Kaspersky Anti Targeted Attack Platform 3.7.2 now has the following new features:
New event type added: AMSI scanning. The event is logged in the event database when a third-party application that supports the Antimalware Scan Interface (AMSI) sends objects (such as PowerShell™ scripts) to Kaspersky Endpoint Security or Kaspersky Security for Windows Server for additional scanning.
The File created event is expanded: the event is logged in the event database if a third-party application creates, modifies, or deletes a file. The event type is renamed to File modified.
Event information for the Module loaded event type now includes the Next DLL in bypass path field. The field contains the path to the DLL that should have been loaded instead of the library that was actually loaded, that is, the next library of the same name in the standard DLL search order.
The field is displayed if either of the following is true:
The source of the loaded DLL is not trusted.
A folder in the standard search path contains a library with the same name but a different hash.
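The two conditions above describe a classic DLL search-order hijack: a library with the expected name sits earlier in the search path than the legitimate copy, so the loader picks it up. The following script is an added example, not Kaspersky code, that reproduces that check on a live host: it takes the DLL actually loaded by a process, walks the standard search order (application directory, System32, System, the Windows directory, the current directory, then PATH), and reports every same-named library together with its SHA-256 hash and Authenticode status. The function name, the default process name (notepad) and the default DLL name (version.dll) are assumptions for illustration; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with rights to read the target process's module list.

```powershell
# Added example (not part of the product documentation): reproduce the
# "same name, different hash in the standard search path" check for a DLL
# that a running process has already loaded.
function Find-DllSearchPathCollision {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,   # hypothetical input, e.g. 'notepad'
        [Parameter(Mandatory)] [string] $DllName        # hypothetical input, e.g. 'version.dll'
    )

    $proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    if (-not $proc.Path) { throw "Cannot read the main module path of PID $($proc.Id) (access denied or protected process)" }

    # Module enumeration fails across bitness (32-bit PowerShell vs 64-bit target), so run a matching host.
    $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName } | Select-Object -First 1
    if (-not $loaded) { throw "$DllName is not loaded in $ProcessName (PID $($proc.Id))" }

    $loadedHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $loaded.FileName).Hash

    # Standard DLL search order with SafeDllSearchMode enabled (the default).
    # Known DLLs, manifests and .local redirection short-circuit this order and are not modelled here.
    $searchDirs = @(
        (Split-Path -Parent $proc.Path),
        [Environment]::SystemDirectory,
        (Join-Path $env:windir 'System'),
        $env:windir,
        (Get-Location).Path
    ) + ($env:Path -split ';' | Where-Object { $_ })

    $seen = @{}
    foreach ($dir in $searchDirs) {
        $key = $dir.TrimEnd('\').ToLowerInvariant()
        if ($seen.ContainsKey($key)) { continue }     # PATH often repeats System32; check each folder once
        $seen[$key] = $true

        $candidate = Join-Path $dir $DllName
        if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }

        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $candidate).Hash
        [pscustomobject]@{
            SearchOrder = $seen.Count                                   # 1 = application directory
            Path        = $candidate
            SHA256      = $hash
            IsLoaded    = ($candidate -ieq $loaded.FileName)           # the copy the process actually uses
            HashDiffers = ($hash -ne $loadedHash)                      # second display condition above
            Signature   = (Get-AuthenticodeSignature -LiteralPath $candidate).Status  # first condition: untrusted source
        }
    }
}

# Usage: list every version.dll visible to notepad.exe along its search path.
Find-DllSearchPathCollision -ProcessName 'notepad' -DllName 'version.dll' | Format-Table -AutoSize
```

A row with IsLoaded = True, Signature other than Valid, and a later row with the same name and HashDiffers = True is the situation in which the Next DLL in bypass path field would point at that later path. The script only covers the default search order; Known DLLs (which are always taken from System32), side-by-side manifests and .local redirection can change which copy the loader actually picks, so treat a hit as a lead to confirm against the Module loaded event rather than as proof on its own.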
Information for the Registry modified event now includes Previous registry key, Previous registry value, Previous registry value type fields. The event is logged in the event database when a registry key is created, deleted, renamed, or its value is modified.
Fields describing the state of the registry key before the change are displayed under the following conditions:
The Previous registry key field is displayed when the name of the registry key is modified.
The Previous registry value field is displayed when the registry value is modified.
The Previous registry value type field is displayed when the type of the registry value is modified.
Information for the Process: console interactive input event now includes the Input type field. The field specifies the input type of commands that were passed to the console application.
Event time and file creation and modification times are now displayed in event information with millisecond precision.
The interface for working with event information was improved.
Integration with Kaspersky Endpoint Agent for Linux is now possible.
To accommodate this new feature, the design mode for searching the event database for threats is modified:
The General details group now includes the OSFamily and OSVersion criteria.
The Process started group now includes the ParentFileFullName criterion.
The System event log group now includes the LinuxEventType criterion.
The Linux process group is added.
New task type added: Get forensics. This task lets you get a list of files stored in the selected folder on a host and a list of processes running on the host.
New program web interface user role added: Security auditor. Users with the Security auditor role can view all functional scopes of the program but cannot edit them.
Notifications about the server running out of disk space have been added.
Implementing this capability caused the following changes in the program:
If usage for one of the hard disk partitions on the server exceeds the specified value, the Dashboard section displays a warning for users with the Senior security officer, Administrator, and Security auditor roles.
Users can configure sending of notifications about maximum server disk space usage being exceeded to an email address.
Information about user actions in the web interface can now be recorded in the activity log and the remote log.
In connection with this new capability, the Reports section of the program web interface now includes the Activity log subsection. The subsection can be viewed only by users with the Administrator and Security auditor roles.
Depending on their role, users can do the following with the activity log:
Users with the Administrator role can enable and disable the logging of user actions in the program web interface, as well as download log files.
Users with the Security auditor role can view the settings for logging of user actions in the program web interface, as well as download log files.
The program web interface is changed in the following ways:
The SIEM System section no longer includes settings for recording events in the local log. Instead of those, Activity log and Alerts options are added.
Proxy server settings are moved to the Settings section, Network settings subsection.
Certificate settings for the Central Node server and the Kaspersky Endpoint Agent program are moved to the Settings section, Certificates subsection.
Kaspersky Endpoint Agent 3.10 for Windows now has the following new features:
The composition of EDR telemetry that the application registers on devices and sends to the KATA Central Node component is extended. The updated protocol that ensures compatibility with the new Kaspersky Anti Targeted Attack Platform version is supported.
An error that occurred when applying the settings of IOC Scan tasks started from the incident card is fixed. Now such tasks are started with the default settings.
The task of collecting data for further analysis is implemented. Kaspersky Endpoint Agent executes the Get forensics task on a device upon a command from KATA Central Node.