Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Kaspersky Endpoint Agent can perform actions in response to threats detected by Kaspersky Sandbox.

You can configure the following types of actions:

• Local – actions to be performed on each device where a threat is detected.
• Group – actions to be performed on all devices of the administration group for which the policy is configured.

Local actions:

• Quarantine and delete.

  When a threat is detected on a device, a copy of the object containing the threat is quarantined, and the object is deleted from the device.

• Notify device user.

  When a threat is detected on a device, a notification about the detected threat is displayed to the device user.

  The notification is displayed if the device is running under the user account same to the account under which the threat was detected.

  If the device is not running or is running under another user account, the notification is not displayed.

• Push Endpoint Protection Platform (EPP) scanning on critical areas.

  If a threat is detected on a device, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas of the device. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For more details on configuring the scan settings refer to the documentation of EPP being used.

Group actions:

• Run IOC scanning on a managed group of hosts.

  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat.

• Quarantine and delete when IOC is detected.

  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat. When an object which contains a threat is detected on devices of this administration group, a copy of the object containing the threat is quarantined, and the object is deleted from the device.

• Push Endpoint Protection Platform (EPP) scanning on critical areas when IOC is detected.

  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas on all administration group’s devices where the object containing the threat was detected. For more details on configuring the scan settings refer to the documentation of EPP being used.

To configure group threat response actions, set up the permissions of Kaspersky Security Center users, whose accounts you want use for managing IOC Scan tasks.

When configuring threat response actions, keep in mind that as a result of some actions, the object containing the threat may be deleted from the workstation where it was detected.

See also Configuring Kaspersky Endpoint Agent security settings Configuring Kaspersky Endpoint Agent connection settings to a proxy server Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation Configuring KSN and KMP usage in Kaspersky Endpoint Agent Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox Configuring integration between Kaspersky Endpoint Agent and KATA Central Node Configure network isolation settings Configuring quarantine settings in Kaspersky Endpoint Agent

In this Help section Enabling and disabling Threat Response actions Adding Threat Response actions to the action list of the current policy Authentication for Threat Response group tasks on the Administration Server Device protection from legitimate applications that can be used by cybercriminals Configuring start of Autonomous IOC Scan tasks

Page top