Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.
Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
To create and configure a Standard IOC Scan task using the command line interface:
1. Using the cd command, navigate to the folder where the Agent.exe file is located. For example, type the following command and press ENTER:
cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\"
2. Run the following command:
agent.exe --scan-ioc {[--path=<path to the folder with IOC files>] | [<full path to the IOC file>]} [--process=no] [--hint=<full path to the process executable file | full path to the file>] [--registry=no] [--dnsentry=no] [--arpentry=no] [--ports=no] [--services=no] [--system=no] [--users=no] [--volumes=no] [--eventlog=no] [--datetime=<event publication date>] [--channels=<list of channels>] [--files=no] [--network=no] [--url=no] [--drives=<all|system|critical|custom>] [--excludes=<list of exclusions>] [--scope=<configurable list of folders>] [--retro]
If the --scan-ioc command is passed only with the required parameters, Kaspersky Endpoint Agent performs the scan with the default settings.
If the --scan-ioc command is passed with both --path=<path to the folder with IOC files> and <full path to the IOC file> at the same time, Kaspersky Endpoint Agent scans all the submitted IOC files (the folder contents and the explicitly named file).
Command parameters for running and configuring Standard IOC Scan tasks
Parameter | Description
--scan-ioc | Required parameter. Starts the Standard IOC Scan task on the device.
--path=<path to the folder with IOC files> | Path to the folder with the IOC files that you want to scan. Required parameter if <full path to the IOC file> is not passed.
<full path to the IOC file> | Full path to the IOC file with the ioc or xml extension that you want to scan. Required parameter if --path is not passed. Passed as a bare value, without a parameter name.
--process=no | Optional parameter. Disables the analysis of process data during the scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze process data. If the parameter is not passed, Kaspersky Endpoint Agent scans the process data only if the ProcessItem IOC document is described in the IOC file submitted for scan.
--hint=<full path to the process executable file | full path to the file> | Optional parameter. Narrows the scope of analyzed data when checking the ProcessItem and FileItem IOC documents to a particular file. The parameter value can be set as the full path to the executable file of the process (for ProcessItem) or the full path to the file (for FileItem).
--dnsentry=no | Optional parameter. Disables analysis of the records in the local DNS cache (DnsEntryItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze the local DNS cache. If the parameter is not passed, Kaspersky Endpoint Agent scans the local DNS cache only if the DnsEntryItem IOC document is described in the IOC file submitted for scan.
--arpentry=no | Optional parameter. Disables analysis of the records in the ARP table (ArpEntryItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze the ARP table. If the parameter is not passed, Kaspersky Endpoint Agent scans the ARP table only if the ArpEntryItem IOC document is described in the IOC file submitted for scan.
--ports=no | Optional parameter. Disables analysis of data on ports that are open for listening (PortItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze the table of active connections. If the parameter is not passed, Kaspersky Endpoint Agent scans the table of active connections only if the PortItem IOC document is described in the IOC file submitted for scan.
--services=no | Optional parameter. Disables analysis of data on the services installed on the device (ServiceItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze service data. If the parameter is not passed, Kaspersky Endpoint Agent scans the data on services only if the ServiceItem IOC document is described in the IOC file submitted for scan.
--volumes=no | Optional parameter. Disables analysis of volume data (VolumeItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze volume data. If the parameter is not passed, Kaspersky Endpoint Agent scans the data on volumes only if the VolumeItem IOC document is described in the IOC file submitted for scan.
--eventlog=no | Optional parameter. Disables analysis of Windows Event Log entries (EventLogItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze Windows Event Log entries. If the parameter is not passed, Kaspersky Endpoint Agent scans Windows Event Log entries only if the EventLogItem IOC document is described in the IOC file submitted for scan.
--datetime=<event publication date> | Optional parameter. Limits the IOC scan area for the EventLogItem document by the date and time at which an event was registered in the Windows Event Log. Kaspersky Endpoint Agent processes only the events registered between the specified date and time and the task execution time. If the parameter is not passed, Kaspersky Endpoint Agent scans events with any registration date. The TaskSettings::BaseSettings::EventLogItem::datetime parameter cannot be changed. This parameter is used only if the EventLogItem IOC document is described in the IOC file submitted for scan.
--channels=<list of channels> | Optional parameter. Passes a list of the names of channels (logs) that the IOC scan must cover. If this parameter is passed, Kaspersky Endpoint Agent considers only the events published in the specified logs when performing the IOC Scan task. The name of a log is specified as a string matching the name of the log (channel) shown in the properties of that log (the Full Name parameter) or in the properties of the event (the <Channel></Channel> element in the XML schema of the event). By default (including when the parameter is not passed), the IOC scan covers the Application, System, and Security channels. Several values separated by spaces can be passed. This parameter is used only if the EventLogItem IOC document is described in the IOC file submitted for scan.
--system=no | Optional parameter. Disables analysis of environment data (SystemInfoItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze environment data. If the parameter is not passed, Kaspersky Endpoint Agent analyzes environment data only if the SystemInfoItem IOC document is described in the IOC file submitted for scan.
--users=no | Optional parameter. Disables analysis of user data (UserItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze user data. If the parameter is not passed, Kaspersky Endpoint Agent analyzes data on the users created in the system only if the UserItem IOC document is described in the IOC file submitted for scan.
--files=no | Optional parameter. Disables analysis of data on files (FileItem IOC document) during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not analyze file data. If the parameter is not passed, Kaspersky Endpoint Agent analyzes data on files only if the FileItem IOC document is described in the IOC file submitted for scan.
--network=no | Optional parameter. Controls threat lookup based on the Network IOC document during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not perform threat lookup based on the Network IOC document; if the IOC file contains terms of the Network IOC document, they are ignored (evaluated as no match). If the parameter is not passed, Kaspersky Endpoint Agent performs threat lookup based on the Network IOC document only if that document is described in the IOC file submitted for scan.
--url=no | Optional parameter. Controls threat lookup based on the UrlHistoryItem IOC document during the IOC scan. If the no value is set for the parameter, Kaspersky Endpoint Agent does not perform threat lookup based on the UrlHistoryItem IOC document; if the IOC file contains terms of the UrlHistoryItem IOC document, they are ignored (evaluated as no match). If the parameter is not passed, Kaspersky Endpoint Agent performs threat lookup based on the UrlHistoryItem IOC document only if that document is described in the IOC file submitted for scan.
--drives=<all|system|critical|custom> | Optional parameter. Specifies the IOC scan scope when analyzing data for the FileItem IOC document. The parameter takes one of the values all, system, critical, or custom. With custom, the folders to scan are passed in the --scope parameter.
--excludes=<list of exclusions> | Optional parameter. Specifies exclusion scopes when analyzing data for the FileItem IOC document. Several values separated by spaces can be passed. If the parameter is not passed, all folders are scanned, with no exclusions.
--scope=<configurable list of folders> | Optional parameter; becomes required if --drives=custom is passed. Specifies the list of scan areas. Several values separated by spaces can be passed.
--retro | Optional parameter. Starts the task in the Retrospective IOC Scan mode. In addition to this parameter, the time interval within which the application performs the retrospective IOC scan can be specified.
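A worked invocation of the command above, added here as an example that is not part of the Kaspersky documentation: a PowerShell script writes a constructed IOC file, runs a Standard IOC Scan against it with several of the documented parameters, and interprets the return code. The OpenIOC 1.0 layout of the file, the default installation path, the --datetime value format and every indicator value (hash, process name, event ID, folders) are assumptions chosen for the demo.

```powershell
# Added example, not from the Kaspersky Endpoint Agent documentation.
# Assumptions: the agent is installed in its default folder; the IOC file
# follows the OpenIOC 1.0 schema (the IOC documents this page names, such as
# FileItem, ProcessItem and EventLogItem, are OpenIOC terms); the hash,
# process name, event ID, folders and date below are placeholders.

$AgentExe = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe'
$IocDir   = Join-Path $env:TEMP 'ioc-scan-demo'
New-Item -ItemType Directory -Force -Path $IocDir | Out-Null

# Constructed IOC file: three indicators joined by OR, one per IOC document,
# so a single scan exercises FileItem, ProcessItem and EventLogItem.
$iocXml = @"
<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="demo-0001" last-modified="2024-01-01T00:00:00">
  <short_description>Demo indicator set</short_description>
  <description>Constructed example for a Standard IOC Scan task; all values are placeholders.</description>
  <definition>
    <Indicator operator="OR" id="demo-0001-ind">
      <IndicatorItem id="demo-0001-file" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <IndicatorItem id="demo-0001-proc" condition="is">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">suspicious-updater.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="demo-0001-evt" condition="is">
        <Context document="EventLogItem" search="EventLogItem/EID" type="mir"/>
        <Content type="int">4688</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"@
$iocPath = Join-Path $IocDir 'demo.ioc'
Set-Content -Path $iocPath -Value $iocXml -Encoding UTF8

# Scan settings. Each switch is documented on this page; the values are demo
# assumptions. --drives=custom makes --scope mandatory; --channels and
# --datetime apply only because the file contains an EventLogItem document.
# Documents the file does not contain are switched off explicitly.
$scanArgs = @(
  '--scan-ioc',
  "--path=$IocDir",                 # folder with IOC files (alternative: a bare file path)
  '--drives=custom',
  '--scope=C:\Users',
  '--excludes=C:\Users\Public',
  '--channels=Security',
  '--datetime=2024-01-01T00:00:00', # ISO 8601 format is an assumption
  '--registry=no',
  '--arpentry=no',
  '--dnsentry=no'
)

& $AgentExe @scanArgs
$code = $LASTEXITCODE

# Return codes documented on this page for --scan-ioc
$meaning = switch ($code) {
  (-1)    { 'command not supported by the installed Kaspersky Endpoint Agent version' }
  0       { 'command executed; any detections were printed above' }
  1       { 'required argument missing (--path or a bare IOC file path)' }
  2       { 'general error' }
  4       { 'syntax error' }
  default { 'undocumented return code' }
}
Write-Output "agent.exe --scan-ioc exit code $code : $meaning"
if ($code -ne 0) { exit $code }
```

Run it in an elevated PowerShell session on a device where Kaspersky Endpoint Agent is installed. The page states that several --scope and --excludes values are separated by spaces; the example passes one value to each to avoid any quoting ambiguity.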
Return codes of the --scan-ioc command:
-1 – command is not supported by the Kaspersky Endpoint Agent version installed on the device.
0 – command successfully executed.
1 – required argument is not passed to the command.
2 – general error.
4 – syntax error.
If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the following data on the task execution results in the command line:
Data displayed by the application in the command line when an IOC is detected:
IOC file identifier from the header of the IOC file structure.
IOC file description from the header of the IOC file structure.
The list of identifiers of all triggered indicators.
Data on each IOC document where a match was detected.
Creation date of the file where indicators of compromise were detected.
Only for FileItem: creation time of the object where indicators of compromise were detected.
Identifier of the process for which indicators of compromise were detected.
Unique identifier of the process for which indicators of compromise were detected.
Identifier of the parent object that contains the process for which indicators of compromise were detected.
Name of the user who made changes to the object being scanned.
The start time of the process for which indicators of compromise were detected.