. If the administrator does not take any action, the application will also continue to work in training mode. The training mode term is restarted.

Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following channels:

When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and display a notification (see figure below).

KES11_AAC_Notification

Adaptive Anomaly Control notification

Adaptive Anomaly Control operating algorithm

Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on the following algorithm (see the figure below).

KES11_Adaptive_Control_Algorithm

Adaptive Anomaly Control operating algorithm

In this section:

Enabling and disabling Adaptive Anomaly Control

Actions with Adaptive Anomaly Control rules

Editing Adaptive Anomaly Control message templates

Viewing Adaptive Anomaly Control reports

Page top