The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance. The Behavior Detection component uses applications' Behavior Stream Signatures (BSS). If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected response action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.
By default, Behavior Detection is enabled and runs in the mode recommended by Kaspersky experts. You can disable Behavior Detection if necessary.
If this option is selected, when detecting malicious activity the Kaspersky Endpoint Security application deletes the executable file of the malicious application and creates a backup copy of the file in Backup.
If this option is selected, then when malware activity is detected, the Kaspersky Endpoint Security application displays a notification window with information about the malicious object and prompts the user to choose the action to be taken by the Kaspersky Endpoint Security application. The available actions may vary depending on the status of the object.
If Behavior Detection and Protection of shared folders against external encryption are enabled, select one of the following actions to be performed upon detection of external encryption:
If this option is selected, on detecting an attempt to modify files in shared folders, the Kaspersky Endpoint Security application adds information about this attempt to the list of active threats, adds an entry to local application reports, and sends information about the detected malicious activity to Kaspersky Security Center.
If this option is selected, when the Kaspersky Endpoint Security application detects an attempt to modify files in shared folders, it blocks access to file modification (read only) for the session that initiated the malicious activity and creates backup copies of the modified files.
If this option is selected, when detecting malicious activity the Kaspersky Endpoint Security application deletes the executable file of the malicious application and creates a backup copy of the file in Backup.
If this option is selected, then when malware activity is detected, the Kaspersky Endpoint Security application displays a notification window with information about the malicious object and prompts the user to choose the action to be taken by the Kaspersky Endpoint Security application. The available actions may vary depending on the status of the object.
As a result, if Behavior Detection is enabled, Kaspersky Endpoint Security uses behavior stream signatures to analyze applications' activity in the operating system.
Important: We do not recommend to disable Behavior Detection unless absolutely necessary because doing so will reduce the effectiveness of protection components. To detect threats, the protection components may request data collected by the Behavior Detection component.