Kaspersky Endpoint Security 12 for Linux

Protection against remote malicious encryption

July 22, 2024

ID 263950

The Anti-Cryptor component protects files in local directories that are shared over the network via the SMB or NFS protocols against remote malicious encryption.

To use the component, a license that includes the corresponding function is required.

This feature is not supported in the KESL container.

If Anti-Cryptor is enabled, Kaspersky Endpoint Security scans the actions that remote devices perform on file resources located in the shared network directories of the protected device for signs of malicious encryption. If the application considers the actions of a remote device accessing shared network resources to be malicious encryption, it creates and enables a rule in the operating system firewall that blocks network traffic from the compromised device. The compromised device is added to the list of untrusted devices, and access to shared network directories is blocked for all untrusted devices. The application creates an Encryption detected event that contains information about the compromised device.

By default, the application blocks access of untrusted devices to network file resources for 30 minutes. When the blocking time expires, the application deletes the compromised device from the list of untrusted devices, and the device's access to network file resources is automatically restored.

Firewall rules created by the Anti-Cryptor component cannot be removed with the iptables utility, because the application restores its set of rules every minute.

Protection against remote malicious encryption is disabled by default.

You can enable or disable protection against malicious encryption (Anti-Cryptor), and also configure the protection settings:

  • Select the action that the application will perform when encryption is detected: notify the user or block the device performing the malicious encryption.

    If the Inform action is selected, the application still scans remote devices' actions on network file shares to check for malicious encryption when Anti-Cryptor is enabled. If malicious activity is detected, the Encryption detected event is created, but the compromised device is not blocked.

  • Set the duration for blocking an untrusted device.
  • Specify the files and directories that the application protects against malicious encryption.
  • Specify the files and directories that are excluded from protection against malicious encryption.

    Encryption activity detected in directories that are excluded from protection against encryption (Anti-Cryptor) is not treated as malicious encryption.

You can use the command-line commands for administering blocked devices to view the list of blocked devices and to unblock them manually. Kaspersky Security Center does not provide tools for monitoring and managing blocked devices, other than the Encryption detected events.

For the Anti-Cryptor component to operate correctly, at least one of the services (Samba or NFS) must be installed in the operating system. The NFS service requires the rpcbind package to be installed.

The Anti-Cryptor component works with the SMB1, SMB2, SMB3 and NFS3 protocols over TCP/UDP and IP/IPv6. The NFS2 and NFS4 protocols are not supported. It is recommended to configure your server so that resources cannot be mounted using the NFS2 or NFS4 protocols.
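The NFS-version recommendation above can be verified on the file server itself. The following is an added example, not part of Kaspersky Endpoint Security or its tooling: it reads an nfs-utils nfs.conf and reports whether NFSv2 and NFSv4 are explicitly disabled in the [nfsd] section. It assumes the vers2/vers4 boolean keys documented in nfs.conf(5); the two sample configurations are constructed for the demonstration.

```shell
# Added example, not part of Kaspersky Endpoint Security: audit an nfs-utils
# nfs.conf for the NFS versions this page says Anti-Cryptor does not support
# (NFSv2, NFSv4). Assumes the vers2=/vers4= boolean keys of nfs.conf(5) [nfsd].

# Print the value of key $2 in the [nfsd] section of file $1 (empty if unset).
nfsd_key() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[nfsd\][[:space:]]*$/); next }
        insec {
            line = $0; sub(/#.*/, "", line)      # strip trailing comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed (return 0) only when vers2 and vers4 are both explicitly set to n/no.
# An unset key counts as a finding: the compiled-in default depends on the
# nfs-utils version, so a commented-out line is not proof the version is off.
nfs_legacy_versions_disabled() {
    rc=0
    for key in vers2 vers4; do
        case "$(nfsd_key "$1" "$key")" in
            n|no) ;;
            "")   echo "$1: [nfsd] $key is unset; set $key=n explicitly" >&2; rc=1 ;;
            *)    echo "$1: [nfsd] $key is enabled; set $key=n" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configurations (not taken from any real server).
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[nfsd]
# vers2=n   <- commented out, so the package default applies
vers3=y
vers4=y
EOF
cat > "$HARDENED_CONF" <<'EOF'
[nfsd]
vers2=n
vers3=y   # the NFS version Anti-Cryptor supports
vers4=n
EOF
```

Run `nfs_legacy_versions_disabled /etc/nfs.conf` on the server; a non-zero exit with the printed findings means the configuration still allows an unsupported NFS version to be negotiated.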

Kaspersky Endpoint Security does not block access to network file resources until the device's activity has been identified as malicious. This means that at least one file will be encrypted before the application detects the malicious activity.

In this Help section

Configuring Anti-Cryptor in the Web Console

Configuring Anti-Cryptor in the Administration Console

Configuring Anti-Cryptor in the command line
