Taking manual response measures

While analyzing alert details, you may want to take manual response measures or fine-tune the Endpoint Detection and Response feature.

You can take the following response measures:

• Isolate the affected device from the network.
• Add the Indicators of Compromise (IoCs) of the detected threat to a regular scan for threats on devices (applicable only to alerts detected by EPP).
• Prevent execution of the detected object.
• Move the copy of the detected object to Quarantine and delete the object.

To isolate a device from the network:

1. In the message about the object detection and processing, point to the horizontal ellipsis, and then click Isolate device.
2. Select the required isolation duration.
3. Click the Isolate device button to isolate the device.

The device is isolated from the network.

This setting overrides the general isolation settings and is applied only to the current device. General isolation settings are not changed.

To add the IoCs of a detected threat to a regular scan for threats:

1. In the section with detailed information about a detected object, either click the Add to IoC scan button or point to the horizontal ellipsis, and then click Add to IoC scan.
2. If necessary, edit the threat name and description. By default, the threat is named "[Threat Graph] <Threat name from the EPP alert>".
3. If necessary, edit the detection criteria (the logical operator):
   • Match ANY of the following, if you want an alert to occur if at least one of the IoCs is found on a device (the OR logical operator).
   • Match ALL of the following, if you want an alert to occur only if all of the IoCs are found on a device simultaneously (the AND logical operator).
4. If necessary, edit the list of IoCs. The list of IoCs consists of two parts:
   • New IoCs

     IoCs that are taken from the alert.

   • Previously added IoCs

     IoCs that have been added to the same threat earlier (if any).

5. If necessary, remove any of the IoCs by clicking the Delete () icon next to it.
6. Click the Run scan button to save and run the IoC scan.

The IoC scan settings are changed. The scan has re-started on the devices.

To prevent execution of a detected object:

1. Do either of the following:
   • [For an alert detected by EPP] In the section with detailed information about a detected object, either click the Prevent execution button or point to the horizontal ellipsis, and then click Prevent execution.
   • [For an alert detected by IoC Scan] In the section with detailed information about a detected IoC, next to Manual response, click Actions, and then select Prevent execution.
2. Review the properties of the planned operation: the unwanted objects whose execution will be prevented and the action that will be taken upon execution or opening of these objects.
3. Click Confirm to confirm the operation.

The detected object is added to the execution prevention rules.

To move the copy of a detected object to Quarantine and delete the object:

1. Do either of the following:
   • [For an alert detected by EPP] In the section with detailed information about a detected object, either click the Move to Quarantine button or point to the horizontal ellipsis, and then click Move to Quarantine.
   • [For an alert detected by IoC Scan] In the section with detailed information about a detected IoC, next to Manual response, click Actions, and then select Move to Quarantine.
2. Review the properties of the planned operation: the file that will be moved to Quarantine and the device on which this will happen.
3. Click Move to confirm the operation.

Kaspersky Endpoint Security for Windows first creates a backup copy of the malicious object found on the device, in case the object needs to be restored later. The backup copy is moved to Quarantine. Then, Kaspersky Endpoint Security for Windows deletes the object.

Page top