This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
You can configure exclusions for EDR telemetry about file operations using Kaspersky Security Center Administration Console, in the properties of an individual device or in the policy settings for a group of devices.
Data that Kaspersky Endpoint Agent analyzes on the protected device and sends to the Telemetry collection server. Telemetry is a list of events that occurred on the protected device.
Set of settings joined by a logical AND, which Kaspersky Endpoint Agent uses to not analyze and send EDR telemetry.
Exceptions for sent EDR telemetry about file operations are applicable when integrating Kaspersky Endpoint Agent with servers on which KATA Central Node or Kaspersky Managed Detection and Response is installed.
Kaspersky Endpoint Agent does not analyze or send data matching exclusion settings to the server with KATA Central Node or Kaspersky Managed Detection and Response installed.
To enable and configure EDR telemetry about file operations:
In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required device.
In the workspace, select the Devices tab.
Select the device for which you want to configure Kaspersky Endpoint Agent settings.
Select Properties in the device context menu.
The device properties window opens.
Select the Applications section.
A list of Kaspersky applications installed on the device is displayed in the window.
Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
Double-click the application name.
In the application context menu, select Properties.
Click the Properties button under the list of Kaspersky applications.
Exclusion settings are applied using a logical AND.
In the Rule name field, enter the name of the rule.
The name of the rule must be unique.
In the File resource name or mask field, enter the name or name mask of the file or folder to which Kaspersky Endpoint Agent will apply the exclusion rule upon access attempts. A mask is specified using the symbols ? and *.
Specify the parameters of the applications to which Kaspersky Endpoint Agent will apply the exclusion rule upon attempts to access the specified file resource. If no application parameters are specified, Kaspersky Endpoint Agent applies the exclusion rule to any applications accessing the specified file resource:
Click on the Fill based on file properties button if you want the parameters of the application's executable file to be filled in automatically.
Unavailable in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
In 64-bit operating systems, the parameters of the 64-bit version of the application's executable file in the \windows\system32 folder must be entered manually, since when you click the Fill based on file properties button the plugin fills in the parameters of the application's executable file from the properties of the 32-bit version of the same executable file located in the \windows\syswow64 folder. For example, if you select the \windows\system32\cmd.exe file, the plugin displays the settings of the \windows\syswow64\cmd.exe file. This situation is related to operating system behavior.
Specify application parameters manually:
In the Process Information block, specify the application parameters:
Full path. Full path to the executable file, including its name and extension. You can enter a path mask using the characters ? and *.
Command line text. The command to run the application from the command line. You can enter a command mask using the symbols ? and *.
Parent folder path. The path to the folder where the application's executable file is located. You can enter a path mask using the characters ? and *.
In the File properties section, specify the values in the following fields:
Description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
Version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
In the File checksums section, specify the values in the following fields:
MD5. MD5 hash of the application's executable file.
SHA256. SHA256 hash of the application's executable file.
If you need to modify an exclusion, click the Modify button.
If you need to delete an exclusion, select the exclusion and click the Delete button.
If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on.