Protection against file-encrypting malware in Kaspersky Endpoint Security for Windows
Applications and versions that this article concerns:
- Kaspersky Endpoint Security 12.6 for Windows (version 12.6.0.438)
- Kaspersky Endpoint Security 12.5 for Windows (version 12.5.0.539)
- Kaspersky Endpoint Security 12.4 for Windows (version 12.4.0.467)
- Kaspersky Endpoint Security 12.3 for Windows (version 12.3.0.493)
- Kaspersky Endpoint Security 12.2 for Windows (version 12.2.0.462)
- Kaspersky Endpoint Security 12.1 for Windows (version 12.1.0.506)
- Kaspersky Endpoint Security 12 for Windows (version 12.0.0.465)
- Kaspersky Endpoint Security 11.11 for Windows (version 11.11.0.452)
- Kaspersky Endpoint Security 11.10 for Windows (version 11.10.0.399)
- Kaspersky Endpoint Security 11.9 for Windows (version 11.9.0.351)
- Kaspersky Endpoint Security 11.8 for Windows (version 11.8.0.384)
- Kaspersky Endpoint Security 11.7 for Windows (version 11.7.0.669)
To reduce the risk of being infected by file-encrypting malware, we recommend that you enable the following protection components:
- Behavior Detection
- Remediation Engine
- Automatic Exploit Prevention
- Host Intrusion Prevention
- Kaspersky Security Network
The instructions in this article cannot be used to protect objects located in network storages. Such files will not be protected regardless of the format in which the file location is specified (a network drive or a UNC path). To protect files located in network storages, use special solutions, for example, Kaspersky Security for Windows Server.
How to configure protection against file-encrypting malware locally in Kaspersky Endpoint Security for Windows version 11.7.0 and above
Make sure that the following components are enabled in the application settings: Behavior Detection, Remediation Engine, and Exploit Prevention.
1. Open Kaspersky Endpoint Security for Windows.
2. Enable the Host Intrusion Prevention component.
3. Go to Settings → the Host Intrusion Prevention component and click Manage resources.
4. Select Personal data and click Add → Category.
5. Type the name of the new category, for example, Protected file types. Click Add.
6. Select Protected file types and create subcategories, for example, Documents or Images. To do this, repeat steps 4–5.
7. Select the category for the protected file type. For example, for files with the .DOC or .DOCX extension, select the Documents category and click Add → File or folder.
8. Enter the name and specify the mask in the *.<extension> format in the Path field.
9. Add other file types. To do this, repeat steps 7–8.
10. Set the rules for the High restricted and Low restricted categories. To do this:
    - Select the created Protected file types category.
    - For the High restricted and Low restricted folders, set the Write, Create, and Delete permissions to Deny and click Log events.
11. Make sure that the necessary applications are in the trusted group and click Save.
Before installing patches for Kaspersky solutions, temporarily restore the initial settings. If your browser is in a group with high or low restrictions, you will not be able to download protected files.
How to configure protection against file-encrypting malware locally in Kaspersky Endpoint Security for Windows versions 11.5.0—11.6.0
Make sure that the following components are enabled in the application settings: Behavior Detection, Remediation Engine, and Exploit Prevention.
1. Open Kaspersky Endpoint Security for Windows.
2. Enable the Host Intrusion Prevention component.
3. Go to Settings → the Host Intrusion Prevention component and click Manage resources.
4. Select Personal data and click Add → Category.
5. Type the name of the new category, for example, Protected file types. Click Add.
6. Select Protected file types and create subcategories, for example, Documents and Images. To do this, repeat steps 4–5.
7. Select the category for the protected file type. For example, for files with the .DOC or .DOCX extension, select the Documents category and click Add → File or folder.
8. Enter the name and specify the mask in the *.<extension> format in the Path field.
9. Add other file types. To do this, repeat steps 7–8.
10. Set the rules for the High restricted and Low restricted categories. To do this:
    - Select the created Protected file types category.
    - For the High restricted and Low restricted folders, set the Write, Create, and Delete permissions to Deny and click Log events.
11. Make sure that the necessary applications are in the trusted group and click Save.
Before installing patches for Kaspersky solutions, temporarily restore the initial settings. If your browser is in a group with high or low restrictions, you will not be able to download protected files.
How to remotely set up protection against file-encrypting malware
Make sure that the following components are enabled in the settings: Behavior Detection, Remediation Engine and Exploit Prevention.
1. Open Kaspersky Security Center.
2. Go to Managed devices → Policies and open the policy properties of Kaspersky Endpoint Security for Windows.
3. Go to Advanced Threats Protection → Host Intrusion Prevention → Settings.
4. Select Personal data and click Add → Category.
5. Type the name for the category, for example, Protected file types, and click OK.
6. Select Protected file types and create subcategories, for example, Documents or Images. To do this, repeat steps 4–5.
7. Select the category for the protected file type. For example, for files with the .DOC or .DOCX extension, select the Documents category and click Add → File or folder.
8. Fill out the Name field, click Browse and enter the mask for the file in the *.<extension> format. Click OK → OK.
9. Add other file types. To do this, repeat steps 7–8.
10. Set the rules for the High restricted and Low restricted categories. To do this, select the Protected file types category, set the Write, Create, and Delete rights to Deny and click Log events.
11. Make sure that the applications are in the trusted group. Click OK → Apply.
12. Go to Event configuration → Info. Open the properties for Host Intrusion Prevention was triggered.
13. Select the On Administration Server for (days) check box. If necessary, adjust the settings to receive notifications by email. Click OK.
The Host Intrusion Prevention component has been set up for protection against file-encrypting malware. If a malicious file is run on a client device, Kaspersky Security Center will register that event. To track the events, go to Administration Server → Events.
If the Administration Server registers too many events, the oldest will be overwritten.
Before installing patches for Kaspersky solutions, temporarily restore the initial settings. If your browser is in a group with high or low restrictions, you will not be able to download protected files.
To use all the features of Kaspersky Security Center Remote Diagnostic Utility, restore the initial settings or disable the Host Intrusion Prevention component.
Types of files which can be encrypted by malware
File type | Extension |
---|---|
Documents | DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, RTF, ODT, ODP, ODS, DJVU |
Images | JPG, JPEG, BMP, GIF, PNG, PSD, CDR, DWG, MAX, 3DS |
Archives | RAR, ZIP, 7Z, TAR, GZ |
Multimedia | AVI, MP3, WAV, MKV, FLAC, MP4, MOV, WMV |
Databases | MDB, 1CD, SQLITE, SQL |
Other | KWM, ISO, TORRENT, PHP, C, CPP, PAS, CER, KEY, PST, LNK |
The file types listed above are the most commonly encrypted. Nevertheless, other file formats of user data and backup files can also be encrypted by malware.
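The following Python script is an added example, not part of the original article and not Kaspersky tooling. It checks a file inventory against the extension table above and reports which paths the `*.<extension>` masks would cover, which extensions still need a mask, and which paths sit on network storage that this configuration does not protect. The sample paths are constructed; the case-insensitive match on the final extension and the caller-supplied set of mapped network drives are assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Extension table from this article, keyed by subcategory name.
PROTECTED = {
    "Documents": "DOC DOCX PDF XLS XLSX PPT PPTX RTF ODT ODP ODS DJVU",
    "Images": "JPG JPEG BMP GIF PNG PSD CDR DWG MAX 3DS",
    "Archives": "RAR ZIP 7Z TAR GZ",
    "Multimedia": "AVI MP3 WAV MKV FLAC MP4 MOV WMV",
    "Databases": "MDB 1CD SQLITE SQL",
    "Other": "KWM ISO TORRENT PHP C CPP PAS CER KEY PST LNK",
}
EXT_TO_CATEGORY = {e.lower(): c for c, exts in PROTECTED.items() for e in exts.split()}

def masks(category):
    """Masks for the Path field, in the *.<extension> format."""
    return ["*." + e.lower() for e in PROTECTED[category].split()]

def classify(path, mapped_network_drives=frozenset()):
    """(status, detail) for a Windows path; assumes a case-insensitive match on the last extension."""
    p = PureWindowsPath(path)
    drive = p.drive.upper()
    # UNC paths and caller-listed mapped drives (e.g. {"Z:"}) are network storage: not protected here.
    if drive.startswith("\\\\") or drive in mapped_network_drives:
        return ("network", drive)
    ext = p.suffix.lstrip(".").lower()
    if ext in EXT_TO_CATEGORY:
        return ("covered", EXT_TO_CATEGORY[ext])
    return ("uncovered", ext or "(none)")

def audit(paths, mapped_network_drives=frozenset()):
    """Count paths per status and rank the extensions no mask covers."""
    statuses, uncovered = Counter(), Counter()
    for path in paths:
        status, detail = classify(path, mapped_network_drives)
        statuses[status] += 1
        if status == "uncovered":
            uncovered[detail] += 1
    return dict(statuses), uncovered.most_common()

# Constructed sample inventory, not real data.
SAMPLE = [
    r"C:\Users\alice\Documents\report.DOCX",
    r"C:\Users\alice\Backups\mail.bak",
    r"C:\Users\alice\Backups\db.bak",
    r"C:\Users\alice\Pictures\scan.tiff",
    r"\\fileserver\share\budget.xlsx",
    r"Z:\projects\plan.pdf",
]
```

Calling `audit(SAMPLE, {"Z:"})` ranks the uncovered extensions by count, which gives a starting list of additional masks to add under Protected file types.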
What to do if malware is detected on the device
- If you have found a malicious file that may cause infection and encryption of files, follow these instructions.
- If your device has already been infected by malware, follow these instructions.