Adaptive Anomaly Control

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Windows for servers.

The Adaptive Anomaly Control component monitors and blocks actions that are not typical of the computers in a company's network. Adaptive Anomaly Control uses a set of rules to track non-typical behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security updates the set of rules along with the application databases. Updates to the sets of rules must be confirmed manually.

Adaptive Anomaly Control settings

Configuring Adaptive Anomaly Control consists of the following steps:

  1. Training Adaptive Anomaly Control.

    After you enable Adaptive Anomaly Control, its rules work in training mode. During training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to Kaspersky Security Center. Each rule has its own training-mode duration, set by Kaspersky experts; normally, training lasts two weeks.

    If a rule is not triggered at all during the training, Adaptive Anomaly Control will consider the actions associated with this rule as non-typical. Kaspersky Endpoint Security will block all actions associated with that rule.

    If a rule was triggered during training, Kaspersky Endpoint Security logs events in the rule triggering report and the Triggering of rules in Smart Training state repository.

  2. Analyzing the rule triggering report.

    The administrator analyzes the rule triggering report or the contents of the Triggering of rules in Smart Training state repository. Then the administrator selects the behavior of Adaptive Anomaly Control when the rule is triggered: either block or allow. The administrator can also continue to monitor how the rule works and extend the duration of the training mode. If the administrator takes no action, the rule also stays in training mode and the training term restarts.

Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following channels:

When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and display a notification (see figure below).

Adaptive Anomaly Control notification

Adaptive Anomaly Control operating algorithm

Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on the following algorithm (see the figure below).

Adaptive Anomaly Control operating algorithm
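The rule lifecycle described in the configuration steps above (training, logging of triggers, automatic blocking of rules that never fired, the administrator's allow/block decision, restart of the training term, exclusions) can be written down as a small state machine. The following Python model is an added example, not Kaspersky's code: the rule content (an office application starting PowerShell, as a parent/child image-name pair), the process-event format, exclusion by parent path, the 14-day window and the reset of the trigger flag on restart are all assumptions chosen to match the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

ALLOW, BLOCK, TRAINING = "Allow", "Block", "Training"

# Assumed content of the "Start of Microsoft PowerShell from office
# application" rule: a parent/child image-name pair. The real rule logic is
# Kaspersky's and is not published on the page.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcessStart:
    """Constructed process-creation event; field names are assumptions."""
    time: datetime
    parent: str        # image name of the parent process
    child: str         # image name of the started process
    parent_path: str   # full path of the parent, used for exclusions


def rule_matches(ev: ProcessStart) -> bool:
    """Does the event match the office-app -> PowerShell pattern?"""
    return ev.parent.lower() in OFFICE_APPS and ev.child.lower() in POWERSHELL


@dataclass
class Rule:
    name: str
    training_days: int = 14                              # "normally ... two weeks"
    training_until: Optional[datetime] = None
    triggered_in_training: bool = False
    admin_action: Optional[str] = None                   # ALLOW or BLOCK once the admin decides
    exclusions: Set[str] = field(default_factory=set)    # assumed: excluded parent paths
    log: List[str] = field(default_factory=list)         # the "Smart Training" repository

    def enable(self, now: datetime) -> None:
        """Enabling the rule starts it in training mode."""
        self.training_until = now + timedelta(days=self.training_days)

    def extend_training(self, now: datetime, days: int) -> None:
        """Administrator keeps monitoring instead of deciding."""
        self.training_until = now + timedelta(days=days)

    def state(self, now: datetime) -> str:
        """Current mode: admin decision wins, then training, then auto-block."""
        if self.admin_action:
            return self.admin_action
        if now < self.training_until:
            return TRAINING
        if self.triggered_in_training:
            # Triggered during training, but the admin took no action: the
            # training term restarts. Clearing the flag is an assumption; the
            # text only says the term is restarted.
            self.training_until = now + timedelta(days=self.training_days)
            self.triggered_in_training = False
            return TRAINING
        return BLOCK  # never triggered during training: treated as non-typical

    def handle(self, ev: ProcessStart) -> str:
        """Decide Allow/Block for one event and keep the training bookkeeping."""
        if not rule_matches(ev):
            return ALLOW
        if ev.parent_path.lower() in self.exclusions:
            return ALLOW
        mode = self.state(ev.time)
        if mode == TRAINING:
            # In training the action runs; the trigger is logged and reported.
            self.triggered_in_training = True
            self.log.append(f"{ev.time:%Y-%m-%d} {self.name}: {ev.parent} -> {ev.child}")
            return ALLOW
        return mode


def scenario() -> List[str]:
    """Walk one rule through training, an admin decision and an exclusion."""
    t0 = datetime(2024, 1, 1)
    word = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"

    def ps(day: int, parent: str = "winword.exe", path: str = word) -> ProcessStart:
        return ProcessStart(t0 + timedelta(days=day), parent, "powershell.exe", path)

    rule = Rule("Start of Microsoft PowerShell from office application")
    rule.enable(t0)
    out = []
    out.append(rule.handle(ps(3)))                                             # training: Allow, logged
    out.append(rule.handle(ps(5, "explorer.exe", "C:\\Windows\\explorer.exe")))  # no match: Allow
    out.append(rule.handle(ps(20)))                                            # term expired, no decision: restart, Allow
    rule.admin_action = BLOCK                                                  # admin reviews the report, chooses Block
    out.append(rule.handle(ps(21)))                                            # Block
    rule.exclusions.add(word.lower())                                          # exclusion for this Word binary
    out.append(rule.handle(ps(22)))                                            # excluded: Allow

    quiet = Rule("Rule that never fired in training")
    quiet.enable(t0)
    out.append(quiet.handle(ps(30)))                                           # training over, never triggered: Block
    return out
```

The order of checks in `handle` is the point worth keeping in mind when reading the triggering report: an exclusion silences the rule before any state is consulted, and an explicit administrator decision overrides both the training window and the auto-block that a silent training period would otherwise produce.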

Adaptive Anomaly Control component settings

Parameter / Description

Report on Adaptive Anomaly Control rules state (available only in the Kaspersky Security Center Console)

    This report contains information about the status of Adaptive Anomaly Control detection rules (for example, Disabled or Block). The report is generated for all administration groups.

Report on triggered Adaptive Anomaly Control rules (available only in the Kaspersky Security Center Console)

    This report contains information about non-typical actions detected using Adaptive Anomaly Control. The report is generated for all administration groups.

Rules

    Adaptive Anomaly Control table of rules. Rules are created by Kaspersky specialists based on typical scenarios of potentially malicious activity.

Templates

    Message about blocking. Template of the message that is displayed to a user when an Adaptive Anomaly Control rule that blocks a non-typical action is triggered.

    Message to administrator. Template of the message that a user can send to the local corporate network administrator if the user considers the blocking to be a mistake. After the user requests access, Kaspersky Endpoint Security sends an event to Kaspersky Security Center: Application activity blockage message to administrator. The event description contains the message to administrator with the variables substituted. You can view these events in the Kaspersky Security Center console using the predefined event selection User requests. If your organization does not have Kaspersky Security Center deployed, or there is no connection to the Administration Server, the application sends the message to administrator to the specified email address.

See also: Managing the application via the local interface

Enabling and disabling Adaptive Anomaly Control

Enabling and disabling an Adaptive Anomaly Control rule

Modifying the action taken when an Adaptive Anomaly Control rule is triggered

Creating an exclusion for an Adaptive Anomaly Control rule

Exporting and importing exclusions for Adaptive Anomaly Control rules

Applying updates for Adaptive Anomaly Control rules

Editing Adaptive Anomaly Control message templates

Viewing Adaptive Anomaly Control reports
