Configuring start of Autonomous IOC Scan tasks

When Kaspersky Sandbox detects a threat, Kaspersky Endpoint Agent automatically creates IOC Scan tasks for all devices (search for MD5 hashes of objects in which the threat was detected).

To configure start of Autonomous IOC Scan tasks:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section select the Threat Response subsection.
  5. In the Additional group of settings click Configure.

    The IOC scanning settings window opens.

  6. In the Scanning area group of settings, select one of the following areas where Kaspersky Endpoint Agent will search for IOCs:
    • File areas, containing system drives.
    • Critical file areas.
  7. In the Scan start group of settings, select one of the following options to start IOC Scan tasks:
    • Manual start. IOC Scan tasks will be created automatically, but will not be started. You can start a single task or all tasks manually.
    • Immediately on a Kaspersky Sandbox detect. IOC Scan tasks will be automatically created and started.
    • Start within the specified period. IOC Scan tasks will be created automatically, and will be started within the specified period. For example, outside of working hours from 8:00 p.m. to 7:00 a.m.

      If you select the Start within the specified period option, specify the start and end of the period in the Period start time (hh:mm) и Period end time (hh:mm) fields.

      All IOC Scan tasks that were automatically created before the beginning of the specified period will start at any time within the specified period.

      All IOC Scan tasks that were automatically created within the specified period will start immediately after creation.

      All IOC Scan tasks that were automatically created after the end of the specified period will start during the next task execution period.

    Example:

    If you configured the tasks to run during the period from 8:00 p.m. to 7:00 a.m.:

    Tasks that were automatically created at 7 p.m. are started at any arbitrary time from 8:00 p.m. to 7:00 a.m.

    Tasks that were automatically created at 9 p.m. are started at 9 p.m.

    Tasks that were automatically created at 8:00 a.m. are started during the next task execution period, from 8:00 p.m. to 7:00 a.m.
  8. Click OK.

    The IOC scanning settings window closes.

  9. In the upper right corner of the settings group, change the switch from Policy not enforced to Under policy.
  10. Click Apply and OK.

Start of Autonomous IOC Scan tasks is configured.

See also

Enabling and disabling Threat Response actions

Adding Threat Response actions to the action list of the current policy

Authentication for Threat Response group tasks on the Administration Server

Device protection from legitimate applications that can be used by cybercriminals
Page top