About the Anti-Cryptor task
August 3, 2023
The Anti-Cryptor task makes it possible to detect malicious encrypting of network file resources on a protected device when the encrypting is performed from remote devices on the corporate network.
While the Anti-Cryptor task runs, Kaspersky Industrial CyberSecurity for Nodes scans remote devices' calls to access files located in the shared folders of the protected device. If the application considers a remote device's actions on network file resources to be malicious encrypting, then Kaspersky Industrial CyberSecurity for Nodes adds the device's locally unique identifier (LUID) to the list of blocked hosts.
The Anti-Cryptor task can be performed in synchronous or asynchronous mode. By default, the Anti-Cryptor task runs in asynchronous mode. The processing of file operations is distributed over several parallel threads. For more detailed information about synchronous and asynchronous modes for processing file operations and about how to change the mode used to process file operations, refer to the Kaspersky Knowledge Base.
Kaspersky Industrial CyberSecurity for Nodes does not consider activity to be malicious encrypting if the detected encryption activity takes place in folders excluded from the scope of the Anti-Cryptor task.
By default, the application blocks a host's access to network file resources for 30 minutes.
The Anti-Cryptor task does not block access to network file resources until the host's activity is identified as malicious. This can take some time, during which the encryption program may conduct malicious activity.
If the Anti-Cryptor task runs in Statistics only mode, Kaspersky Industrial CyberSecurity for Nodes only logs remote devices' attempts at malicious encrypting in the task log.