Managing response actions in Kaspersky Industrial CyberSecurity for Networks

Expand all | Collapse all

If joint operation with EPP applications is configured in Kaspersky Industrial CyberSecurity for Networks, you can manually trigger the following response actions on devices:

• Isolate device from the network

  After enabling network isolation of a device, Kaspersky Endpoint Agent terminates all active TCP/IP network connections on the device and blocks all new ones, except for the following connections:

  • Connections excluded from network isolation in Kaspersky Endpoint Agent.
  • Connections initiated by services of the EPP application compatible with Kaspersky Endpoint Agent.
  • Connections initiated by Kaspersky Endpoint Agent services.
  • Connections initiated by Kaspersky Security Center Network Agent.

  Device network isolation remains active until network isolation is disabled in Kaspersky Industrial CyberSecurity for Networks. If network isolation is not manually disabled, it will be disabled automatically 9999 hours after it is enabled.

• Prevent run

  You can configure rules to block the launch of executable files and scripts, as well as the opening of office format files on selected devices. For example, you can block the launch of applications that you consider unsafe on a selected device running Kaspersky Endpoint Agent. The application identifies files by their file path or checksum using the MD5 and SHA256 hashing algorithms.

  In the event of launch blocking, the user is notified about the triggered launch blocking rule. If the device user does not close the pop-up notification, it will close automatically 60 seconds after it appears.

• Move to quarantine

  Quarantine is a designated local storage on a device running Kaspersky Endpoint Agent that stores files potentially infected with viruses or that were incurable at the time of detection. Quarantined files are stored encrypted and do not create a threat to the device security.

  By default, the local quarantine storage is located in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<version>\Quarantine folder. By default, objects restored from quarantine are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<version>\Restore folder.

  Kaspersky Security Center generates a common list of quarantined objects on devices running Kaspersky Endpoint Agent. Device Network Agents transmit information on quarantined files to the Administration Server.

  Kaspersky Security Center does not copy quarantined files to the Administration Server. All objects are located on protected devices running Kaspersky Endpoint Agent. Objects are restored from quarantine on protected devices.

Response actions allow preventing or minimizing the consequences of detected threats from devices in an industrial network.

The capability to trigger response actions is available for devices with Kaspersky Endpoint Agent installed. When a response action is triggered, Kaspersky Industrial CyberSecurity for Networks transmits the information about it to Kaspersky Endpoint Agent installed on the device. Kaspersky Endpoint Agent executes the received command and sends a completion notification to Kaspersky Industrial CyberSecurity for Networks.

Once the triggered response action is completed and the threat from the device is eliminated, you can trigger the corresponding reverse action. For the listed response actions, the following reverse actions are available:

• Disable network isolation.
• Disable run prevention.
• Restore from quarantine.

Kaspersky Industrial CyberSecurity for Networks registers triggered response actions and the corresponding reverse actions. The registered actions are displayed in the Events section on the Response actions tab.

You can trigger response actions by selecting the relevant events, devices or previous response actions that were registered and completed. The actions available to you depend on the selected object. For example, if you selected a device with Kaspersky Endpoint Agent installed, you only can manage the network isolation for this device. Other response actions (Prevent run and Move to quarantine) are available when selecting the event associated with this device and if a threat development chain is built for the event in Kaspersky Endpoint Agent.

Only the users with the Administrator role can trigger response actions and corresponding reverse actions.