Behavior Detection

for Windows, macOS, and Linux

The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance. The Behavior Detection component uses Behavior Stream Signatures (BSS) for applications. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected response action. This functionality of Kaspersky Endpoint Security, which is based on behavior stream signatures, provides proactive defense for the computer.

The Behavior Detection component additionally monitors network ports for application processes that may threaten the security of the computer. The application gets information about such processes from the anti-virus databases.

For optimal performance of the Behavior Detection component, we recommend enabling the Web Threat Protection component.

Behavior Detection settings

Settings | OS | Description

Trusted applications | Windows, macOS, Linux

The list of trusted applications is a list of applications whose file and network activity (including malicious activity) and access to the system registry are not monitored by Kaspersky Endpoint Security. By default, Kaspersky Endpoint Security monitors objects that are opened, executed, or saved by any application process, and controls the activity of all applications and network traffic that is generated by them. After an application is added to the list of trusted applications, Kaspersky Endpoint Security stops monitoring the application's activity.

Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Scan exclusions | Windows, macOS, Linux

A scan exclusion is a set of conditions that must be fulfilled so that Kaspersky Endpoint Security will not scan a particular object for viruses and other threats. Scan exclusions make it possible to safely use legitimate software that can be exploited by criminals to damage a computer or user data. Although such applications do not have any malicious functions, they can be exploited by intruders. For details on legitimate software that can be used by intruders to damage your computer or personal data, please refer to the Kaspersky IT Encyclopedia website.

Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Action on threat detection | Windows, macOS, Linux

Delete file or block (depends on OS).

Windows, macOS: If this option is selected, when malicious activity is detected, Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a copy of the file in Backup.

Linux: If malicious activity is detected, Kaspersky Endpoint Security blocks the application that is carrying out the malicious activity and logs information about the detected malicious activity.

Inform.

Windows, Linux: If this option is selected, when malicious activity of an application is detected, Kaspersky Endpoint Security does not terminate this application but adds information about the malicious activity of this application to the list of active threats.

macOS: If malicious activity is detected, Kaspersky Endpoint Security prompts the user to select the action to be performed. The available actions may vary depending on the status of the object.

Block. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application.
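
Because activity of a trusted application is not monitored and excluded objects are not scanned, it is worth reviewing the masks entered for the Trusted applications and Scan exclusions settings before they are deployed. The following is an added example, not Kaspersky code: a small linter for Windows-style masks. The %VAR% expansion form, the sample environment, the list of user-writable locations and the finding names are assumptions made for the illustration and do not reproduce how Kaspersky Endpoint Security itself matches masks.

```python
import re
from pathlib import PureWindowsPath

# Constructed environment for the example; on a real host read os.environ.
SAMPLE_ENV = {
    "PROGRAMFILES": r"C:\Program Files",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# Assumption: path fragments that standard users can usually write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\")


def expand(mask, env):
    """Expand %VAR% references; unknown variables are left in place."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), mask)


def lint_mask(mask, env=SAMPLE_ENV):
    """Return review findings for one trusted-application or exclusion mask."""
    path = expand(mask.strip(), env)
    parts = PureWindowsPath(path).parts
    if not parts:
        return ["empty-mask"]
    findings = []
    if "%" in path:
        # The mask would mean something different on each host, or nothing.
        findings.append("unresolved-variable")
    if any(c in d for d in parts[:-1] for c in "*?"):
        findings.append("wildcard-in-directory")
    if any(c in parts[-1] for c in "*?"):
        # Any file placed in the directory would inherit the trust.
        findings.append("wildcard-in-filename")
    if not PureWindowsPath(path).is_absolute():
        findings.append("not-anchored")
    if any(w in path.lower() + "\\" for w in USER_WRITABLE):
        findings.append("user-writable-location")
    return findings


if __name__ == "__main__":
    # Constructed sample masks.
    for m in (r"%ProgramFiles%\Vendor\agent.exe", r"%TEMP%\*.exe",
              r"*\updater.exe", r"%UNKNOWN%\tool.exe"):
        print(f"{m:35} {lint_mask(m) or 'ok'}")
```

A mask with no findings is fully anchored to one file in a location that standard users cannot normally modify; every other mask deserves a second look before it is added to either list.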
