This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
When Kaspersky Sandbox detects a threat, Kaspersky Endpoint Agent automatically creates IOC Scan tasks for all devices (search for MD5 hashes of objects in which the threat was detected).
To configure start of Autonomous IOC Scan tasks:
Open Kaspersky Security Center Administration Console.
In the console tree, open the Policies folder.
Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
Double-click the policy name.
Select Properties in the policy context menu.
Select the Configure policy settings item in the right part of the window.
In the Kaspersky Sandbox integration section select the Threat Response subsection.
In the Additional group of settings click Configure.
The IOC scanning settings window will open.
In the Scanning scope group of settings, select one of the following areas where Kaspersky Endpoint Agent will search for IOCs:
File areas on system drives of the device.
Critical file areas on the device.
In the Scan start group of settings, select one of the following options to start IOC Scan tasks:
Manual start. IOC Scan tasks will be created automatically, but will not be started. You can start a single task or all tasks manually.
Immediately after Kaspersky Sandbox detects a threat. IOC Scan tasks will be automatically created and started.
Start within the specified time interval. IOC Scan tasks will be created automatically, and will be started within the specified period. For example, outside of working hours from 8:00 p.m. to 7:00 a.m.
If you select the Start within the specified time interval option, specify the start and end of the period in the Start time (hh:mm) and End time (hh:mm) fields.
All IOC Scan tasks that were automatically created before the beginning of the specified period will start at any time within the specified period.
All IOC Scan tasks that were automatically created within the specified period will start immediately after creation.
All IOC Scan tasks that were automatically created after the end of the specified period will start during the next task execution period.
For example, if you configured the tasks to run during the period from 8:00 p.m. to 7:00 a.m.:
Tasks that were automatically created at 7 p.m. are started at any arbitrary time from 8:00 p.m. to 7:00 a.m.
Tasks that were automatically created at 9 p.m. are started at 9 p.m.
Tasks that were automatically created at 8:00 a.m. are started during the next task execution period, from 8:00 p.m. to 7:00 a.m.
Click OK.
The IOC scanning settings window will close.
In the upper right corner of the settings group, change the switch from Policy not enforced to Under policy.
Click Apply and OK.
The start of Autonomous IOC Scan tasks has been configured.