Adaptive Anomaly Control

The Adaptive Anomaly Control component is available only for Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security for Business (learn more about Kaspersky Endpoint Security products for business at the Kaspersky website).

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Windows for servers.

The Adaptive Anomaly Control component monitors and blocks actions that are not typical of the computers in a company’s network. Adaptive Anomaly Control uses a set of rules to track uncharacteristic behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security updates the set of rules along with the application databases. Updates to the sets of rules must be confirmed manually.

Adaptive Anomaly Control settings

Configuring Adaptive anomaly control consists of the following steps:

  1. Training Adaptive Anomaly Control.

    After you enable Adaptive Anomaly Control, its rules work in training mode. During the training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to Kaspersky Security Center. Each rule has its own duration of the training mode. The duration of the training mode is set by Kaspersky experts. Normally, the training mode is active for two weeks.

    If a rule is not triggered at all during the training, Adaptive Anomaly Control will consider the actions associated with this rule as non-typical. Kaspersky Endpoint Security will block all actions associated with that rule.

    If a rule was triggered during training, Kaspersky Endpoint Security logs events in the rule triggering report and the Triggering of rules in Smart Training mode repository.

  2. Analyzing the rule triggering report.

    The administrator analyzes the rule triggering report or the contents of the Triggering of rules in Smart Training mode repository. Then the administrator can select the behavior of Adaptive Anomaly Control when the rule is triggered: either block or allow. The administrator can also continue to monitor how the rule works and extend the duration of the training mode. If the administrator does not take any action, the application will also continue to work in training mode. The training mode term is restarted.

Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following channels:

When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and display a notification (see figure below).

Adaptive Anomaly Control notification

Adaptive Anomaly Control operating algorithm

Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on the following algorithm (see the figure below).

Adaptive Anomaly Control operating algorithm

Adaptive Anomaly Control component settings

Parameter

Description

Rule status report

(available only in the Kaspersky Security Center Console)

This report contains information about the status of Adaptive Anomaly Control detection rules (for example, the Off or Block). The report is generated for all administration groups.

Rule triggering report

(available only in the Kaspersky Security Center Console)

This report contains information about non-typical actions detected using Adaptive Anomaly Control. The report is generated for all administration groups.

Rules

Adaptive Anomaly Control table of rules. Rules are created by Kaspersky specialists based on typical scenarios of potentially malicious activity.

Templates

  • Message about blocking. Template of the message that is displayed to a user when an Adaptive Anomaly Control rule that blocks a non-typical action is triggered.
  • Message to administrator. Template of the message that a user can be sent to the local corporate network administrator if the user considers the blocking to be a mistake.

See also: Managing the application via the local interface

Enabling and disabling Adaptive Anomaly Control

Enabling and disabling an Adaptive Anomaly Control rule

Modifying the action taken when an Adaptive Anomaly Control rule is triggered

Creating an exclusion for an Adaptive Anomaly Control rule

Exporting and importing exclusions for Adaptive Anomaly Control rules

Applying updates for Adaptive Anomaly Control rules

Editing Adaptive Anomaly Control message templates

Viewing Adaptive Anomaly Control reports

Page top