Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can configure exclusions for and optimization of EDR telemetry about application processes using Kaspersky Security Center Web Console, in the properties of an individual device or in the policy settings for a group of devices. Kaspersky Endpoint Agent does not analyze or send data on excluded application processes to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.

To enable and configure exclusions for and optimization of the volume of EDR telemetry on application processes:

1. Do one of the following:
   • Open the application properties window for an individual device.
     1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
     2. Select the device.
     3. In the <Device name> window that opens, select the Applications tab.
     4. Select Kaspersky Endpoint Agent.
     5. In the window that opens, select the Application settings tab.
   • Open the policy properties window.
     1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
     2. Select the policy you want to configure.
     3. In the <Policy name> window that opens, select the Application settings tab.
2. In the EDR telemetry section, select Excluded processes.

   The Excluded processes window opens.

3. In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
4. Configure optimization of the volume of EDR telemetry:
   • Disable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol, WinRM service, and the Network Agent process klnagent.exe.
   • Enable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to not send events with codes 102 (basic communications) and 8 (the process’s network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe.

   If the Use exclusions setting is disabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe, regardless of the value of the Optimize the amount of telemetry setting.

5. Create a list of exclusions:
   1. Click the Add button.
   2. In the Rule properties window that opens, configure the exclusion settings:

      Exclusion settings are applied using a logical AND.

      To create an exclusion, specify the value in the Full path field and select at least one event type in the Use this exclusion for the following types of events list.

      If the Network events value is selected for the Use this exclusion for the following types of events criterion, specify the full path to the file in the Full path field.

      The object for which you create an exclusion must be available on the protected device at the time the exclusion settings are applied. For example, if you first configure exclusion for a specific application, and then install that application on the protected device, this exclusion will not be applied.

      1. In the Information about the process section, specify the values in the following fields:
         • Full path. Full path to the file, including its name and extension. You can use file masks (using the ? and * characters), as well as system environment variables.
         • Command line text. Command line to run the object.
         • Parent path. The path to the folder where the file is located.
      2. In the File properties section, specify the values in the following fields:
         • File description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
         • Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
         • File version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
      3. In the File checksums section, specify the values in the following fields:
         • MD5. MD5 hash of the file.
         • SHA256. SHA256 hash of the file.
      4. In the Use this exclusion for the following types of events list, select at least one value:
         • File modification.
         • Network events.
         • Interactive console input.

           This event type is selected by default.

         • Process module load.
         • Registry modification.
   3. Click OK to save the changes and close the Rule properties window.

      The new exclusion is created and displayed in the list of exclusions.

   4. If you need to export the exclusion list to an XML file, click the Export button.
   5. If you need to import the exclusion list from an XML file, click the Import button.
   6. If you need to modify an exclusion, click the Modify button.
   7. If you need to delete an exclusion from the list, select the exclusion and click the Delete button.
6. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
7. Click OK to save the changes.

Page top