When malicious encryption activity is detected, Kaspersky Endpoint Security creates and enables an operating system firewall rule that blocks network traffic from the compromised host. The compromised host is added to the list of untrusted hosts. Kaspersky Endpoint Security blocks access to shared network directories for all remote hosts in the list of untrusted hosts. Information about blocked hosts is sent from the protected server to Kaspersky Security Center.
Firewall rules created by Anti-Cryptor cannot be deleted by using the iptables utility, because Kaspersky Endpoint Security restores the set of rules once per minute. Use the --allow-hosts option to unblock a host.
By default, Kaspersky Endpoint Security removes untrusted computers from the list 30 minutes after they were added to it. Computers' access to network file resources is restored automatically after they are removed from the list of untrusted hosts. You can modify the list of blocked hosts and specify the time after which blocked computers are automatically unblocked.