Kaspersky Security for Virtualization 5.2 Light Agent

System Watcher

The Kaspersky Security functionality described in this section is available only if the application is installed on a virtual machine with a Windows desktop or server operating system.

The System Watcher component analyzes the behavior of applications on a protected virtual machine and provides this information to other application components to improve their performance.

The System Watcher component utilizes Behavior Stream Signatures (BSS). Behavior stream signatures contain sequences of actions taken by applications that Kaspersky Security classifies as dangerous. If application activity corresponds to a behavior stream signature, Kaspersky Security performs the specified action. Use of behavior stream signatures lets you detect brand new and unknown malicious programs based on their behavior and stop their activity, thereby providing proactive protection of the virtual machine.

Based on information received by the System Watcher component, Kaspersky Security can roll back actions that have been performed by malware in the operating system. A rollback of malware actions can be initiated by File Anti-Virus or during a virus scan.

Rolling back malware activity has no adverse effects on the operating system or the integrity of protected virtual machine data.

The System Watcher component can also protect shared folders against external encryption by monitoring operations performed from a remote device.

The System Watcher component monitors operations performed only on files that are stored on mass storage devices with the NTFS file system and that are not encrypted with the EFS file system.

This section describes how to configure System Watcher settings using the Administration Console and the Light Agent for Windows local interface. You can also configure the System Watcher settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Anti-Virus protection → System Watcher).

In this Help section

Enabling and disabling System Watcher

Enabling and disabling exploit prevention

Changing the action taken when malware activity is detected

Rolling back malware actions during disinfection

Configuring protection of shared folders against external encryption

Page top
[Topic 148848]

Enabling and disabling System Watcher

By default, the System Watcher component is enabled and runs in the mode that Kaspersky experts recommend. You can disable System Watcher if necessary.

It is not recommended to disable System Watcher unnecessarily, because doing so reduces the effectiveness of protection components that may need data from System Watcher to classify the threats they detect.

To enable or disable System Watcher in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Watcher section in the list on the left.
  6. In the right part of the window, do one of the following:
    • To enable the System Watcher component, select the System Watcher check box.
    • To disable the System Watcher component, clear the System Watcher check box.
  7. Click the Apply button.

In the local interface of Light Agent for Windows, you can enable or disable the component in two ways:

To enable or disable System Watcher, on the Protection and Control tab of the main application window:

  1. On the protected virtual machine, open the main application window.
  2. Select the Protection and Control tab.
  3. Open the Manage protection section.
  4. Open the context menu of the System Watcher item and perform one of the following actions:
    • To enable System Watcher, select Enable.

      The component status icon, which is displayed on the left in the System Watcher line, changes to the icon indicating that the component is enabled.

    • To disable System Watcher, select Disable.

      The component status icon, which is displayed on the left in the System Watcher line, changes to the icon indicating that the component is disabled.

    If this menu item is unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.

To enable or disable System Watcher from the application settings window:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Anti-Virus protection section, select System Watcher.

    In the right part of the window, the System Watcher component’s settings are displayed.

    If component settings are unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.

  3. Do one of the following:
    • To enable the System Watcher component, select the Enable System Watcher check box.
    • To disable the System Watcher component, clear the Enable System Watcher check box.
  4. To save changes, click the Save button.

Enabling and disabling exploit prevention

An exploit is software code that takes advantage of vulnerabilities in a system or application to perform a malicious action on a device. Exploits are often used to install malware on the device without the user's knowledge. Most often, exploits target browsers, as well as Adobe Flash, Java and Microsoft Office applications.

Exploit prevention includes the following methods:

  • Control of executable file launches by vulnerable applications and browsers.
  • Control of suspicious actions of vulnerable applications.
  • Monitoring of application actions.
  • Tracking the source of the malicious code.
  • Prevention of the exploitation of software vulnerabilities.

The lists of applications with detected vulnerabilities are updated together with the Kaspersky Security application databases.

Exploit Prevention is enabled by default. You can disable Exploit Prevention, if necessary.

To enable or disable Exploit Prevention in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Watcher section in the list on the left.
  6. In the right part of the window, in the General settings section, do one of the following:
    • Select the Enable Exploit Prevention check box if you want Kaspersky Security to monitor executable files that are run by vulnerable applications.

      If Kaspersky Security detects that an executable file from a vulnerable application was run by something other than the user, it blocks this file from running.

    • Clear the Enable Exploit Prevention check box if you do not want Kaspersky Security to monitor executable files that are run by vulnerable applications.
  7. Click the Apply button.

To enable or disable Exploit Prevention in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Anti-Virus protection section, select System Watcher.

    In the right part of the window, the System Watcher component’s settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Do one of the following:
    • Select the Enable Exploit Prevention check box if you want Kaspersky Security to monitor executable files that are run by vulnerable applications.

      If Kaspersky Security detects that an executable file from a vulnerable application was run by something other than the user, it blocks this file from running.

    • Clear the Enable Exploit Prevention check box if you do not want Kaspersky Security to monitor executable files that are run by vulnerable applications.
  4. To save changes, click the Save button.

Changing the action taken when malware activity is detected

When Kaspersky Security detects the malicious activity of an application, it takes the action defined in the settings of the System Watcher component. By default, when Kaspersky Security detects malware activity, it terminates the malicious program and removes the executable file of the program.

To change the action of System Watcher in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Watcher section in the list on the left.
  6. In the right part of the window, in the Proactive Defense section, in the On detecting malware activity drop-down list, select the required action:
    • Select action automatically. If this item is selected and Kaspersky Security detects the malicious activity of a program, it performs the default actions set by Kaspersky experts: terminates the malicious program and deletes the executable file of this program.

      This action is set by default.

    • Terminate the malicious program and delete the executable file. If this item is selected and Kaspersky Security detects the malicious activity of a program, it terminates this program and deletes its executable file.
    • Terminate the malicious program. If this item is selected and Kaspersky Security detects the malicious activity of a program, it terminates this program.
    • Skip. If this item is selected and Kaspersky Security detects the malicious activity of a program, it does not take any action on the executable file of this program.
  7. Click the Apply button.

To change the action of System Watcher in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Anti-Virus protection section, select System Watcher.

    In the right part of the window, the System Watcher component’s settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. In the Proactive Defense section, in the On detecting malware activity drop-down list, select the relevant action:
    • Select action automatically. If this item is selected, on detecting malicious activity Kaspersky Security performs the default actions specified by Kaspersky specialists: Kaspersky Security terminates the malicious program and deletes the executable file of this program.

      This action is set by default.

    • Terminate the malicious program and delete the executable file. If this item is selected and Kaspersky Security detects the malicious activity of a program, it terminates this program and deletes its executable file.
    • Terminate the malicious program. If this item is selected, on detecting malicious activity Kaspersky Security terminates this application.
    • Skip. If this item is selected, on detecting malicious activity Kaspersky Security does not take any action on the executable file of this application.
  4. To save changes, click the Save button.

Rolling back malware actions during disinfection

To enable or disable the rollback of malware actions in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Watcher section in the list on the left.
  6. In the right part of the window, in the Rollback of malware actions section, do one of the following:
    • If you want Kaspersky Security to roll back actions that were performed by malware in the operating system, select the Roll back malware actions during disinfection check box.
    • If you want Kaspersky Security to ignore actions that were performed by malware in the operating system, clear the Roll back malware actions during disinfection check box.
  7. Click the Apply button.

To enable or disable the rollback of malware actions in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Anti-Virus protection section, select System Watcher.

    In the right part of the window, the System Watcher component’s settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. In the Rollback of malware actions section, do one of the following:
    • If you want Kaspersky Security to roll back actions that were performed by malware in the operating system, select the Roll back malware actions during disinfection check box.
    • If you want Kaspersky Security to ignore actions that were performed by malware in the operating system, clear the Roll back malware actions during disinfection check box.
  4. To save changes, click the Save button.

Configuring protection of shared folders against external encryption

Protection of shared folders against external encryption provides for analysis of activity in shared folders. Kaspersky Security monitors the following operations performed from a remote device:

  • Deletion of a file
  • Modification of file contents
  • Modification of file size
  • Movement of a file

Kaspersky Security monitors operations performed only with those files that are stored on mass storage devices with the NTFS file system and that are not encrypted with the EFS file system.

When Kaspersky Security detects an attempt to modify files in shared folders, it creates backup copies of the files being modified and analyzes the detected activity. If the activity in shared folders matches a behavior stream signature that is typical for external encryption, Kaspersky Security performs the selected action. By default, when Kaspersky Security detects external encryption of shared folders, it blocks the network activity of the device attempting encryption, writes information about the detected malicious activity to a local interface report, and sends this information to Kaspersky Security Center.

If rollback of malware actions is enabled in the System Watcher settings, when Kaspersky Security detects external encryption of files in shared folders it can also restore the modified files from backup copies. Information about this is also written to a local interface report and is sent to Kaspersky Security Center.

You can configure the protection of shared folders against external encryption as follows:

In this section:

Enabling and disabling protection of shared folders against external encryption

Changing the action to take upon detection of external encryption of shared folders

Configuring exclusions from protection against external encryption


Enabling and disabling protection of shared folders against external encryption

By default, protection of shared folders against external encryption is enabled.

After Kaspersky Security is installed, the protection of shared folders against external encryption will be limited until the virtual machine is restarted.

To enable or disable protection of shared folders against external encryption in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Watcher section in the list on the left.
  6. In the right part of the window, in the General settings section, do one of the following:
    • Select the Enable protection of shared folders against external encryption check box if you want Kaspersky Security to monitor operations performed from a remote device on files in shared folders.
    • Clear the Enable protection of shared folders against external encryption check box if you do not want Kaspersky Security to monitor operations performed from a remote device on files in shared folders.
  7. Click the Apply button.

To enable or disable protection of shared folders against external encryption in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Anti-Virus protection section, select System Watcher.

    In the right part of the window, the System Watcher component’s settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Do one of the following:
    • Select the Enable protection of shared folders against external encryption check box if you want Kaspersky Security to monitor operations performed from a remote device on files in shared folders.
    • Clear the Enable protection of shared folders against external encryption check box if you do not want Kaspersky Security to monitor operations performed from a remote device on files in shared folders.
  4. To save changes, click the Save button.

Changing the action to take upon detection of external encryption of shared folders

By default, when Kaspersky Security detects encryption of files in shared folders, it blocks the network activity of the device attempting encryption, writes information about the detected malicious activity to a local interface report, and sends this information to Kaspersky Security Center. If rollback of malware actions is enabled in the System Watcher settings, Kaspersky Security can also restore modified files from their backup copies.

You can change the action taken by Kaspersky Security when it detects external encryption of shared folders.

To select the System Watcher action in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Watcher section in the list on the left.
  6. In the right part of the window, in the General settings section, click the Settings button.
  7. In the Settings window that opens, select the required action:
    • Inform. If this option is selected and Kaspersky Security detects encryption of files in shared folders, it writes information about the detected malicious activity to a local interface report and sends this information to Kaspersky Security Center, and adds information about this to the list of unprocessed objects.

      Kaspersky Security does not restore modified files from their backup copies even if rollback of malware actions is enabled in the System Watcher settings.

    • Block connection. If this option is selected and Kaspersky Security detects encryption of files in shared folders, it blocks the network activity of the device attempting encryption, writes information about the detected malicious activity to a local interface report, and sends this information to Kaspersky Security Center. In the Block connection for N minutes field you can specify the amount of time (in minutes) that the network connection will be blocked. The default value is 60 minutes.

      If rollback of malware actions is enabled in the System Watcher settings, Kaspersky Security also restores modified files from their backup copies.

      This action is set by default.

    If network activity of the device has been previously blocked (the Block connection action is selected), when the action is changed to Inform it remains blocked for the specified amount of time.

  8. In the Settings window, click OK.
  9. Click the Apply button.

To select the System Watcher action in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Anti-Virus protection section, select System Watcher.

    In the right part of the window, the System Watcher component’s settings are displayed.

  3. Click the Settings button.

    The Settings window opens.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  4. Complete steps 7–8 of the previous instructions.
  5. To save changes, click the Save button.

Configuring exclusions from protection against external encryption

To enable exclusions from protection of shared folders against external encryption, you must enable auditing of successful attempts to log in to the system (select the Success check box for the "Audit Logon" setting) in the Windows security policy. For details, please visit the Microsoft website.
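The following is an added example, not part of the Kaspersky documentation, showing how an administrator can verify the "Audit Logon" success-auditing prerequisite on the protected virtual machine from an elevated PowerShell session and enable it if it is missing. It assumes an English-locale Windows build, where the audit subcategory is named "Logon", and uses only the built-in auditpol tool.

```powershell
# Added example (not from the Kaspersky documentation): check and, if needed,
# enable success auditing for the "Logon" subcategory, which the shared folder
# exclusion feature requires. Run in an elevated PowerShell session.
# Assumption: English-locale Windows, where the subcategory is named "Logon".

function Get-LogonSuccessAuditState {
    # "auditpol /get ... /r" prints CSV with the columns: Machine Name,
    # Policy Target, Subcategory, Subcategory GUID, Inclusion Setting,
    # Exclusion Setting
    $rows  = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    $logon = $rows | Where-Object { $_.Subcategory -eq 'Logon' }
    if (-not $logon) {
        throw 'Could not read the Logon audit subcategory (is the session elevated?)'
    }
    # Inclusion Setting is one of: "No Auditing", "Success", "Failure",
    # "Success and Failure"
    return $logon.'Inclusion Setting'
}

function Enable-LogonSuccessAudit {
    $state = Get-LogonSuccessAuditState
    if ($state -match 'Success') {
        Write-Output "Audit Logon success auditing is already enabled ($state)"
        return
    }
    # Only add Success; any existing Failure auditing is left untouched.
    auditpol /set /subcategory:"Logon" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed with exit code $LASTEXITCODE"
    }
    Write-Output "Audit Logon success auditing enabled (previous setting: $state)"
}

Enable-LogonSuccessAudit
# Re-read the effective setting so the result can be confirmed.
Get-LogonSuccessAuditState
```

If the advanced audit policy on the virtual machine is managed by domain Group Policy, a local auditpol change is overwritten at the next policy refresh and the "Audit Logon" success setting must be enabled in the GPO instead.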

You can exclude a remote device from protection of shared folders against external encryption by adding the name or IP address of the remote device to the exclusion list. The application will not monitor network activity from this device in relation to shared folders.

If a remote device accessed shared folders before Kaspersky Security was started, adding the address of that device to the list of exclusions from shared folder protection will not take effect for it. You need to restart the device after Kaspersky Security has started so that its network activity is disregarded during protection of shared folders against external encryption.

You can also exclude an individual folder from protection of shared folders against external encryption. To do so, you need to configure a folder exclusion to be used by the System Watcher component. Exclusions are configured in the General protection settings section.

To use Kaspersky Security Center to exclude a remote device from protection of shared folders against external encryption:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Watcher section in the list on the left.
  6. In the right part of the window, in the General settings section, click the Settings button.
  7. In the Settings window that opens, click the Exclusions button.
  8. In the Exclusions window that opens, do one of the following:
    • If you want to add an IP address or device name to the list of exclusions, click the Add button.
    • If you want to edit an IP address or device name, select it in the list of exclusions and click the Edit button.
  9. In the Computer window that opens, enter the IP address or the name of the device whose attempts to modify files in shared folders will not be monitored.
  10. In the Computer window, click OK.
  11. Click OK in the Exclusions window.
  12. Click the Apply button.

To use the local interface to exclude a remote device from protection of shared folders against external encryption:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Anti-Virus protection section, select System Watcher.

    In the right part of the window, the System Watcher component’s settings are displayed.

  3. Click the Settings button.

    The Settings window opens.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  4. Complete steps 7–11 of the previous instructions.
  5. To save changes, click the Save button.