Behavior Detection

The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance.

The Behavior Detection component utilizes Behavior Stream Signatures (BSS) for applications. BSS contain sequences of actions taken by applications that Kaspersky Endpoint Security classifies as dangerous. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.

Behavior Detection component settings

Parameter

Description

On detecting malware activity
  • Delete file. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a backup copy of the file in Backup.
  • Terminate the program. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application.
  • Inform. If this option is selected and malware activity of an application is detected, Kaspersky Endpoint Security adds information about the malware activity of the application to the list of active threats.

Protection of shared folders against external encryption
  • If the toggle button is switched on, Kaspersky Endpoint Security analyzes activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action.

On detection of external encryption of shared folders
  • Block connection. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security blocks network activity originating from the computer attempting to modify files and creates backup copies of modified files.

If the Remediation Engine component is enabled and the Block connection option is selected, Kaspersky Endpoint Security restores modified files from backup copies.

  • Inform. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security adds information about this attempt to modify files in shared folders to the list of active threats.

Kaspersky Endpoint Security prevents external encryption of only those files that are located on media that have the NTFS file system and are not encrypted by the EFS system.

Block connection for N minutes

The time for which Kaspersky Endpoint Security blocks the network activity of the remote computer performing encryption of shared folders.

The default value is 60 minutes.

Exclusions

List of computers from which attempts to encrypt shared folders will not be monitored.

The Audit Logon policy must be enabled to enable the list of computers excluded from protection of shared folders against external encryption. By default, the Audit Logon policy is disabled (for detailed information about enabling the Audit Logon policy, please visit the Microsoft website).

See also: Managing the application via the local interface

Enabling and disabling Behavior Detection

Choose action in the event malicious activity is detected in a program

Configuring protection of shared folders against external encryption
Page top