Adding Threat Response actions to the action list of the current policy

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To add Threat Response actions to the list of actions of the current policy:

Open Kaspersky Security Center Administration Console.
In the console tree, open the Policies folder.
Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
- Double-click the policy name.
- Select Properties in the policy context menu.
- Select the Configure policy settings item in the right part of the window.
In the Kaspersky Sandbox integration section select the Threat Response subsection.
In the Actions group of settings, select the Take response actions on threats detected by Kaspersky Sandbox check box, if it is not selected.
Click Add and in the drop-down list, select one of the following actions:
- Quarantine and delete
  When a threat is detected on a device, a copy of the object containing the threat is quarantined, and the object is deleted from the device.
- Notify device user
  When a threat is detected on a device, a notification about the detected threat is displayed to the device user.
  
  The notification is displayed if the device is running under the user account same to the account under which the threat was detected.
  
  If the device is not running or is running under another user account, the notification is not displayed.
- Run Endpoint Protection Platform scan of critical areas on the device
  If a threat is detected on a device, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas of the device. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For more details on configuring the scan settings refer to the documentation of EPP being used.
- Run IOC Scan on a managed group of devices
  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat.
- Quarantine and delete when IOC is found
  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat. When an object which contains a threat is detected on devices of this administration group, a copy of the object containing the threat is quarantined, and the object is deleted from the device.
- Run Endpoint Protection Platform scan of critical areas on the device when IOC is found
  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas on all administration group's devices where the object containing the threat was detected. For more details on configuring the scan settings refer to the documentation of EPP being used.
The action is added to the Selected actions list.

When configuring threat response actions, keep in mind that as a result of some actions, the object containing the threat may be deleted from the workstation where it was detected.
To remove an action, select it in the table and click Remove.
In the upper right corner of the settings group, change the switch from Policy not enforced to Under policy.
Click Apply and OK.