Managing Standard IOC Scan tasks

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To create and configure a Standard IOC Scan task using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Run the following command and press Enter:

    agent.exe --scan-ioc {[--path=<path to the folder with IOC files>] | [<full path to the IOC file>]} [--process=no] [--hint=<full path to the process executable file|full path to the file>] [--registry=no] [--dnsentry=no] [--arpentry=no] [--ports=no] [–services=no] [--system=no] [--users=no] [--volumes=no] [--eventlog=no] [--datetime=<<event publication date>] [--channels=<list of channels>] [--files=no] [--network=no] [--url=no] [--drives=<all|system|critical|custom>] [--excludes=<list of exclusions>][--scope=<configurable list of folders>] [--retro]

    If the --scan-ioc command is passed only with the required parameters, Kaspersky Endpoint Agent performs scanning with the default settings.

    If the --scan-ioc command is passed with the two required parameters at the same time (--path=<path to the folder with IOC files> and <full path to the IOC file>), Kaspersky Endpoint Agent scans all the submitted IOC files.

    Command parameters for running and configuring Standard IOC Scan tasks

    Parameters

    Description

    --scan-ioc

    Required parameter.

    Starts the Standard IOC Scan tasks on the device.

    --path=<path to the folder with IOC files>

    Path to the folder with the IOC files that you want to scan.

    Required parameter, if the <full path to the IOC file> parameter is not specified.

    <full path to the IOC file>

    Full path to the IOC file with the ioc or xml extension that you want to scan.

    Required parameter, if the --path=<path to the folder with IOC files> parameter is not specified.

    Passed without the --path argument.

    --process=<no>

    Optional parameter.

    The parameter disables the analysis of process data during scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not consider the processes running on the device when scanning. If the IOC file contains IOC terms of the ProcessItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent scans the process data only if the ProcessItem IOC document is described in the IOC file submitted for scan.

    --hint=<full path to the process executable file|full path to the file>

    Optional parameter.

    The parameter allows you to narrow the scope of analyzed data for checking the ProcessItem and FileItem IOC documents, by specifying a particular file.

    The parameter value can be set as:

    • <full path to the executable process file> – ProcessItem
    • <full path to the file> – FileItem

      The parameter can only be passed together with the --process=yes and --files=yes arguments.

    --dnsentry=no

    Optional parameter.

    The parameter disables analysis of data on records in local DNS cache (DnsEntryItem IOC document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not scan local DNS cache. If the IOC file contains the terms of the DnsEntryItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent scans local DNS cache only if the DnsEntryItem IOC document is described in the IOC file submitted for scan.

    --arpentry=no

    Optional parameter.

    The parameter disables analysis of data on records in the ARP table (ArpEntryItem document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not scan the ARP table. If the IOC file contains the terms of the ArpEntryItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent scans the ARP table only if the ArpEntryItem IOC document is described in the IOC file submitted for scan.

    --ports=no

    Optional parameter.

    The parameter disables analysis of data on ports that are open for listening (PortItem document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not scan the table of active connections on the device. If the IOC file contains the terms of the PortItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent scans the table of active connections only if the PortItem IOC document is described in the IOC file submitted for scan.

    --services=no

    Optional parameter.

    The parameter disables analysis of data on services installed on the device (ServiceItem document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not scan data on services installed on the device. If the IOC file contains the terms of the ServiceItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent scans the data on services only if the ServiceItem IOC document is described in the IOC file submitted for scan.

    --volumes=no

    Optional parameter.

    The parameter disables analysis of volume data (VolumeItem document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not scan volume data on the device. If the IOC file contains the terms of the VolumeItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent scans the data on volumes only if the VolumeItem IOC document is described in the IOC file submitted for scan.

    --eventlog=no

    Optional parameter.

    The parameter disables analysis of data about Windows Event Log entries (EventLogItem document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not scan Windows Event Log entries. If the IOC file contains the terms of the EventLogItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent scans Windows Event Log entries only if the EventLogItem IOC document is described in the IOC file submitted for scan.

    --datetime=<event publication date>

    Optional parameter.

    The parameter allows you to enable or disable accounting for date and time when the event was registered in the Windows Event Log when determining the IOC scan area for the corresponding IOC document.

    During IOC scan, Kaspersky Endpoint Agent will only process the events that were registered within the time interval between the specified date and time and the task execution time.

    Kaspersky Endpoint Agent allows you to specify the event registration date as the parameter value. Scan will be performed only for the events registered in the Windows Event Log between the specified date and the time when IOC scan is performed.

    If the parameter is not passed, Kaspersky Endpoint Agent scans events with any registration date. The TaskSettings::BaseSettings::EventLogItem::datetime parameter cannot be changed.

    This parameter is used only if the EventLogItem IOC document is described in the IOC file submitted for scan.

    --channel=<list of channels>

    Optional parameter.

    This parameter allows you to pass a list of the names of channels (logs) for which IOC scan is required.

    If this parameter is passed, Kaspersky Endpoint Agent considers only the events published in the specified logs when performing the IOC Scan task.

