About the Anti-Cryptor task

The Anti-Cryptor task makes it possible to detect malicious encrypting of network file resources on a protected device when it is carried out from remote devices on the corporate network.

While the Anti-Cryptor task runs, Kaspersky Security for Windows Server scans remote devices' calls to access files located in the shared folders of the protected device. If the application considers a remote device's actions on network file resources to be malicious encrypting, Kaspersky Security for Windows Server adds the device's locally unique identifier (LUID) to the list of blocked hosts.

The Anti-Cryptor task can be performed in synchronous or asynchronous mode. By default, the Anti-Cryptor task runs in asynchronous mode, and file operations are processed on several parallel threads. For more detailed information about synchronous and asynchronous modes for processing file operations and about how to change the mode used to process file operations, refer to the Kaspersky Knowledge Base.

Kaspersky Security for Windows Server does not consider activity to be malicious encrypting if the detected encryption activity takes place in folders excluded from the scope of the Anti-Cryptor task.

By default, the application blocks a host's access to network file resources for 30 minutes.

The Anti-Cryptor task does not block access to network file resources until the host's activity is identified as malicious. This can take some time, during which the encryption program may conduct malicious activity.

If the Anti-Cryptor task runs in Statistics only mode, Kaspersky Security for Windows Server only logs remote devices' attempts at malicious encrypting in the task log.
