Anti-Cryptor task settings

January 20, 2022

ID 161332

This section provides information about the settings you can specify for the Anti-Cryptor task.

All available values and default values for each setting are described.

UseHostBlocker

Enables or disables blocking of untrusted computers.

If blocking of untrusted computers is disabled, Kaspersky Endpoint Security still scans remote computers' actions on network file resources for malicious encryption while the Anti-Cryptor task is running. If malicious activity is detected, the EncryptionDetected event is created, but the attacking computer is not blocked.

Available values:

Yes—Enable blocking of untrusted computers

No—Disable blocking of untrusted computers

Default value: Yes

BlockTime

Specifies the time to block an untrusted computer (in minutes).

If a compromised computer is already blocked and you change the value of the BlockTime setting, the blocking time for that computer does not change. The blocking time is not a dynamic value; it is calculated at the moment of blocking.

Available values:

Integer from 1 to 4294967295.

Default value: 30

UseExcludeMasks

Enables or disables the exclusion from protection scope of objects specified by the ExcludeMasks setting.

This setting works only with the ExcludeMasks setting specified.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting from the protection scope

No—Do not exclude objects specified by the ExcludeMasks setting from the protection scope

Default value: No

ExcludeMasks

Specifies a list of masks that define objects to be excluded from the protection scope.

Before specifying this parameter, make sure the UseExcludeMasks setting’s value is set to Yes.

Masks are specified in command shell format.

To specify several masks, put each mask on a new line with its own index (ExcludeMasks.item_0000, ExcludeMasks.item_0001).

Default value: not defined

Section [ScanScope.item_#]

[ScanScope.item_#] sections specify scopes to be protected by Kaspersky Endpoint Security. At least one protection scope must be specified for the Anti-Cryptor task.

For the Anti-Cryptor task only shared directories can be specified.

You can define several [ScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by an item index in ascending order.

Each [ScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the protection scope.

Default value: All shared folders

UseScanArea

Enables or disables protection of the specified scope.

Available values:

Yes—Protect a specified scope

No—Do not protect a specified scope

Default value: Yes

Path

Specifies the path to the objects to be protected.

Available values:

Absolute path available via SMB/NFS (for example, Path=/tmp)

AllShared—Protect all resources shared via SMB/NFS

Shared:SMB <path>—Protect resources shared via SMB

Shared:NFS <path>—Protect resources shared via NFS

Default value: AllShared

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be protected.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes in ascending order.

Default value: * (all objects will be processed).

Section [ExcludedFromScanScope.item_#]

[ExcludedFromScanScope.item_#] sections specify the objects to be excluded from all [ScanScope.item_#] sections.

Objects that match the rules of any [ExcludedFromScanScope.item_#] section are not scanned. The format of an [ExcludedFromScanScope.item_#] section is similar to the format of a [ScanScope.item_#] section.

You can define several [ExcludedFromScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by an item index in ascending order.

Each [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the scope to be excluded from scanning.

Default value: All objects

UseScanArea

Specifies whether the specified scope will be excluded from the protection.

Available values:

Yes—Exclude a specified scope from the protection

No—Do not exclude the specified scope from the protection

Default value: Yes

Path

Specifies the path to the objects to be excluded from the protection.

You can specify only an absolute path to a local directory (for example, /root/tmp/123) that will not be protected by the Anti-Cryptor.

You can use masks to specify the path.

Default value: not defined

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be excluded from the protection.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes in ascending order.

Default value: * (all objects will be processed).
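The settings above interact in ways that can silently weaken protection, so it helps to check a settings file before importing it. The following is an added example, not Kaspersky code: it assumes a key=value layout with top-level settings placed before the first section, and the sample file and the wrapper section name `top` are constructed for illustration.

```python
import configparser

# Constructed sample using only settings documented on this page.
SAMPLE = """\
UseHostBlocker=No
BlockTime=0
UseExcludeMasks=No
ExcludeMasks.item_0000=*.tmp

[ScanScope.item_0000]
UseScanArea=No
Path=AllShared

[ExcludedFromScanScope.item_0000]
UseScanArea=Yes
Path=tmp/123
"""

def audit(text):
    """Return a list of findings for an Anti-Cryptor settings file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string("[top]\n" + text)  # wrap header-less settings (assumed layout)
    top, out = cp["top"], []
    if top.get("UseHostBlocker", "Yes") == "No":
        out.append("UseHostBlocker=No: encryption is detected but the host is not blocked")
    bt = top.get("BlockTime", "30")
    if not (bt.isdigit() and 1 <= int(bt) <= 4294967295):
        out.append(f"BlockTime={bt}: outside 1..4294967295")
    masks = [k for k in top if k.startswith("ExcludeMasks.item_")]
    if masks and top.get("UseExcludeMasks", "No") != "Yes":
        out.append("ExcludeMasks set but UseExcludeMasks is not Yes: masks are not applied")
    scopes = [s for s in cp.sections() if s.startswith("ScanScope.item_")]
    if not any(cp[s].get("UseScanArea", "Yes") == "Yes" for s in scopes):
        out.append("no enabled [ScanScope.item_#] section: nothing is protected")
    for s in cp.sections():
        if s.startswith("ExcludedFromScanScope.item_"):
            p = cp[s].get("Path", "")
            if cp[s].get("UseScanArea", "Yes") == "Yes" and not p.startswith("/"):
                out.append(f"[{s}] Path={p!r}: must be an absolute local path")
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
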
