Kaspersky Security Center 13.1

Triggering of rules in Smart Training mode

This section provides information about the detections performed by the Adaptive Anomaly Control rules in Kaspersky Endpoint Security for Windows on client devices.

The rules detect anomalous behavior on client devices and may block it. If the rules work in Smart Training mode, they detect anomalous behavior and send reports about every such occurrence to Kaspersky Security Center Administration Server. This information is stored as a list in the Triggering of rules in Smart Training state subfolder of the Repositories folder. You can confirm detections as correct or add them as exclusions, so that this type of behavior is not considered anomalous anymore.

Information about detections is stored in the event log on the Administration Server (along with other events) and in the Adaptive Anomaly Control report.

For more information about Adaptive Anomaly Control, the rules, their modes and statuses, refer to Kaspersky Endpoint Security for Windows Help.

In this section

Viewing the list of detections performed using Adaptive Anomaly Control rules

Adding exclusions from the Adaptive Anomaly Control rules

[Topic 172869]

Viewing the list of detections performed using Adaptive Anomaly Control rules


To view the list of detections performed by Adaptive Anomaly Control rules:

  1. In the console tree, select the node of the Administration Server that you require.
  2. Select the Triggering of rules in Smart Training state subfolder (by default, this is a subfolder of Advanced → Repositories).

    The list displays the following information about detections performed using Adaptive Anomaly Control rules:

    • Administration group

      The name of the administration group where the device belongs.

    • Device name

      The name of the client device where the rule was applied.

    • Name

      The name of the rule that was applied.

    • Status

      Excluding—The Administrator processed this item and added it as an exclusion to the rules. This status remains until the next synchronization of the client device with the Administration Server; after the synchronization, the item disappears from the list.

      Confirming—The Administrator processed this item and confirmed it. This status remains until the next synchronization of the client device with the Administration Server; after the synchronization, the item disappears from the list.

      Empty—The Administrator has not processed this item yet.

    • Total times rules were triggered

      The number of detections for one heuristic rule, one process, and one client device. This number is counted by Kaspersky Endpoint Security.

    • User name

      The name of the client device user who ran the process that generated the detection.

    • Source process path

      Path to the source process, i.e. to the process that performs the action (for more information, refer to the Kaspersky Endpoint Security help).

    • Source process hash

      SHA-256 hash of the source process file (for more information, refer to the Kaspersky Endpoint Security help).

    • Source object path

      Path to the object that started the process (for more information, refer to the Kaspersky Endpoint Security help).

    • Source object hash

      SHA-256 hash of the source object file (for more information, refer to the Kaspersky Endpoint Security help).

    • Target process path

      Path to the target process (for more information, refer to the Kaspersky Endpoint Security help).

    • Target process hash

      SHA-256 hash of the target process file (for more information, refer to the Kaspersky Endpoint Security help).

    • Target object path

      Path to the target object (for more information, refer to the Kaspersky Endpoint Security help).

    • Target object hash

      SHA-256 hash of the target object file (for more information, refer to the Kaspersky Endpoint Security help).

    • Processed

      Date when the anomaly was detected.

To view properties of each information element:

  1. In the console tree, select the node of the Administration Server that you require.
  2. Select the Triggering of rules in Smart Training state subfolder (by default, this is a subfolder of Advanced → Repositories).
  3. In the Triggering of rules in Smart Training state workspace, select the object that you want.
  4. Do one of the following:
    • Click the Properties link in the information box that appears on the right side of the screen.
    • Right-click and in the context menu select Properties.

The properties window of the object opens, displaying information about the selected element.

You can confirm or add to exclusions any element in the list of detections of Adaptive Anomaly Control rules.

To confirm an element,

Select an element (or several elements) in the list of detections and click the Confirm button.

The status of the element(s) will be changed to Confirming.

Your confirmation will contribute to the statistics used by the rules (for more information, refer to Kaspersky Endpoint Security 11 for Windows Help).

To add an element as an exclusion,

Right-click an element (or several elements) in the list of detections and select Add to exclusions in the context menu.

The Add Exclusion Wizard starts. Follow the Wizard instructions.

If you add an element to exclusions or confirm it, the element is removed from the list of detections after the next synchronization of the client device with the Administration Server and no longer appears in the list.

[Topic 172650]

Adding exclusions from the Adaptive Anomaly Control rules

The Add Exclusion Wizard allows you to add exclusions from the Adaptive Anomaly Control rules for Kaspersky Endpoint Security.

You can start the Wizard through one of the three procedures below.

To start the Add Exclusion Wizard through the Adaptive Anomaly Control node:

  1. In the console tree, select the node of the required Administration Server.
  2. Select Triggering of rules in Smart Training state (by default, this is a subfolder of Advanced → Repositories).
  3. In the workspace, right-click an element (or several elements) in the list of detections and select Add to exclusions.

    You can add up to 1000 exclusions at a time. If you select more elements and try to add them to exclusions, an error message is displayed.

The Add Exclusion Wizard starts.

You can start the Add Exclusion Wizard from other nodes in the console tree:

  • Events tab of the main window of the Administration Server (then select the User requests or Recent events option).
  • Report on Adaptive Anomaly Control rules state, Detections count column.
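The detection list columns described above and the 1000-per-batch limit of the Add to exclusions action, as an added triage helper that is not part of the Kaspersky documentation: it parses a constructed CSV export that uses the documented column names (the export format, rule names, device names, user names, paths and hash values are all assumptions), lists the items nobody has processed yet, sums trigger counts per rule and source process hash across devices, and splits exclusion candidates into batches the Wizard accepts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the "Triggering of rules in Smart Training state" list,
# using the column names documented on the page. Status is empty for items
# the administrator has not processed yet. Devices, users, paths, rule names
# and hashes are made up for this example (hashes are shortened placeholders).
SAMPLE_DETECTIONS = """\
Administration group,Device name,Name,Status,Total times rules were triggered,User name,Source process path,Source process hash
Workstations,WS-001,Activity of office applications,,4,corp\\alice,C:\\Program Files\\Office\\winword.exe,aaaa1111
Workstations,WS-002,Activity of office applications,,2,corp\\bob,C:\\Program Files\\Office\\winword.exe,aaaa1111
Workstations,WS-003,Activity of office applications,Confirming,7,corp\\carol,C:\\Program Files\\Office\\winword.exe,aaaa1111
Servers,SRV-01,Start of script engines,Excluding,1,corp\\svc_backup,C:\\Windows\\System32\\wscript.exe,bbbb2222
Servers,SRV-02,Start of script engines,,9,corp\\dave,C:\\Windows\\System32\\wscript.exe,bbbb2222
"""

MAX_EXCLUSIONS_PER_BATCH = 1000  # limit stated on the page for one Add to exclusions action


def parse_detections(text):
    """Parse the exported list into dicts; the trigger count becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Total times rules were triggered"] = int(row["Total times rules were triggered"])
    return rows


def unprocessed(rows):
    """Items with an empty Status: not yet confirmed or added to exclusions."""
    return [r for r in rows if r["Status"] == ""]


def summarize_by_rule(rows):
    """Aggregate per (rule name, source process hash): total triggers and distinct devices.

    The page's count is per rule, process and device; summing across devices shows
    how widespread a behaviour is before deciding to confirm or exclude it.
    """
    summary = defaultdict(lambda: {"triggers": 0, "devices": set()})
    for r in rows:
        key = (r["Name"], r["Source process hash"])
        summary[key]["triggers"] += r["Total times rules were triggered"]
        summary[key]["devices"].add(r["Device name"])
    return dict(summary)


def batch_exclusions(rows, limit=MAX_EXCLUSIONS_PER_BATCH):
    """Split candidate exclusions into batches no larger than the Wizard accepts."""
    return [rows[i:i + limit] for i in range(0, len(rows), limit)]
```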

In this section

Step 1. Selecting the application

Step 2. Selecting the policy (policies)

Step 3. Processing of the policy (policies)

[Topic 173182]

Step 1. Selecting the application

This step can be skipped if you have only one Kaspersky Endpoint Security for Windows version and do not have other applications that support the Adaptive Anomaly Control rules.

The Add Exclusion Wizard shows the list of Kaspersky applications whose management plug-ins allow you to add exclusions to the policies for these applications. Select an application from this list and click Next to proceed to selecting the policy to which the exclusion will be added.

[Topic 173183]

Step 2. Selecting the policy (policies)

The Wizard shows the list of policies (with policy profiles) for Kaspersky Endpoint Security.

Select all the policies and profiles to which you want to add exclusions and click Next.

[Topic 173184]

Step 3. Processing of the policy (policies)

The Wizard displays a progress bar as the policies are processed. You can interrupt the processing of policies by clicking Cancel.

Inherited policies cannot be updated. If you do not have the rights to modify a policy, this policy will not be updated either.

When all the policies are processed (or if you interrupt the processing), a report appears. It shows which policies were updated successfully (green icon) and which policies were not updated (red icon).

This is the last step of the Wizard. Click Finish to close the Wizard.

[Topic 173198]