Anti-Cryptor

The Anti-Cryptor component analyzes activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action.

Kaspersky Endpoint Security prevents external encryption only for files that reside on NTFS volumes and are not encrypted with EFS.

Anti-Cryptor component settings

Exclusions by name or IP address

List of computers from which attempts to encrypt shared folders will not be monitored.

To apply the list of exclusions of computers from protection of shared folders against external encryption, you must enable Audit Logon in the Windows security audit policy. Audit Logon is disabled by default. For more details about a Windows security audit policy, please visit the Microsoft website.

Exclusions by mask

Protection scope exclusions. Excluding a folder from the protection scope can reduce the number of false positives if your organization uses data encryption when exchanging files through shared folders. For example, Behavior Detection can raise false positives when a user works with files with the ENC extension in a shared folder, because such activity matches a behavioral pattern that is typical for external encryption. If you keep encrypted files in a shared folder to protect data, add that folder to the exclusions.

Use masks:

  • The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
  • Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
  • The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
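The three mask rules above, turned into a small matcher as an added example (this is not Kaspersky's code). It treats both \ and / as delimiters, matches case-insensitively as Windows paths do, and rejects a ** component that has no folder name before it, which is this example's reading of "at least one nesting level"; the sample paths are constructed.

```python
import re

# Both \ and / are path delimiters, as the mask rules state.
DELIM = r"[\\/]"
NOT_DELIM = r"[^\\/]"
DRIVE = re.compile(r"[A-Za-z]:")


class InvalidMask(ValueError):
    """Raised for masks the documentation declares invalid, e.g. C:\\**\\*.txt."""


def mask_to_regex(mask: str) -> re.Pattern:
    """Compile an Anti-Cryptor-style path mask into a case-insensitive regex."""
    parts = re.split(DELIM, mask)
    pieces = []
    for i, part in enumerate(parts):
        if part == "**":
            # Assumption: "at least one nesting level" means a real folder name
            # (not just the drive letter) must precede the ** component.
            if not any(p and not DRIVE.fullmatch(p) for p in parts[:i]):
                raise InvalidMask(f"** needs at least one nesting level: {mask!r}")
            pieces.append(".*")  # any characters, delimiters included, or nothing
            continue
        if "**" in part:
            raise InvalidMask(f"** must stand alone as a path component: {mask!r}")
        out = []
        for ch in part:
            if ch == "*":
                out.append(NOT_DELIM + "*")  # any run of characters inside one name
            elif ch == "?":
                out.append(NOT_DELIM)        # exactly one character inside one name
            else:
                out.append(re.escape(ch))    # everything else is literal
        pieces.append("".join(out))
    return re.compile(DELIM.join(pieces), re.IGNORECASE)


def is_valid_mask(mask: str) -> bool:
    """True if the mask compiles under the rules above."""
    try:
        mask_to_regex(mask)
        return True
    except InvalidMask:
        return False


def matches(mask: str, path: str) -> bool:
    """True if the whole path falls under the mask (*, ** and ? semantics)."""
    return mask_to_regex(mask).fullmatch(path) is not None
```

Running matches(r"C:\Folder\**\*.txt", r"C:\Folder\a.txt") returns False while the same mask accepts C:\Folder\sub\a.txt, which is the "except the Folder itself" behaviour the rule describes.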

Action on threat detection

  • Inform. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security adds information about this attempt to the list of active threats, adds an entry to the reports in the local application interface, and sends information about the detected malicious activity to Kaspersky Security Center.
  • Block connection for (min) N min. If this option is selected, when Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it blocks file modification for the session that initiated the malicious activity and creates backup copies of the modified files.

If the Remediation Engine component is enabled and the Block connection for (min) N min option is selected, modified files are restored from backup copies.

Protection scope

The protection scope is a list of paths to shared folders in which Kaspersky Endpoint Security monitors file activity. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask. By default, the application automatically identifies shared folders and monitors file activity in all folders.
