This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
Kaspersky Endpoint Agent can perform actions in response to threats detected by Kaspersky Sandbox.
You can configure the following types of actions:
Local – actions to be performed on each device where a threat is detected.
Group – actions to be performed on all devices of the administration group for which the policy is configured.
If a threat is detected on a device, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas of the device. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For more details on configuring the scan settings refer to the documentation of EPP being used.
If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat.
If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat. When an object which contains a threat is detected on devices of this administration group, a copy of the object containing the threat is quarantined, and the object is deleted from the device.
If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas on all administration group's devices where the object containing the threat was detected. For more details on configuring the scan settings refer to the documentation of EPP being used.
To configure group threat response actions, set up the permissions of the Kaspersky Security Center users whose accounts you want to use to manage IOC Scan tasks.
When configuring threat response actions, keep in mind that as a result of some actions, the object containing the threat may be deleted from the workstation where it was detected.