Behavior Detection

Support

Support for business applications

Kaspersky Endpoint Security 11 for Windows

Appendices

Appendix 1. Application settings

Behavior Detection

April 25, 2024

ID 176728

Get as PDF

The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance. The Behavior Detection component utilizes Behavior Stream Signatures (BSS) for applications. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.

Behavior Detection component settings

Parameter	Description
On detecting malware activity	Delete file. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a backup copy of the file in Backup. Terminate the application. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application. Notify. If this option is selected and malicious activity of an application is detected, Kaspersky Endpoint Security does not terminate this application but adds information about the malicious activity of this application to the list of active threats.
Enable protection of shared folders against external encryption	If the toggle button is switched on, Kaspersky Endpoint Security analyzes activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action. Kaspersky Endpoint Security prevents external encryption of only those files that are located on media that have the NTFS file system and are not encrypted by the EFS system. Notify. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security adds information about this attempt to modify files in shared folders to the list of active threats. Block connection for N min. If this option is selected, when Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it blocks the network activity of the computer that is attempting to modify the files and creates backup copies of modified files. If the Remediation Engine component is enabled and the Block connection for N min option is selected, modified files are restored from backup copies.
Exclusions	List of computers from which attempts to encrypt shared folders will not be monitored. To apply the list of exclusions of computers from protection of shared folders against external encryption, you must enable Audit Logon in the Windows security audit policy. Audit Logon is disabled by default. For more details about a Windows security audit policy, please visit the Microsoft website.

Parameter

Description

On detecting malware activity

Delete file. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a backup copy of the file in Backup.
Terminate the application. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application.
Notify. If this option is selected and malicious activity of an application is detected, Kaspersky Endpoint Security does not terminate this application but adds information about the malicious activity of this application to the list of active threats.

Enable protection of shared folders against external encryption

If the toggle button is switched on, Kaspersky Endpoint Security analyzes activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action.

Kaspersky Endpoint Security prevents external encryption of only those files that are located on media that have the NTFS file system and are not encrypted by the EFS system.

Notify. If this option is selected, on detecting an attempt to modify files in shared folders, Kaspersky Endpoint Security adds information about this attempt to modify files in shared folders to the list of active threats.
Block connection for N min. If this option is selected, when Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it blocks the network activity of the computer that is attempting to modify the files and creates backup copies of modified files.

If the Remediation Engine component is enabled and the Block connection for N min option is selected, modified files are restored from backup copies.

Exclusions

List of computers from which attempts to encrypt shared folders will not be monitored.

To apply the list of exclusions of computers from protection of shared folders against external encryption, you must enable Audit Logon in the Windows security audit policy. Audit Logon is disabled by default. For more details about a Windows security audit policy, please visit the Microsoft website.

See also: Managing the application via the local interface

Enabling and disabling Behavior Detection

Selecting the action to take on detecting malware activity

Protection of shared folders against external encryption

Kaspersky Endpoint Security for Windows: Detection of advanced threats

Control systems which prevent damage from the sensitive data theft. Management from a single console. Buy as part of Endpoint Security for Business Advanced.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.