System Watcher - Kaspersky Lab

Anti-Virus 2012 

System Watcher

Kaspersky Anti-Virus 2012 

Table of Contents 

System Watcher ........................................................................................................................... 2 

Enabling/disabling System Watcher .......................................................................................... 2 

Using patterns of dangerous behavior (BSS) ............................................................................ 2 

Rolling back actions performed by malware .............................................................................. 4 

1 | 5


System Watcher 

System Watcher in Kaspersky Anti-Virus 2012 collects data about applications actions on your 

computer and provides information to other components for improved protection. 

In Kaspersky Anti-Virus 2012 you can configure the System Watcher settings to perform a 

specified action when the application’s activity matches with the pattern of dangerous activity. 

System Watcher also allows you to roll back actions performed by malicious programs. 

Enabling/disabling System Watcher 

By default, System Watcher is enabled, running in a mode that depends on the current mode of 

Kaspersky Anti-Virus 2012 – automatic or interactive. 

You are advised to avoid disabling the component, except for emergency cases, since this 

inevitably impacts efficiency of Proactive Defense and other protection components operation 

that may request the data collected by System Watcher in order to identify the potential threat 

detected. 

To disable System Watcher, perform the following actions: 

1. Open the application settings window. 

2. In the left part of the window under Protection Center select System Watcher. 

3. In the right part of the window 

► Uncheck the Enable System Watcher box, if you want to disable the component. 

► Check the Enable System Watcher box, if you want to enable the component. 

4. Click the Apply button. 

Using patterns of dangerous behavior (BSS) 

Patterns of dangerous activity (BSS – Behavior Stream Signatures) contain sequences of 

actions typical of applications classified as dangerous. In addition to exact matching between 

applications' activities and patterns of dangerous activity, System Watcher also detects actions 

that partly match patterns of dangerous activity, being considered suspicious based on the 

2 | 5


heuristic analysis. If suspicious activity is detected, System Watcher prompts the user for action 

regardless of the operation mode. 

Upon detection of a new virus or new modification of already known malware the application does 

not update the entire System Watcher component, but simply adds a new template to the 

database of heuristics and updates it together with the Kaspersky Lab databases. 

To select the action that the component should perform if an application's activity matches a 

pattern of dangerous activity, perform the following actions: 



3. In the right part of the component settings in the Heuristic Analysis section check the Use 

updatable patterns of dangerous activity (BSS) box. 

4. In the On detecting malware activity section perform the following actions: 

► Select the Select action automatically variant (if the automatic protection mode is 

enabled). In this case System Watcher will automatically apply an action recommended 

by Kaspersky Lab specialists. 

► Select the Prompt for action variant (if the interactive protection mode is enabled). In 

this case System Watcher will notify you of any suspicious activity detected in the 

system and will prompt for action: allow or block activity. 

► Choose the Select action variant: 

► Move file to Quarantine (malicious application will be moved to Quarantine). 

► Terminate the malicious application (all processes of the malicious application will 

be terminated). 

► Ignore (System Watcher takes no actions on the application). 

5. Click the Apply button. 

3 | 5


Rolling back actions performed by malware 

You can use the product feature for rolling back the actions performed by malware in the system. 

To enable a roll-back, System Watcher should log the history of program activity. 

By default, KAV 2012 rolls back relevant operations automatically when the protection 

components detect malicious activity (rolling back actions after malicious activity is detected in the 

system can be initiated either by the System Watcher component based on patterns of 

dangerous activity, or by Proactive Defense, and during virus scan task run or File Anti-Virus 

operation). 

When running in interactive mode, System Watcher prompts the user for action. You can specify 

the operation which should be performed whenever malicious activity is detected. The procedure 

of rolling back malware operations affects a strictly defined set of data. It causes no negative 

consequences for the operating system or data integrity on your computer. 

To configure rollback of malware operations, perform the following actions: 



3. In the right part of the component settings in the Rollback of malware action s section 

specify actions that System Watcher should perform if it has a possibility to roll back 

changes made by a malicious program: 

► Select the Select action automatically variant (if the automatic protection mode is 

enabled). In this case System Watcher will automatically apply an action recommended 

by Kaspersky Lab specialists. 

► Select the Prompt for action variant (if the interactive protection mode is enabled). In 

this case System Watcher will notify you that rollback is necessary and will prompt for 

action: perform or cancel rollback. 

► Select action 

If you choose the Select action variant, select an action from the drop-down list: 

► Roll back 

► Do not roll back 

4 | 5


Pay attention, you can limit the amount of data stored for rollback by clicking the corresponding 

box in the Limit data to be stored for rollback section. 

5 | 5

System Watcher - Kaspersky Lab

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?