Configuring a trusted connection on the Kaspersky Endpoint Security side

You can configure a trusted connection on the Kaspersky Endpoint Security side using Kaspersky Security Center Web Console or the command line (available for Kaspersky Endpoint Security 11.7).

To configure a trusted connection on the Kaspersky Endpoint Security side using Kaspersky Security Center Web Console:

1. In the main window of Web Console, select the Devices → Policies & profiles section.
2. Click the name of the Kaspersky Endpoint Security policy.

   This opens the policy properties window.

3. Select the Application settings tab.
4. Go to the Detection and Response → Kaspersky Sandbox section.
5. Click Server connection settings.

   This opens the Kaspersky Sandbox server connection settings window.

6. Under Server TLS certificate, click Add and select the TLS certificate file.

   Kaspersky Endpoint Security can have only one TLS certificate of a Kaspersky Sandbox server. If you already have added a TLS certificate, that certificate becomes inactive. Only the latest added certificate is used.

7. Perform additional configuration of the connection to Kaspersky Sandbox servers:
   • Timeout. Timeout of the connection with the Kaspersky Sandbox server. When the specified timeout elapses, Kaspersky Endpoint Security sends the request to the next server. You can set a longer Kaspersky Sandbox connection timeout if you have a slow or unstable connection. The recommended request timeout value is 0.5 seconds or less.
   • Kaspersky Sandbox request queue. Size of the request queue folder. When an object is accessed on the computer (executable file launched or document opened, for example in DOCX or PDF format), Kaspersky Endpoint Security can also send the object to be scanned by Kaspersky Sandbox. If there are multiple requests, Kaspersky Endpoint Security creates a request queue. By default, the size of the request queue folder is limited to 100 MB. After the maximum size is reached, Kaspersky Sandbox stops adding new requests to the queue and sends the corresponding event to Kaspersky Security Center. You can configure the size of the request queue folder depending on your server configuration.
8. Save your changes.

As a result, Kaspersky Endpoint Security verifies the TLS certificate. If the certificate passes the verification, Kaspersky Endpoint Security sends the certificate file to the computer at the time of the next synchronization with Kaspersky Security Center. If you have added two TLS certificates, Kaspersky Sandbox uses the latest certificate to establish the trusted connection.

To configure a trusted connection on the Kaspersky Endpoint Security side using the command line:

1. On the computer with an installed Kaspersky Endpoint Security application, run the 'cmd' command line interpreter as the administrator.
2. Go to the Kaspersky Endpoint Security installation folder that contains the avp.com file.
3. Run the following commands:

   avp.com stop sandbox [/login=<user name> /password=<password>]

   avp.com start sandbox

   avp.com sandbox /set [--tls=yes|no] [--servers=<server address>:<port>] [--timeout=<timeout of the connection with the Kaspersky Sandbox server (ms)>] [--pinned-certificate=<path to the TLS certificate>][/login=<user name> /password=<password>]

   avp.com sandbox /show

   As a result, you will receive the following response:

   sandbox.timeout=<timeout of the connection with the Kaspersky Sandbox server (ms)>

   sandbox.tls=<trusted connection usage status>

   sandbox.servers=<list of Kaspersky Sandbox servers>

   For the login and password arguments, you must specify credentials of a user that has the necessary permissions.