System Watcher settings

This switch enables / disables System Watcher.

If the button is green, System Watcher collects and saves data on all events that occur in the operating system (such as modification of a file, modification of registry keys, startup of drivers, or attempts to shut down the computer). This data is used to track malicious and other activity of the application (including ransomware) and to restore the condition of the operating system as it had been before the application was installed (to roll back the consequences of malware or other activity of the application). In some cases, activity of applications cannot be rolled back, for example when an application was detected by the Intrusion Prevention component.

System Watcher collects data from various sources, including other components of Kaspersky. System Watcher analyzes application activity and provides other Kaspersky components with the collected information about events.

In the Exploit Prevention section, you can configure the actions that the application performs when executable files are run by vulnerable applications.

Monitor attempts to perform unauthorized operations

With this check box, you can enable / disable Exploit Prevention.

A software code that uses a vulnerability in the system or software. Exploits are often used to install malware on the computer without user's knowledge.

If this check box is selected, Kaspersky tracks executable files run by vulnerable applications. If Kaspersky detects an attempt to run an executable file from a vulnerable application that has not been initiated by the user, the application performs the action that is selected in the On threat detection drop-down list.

On threat detection

In this drop-down list, you can select the action that System Watcher performs when an executable file is run from a monitored vulnerable application.

This list allows choosing from the following actions:

Ask user. System Watcher prompts the user for action. This option is available if the Perform recommended actions automatically check box is cleared under Settings → Security settings → Exclusions and actions on object detection.
Select action automatically. System Watcher automatically performs the action selected in Kaspersky settings and adds information on the selected action to the report. This option is available if the Perform recommended actions automatically check box is selected under Settings → Security settings → Exclusions and actions on object detection.
Allow action. System Watcher allows the executable file to be run.
Block action. System Watcher blocks the executable file.

Action on detection of malicious or other activity

In this drop-down list, you can select the action that System Watcher performs when malicious or other activity is detected based on the results of analysis of application activity.

Ask user. System Watcher prompts the user for action. This option is available if the Perform recommended actions automatically check box is cleared under Settings → Security settings → Exclusions and actions on object detection.
Select action automatically. System Watcher automatically carries out the action recommended by Kaspersky experts. This option is available if the Perform recommended actions automatically check box is selected under Settings → Security settings → Exclusions and actions on object detection.
Delete the application. System Watcher deletes the application.
Terminate the application. System Watcher terminates all processes of the application.
Terminate the application. System Watcher takes no actions on the application.

Action to perform if malicious or other activity can be rolled back

In this drop-down list, you can select the action that System Watcher performs when it is possible to roll back malicious or other activity of the application.

Ask user. If System Watcher, File Anti-Virus, or the results of a scan task confirm that it is necessary to perform a rollback, System Watcher prompts the user for action. This option is available if the Perform recommended actions automatically check box is cleared under Settings → Security settings → Exclusions and actions on object detection.
Select action automatically. If System Watcher analyzes the activity of an application and considers it to be malicious, it rolls back the application's activity and notifies the user of this event. This option is available if the Perform recommended actions automatically check box is selected under Settings → Security settings → Exclusions and actions on object detection.
Roll back. System Watcher rolls back malicious or other activity of the application.
Do not roll back. System Watcher saves information about malicious or other activity but does not roll back application's actions.

In the Protection against screen lockers section, you can configure the actions that are performed if screen locker activity is detected. Screen lockers are malicious programs that limit the user's operations on a computer, by locking the screen and the keyboard, or by blocking access to the taskbar and shortcuts. Screen lockers may attempt to extort ransom for recovery of access to the operating system. By using protection against screen lockers, you can close any screen locker by pressing a specified combination of keys.

Detect and close screen lockers

This check box enables / disables protection against screen lockers.

If this check box is selected, when activity of a screen locker is detected, you can halt it by pressing the combination of keys that is specified in the drop-down list under the check box.

Use the following key combination to close a screen locker manually

In the drop-down list, you can select a key or a combination of keys, which, when pressed, triggers screen locker protection for detecting and deleting a screen locker.

The following key combination is used by default: CTRL+ALT+SHIFT+F4.

Page top