About Adaptive Anomaly Control

March 5, 2024

ID 230902

Kaspersky Endpoint Security Cloud monitors and blocks actions that are not typical of the Windows devices in a company's network.

This feature is available only if you activated Kaspersky Endpoint Security Cloud under a Kaspersky Endpoint Security Cloud Pro license.

Adaptive Anomaly Control uses a set of rules to track uncharacteristic behavior (for example, the Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists, based on typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint Security Cloud updates the set of rules along with the application databases.

Each Adaptive Anomaly Control rule can be in one of the following modes:

  • Notify

    The detections made by this rule are only added to the Event log. No other action is taken.

  • Block

    The feature blocks all actions that are associated with the rule.

  • Smart

    First, you train the rule by selecting whether the detections made by it are actually uncharacteristic behavior or false positives. After the training period ends, the feature allows or blocks further actions according to the training results.

You can enable and configure Adaptive Anomaly Control. After the feature detects uncharacteristic behavior, you can process the list of detections and either confirm them or add them to exclusions, depending on whether a detection is actually anomalous behavior.
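The following added example (an illustration, not Kaspersky code or the product's actual rule logic) models how the three modes and exclusions could treat detections from a rule like Start of Microsoft PowerShell from office application. The process-name sets, the event fields, and the behavior of Smart mode during and after training (log only while training, then block anything not marked as a false positive) are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

# Assumed process names; the product's real rule logic is not documented on this page.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

@dataclass
class Rule:
    mode: str = "notify"        # "notify", "block" or "smart"
    training: bool = True       # smart mode only: training period still running
    exclusions: set = field(default_factory=set)   # detections marked as false positives
    event_log: list = field(default_factory=list)

    @staticmethod
    def key(ev):
        return (ev["parent"].lower(), ev["cmdline"])

    def handle(self, ev):
        """Return 'allow' or 'block' for one process-start event."""
        hit = ev["parent"].lower() in OFFICE and ev["image"].lower() in SHELLS
        if not hit or self.key(ev) in self.exclusions:
            return "allow"
        self.event_log.append(ev)               # every mode records the detection
        if self.mode == "block":
            return "block"
        if self.mode == "smart" and not self.training:
            return "block"                      # assumption: unexcluded detections count as confirmed
        return "allow"                          # notify, or smart while training (assumed log-only)

def replay(rule, events):
    return [rule.handle(ev) for ev in events]

# Constructed sample events (not real telemetry).
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Tools\inventory.ps1"},
    {"parent": "EXCEL.EXE", "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Reports\refresh.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Users\Public\update.ps1"},
]

def smart_demo():
    rule = Rule(mode="smart")
    during = replay(rule, EVENTS)               # training: detections are only logged
    rule.exclusions.add(Rule.key(EVENTS[1]))    # admin marks the Excel job as a false positive
    rule.training = False                       # training period ends
    return during, replay(rule, EVENTS)

if __name__ == "__main__":
    print(smart_demo())
```

The exclusion here is keyed on parent process and exact command line, so a different script launched from the same office application still produces a detection.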

Kaspersky Endpoint Security Cloud also provides you with two reports related to the feature.
