Kaspersky Embedded Systems Security for Linux

Anti-Cryptor task (Anti_Cryptor, ID:13)

The Anti-Cryptor task protects files in local directories that are shared over the SMB/NFS protocols from malicious encryption by remote devices.

While the Anti-Cryptor task is running, Kaspersky Embedded Systems Security inspects remote computers' requests to access files located in the shared network directories of the protected device. If the application considers a remote device's actions on network file resources to be malicious encryption, that device is added to the list of untrusted devices and loses access to the shared network directories. By default, the application blocks access of untrusted devices to network file resources for 30 minutes. Encryption activity detected in directories excluded from the protection scope of the Anti-Cryptor task is not treated as malicious encryption.

For the Anti-Cryptor task to perform correctly, at least one of the services (Samba or NFS) must be installed in the operating system. The NFS service requires the rpcbind package to be installed.

The Anti-Cryptor task runs correctly with SMB1, SMB2, SMB3, NFS3, TCP/UDP, and IP/IPv6 protocols. Working with NFS2 and NFS4 protocols is not supported. It is recommended to configure your server settings so that the NFS2 and NFS4 protocols cannot be used to mount resources.

The Anti-Cryptor task does not block a host's access to network file resources until that host's activity has been identified as malicious, so at least one file will be encrypted before the application detects the malicious activity.

In this Help section

About blocking access to devices

Anti-Cryptor task settings

Viewing the list of blocked devices

Allowing blocked devices


About blocking access to devices

When malicious encryption activity is detected, the application creates and enables a rule for the operating system firewall that blocks network traffic from a compromised device. The compromised device is added to the list of blocked devices. The application blocks access to shared network directories for all remote devices in the list of blocked devices. Information about blocked devices from a protected server is sent to Kaspersky Security Center.

Firewall rules created by the Anti-Cryptor task cannot be deleted using the iptables utility, since the application restores a set of rules every minute. Use the --allow-hosts command to unblock a device.

By default, the application removes untrusted devices from the list 30 minutes after they were added to it. A device's access to network file resources is restored automatically once it is removed from the list. You can change the list of blocked devices and specify the period after which blocked devices are automatically unblocked.


Anti-Cryptor task settings

The table describes all available values and the default values of all the settings that you can specify for the Anti-Cryptor task.

Anti-Cryptor task settings

Setting

Description

Values

UseHostBlocker

Enables untrusted hosts blocking.

If untrusted hosts blocking is disabled, the application still scans the actions of the remote devices on network file resources for malicious encryption when the Anti-Cryptor task is running. If malicious activity is detected, the EncryptionDetected event is created, but the attacking device is not blocked.

Yes (default value): enable untrusted hosts blocking.

No: disable untrusted hosts blocking.

BlockTime

The time an untrusted device is blocked (in minutes).

If a compromised host is blocked, and you change a value for the BlockTime setting, the blocking time for this host will not change. The blocking time is not a dynamic value, and is calculated at the moment of blocking.

Integer from 1 to 4294967295.

Default value: 30.

UseExcludeMasks

Enables protection scope exclusions for objects specified by the ExcludeMasks.item_# setting.

This setting only applies if a value is specified for the ExcludeMasks.item_# setting.

Yes — Exclude objects specified by the ExcludeMasks.item_# setting from the protection scope.

No (default value) — Do not exclude objects specified by the ExcludeMasks.item_# setting from the protection scope.

ExcludeMasks.item_#

Excludes objects from the protection scope by names or masks. You can use this setting to exclude an individual file from the specified protection scope by name or exclude several files at once using masks in the shell format.

Before specifying a value for this setting, make sure that the UseExcludeMasks setting is enabled.

If you want to specify several masks, specify each mask on a new line with a new index.

The default value is not defined.

The [ScanScope.item_#] section contains the scopes protected by the application. For the Anti-Cryptor task, you need to specify at least one protection scope; you can only specify shared directories.

You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of protection scope; contains additional information about the protection scope.

Default value: All shared directories.

UseScanArea

Enables protection of the specified scope. To run the task, enable protection of at least one scope.

Yes (default value) — Protect the specified scope.

No — Do not protect the specified scope.

AreaMask.item_#

Protection scope limitation. In the protection scope, the application protects only the objects that are specified using the masks in the shell format.

You can specify several AreaMask.item_# items in any order. The application processes the scopes by index in ascending order.

Default value: * (protect all objects)

Path

Path to the directory with the objects to be protected.

<path to local directory> – Protect a local directory accessible via SMB/NFS. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

AllShared (default value) — Protect all resources accessible via SMB/NFS.

Shared:SMB — Protect resources accessible via SMB.

Shared:NFS — Protect resources accessible via NFS.
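The mask rules above (a single * stops at /, ** also spans /, and at most one ** per mask, ? stands for exactly one character) are the same for the Path setting of [ScanScope.item_#] and of [ExcludedFromScanScope.item_#]. The matcher below is an added example, not Kaspersky code; it is one literal implementation of the rules as this page states them, so it can be used to check which files on an export a planned mask would actually cover (or exclude) before the task is configured. The sample masks and paths are constructed.

```python
import re

# Added example, not Kaspersky code: a matcher for the Path mask rules stated
# on this page. It assumes the rules mean exactly what the text says:
#   *   any run of characters except "/" (may be empty)
#   **  any run of characters including "/" (may be empty), at most once per mask
#   ?   exactly one character, never "/"
# Every other character in the mask is matched literally.


def mask_to_regex(mask: str):
    """Translate an Anti-Cryptor style path mask into an anchored regex."""
    parts = []
    double_star_seen = False
    i = 0
    while i < len(mask):
        if mask.startswith("**", i):
            if double_star_seen:
                # The page states ** may appear only once: /dir/**/**/file is invalid
                raise ValueError(f"'**' may be used only once in a mask: {mask!r}")
            double_star_seen = True
            parts.append(".*")
            i += 2
        elif mask[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif mask[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def path_matches(mask: str, path: str) -> bool:
    """True if the given absolute path is covered by the mask."""
    return mask_to_regex(mask).match(path) is not None


def is_valid_mask(mask: str) -> bool:
    """True if the mask respects the single-** rule from the page."""
    try:
        mask_to_regex(mask)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample masks and paths on an exported share
    checks = [
        ("/dir/*/file", "/dir/a/file"),        # one directory level: match
        ("/dir/*/file", "/dir/a/b/file"),      # * stops at "/": no match
        ("/dir/**/file", "/dir/a/b/file"),     # ** spans directories: match
        ("/dir/file?", "/dir/file1"),          # ? is exactly one character: match
        ("/dir/file?", "/dir/file/"),          # ? never matches "/": no match
    ]
    for mask, path in checks:
        print(f"{mask:14} {path:14} -> {path_matches(mask, path)}")
    print("/dir/**/**/file valid?", is_valid_mask("/dir/**/**/file"))
```

Whether an empty ** collapses the slashes around it (so that /dir/**/file also covers /dir/file) is not stated on the page, and this matcher follows the text literally, so test that case against the product itself before relying on it in an exclusion.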

The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section are not scanned. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the protection exclusion scope, which contains additional information about the exclusion scope.

Default value: All objects.

UseScanArea

Excludes the specified scope from protection.

Yes (default value) — Exclude the specified scope from protection.

No — Do not exclude the specified scope from protection.

AreaMask.item_#

Limitation of the protection exclusion scope. In the exclusion scope, the application excludes only the objects that are specified using masks in the shell format.

You can specify several AreaMask.item_# items in any order. The application processes the scopes by index in ascending order.

Default value: * (exclude all objects).

Path

Path to the directory with objects excluded from protection.

<path to local directory> — Exclude objects in the specified directory from protection. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Mounted:NFS – Exclude the remote directories mounted on a client device using the NFS protocol from protection.

Mounted:SMB – Exclude the remote directories mounted on a client device using the Samba protocol from protection.

AllRemoteMounted – Exclude all remote directories mounted on a client device using the Samba and NFS protocols from protection.
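A complete Anti-Cryptor task configuration assembled from the settings described in this section, given here as an added example rather than a file shipped with the product. It assumes the plain Key=Value layout and the four-digit item_0000 index form of the task configuration file; all section and setting names are the ones listed above, and the share paths are constructed. The second [ScanScope.item_#] entry names a directory that is assumed to be an NFS export, since the task accepts only shared directories as protection scopes.

```ini
; Anti-Cryptor task configuration (constructed example; Key=Value layout and
; the item_0000 index form are assumed, setting names are from the table above)

; Block the attacking host, not just report it, and keep it out for an hour
UseHostBlocker=Yes
BlockTime=60

; Object-name exclusions apply only while UseExcludeMasks is enabled.
; Keep this list short: encryption of excluded objects is never detected.
UseExcludeMasks=Yes
ExcludeMasks.item_0000=*.lock
ExcludeMasks.item_0001=~$*

; Protection scope 1: every directory exported over SMB
[ScanScope.item_0000]
AreaDesc=All SMB shares
UseScanArea=Yes
AreaMask.item_0000=*
Path=Shared:SMB

; Protection scope 2: one NFS export (constructed path, assumed to be exported)
[ScanScope.item_0001]
AreaDesc=Project data exported over NFS
UseScanArea=Yes
AreaMask.item_0000=*
Path=/srv/nfs/projects

; Exclusion: a staging directory inside the NFS export where a backup job
; legitimately rewrites many files (constructed path)
[ExcludedFromScanScope.item_0000]
AreaDesc=Backup staging area
UseScanArea=Yes
AreaMask.item_0000=*
Path=/srv/nfs/projects/backup-staging/**
```

The trade-off to keep in mind when adding exclusions is the one the task description states: encryption activity inside an excluded scope is not counted as malicious, so an attacker who lands in an excluded directory is not blocked there. Prefer narrow Path and AreaMask values over broad ones, and record why each exclusion exists.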


Viewing the list of blocked devices

You can view the list of devices blocked by the Anti-Cryptor task.

To view the list of blocked devices, execute the following command:

kess-control [-H] --get-blocked-hosts

The application will display blocked devices.


Allowing blocked devices

You can manually unblock devices that were blocked by the Anti-Cryptor task, and restore network access to them.

To unblock devices, execute the following command:

kess-control [-H] --allow-hosts <device>

where <device> is one or more valid IPv4/IPv6 addresses (including addresses in short form) or subnets.

Specified devices are unblocked.

Examples:

IPv4 addresses:

dec - 192.168.0.1

dec - 192.168.0.0/24

IPv6 addresses:

hex - FEDC:BA98:7654:3210:FEDC:BA98:7654:3210

hex - FEDC:BA98:7654:3210:FEDC:BA98:7654:3210%1

hex - 2001:db8::ae21:ad12

hex - ::ffff:255.255.255.254

hex - ::
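Unblocking restores a device's access to the shares it was blocked from, so the device list deserves a check before it reaches --allow-hosts. The validator below is an added example, not Kaspersky code: it classifies each entry as an address, a subnet or invalid using the address forms listed in the examples above (including the %zone suffix on IPv6 and subnets in prefix notation) and refuses the whole list if any entry is malformed. The separator the command uses between several devices is not stated on this page, so the script only prints the validated list and leaves the actual invocation to the operator.

```python
import ipaddress

# Added example, not Kaspersky code: validate the device list before it is
# handed to "kess-control --allow-hosts", so a typo cannot silently unblock
# the wrong host or range. Accepted forms follow the examples on this page:
# IPv4/IPv6 addresses (short forms included, optional %zone on IPv6) and
# subnets in prefix notation.


def classify_device(spec: str) -> str:
    """Return 'address', 'subnet' or 'invalid' for one --allow-hosts entry."""
    spec = spec.strip()
    if not spec:
        return "invalid"
    if "/" in spec:
        try:
            # strict=True rejects host bits under the prefix, e.g. 192.168.0.1/24
            ipaddress.ip_network(spec, strict=True)
            return "subnet"
        except ValueError:
            return "invalid"
    # The zone index (FEDC:...:3210%1) is split off by hand so the check does
    # not depend on the Python version's own scope-id support.
    host, sep, zone = spec.partition("%")
    if sep and not zone:
        return "invalid"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "invalid"
    if sep and addr.version != 6:
        return "invalid"  # a zone index only makes sense for IPv6
    return "address"


def validate_device_list(devices):
    """Return the cleaned list, or raise if any entry would not be a valid device."""
    cleaned = [d.strip() for d in devices]
    bad = [d for d in cleaned if classify_device(d) == "invalid"]
    if bad:
        raise ValueError(f"refusing to unblock, invalid device spec(s): {bad}")
    return cleaned


if __name__ == "__main__":
    # Constructed input, as an operator might paste it from a ticket
    requested = ["192.168.0.1", "192.168.0.0/24", "2001:db8::ae21:ad12",
                 "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210%1"]
    for d in validate_device_list(requested):
        print(f"{classify_device(d):8} {d}")
    print("ok: pass these to kess-control --allow-hosts")
```

Before running the unblock, compare each entry against the output of kess-control --get-blocked-hosts and confirm it is the device whose activity was investigated: the Anti-Cryptor task blocked it because its file operations looked like encryption, and a /24 entry lifts the block for every host in that range.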
