The operating system that is part of the Central Node and Sandbox components has been upgraded to CentOS 7.7.
KEDR improvements:
Now you can increase the event storage duration in Kaspersky Anti Targeted Attack Platform with consideration of free space available in the Threat Hunting Storage.
The list of supported OpenIOC indicators of compromise has been significantly extended.
The Kaspersky Endpoint Agent program is now compatible with Kaspersky Security for Windows Server (KSWS) and Kaspersky Security for Virtualization 5.1 Light Agent (KSV LA 5.1).
Now you can search events by the result of their processing in Kaspersky Endpoint Security (the ThreatStatus criterion) and by the reason why Kaspersky Endpoint Security did not process them (the UntreatedReason criterion).
Now you can display the event search results as a list and group them by host or by event type.
The object quarantining feature has been improved. Objects quarantined on computers with the Kaspersky Endpoint Agent program are stored in a designated directory on those same computers. The Central Node server displays the metadata of quarantined objects and lets you obtain a copy of an object on the Central Node server.
IOA alerts have been renamed to TAA alerts.
KATA improvements:
Now you can save traffic data of the Sensor component. As traffic data accrues, Kaspersky Anti Targeted Attack Platform filters the data and keeps only the information relevant to IDS alerts and PCAP files (those in which the source or destination IP address matches an IP address from the alert, or whose traffic data falls within 15 minutes of the alert).
Now you can upload user-defined IDS rules in Suricata or Snort format; the application uses the rules to scan events and create alerts.
Now you can exclude IDS rules defined by Kaspersky from object scanning.
The information display for alerts generated by the Intrusion Detection System (IDS) technology has been changed. The fragment of the network packet that the alert was based on is displayed in HEX editor matrix format, and a description of the triggered IDS rule is also displayed.
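The Sensor traffic retention rule described above (keep a PCAP fragment if its source or destination IP matches an IP from an IDS alert, or if it falls within 15 minutes of the alert) is easy to reason about once written down as a predicate. The following is an added illustration, not code from Kaspersky Anti Targeted Attack Platform: the `Alert` and `TrafficRecord` types, the `pcap_ref` field and the sample alert and traffic records are all constructed here for the example, and the two-clause "or" follows the page's wording of the rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Retention window stated on the page: traffic within 15 minutes of an alert is kept.
RETENTION_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Alert:
    """Minimal stand-in for an IDS alert (constructed type, not the product's schema)."""
    ts: datetime
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class TrafficRecord:
    """Metadata for one captured PCAP fragment (constructed type)."""
    ts: datetime
    src_ip: str
    dst_ip: str
    pcap_ref: str  # hypothetical handle to the stored capture


def is_relevant(record: TrafficRecord, alerts: Iterable[Alert],
                window: timedelta = RETENTION_WINDOW) -> bool:
    """True if the record should survive filtering under the page's rule.

    Clause 1: either endpoint of the record matches an IP from the alert.
    Clause 2: the record's timestamp lies within `window` of the alert.
    """
    for alert in alerts:
        alert_ips = {alert.src_ip, alert.dst_ip}
        if record.src_ip in alert_ips or record.dst_ip in alert_ips:
            return True
        if abs(record.ts - alert.ts) <= window:
            return True
    return False


def filter_traffic(records: Iterable[TrafficRecord], alerts: Iterable[Alert],
                   window: timedelta = RETENTION_WINDOW) -> List[TrafficRecord]:
    """Return only the records that are relevant to at least one alert."""
    alerts = list(alerts)  # allow multiple passes over the alerts
    return [r for r in records if is_relevant(r, alerts, window)]


def demo() -> List[str]:
    """Run the filter over constructed sample data and return the kept pcap refs."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    alerts = [Alert(ts=t0, src_ip="10.0.0.5", dst_ip="203.0.113.7")]
    records = [
        # kept: source IP matches the alert, even though it is outside the window
        TrafficRecord(t0 + timedelta(hours=2), "10.0.0.5", "198.51.100.2", "pcap-1"),
        # dropped: no IP in common and two hours after the alert
        TrafficRecord(t0 + timedelta(hours=2), "192.168.1.9", "192.168.1.10", "pcap-2"),
        # kept: no IP in common, but 14 minutes after the alert
        TrafficRecord(t0 + timedelta(minutes=14), "192.168.1.9", "192.168.1.10", "pcap-3"),
        # dropped: no IP in common and 16 minutes before the alert (just outside)
        TrafficRecord(t0 - timedelta(minutes=16), "192.168.1.20", "198.51.100.2", "pcap-4"),
        # kept: destination IP matches the alert's destination
        TrafficRecord(t0 + timedelta(hours=3), "198.51.100.2", "203.0.113.7", "pcap-5"),
    ]
    return [r.pcap_ref for r in filter_traffic(records, alerts)]


if __name__ == "__main__":
    print(demo())  # ['pcap-1', 'pcap-3', 'pcap-5']
```

The boundary case is worth noting when tuning a retention window of your own: the comparison is inclusive (`<=`), so a record exactly 15 minutes from the alert is kept, while one at 16 minutes is dropped unless an IP matches.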
Unsupported scenarios:
Starting from version 3.7, the server part of the Kaspersky Anti Targeted Attack Platform solution does not support integration with Kaspersky Security Center.
Starting from version 3.7, Kaspersky Anti Targeted Attack Platform does not support obtaining an IP address over DHCP. When upgrading the system, the user must manually enter the IP address of the Central Node server.
Kaspersky Endpoint Agent 3.8 improvements:
Search for indicators of compromise (OpenIOC) by means of group user tasks. The list of supported terms of the OpenIOC standard is significantly extended compared to the previous version. The full list of supported OpenIOC terms is provided in the Kaspersky Anti Targeted Attack Platform Guide.
Network isolation of a compromised device by command from Kaspersky Anti Targeted Attack Platform.
The capability to activate Kaspersky Endpoint Agent in order to enable integration with Kaspersky Anti Targeted Attack Platform has been implemented.
Integration with Kaspersky Anti Targeted Attack Platform (KEDR):
Transmitting telemetry data from the protected devices to Kaspersky Anti Targeted Attack Platform for subsequent retrospective analysis.
Applying filter settings for telemetry from the protected devices.
Applying the settings of protection against complex threats: the list of rules for preventing execution of scripts and launch of executable files, the lists of rules prohibiting the opening of documents, and the rules for network isolation of devices.
Execution of the following tasks received from Kaspersky Anti Targeted Attack Platform: Delete file, Get file, Quarantine file, Restore file from Quarantine, Run program, and Terminate process.