You cannot create more than 1,000 exclusions for Adaptive Anomaly Control rules. It is not recommended to create more than 200 exclusions. To reduce the number of exclusions used, it is recommended to use masks in the settings of exclusions.
An exclusion for an Adaptive Anomaly Control rule includes a description of the source and target objects. The source object is the object performing the actions. The target object is the object on which the actions are being performed. For example, you have opened a file named file.xlsx
. As a result, a library file with the DLL extension is loaded into the computer memory. This library is used by a browser (executable file named browser.exe
). In this example, file.xlsx
is the source object, Excel is the source process, browser.exe
is the target object, and Browser is the target process.
To create an exclusion for an Adaptive Anomaly Control rule:
The Adaptive Anomaly Control rule list opens.
The Adaptive Anomaly Control rule properties window opens.
The exclusion properties window opens.
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
Adaptive Anomaly Control does not support exclusions for user groups. If you select a user group, Kaspersky Endpoint Security does not apply the exclusion.
C:\Dir\File.exe
or Dir\*.exe
).C:\Dir\File.exe
or Dir\*.exe
). For example, file path document.docm
, which uses a script or macro to start the target processes.You can also specify other objects to exclude, such as a web address, macro, command in the command line, registry path, or others. Specify the object according to the following template: object://<object>
, where <object>
refers to the name of the object, for example, object://web.site.example.com
, object://VBA
, object://ipconfig
, object://HKEY_USERS
. You can also use masks, for example, object://*C:\Windows\temp\*
.
The Adaptive Anomaly Control rule is not applied to actions performed by the object, or to processes started by the object.
C:\Dir\File.exe
or Dir\*.exe
).object://<command>
, for example, object://cmdline:powershell -Command "$result = 'C:\Windows\temp\result_local_users_pwdage.txt'"
. You can also use masks, for example, object://*C:\Windows\temp\*
.The Adaptive Anomaly Control rule is not applied to actions taken on the object, or to processes started on the object.