Kaspersky Endpoint Security 12 for Linux

Behavior Detection

July 22, 2024

ID 265714

The Behavior Detection component allows you to monitor for any malicious activity from applications in the operating system. When malicious activity is detected, Kaspersky Endpoint Security can terminate the process of the application that performs malicious activity.

This feature is not supported in the KESL container.

The Behavior Detection component is enabled automatically with the default settings when Kaspersky Endpoint Security starts.

You can enable, disable, and configure Behavior Detection:

  • Select an action to be performed by Kaspersky Endpoint Security upon detecting malicious activity in the operating system: inform the user or block the application that performs malicious activity.
  • Exclude process activity from scans.

If integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response is enabled, exclusions by process are skipped when detecting application behavior in the operating system.

By default, on the SintezM-Client operating system, the auditd service configuration is protected from modification, that is, it is in enabled 2 mode. For correct operation of the Behavior Detection component when Kaspersky Endpoint Security is integrated with Kaspersky Managed Detection and Response and Kaspersky Anti Targeted Attack Platform solutions, change the auditd mode in the configuration files to enabled 1 (no configuration blocking) and restart the operating system.
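The auditd mode change described above, as an added example that is not Kaspersky's own code or script: a small POSIX shell helper that reports the "enabled" mode set by the last `-e N` line of an audit rules file and rewrites `-e 2` (configuration locked) to `-e 1` (enabled, configuration not locked). The rules file path (`/etc/audit/rules.d/audit.rules` on most distributions) and the sample file contents are assumptions; the demo below works on a constructed temporary copy, not on the live system.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): inspect and change the auditd
# "enabled" mode in an audit rules file. Assumed file layout: one "-e N"
# line as written for auditctl, with the last one winning.

# Print the value N of the last "-e N" line in the file given as $1.
# Prints nothing if the file sets no mode.
audit_enabled_mode() {
    awk '$1 == "-e" { mode = $2 } END { if (mode != "") print mode }' "$1"
}

# Rewrite "-e 2" (locked) to "-e 1" (enabled, not locked) in file $1,
# keeping the original as "$1.bak". Other rules are left untouched.
unlock_audit_rules() {
    cp "$1" "$1.bak"
    sed 's/^-e[[:space:]]*2[[:space:]]*$/-e 1/' "$1.bak" > "$1"
}

# Demo on a constructed sample rules file (not taken from a real host).
# On a real system the target would be /etc/audit/rules.d/audit.rules
# (assumed path), edited as root and followed by a reboot.
demo_rules="$(mktemp)"
cat > "$demo_rules" <<'EOF'
## Constructed sample audit.rules for the demo
-D
-b 8192
-w /etc/passwd -p wa -k identity
-e 2
EOF

echo "before: enabled $(audit_enabled_mode "$demo_rules")"   # enabled 2
unlock_audit_rules "$demo_rules"
echo "after:  enabled $(audit_enabled_mode "$demo_rules")"   # enabled 1
rm -f "$demo_rules" "$demo_rules.bak"
```

The rewrite only takes effect after auditd reloads its rules; since a running audit system that is already in mode 2 refuses to leave that mode until the next boot, the reboot the page calls for is required, not optional. After the restart, `auditctl -s` should report `enabled 1`.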

In this Help section

Configuring Behavior Detection in the Web Console

Configuring Behavior Detection in the Administration Console

Configuring Behavior Detection in the command line
