Configuring Threat Response actions

August 12, 2022

ID 221137

To configure Threat Response actions:

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.

    This opens the policy properties window.

  3. Select the Application settings tab.
  4. Go to the Detection and Response → Kaspersky Sandbox section.
  5. Under Action on threat detection, select check boxes for the following settings:
    • Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
    • Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
    • Create IOC scanning task. If you select this option, Kaspersky Endpoint Security automatically creates an IOC scanning task (stand-alone IOC scanning task). You can configure the task running mode, the scanning area, and the action performed on IOC detection: delete object, run the Critical Areas Scan task. To edit other settings of the IOC scanning task, go to the task properties.

      If you want to disable Threat Response actions, clear check boxes for settings that you want to disable.

  6. To configure the actions that Kaspersky Endpoint Security performs when an IOC is detected, select check boxes for the following settings:
    • If IOC is detected, move its copy to Quarantine and delete the object.

      If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. If Kaspersky Endpoint Security detects an object containing the threat on any workstations in this administration group, a copy of the object is placed in Quarantine, and the object is deleted from the workstations.

    • Run Critical Areas Scan on IOC detection.

      If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. For details about configuring scan settings, see the Kaspersky Endpoint Security for Windows 11.7 Online Help.

      If you want to disable Kaspersky Endpoint Security actions for detected IOCs, clear check boxes for settings that you want to disable.

Threat Response actions are configured.

See also

Configuring the running of IOC scanning tasks
