Task creation is performed before, as an individual step.
If you selected the Open task details when creation is complete check box on the Finish task creation page during the task creation, proceed to step 4 of the following instruction.
Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
To configure the Standard IOC Scan task settings:
In the main Kaspersky Security Center Web Console window select Devices → Tasks.
To open the task settings window, click the task name.
Select the Application settings tab.
In the IOC Scan settings section, configure the IOC collection by following these steps:
In the IOC collection group of settings click the Redefine IOC files button.
In the dialog that opens, click the Add IOC files button and specify the IOC files that you want to use for the task.
You can select multiple IOC files for a single IOC Scan task.
Click OK to close the dialog box.
If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.
To view the list of all IOC files that are included in the IOC collection, as well as to obtain information about each IOC file, do the following:
Click the link with the names of all downloaded IOC files in the IOC files group of settings.
The IOC contents () window opens.
To view detailed information about an individual IOC file, click the name of the required IOC file in the list of files on the IOC collection tab.
In the window that opens, information about the selected IOC file is displayed.
To close the window with information about the selected IOC file, click the OK or Cancel.
To view information about all downloaded IOC files at once, open the IOC data tab.
Information about each downloaded IOC file is displayed in the workspace of the window.
If you do not want to use a specific IOC file when the IOC Scan task is executed, on the IOC collection, switch the toggle button next to the IOC file name from Include to Exclude.
Click OK to save the changes and close the IOC contents () window.
To export the created IOC collection, click Export IOC collection.
In the window that opens, specify the name of the file and select the folder where you want to save it.
Click the Save button.
The application creates a ZIP file in the specified folder.
Retrospective IOC Scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices.
IOC (Indicator of Compromise) is a set of data about a malicious object or malicious activity.
The Retrospective IOC Scan mode is available only for Standard IOC Scan tasks.
In the Retrospective IOC Scan group of settings enable the Perform Retrospective IOC Scan within the interval option.
Specify the time interval.
During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.
If during execution of the IOC Scan task with the Perform Retrospective IOC Scan within the interval option enabled the application does not find any data for the specified time interval to be analyzed, it does not inform about this. In this case, the application shows no indicators of compromise in the task completion report.
In the Actions group of settings, configure the response actions on detecting the indicator of compromise:
Select the Take response actions after an indicator of compromise is found check box.
Select the Isolate device from the network check box to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
Select the Quarantine and delete check box to quarantine the detected object and remove it from the device.
Select the Run Endpoint Protection Platform scan of critical areas on the device check box so that Kaspersky Endpoint Agent sends a command to EPP application to scan critical areas on all the devices of the administration group on which indicators of compromise are detected.
If the Quarantine and delete or Run critical areas scan option is enabled, Kaspersky Endpoint Agent may recognize the detected files as infected and delete them from the device as a response action.
In the Protection of critical system files group of settings, select the Do not perform actions on critical system files check box if you want to protect critical system files from being quarantined or deleted when an indicator of compromise is detected.
The option is available only if the Quarantine and delete option is selected in the Actions group of settings.
If this option is selected and an object is a critical system file, the application does not perform any actions on this object. This information is logged in the task execution report.
In the Advanced section, select data types (IOC documents) that you want to analyze during the task execution and configure the additional scan settings:
In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.
Depending on the loaded IOC files, some check boxes may be disabled.
Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance to the contents of the downloaded IOC files. It is not recommended to unselect data types manually.
If the Analyze data of files (FileItem) check box is selected, click the Advanced for FileItem link and in the FileItem document scan settings window that opens, select the scan areas on the protected device disks where to look for indicators of compromise.
You can select one of the predefined areas, or specify the paths to the desired areas manually.
Click OK to save the changes and close the FileItem document scan settings window.
If the Analyze data of Windows Event Log (EventLogItem) check box is selected, click the Advanced for EventLogItem link and in the EventLogItem document scan settings window that opens, configure additional event analysis settings:
Scan only events that are logged within the specified period.
If the check box is selected, only the events that were logged during the specified period are taken into account during the task execution.
Scan events that belong to the following channels.
List of channels that are analyzed during the task execution.
Click OK to save the changes and close the FileItem document scan settings window.