Kaspersky Next XDR Expert

Triggering of rules in Smart Training mode

This section provides information about the detections performed by the Adaptive Anomaly Control rules in Kaspersky Endpoint Security for Windows on client devices.

The rules detect anomalous behavior on client devices and may block it. If the rules work in Smart Training mode, they detect anomalous behavior and send reports about every such occurrence to Administration Server. You can view the reports about detected anomalous behavior in Operations → Repositories → Rule triggers in Smart Training state. You can confirm detections as correct or add them as exclusions, so that this type of behavior is not considered anomalous anymore.

Information about detections is stored in the event log on the Administration Server (along with other events) and in the Adaptive Anomaly Control report.

For more information about Adaptive Anomaly Control, the rules, their modes and statuses, refer to Kaspersky Endpoint Security for Windows Help.

In this section

Viewing and confirming detections performed using Adaptive Anomaly Control rules

Adding exclusions from the Adaptive Anomaly Control rules

[Topic 172869]

Viewing and confirming detections performed using Adaptive Anomaly Control rules


To view the list of detections performed by Adaptive Anomaly Control rules:

  1. In the main menu, go to Operations → Repositories → Rule triggers in Smart Training state.

    The list displays the following information about detections performed using Adaptive Anomaly Control rules:

    • Administration group

      The name of the administration group where the device belongs.

    • Virtual Administration Server

      Virtual Administration Server that manages the device.

    • Device name

      The name of the client device where the rule was applied.

    • Name

      The name of the rule that was applied.

    • Status

      Excluding—The Administrator processed this item and added it as an exclusion to the rules. This status remains until the next synchronization of the client device with the Administration Server; after the synchronization, the item disappears from the list.

      Confirming—The Administrator processed this item and confirmed it. This status remains until the next synchronization of the client device with the Administration Server; after the synchronization, the item disappears from the list.

      Empty—The Administrator has not processed this item.

    • Detections count

      The number of detections for one heuristic rule, one process, and one client device. This number is counted by Kaspersky Endpoint Security.

    • User name

      The name of the client device user who ran the process that generated the detection.

    • Source process path

      Path to the source process, i.e. to the process that performs the action (for more information, refer to the Kaspersky Endpoint Security help).

    • Source process hash

      SHA256 hash of the source process file (for more information, refer to the Kaspersky Endpoint Security help).

    • Source object path

      Path to the object that started the process (for more information, refer to the Kaspersky Endpoint Security help).

    • Source object hash

      SHA256 hash of the source file (for more information, refer to the Kaspersky Endpoint Security help).

    • Target process path

      Path to the target process (for more information, refer to the Kaspersky Endpoint Security help).

    • Target process hash

      SHA256 hash of the target file (for more information, refer to the Kaspersky Endpoint Security help).

    • Target object path

      Path to the target object (for more information, refer to the Kaspersky Endpoint Security help).

    • Target object hash

      SHA256 hash of the target file (for more information, refer to the Kaspersky Endpoint Security help).

    • Processed

      Date when the anomaly was detected.

To view the properties of a detection:

  1. In the main menu, go to Operations → Repositories → Rule triggers in Smart Training state.
  2. Do one of the following:
    • In the Name column, click the link with the name of the detection you want to view.
    • In the list of detections, select the check box next to the detection you want to view, and then click the Properties button.

The properties window of the selected detection opens, displaying information about it.

You can confirm any detection from the list of detections of Adaptive Anomaly Control rules or from the properties window of a selected detection.

To confirm a detection:

  • Select one or several detections in the list of detections, and then click the Confirm button.
  • Open the properties window of a selected detection, and then click the Confirm button.

The status of the detection is changed to Confirming. The detection will disappear from the list of detections after the next synchronization of the client device with the Administration Server.

Your confirmation will contribute to the statistics used by the rules. For more information, refer to Kaspersky Endpoint Security for Windows Help.

[Topic 172650]

Adding exclusions from the Adaptive Anomaly Control rules

The Add to Adaptive Anomaly Control exclusions wizard allows you to add exclusions from the Adaptive Anomaly Control rules for Kaspersky Endpoint Security.

To add exclusions from the Adaptive Anomaly Control rules by using the wizard:

  1. Start the wizard in one of the following ways:
    • In the main menu, go to Operations → Repositories → Rule triggers in Smart Training state, select one or several detections, and then click the Exclude button.

      You can add up to 1000 exclusions at a time.

      Before adding a detection to exclusions, you can view the properties of the detection by clicking the detection name or the Properties button. In the detection properties window that opens, you can also click the Exclude button.

    • In the main menu, go to Monitoring & reporting → Event selections, click the link with the event selection you need, select the check box next to the detection you want to exclude, and then click the Exclude from Adaptive Anomaly Control button.

    The Add to Adaptive Anomaly Control exclusions wizard starts. Proceed through the wizard by using the Next button.

  2. Select the policies and profiles to which you want to add exclusions.

    Inherited policies cannot be updated. If you do not have the rights to modify a policy, the policy will not be updated.

  3. Click Done to close the wizard.

The status of the detection is changed to Excluding. The detection disappears from the list of detections after the next synchronization of the client device with the Administration Server. The exclusion from the Adaptive Anomaly Control rules is configured and applied.
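The columns of the detection list and the confirm/exclude decision described above can be worked through offline before touching the console. The following Python script is an added example, not Kaspersky code: it assumes the detection list has been exported as CSV with column names matching the list above (an assumption, since this page documents the columns, not an export format), separates detections that already carry the Confirming or Excluding status from those still to be processed, flags detections whose source process hash is on an administrator-maintained list of vetted internal tools as exclusion candidates, aggregates the rest by rule and source hash for review, and splits exclusion candidates into batches that respect the limit of 1000 exclusions per wizard run. All device names, rule names, user names and hashes in the sample are constructed placeholders.

```python
"""Offline triage of Adaptive Anomaly Control detections in Smart Training mode.

Added example (not Kaspersky code). Assumes a CSV export whose header row
uses the column names of the 'Rule triggers in Smart Training state' list.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: every device, rule, user and hash is a placeholder.
SAMPLE_EXPORT = """\
Device name,Name,Status,Detections count,User name,Source process path,Source process hash
WS-001,Example rule A,,3,CORP\\alice,C:\\Tools\\inventory.exe,1111aaaa
WS-002,Example rule A,,5,CORP\\bob,C:\\Tools\\inventory.exe,1111aaaa
WS-003,Example rule B,Confirming,1,CORP\\carol,C:\\Temp\\unknown.exe,2222bbbb
WS-004,Example rule B,,12,CORP\\dave,C:\\Temp\\unknown.exe,2222bbbb
WS-005,Example rule A,Excluding,2,CORP\\erin,C:\\Tools\\inventory.exe,1111aaaa
"""

# SHA256 hashes of internally deployed tools the administrator has vetted
# (constructed values; in practice this list comes from your own inventory).
KNOWN_GOOD_HASHES = {"1111aaaa"}

# The documentation states that up to 1000 exclusions can be added per wizard run.
MAX_EXCLUSIONS_PER_WIZARD_RUN = 1000


def parse_detections(text):
    """Parse the exported list into dicts; 'Detections count' becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Detections count"] = int(row["Detections count"])
    return rows


def triage(rows, known_good):
    """Sort detections into three buckets.

    processed: status is Confirming or Excluding, item vanishes at next sync
    exclude:   source process is a vetted internal tool, exclusion candidate
    review:    everything else, to be confirmed or investigated by a person
    """
    buckets = {"processed": [], "exclude": [], "review": []}
    for row in rows:
        if row["Status"]:
            buckets["processed"].append(row)
        elif row["Source process hash"].lower() in known_good:
            buckets["exclude"].append(row)
        else:
            buckets["review"].append(row)
    return buckets


def summarize(rows):
    """Aggregate by (rule name, source hash): (distinct devices, total detections)."""
    agg = defaultdict(lambda: {"devices": set(), "count": 0})
    for row in rows:
        key = (row["Name"], row["Source process hash"])
        agg[key]["devices"].add(row["Device name"])
        agg[key]["count"] += row["Detections count"]
    return {key: (len(v["devices"]), v["count"]) for key, v in agg.items()}


def batches(rows, size=MAX_EXCLUSIONS_PER_WIZARD_RUN):
    """Split exclusion candidates into chunks the wizard accepts in one run."""
    return [rows[i:i + size] for i in range(0, len(rows), size)]


if __name__ == "__main__":
    detections = parse_detections(SAMPLE_EXPORT)
    result = triage(detections, KNOWN_GOOD_HASHES)
    print("already processed:", len(result["processed"]))
    print("exclusion candidates:", summarize(result["exclude"]))
    print("needs review:", summarize(result["review"]))
    print("wizard runs needed:", len(batches(result["exclude"])))
```

The review bucket is deliberately not auto-confirmed: confirming a detection feeds the rule statistics, so that decision stays with a person who has looked at the properties window. Hash-based allowlisting rather than path-based is used because a path can be reused by an unrelated binary.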

[Topic 173182]