Enabling and configuring network communications exclusions for EDR telemetry
This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
You can configure exclusions for EDR telemetry about network communications using Kaspersky Security Center Web Console, in the properties of an individual device or in the policy settings for a group of devices. Kaspersky Endpoint Agent does not analyze or send data matching exclusion settings to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.
EDR telemetry: data that Kaspersky Endpoint Agent analyzes on the protected device and sends to the Telemetry collection server. Telemetry is a list of events that occurred on the protected device.
Exclusion: a set of settings joined by a logical AND, which Kaspersky Endpoint Agent uses to determine the EDR telemetry that it does not analyze or send.
To enable and configure exclusions for EDR telemetry about network communications:
Exclusion settings are applied using a logical AND.
In the Name field, enter the name of the exclusion.
In the Direction drop-down list, select the direction of network traffic.
In the Protocol drop-down list, select the network protocol.
If you select a custom protocol, in the Number field, enter the network protocol number.
Select the Local port OR range check box and enter the port number or number range.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the local device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the remote device.
The values 1–65535 are available for port numbers.
The values 1–10, 20–30000 and 1–65535 are available for a range of ports.
Limitations:
For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
Select the Remote port OR range check box and enter the port number or number range.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the remote device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the local device.
The values 1–65535 are available for port numbers.
The values 1–10, 20–30000 and 1–65535 are available for a range of ports.
Limitations:
For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
Select the Local address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the local device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address of the remote device.
For IP addresses, only addresses in IPv4 format are supported.
Select the Remote address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the remote device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address for the local device.
For IP addresses, only addresses in IPv4 format are supported.
Create the list of applications for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
1. Select the Applications check box.
2. In the field below, specify the path to the executable file of the application you want to add to the list. You can enter the path manually or with the help of the Browse button.
3. Click the Add button.
4. For each application you want to add to the list, repeat steps 2 and 3 of the guide.
If necessary, remove an application from the list:
Select the application in the list.
Click the Delete button.
Click OK to save the changes and close the Rule properties window.
The new exclusion is created and displayed in the list of exclusions.
If you need to modify an exclusion, click the Modify button.
If you need to delete an exclusion, select the exclusion and click the Delete button.
If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
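Because the settings are joined by a logical AND, every criterion left disabled widens the set of connections that produce no telemetry. The following added example (not Kaspersky code and not a product file format) models an exclusion as a hypothetical dictionary, checks its values against the limits stated above, and shows which constructed events a rule would suppress. It assumes events are already expressed in the same Local/Remote terms as the rule fields, so the direction-dependent meaning of those fields is not modelled.

```python
from ipaddress import ip_address

PORT_KEYS = ("local_port", "remote_port")        # hypothetical key names
ADDRESS_KEYS = ("local_address", "remote_address")

def parse_ports(text):
    """Return (low, high) for one port or a range; both ends must be within 1-65535."""
    low, _, high = text.partition("-")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"outside 1-65535: {text}")
    return lo, hi

def validate(rule):
    """List values that break the limits stated above (port bounds, IPv4 only)."""
    problems = []
    for key in PORT_KEYS + ADDRESS_KEYS:
        try:
            if key in PORT_KEYS and key in rule:
                parse_ports(rule[key])
            elif key in rule and ip_address(rule[key]).version == 6:
                problems.append(f"{key}: IPv6 address")
        except ValueError as err:
            if key in PORT_KEYS:  # a non-IP address string also raises; not reported
                problems.append(f"{key}: {err}")
    return problems

def is_excluded(rule, event):
    """True only when every enabled criterion matches the event (logical AND)."""
    ok = rule["direction"] == event["direction"] and rule["protocol"] == event["protocol"]
    for key in PORT_KEYS:
        if key in rule:  # a missing key stands for a cleared check box
            lo, hi = parse_ports(rule[key])
            ok = ok and lo <= event[key] <= hi
    for key in ADDRESS_KEYS:
        if key in rule:
            ok = ok and rule[key] == event[key]
    if "applications" in rule:  # Windows paths compared case-insensitively (assumption)
        ok = ok and event["application"].lower() in {p.lower() for p in rule["applications"]}
    return ok

# Constructed sample events for illustration only.
BASE = {"direction": "Outgoing", "protocol": "TCP", "local_port": 50000, "remote_port": 443,
        "local_address": "10.0.0.5", "remote_address": "10.0.0.9", "application": r"C:\Tools\backup.exe"}
EVENTS = [BASE, {**BASE, "remote_port": 8443}, {**BASE, "application": r"C:\Users\Public\x.exe"}]

def excluded_events(rule):
    """Events from EVENTS that the rule would keep out of EDR telemetry."""
    return [e for e in EVENTS if is_excluded(rule, e)]
```

A rule that sets only direction and protocol suppresses all three sample events, while adding a port and an application path narrows it to one, which is the comparison to make when reviewing an exclusion before saving it.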