Creating an exclusion for an Adaptive Anomaly Control rule

You cannot create more than 1,000 exclusions for Adaptive Anomaly Control rules. It is not recommended to create more than 200 exclusions. To reduce the number of exclusions used, it is recommended to use masks in the settings of exclusions.

An exclusion for an Adaptive Anomaly Control rule includes a description of the source and target objects. The source object is the object performing the actions. The target object is the object on which the actions are being performed. For example, you have opened a file named file.xlsx. As a result, a library file with the DLL extension is loaded into the computer memory. This library is used by a browser (executable file named browser.exe). In this example, file.xlsx is the source object, Excel is the source process, browser.exe is the target object, and Browser is the target process.

To create an exclusion for an Adaptive Anomaly Control rule:

  1. In the main application window, click the button icon_settings.
  2. In the application settings window, select Security ControlsAdaptive Anomaly Control.
  3. In the Rules block, click the Edit rules button.

    The Adaptive Anomaly Control rule list opens.

  4. Select a rule in the table.
  5. Click the Edit button.

    The Adaptive Anomaly Control rule properties window opens.

  6. In the Exclusions block, click the Add button.

    The exclusion properties window opens.

  7. Select the user for which you want to configure an exclusion.
  8. Adaptive Anomaly Control does not support exclusions for user groups. If you select a user group, Kaspersky Endpoint Security does not apply the exclusion.

  9. In the Description field, enter a description of the exclusion.
  10. Define the settings of the source object or source process started by the object:
    • Source process. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe).
    • Source process hash. File hash code.
    • Source object. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe). For example, file path document.docm, which uses a script or macro to start the target processes.

      You can also specify other objects to exclude, such as a web address, macro, command in the command line, registry path, or others. Specify the object according to the following template: object://<object>, where <object> refers to the name of the object, for example, object://web.site.example.com, object://VBA, object://ipconfig, object://HKEY_USERS. You can also use masks, for example, object://*C:\Windows\temp\*.

    • Source object hash. File hash code.

    The Adaptive Anomaly Control rule is not applied to actions performed by the object, or to processes started by the object.

  11. Specify the settings of the target object or target processes started on the object.
    • Target process. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe).
    • Target process hash. File hash code.
    • Target object. The command to start the target process. Specify the command using the following pattern object://<command>, for example, object://cmdline:powershell -Command "$result = 'C:\Windows\temp\result_local_users_pwdage txt'". You can also use masks, for example, object://*C:\Windows\temp\*.
    • Target object hash. File hash code.

    The Adaptive Anomaly Control rule is not applied to actions taken on the object, or to processes started on the object.

  12. Save your changes.
Page top