Defining IoC scan settings

When configuring regular scans for threats on devices, you can define the following scan settings: schedule, scope, and automatic response actions.

To define settings of an IoC scan:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Security management → Endpoint Detection and Response section.
  3. Click the IoC scan button.
  4. On the tile of the required scan, point to the vertical ellipsis, and then click Define scan settings.

    The Scan settings window opens.

  5. In the Schedule list, select the required value:
    • Not specified (by default)

      The IoC scan never runs.

    • Every day

      Specify the time when the IoC scan must run.

    • Every week

      Specify the day of week and the time when the IoC scan must run.

    Custom scan will run at the specified time in the UTC±00:00 time zone. Proactive scan and Reactive scan will run at the specified time in the time zone of the device operating system. If a protected device is offline at the scheduled time, the task will run as soon as the device goes online.

  6. Under Scan scope, click the Modify link to specify the list of devices on which the IoC scan must run.

    Select the check boxes next to the devices to be included and clear the check boxes next to the devices to be excluded. Click Save to save the changes.

    This setting is available only for Custom scan. For other scans (Proactive scan and Reactive scan), the scope is all of your users' devices running Windows. It cannot be modified.

    All new devices that are added in the future will be automatically included in the scan scope. So, if you want to exclude them from the scope of the custom scan, you must do it manually.

  7. Under Response actions, select the response actions to be taken if the specified threats are detected:
    • Alert only

      The event of detecting a threat is added to the Event log. No other actions are taken.

    • Alert and response

      The event of detecting a threat is added to the Event log. Additionally, the selected response actions are taken:

      • Run scan of critical areas

        Kaspersky Endpoint Security for Windows scans the kernel memory, running processes, and disk boot sectors of an affected device.

      • Move copy to Quarantine and delete object

        Kaspersky Endpoint Security for Windows first creates a backup copy of the malicious object found on the device, in case the object needs to be restored later. The backup copy is moved to Quarantine. Then, Kaspersky Endpoint Security for Windows deletes the object.

      • Isolate device from the network

        Kaspersky Endpoint Security for Windows isolates the device from the network, to prevent the threat from spreading or prevent a breach of sensitive information. To configure the isolation duration, click Settings, and then select the required value.

        The isolation duration is common for all three IoC scans. If you change the value in the settings of one scan, it will be propagated to other scans.
        As an alternative, you can configure the isolation duration by selecting the Security management → Endpoint Detection and Response section, and then clicking Response settings → Network isolation.

  8. Click Save to save the changes.

The settings of the selected IoC scan are defined.
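
The time zone rule from step 5, as an added example (not Kaspersky code and not a product API): it computes when one schedule entry actually starts for each scan type on devices in different time zones. The function names, the fixed UTC offsets standing in for device time zones, and the sample dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def next_run_utc(scan_type, now_utc, hour, minute, device_offset_hours, weekday=None):
    """Next scheduled start as an aware UTC datetime.

    scan_type: "Custom", "Proactive" or "Reactive" (scan names from the page).
    weekday: None for "Every day", 0=Monday .. 6=Sunday for "Every week".
    device_offset_hours: constructed stand-in for the device OS time zone.
    """
    # Custom scan: the schedule is read in UTC±00:00.
    # Proactive and Reactive scans: the schedule is read in the device's own time zone.
    if scan_type == "Custom":
        tz = UTC
    else:
        tz = timezone(timedelta(hours=device_offset_hours))
    now_local = now_utc.astimezone(tz)
    run = now_local.replace(hour=hour, minute=minute, second=0, microsecond=0)
    # Step forward a day at a time until the slot is in the future and on the right day.
    while run <= now_local or (weekday is not None and run.weekday() != weekday):
        run += timedelta(days=1)
    return run.astimezone(UTC)

def device_wall_clock(run_utc, device_offset_hours):
    """The same instant as it appears on the device's clock."""
    return run_utc.astimezone(timezone(timedelta(hours=device_offset_hours)))

def effective_start(scheduled_utc, online_from_utc):
    """A device that is offline at the scheduled time runs the task once it is back online."""
    return max(scheduled_utc, online_from_utc)

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 0, 0, tzinfo=UTC)  # constructed "now": a Monday, 00:00 UTC
    for name, offset in (("device-a", -5), ("device-b", 9)):  # constructed devices
        for scan in ("Custom", "Proactive"):
            run = next_run_utc(scan, now, 1, 0, offset, weekday=0)  # Every week, Monday 01:00
            local = device_wall_clock(run, offset)
            print(f"{name} {scan:9} {run:%a %Y-%m-%d %H:%M} UTC = {local:%a %H:%M} device time")
```

With a weekly Monday 01:00 schedule, the Custom scan reaches a UTC-05:00 device on Sunday at 20:00 device time, while the Proactive scan starts at 01:00 on that device's own Monday.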