    The name of the log is specified as a string, in accordance with the name of the log (channel) specified in the properties of this log (the Full Name parameter) or in the properties of the event (the <Channel></Channel> parameter in the xml-scheme of the event).

    By default (including the case if the parameter is not passed), IOC scan is performed for the Application, System, and Security channels.

    Several values separated by space can be passed to the parameter.

    This parameter is used only if the EventLogItem IOC document is described in the IOC submitted for scan.

    --system=no

    Optional parameter.

    The parameter disables analysis of environment data (SystemInfoItem IOC document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not analyze environment data. If the IOC file contains the terms of the SystemInfoItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent analyzes environment data only if the SystemInfoItem IOC document is described in the IOC file submitted for scan.

    --users=no

    Optional parameter.

    The parameter disables analysis of user data (UserItem IOC document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not analyze data on the users created in the system. If the IOC file contains the terms of the UserItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent analyzes data on the users created in the system only if the UserItem IOC document is described in the IOC file submitted for scan.

    --files=no

    Optional parameter.

    The parameter disables analysis of data on files (FileItem IOC document) during IOC scan.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not analyze data on files. If the IOC file contains the terms of the FileItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent analyzes data on files only if the FileItem IOC document is described in the IOC file submitted for scan.

    --network=no

    Optional parameter.

    The parameter enables threat lookup based on the Network IOC document during IOC Scan.

    If the <no> value is set for the parameter, Kaspersky Endpoint Agent does not perform threat lookup based on the Network IOC document. If the IOC file contains the terms of the Network IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent enables threat lookup based on the Network IOC document only if the Network IOC document is described in the IOC file submitted for scan.

    --url=no

    Optional parameter.

    The parameter enables threat lookup based on the UrlHistoryItem IOC document during IOC Scan.

    If the <no> value is set for the parameter, Kaspersky Endpoint Agent does not perform threat lookup based on the UrlHistoryItem IOC document. If the IOC file contains the terms of the UrlHistoryItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent enables threat lookup based on the UrlHistoryItem IOC document only if the UrlHistoryItem IOC document is described in the IOC file submitted for scan.

    --drives=<all|system|critical|custom>

    Optional parameter.

    The parameter allows you to specify the IOC scan scope when analyzing data for the FileItem IOC document.

    The parameter can have one of the following values:

    • <all> – the application scans all available file areas.
    • <system> – the application scans only the files that are located in the folders where the operating system is installed.
    • <critical> – the application scans only temporary files that are located in user and system folders.
    • <custom> – the application scans only the files that are located in the areas specified by the user.

      If the parameter is not passed, critical areas are scanned.

    --excludes=<list of exclusions>

    Optional parameter.

    The parameter allows you to specify exclusion scopes when analyzing data for the FileItem IOC document. Several values separated by space can be passed by the parameter.

    If the parameter is not passed, all folders are scanned, with no exclusions.

    --scope=<configurable list of folders>

    Optional parameter.

    The parameter becomes required if the --drives=custom parameter is passed.

    The parameter allows you to specify a list of scan areas. Several values separated by space can be passed by the parameter.

    --retro

    Optional parameter.

    The parameter is used to start the task in the Retrospective IOC scan mode.

    In addition to this parameter, you can specify the time interval within which the application performs a retrospective IOC scan using the following parameters:

    • --start-time=<interval start date and time>
    • --end-time=<interval end date and time>

      Example:

      agent.exe --scan-ioc --path=<path to the folder with IOC files> --retro --start-time=2021-05-21T10:30:00Z --end-time=2021-05-24T10:30:00Z

      If the time interval is not specified, the interval that starts one day before the task was started and ends at the moment the task was launched is used.

Return codes of the --scan-ioc command:

If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the following data on the task execution results in the command line:

Data displayed by the application in the command line when IOC is detected

Uuid

IOC file identifier from the header of the IOC file structure (<ioc id=""> tag)

Name

IOC file description from the header of the IOC file structure (<description></description> tag)

Matched Indicator Items

The list of identifiers of all triggered indicators.

Matched objects

Data on each IOC document where a match was detected.

Date

Creation date of the file where indicators of compromise were detected.

Created

Only for FileItem. Creation time of the object where indicators of compromise were detected.

Pid

Identifier of the process for which indicators of compromise were detected.

Upid

Unique identifier of the process for which indicators of compromise were detected.

ParentPid

Identifier of the parent object that contains the process for which indicators of compromise were detected.

Username

Name of the user who made changes to the object being scanned.

StartTime

The start time of the process for which indicators of compromise were detected.

See also

Managing Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent authentication

Configuring tracing

Configuring creation of dump files

Viewing information about quarantine settings and quarantined objects

Actions on quarantined objects

Managing integration settings with KATA Central Node component

Running Kaspersky Endpoint Agent database and module update

Starting, stopping and viewing the current application status

Protecting the application with password

Protecting application services with PPL technology

Managing self-defense settings

Managing event filtering

Managing network isolation

Managing YARA scan

About IOC Scan tasks in Kaspersky Endpoint Agent

Page top