Adaptive Anomaly Control includes a set of rules (behavior patterns). After you enable Adaptive Anomaly Control, its rules work in training mode. During training, Adaptive Anomaly Control monitors rule triggering and sends triggering events to Kaspersky Security Center. It does not block application activity on the computer, but only informs the administrator. You can also manually select the action that is performed when an Adaptive Anomaly Control rule is triggered.
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Adaptive Anomaly Control.
Select the Adaptive Anomaly Control check box.
Under Adaptive Anomaly Control rule settings, look at the list of rules.
By default, all rules work in the Smart mode.
If necessary, confirm the update of the Adaptive Anomaly Control rule.
If necessary, select an action when an Adaptive Anomaly Control rule is triggered:
Block. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security blocks the activity covered by the rule and logs an entry containing information about the activity.
Inform. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security allows the activity covered by the rule and logs an entry containing information about the activity.
If necessary, disable the rules that you do not want to use.
Save your changes. To apply the policy on computers, close the padlocks.
In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → Adaptive Anomaly Control.
Turn on the Adaptive Anomaly Control toggle.
In the Rules block, click the Rules link.
The Adaptive Anomaly Control rule list opens. By default, all rules work in the Smart mode.
If necessary, confirm the update of the Adaptive Anomaly Control rule.
If necessary, select an action when an Adaptive Anomaly Control rule is triggered:
Block. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security blocks the activity covered by the rule and logs an entry containing information about the activity.
Inform. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security allows the activity covered by the rule and logs an entry containing information about the activity.
If necessary, disable the rules that you do not want to use.
Save your changes. To apply the policy on computers, close the padlocks.
In the application settings window, select Security Controls → Adaptive Anomaly Control.
Turn on the Adaptive Anomaly Control toggle.
In the Rules block, click the Edit rules link.
The Adaptive Anomaly Control rule list opens. By default, all rules work in the Smart mode.
If necessary, confirm the update of the Adaptive Anomaly Control rule.
If necessary, select an action when an Adaptive Anomaly Control rule is triggered:
Block. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security blocks the activity covered by the rule and logs an entry containing information about the activity.
Inform. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint Security allows the activity covered by the rule and logs an entry containing information about the activity.
If necessary, disable the rules that you do not want to use.
Save your changes.
Each rule has its own duration of the training mode. The duration of the training mode is set by Kaspersky experts. Normally, the training mode is active for two weeks.
If a rule never triggers during training, Adaptive Anomaly Control considers the behavior covered by the rule atypical and changes the status of the rule to Smart blocking. Subsequently, the application blocks any activity that matches this rule.
If a rule triggers during training, you need to manually configure the action that the application applies to detected activity that matches this rule. If you do not select the action when the rule is triggered, Adaptive Anomaly Control continues in training mode.