Enabling and configuring EDR telemetry exclusions

Expand all | Collapse all

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can configure EDR telemetry exclusions using the Administration Console both in the properties of an individual device and in the policy settings for a group of devices.

To enable and configure EDR telemetry exclusions:

1. Do one of the following:
   • Open the application properties window for an individual device.
     1. In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required device.
     2. In the workspace, select the Devices tab.
     3. Select the device for which you want to configure Kaspersky Endpoint Agent settings.
     4. Select Properties in the device context menu.

        The device properties window opens.

     5. Select the Applications section.

        A list of Kaspersky applications installed on the device is displayed in the window.

     6. Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
        • Double-click the application name.
        • In the application context menu, select Properties.
        • Click the Properties button under the list of Kaspersky applications.

   • Open the policy properties window.
     1. Open Kaspersky Security Center Administration Console.
     2. In the console tree, open the Policies folder.
     3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
        • Double-click the policy name.
        • Select Properties in the policy context menu.
        • Select the Configure policy settings item in the right part of the window.

2. Select the EDR telemetry → Exclusions section.
3. To enable usage of EDR telemetry exclusions, enable the Use exclusions setting in the EDR telemetry section.
4. To add a new exclusion:
   1. Click the Add button.
   2. In the Rule properties window that opens, configure the following exclusion criteria:

      The criteria are applied using logical AND.

      To create a rule, specify the value in the Full path field and select at least one event type in the Use this exclusion for the following types of events list.

      If the Network events option is selected for the Use this exclusion for the following types of events criterion, specify the full path to the file in the Full path field.

      The object for which you create an exclusion must be available on the protected device at the time the exclusion settings are applied. For example, if you first configure exclusion for a specific application, and then install that application on the protected device, this exclusion will not be applied.

      • In the Information about the process section, specify the values in the following fields:
        • Full path. Full path to the file, including its name and extension. You can use file masks (using the ? and * characters), as well as system environment variables.
        • Command line text. Command line to run the object.
        • Parent path. The path to the folder where the file is located.
      • In the File properties section, specify the values in the following fields:
        • File description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
        • Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
        • File version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
      • In the File checksums section, specify the values in the following fields:
        • MD5. MD5 hash of the file.
        • SHA256. SHA256 hash of the file.
      • In the Use this exclusion for the following types of events list, select at least one of the following options:
        • File modification.
        • Network events.
        • Interactive console input. This option is selected by default.
        • Process module load.
        • Registry modification.
   3. Click OK to save the changes and close the Rule properties window.

   The new rule is created and displayed in the list of exclusions.

5. To remove a rule from the list of exclusions, select the rule and click Remove.
6. To open the properties window for an existing rule and to change the specified criteria, select the rule in the list of exclusions and click Edit.
7. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is set to Under policy. It is the default position of the switch.
8. Click OK to save the changes.

EDR telemetry exclusions will be used according to the configured rules.

Page top