Changing the action to take upon detection of external encryption of shared folders
By default, when Kaspersky Security detects encryption of files in shared folders, it blocks the network activity of the device attempting encryption, writes information about the detected malicious activity to a local interface report, and sends this information to Kaspersky Security Center. If rollback of malware actions is enabled in the System Watcher settings, Kaspersky Security can also restore modified files from their backup copies.
You can change the action taken by Kaspersky Security when it detects external encryption of shared folders.
To select the System Watcher action in Kaspersky Security Center:
Open Kaspersky Security Center Administration Console.
In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
In the workspace, select the Policies tab.
Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
In the policy properties window, select the System Watcher section in the list on the left.
In the right part of the window, in the General settings section, click the Settings button.
In the Settings window that opens, select the required action:
Inform. If this option is selected and Kaspersky Security detects encryption of files in shared folders, it writes information about the detected malicious activity to a local interface report and sends this information to Kaspersky Security Center, and adds information about this to the list of unprocessed objects.
Kaspersky Security does not restore modified files from their backup copies even if rollback of malware actions is enabled in the System Watcher settings.
Block connection. If this option is selected and Kaspersky Security detects encryption of files in shared folders, it blocks the network activity of the device attempting encryption, writes information about the detected malicious activity to a local interface report, and sends this information to Kaspersky Security Center. In the Block connection for N minutes field you can specify the amount of time (in minutes) that the network connection will be blocked. The default value is 60 minutes.
If rollback of malware actions is enabled in the System Watcher settings, Kaspersky Security also restores modified files from their backup copies.
This action is set by default.
If network activity of the device has been previously blocked (the Block connection action is selected), when the action is changed to Inform it remains blocked for the specified amount of time.
In the Settings window, click OK.
Click the Apply button.
To select the System Watcher action in the local interface:
In the left part of the window, in the Anti-Virus protection section, select System Watcher.
In the right part of the window, the System Watcher component’s settings are displayed.
Click the Settings button.
The Settings window opens.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
Complete steps 7–8 of the previous instructions.