System Watcher in Kaspersky Endpoint Security 10 for Windows
This article concerns Kaspersky Endpoint Security 10 for Windows:
- Service Pack 2 Maintenance Release 4 (version 10.3.3.304)
- Service Pack 2 Maintenance Release 3 (version 10.3.3.275)
- Service Pack 2 Maintenance Release 2 (version 10.3.0.6294)
- Service Pack 2 Maintenance Release 1 (version 10.3.0.6294)
- Service Pack 2 (version 10.3.0.6294)
System Watcher is only available for workstations.
System Watcher is a component of Kaspersky Endpoint Security 10 for Windows which receives information about applications’ actions on a computer and shares this information with other components.
The System Watcher component includes the following technologies:
What is Exploit Prevention?
This technology offers protection against malicious programs that use exploits in popular software for malicious purposes, such as to take control of PCs or steal personal data.
Automatic Exploit Prevention:
- Controls starting of executable files of vulnerable software or web browsers.
- Monitors suspicious actions of vulnerable applications. For example, escalation of privileges for a vulnerable application, or writing other processes into the system memory.
- Monitors who or what initiated the start of an application: a user or an exploit.
- Tracks the source of a malicious code. For example, the web browser or remote web address that initiated the download of the infected file.
- Prevents the use of vulnerable software for malicious purposes.
The lists of vulnerable software are updated along with Kaspersky Endpoint Security 10 for Windows anti-virus databases.
What is Rollback of malware actions?
Rollback of malware actions collects information about suspicious actions performed during the current and previous sessions. This allows you to roll back all actions performed by an application if it is subsequently recognized as malicious.
What is Protection against ransomware?
When a ransomware application attempts to encrypt a file, the Kaspersky product automatically creates a backup copy of it. If the file gets encrypted, the product restores it from the backup copy.
Please note:
- Backup copies are stored in the system Temp folder (temporary files storage). Make sure you have at least 10–15% of free space on the drive that contains the Temp folder.
- Backup copies are removed after you exit Kaspersky Endpoint Security 10 for Windows or disable System Watcher (backup copies are not removed if the application is stopped unexpectedly). If necessary, you can remove backup copies manually by deleting the contents of the Temp folder. For instructions, see this article.
- The System Watcher component does not protect network drives.
- Kaspersky Endpoint Security 10 for Windows with System Watcher enabled does not restore files that were encrypted before the application was installed on the workstation.
- NTFS streams that refer to attributes and properties of files may not be recovered if infected by ransomware.
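The free-space and network-drive notes above can be checked on a workstation with a short script. This is an added example, not part of the original article or of Kaspersky tooling. It assumes that "system Temp folder" means the paths in the machine-level and user-level TEMP environment variables (the article does not name the path) and uses 15% as the threshold.

```powershell
# Added example: report free space on the drive(s) hosting the Temp folders.
# Assumption: the Temp folder is the one named by the TEMP environment
# variable (machine, user and current process scope are all checked).
param(
    [int]$MinFreePercent = 15   # upper end of the 10-15% the article asks for
)

# Collect the distinct Temp paths that are actually defined.
$tempPaths = @(
    [Environment]::GetEnvironmentVariable('TEMP', 'Machine'),
    [Environment]::GetEnvironmentVariable('TEMP', 'User'),
    $env:TEMP
) | Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique

foreach ($path in $tempPaths) {
    $root = [System.IO.Path]::GetPathRoot($path)

    # UNC roots cannot be wrapped in DriveInfo; per the article, network
    # locations are outside System Watcher's protection anyway.
    if ($root -like '\\*') {
        [pscustomobject]@{ TempPath = $path; Drive = $root
                           FreePercent = $null; Status = 'NetworkPath' }
        continue
    }

    $drive = New-Object System.IO.DriveInfo $root
    if (-not $drive.IsReady) {
        [pscustomobject]@{ TempPath = $path; Drive = $root
                           FreePercent = $null; Status = 'DriveNotReady' }
        continue
    }

    $freePct = [math]::Round(100 * $drive.AvailableFreeSpace / $drive.TotalSize, 1)
    $status  = if ($drive.DriveType -eq 'Network') { 'NetworkDrive' }
               elseif ($freePct -lt $MinFreePercent) { 'LowFreeSpace' }
               else { 'OK' }

    [pscustomobject]@{ TempPath = $path; Drive = $root
                       FreePercent = $freePct; Status = $status }
}
```

Any row whose Status is not OK means the backup copies described above may not be created or may sit on a drive that System Watcher does not protect.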
How to enable or disable System Watcher
You may be unable to modify certain settings locally if the application is operating under a policy that prevents them from being changed. To learn how to modify application settings that are controlled by a policy, see this article.
- Open Kaspersky Endpoint Security 10 for Windows and click Settings.
- Select Anti-Virus protection → in the left frame.
- Select or clear the Enable System Watcher checkbox.
- Click Save.
The System Watcher component will be enabled or disabled.