Anti-Cryptor

for Windows, macOS, and Linux

Windows: For Windows devices, the component monitors operations only for files that are at the NTFS file system level and are not encrypted by the EFS system.

Linux: For Linux devices, the component analyzes files in local directories with network access over SMB/NFS.

macOS: For macOS devices, the component monitors SMB shares.

The Anti-Cryptor component protects from remote encryption by analyzing activity in network shares. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action.

Linux: Before enabling the component on Linux devices, make sure to read and understand the information about Anti-Cryptor.

Anti-Cryptor settings

Setting: Scan exclusions
OS: Windows, Linux
Description:

A scan exclusion is a set of conditions that must be fulfilled so that Kaspersky Endpoint Security will not scan a particular object for viruses and other threats. Scan exclusions make it possible to safely use legitimate software that can be exploited by criminals to damage a computer or user data. Although they do not have any malicious functions, such applications can be exploited by intruders. For details on legitimate software that can be used by intruders to damage your computer or personal data, please refer to the Kaspersky IT Encyclopedia website.

Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Setting: Exclusions by name or IP address
OS: Windows, Linux
Description:

List of computers from which attempts to encrypt shared folders will not be monitored.

Setting: Action on threat detection
OS: Windows, macOS, Linux
Description:

Inform. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security adds information about this attempt to the list of active threats, and adds an entry to the report.

Block connection for (min).

Windows: If this option is selected, when Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it blocks access to file modification for the session that initiated the malicious activity and creates backup copies of the modified files.

macOS, Linux: When Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it blocks network traffic from the device that is engaged in malicious activity. The application creates an Encryption detected event that contains information about the compromised device.

Setting: Protection scope
OS: Windows, Linux
Description:

The protection scope is a list of paths to shared folders in which Kaspersky Endpoint Security monitors file activity. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask. By default, the application automatically identifies shared folders and monitors file activity in all folders.

Windows, Linux: You can select the protection scope:

All shared network folders on the protected device. The application will monitor file activity in all shared folders.

Only specified shared folders. The application will monitor encryption attempts only in the specified shared folders.

macOS: By default, Kaspersky Endpoint Security protects all shared folders on macOS devices.
