Configuring start of Autonomous IOC Scan tasks

When Kaspersky Sandbox detects a threat, Kaspersky Endpoint Agent automatically creates IOC Scan tasks for all devices (search for MD5 hashes of objects in which the threat was detected).

To configure start of Autonomous IOC Scan tasks:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure application settings.
3. Perform one of the following actions in the details pane of the selected administration group:
   • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
     1. In the tree of Kaspersky Security Center Administration Console, expand the Managed devices node.
     2. Expand the administration group whose policy settings you want to configure, and select the Policies tab in the results pane.
     3. Select the policy you want to configure.
     4. Open the Properties: <Policy name> window in one of the following ways:
        • Select the Properties option in the context menu of the policy.
        • Click the Configure policy settings link in the results pane of the selected policy.
        • Double-click the required policy.

        The Properties: <Policy name> window opens.

   • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to the settings of a local task or the application settings.
4. In the Kaspersky Sandbox integration section select the Threat response subsection.
5. In the Additional group of settings click Configure.

   The IOC Scan settings window will open.

6. In the Scanning area group of settings, select one of the following areas where Kaspersky Endpoint Agent will search for IOCs:
   • File areas containing system drives.
   • Critical file areas.
7. In the Scan start group of settings, select one of the following options to start IOC Scan tasks:
   • Manual start. IOC Scan tasks will be created automatically, but will not be started. You can start a single task or all tasks manually.
   • Immediately upon a Kaspersky Sandbox detection. IOC Scan tasks will be automatically created and started.
   • Start within the specified period. IOC Scan tasks will be created automatically and started in the specified period. For example, during after hours from 8:00 pm to 7:00 am.

     If you select the Start within the specified period option, specify the start and end of the period in the Period start time (hh:mm) and Period end time (hh:mm) fields.

     All IOC Scan tasks that were automatically created before the beginning of the specified period will start at any time within the specified period.

     All IOC Scan tasks that were automatically created within the specified period will start immediately after creation.

     All IOC Scan tasks that were automatically created after the end of the specified period will start during the next task execution period.

     For example, if you configured the tasks to run during the period from 8:00 p.m. to 7:00 a.m.:

     • Tasks that were automatically created at 7 p.m. are started at any arbitrary time from 8:00 p.m. to 7:00 a.m.
     • Tasks that were automatically created at 9 p.m. are started at 9 p.m.
     • Tasks that were automatically created at 8:00 a.m. are started during the next task execution period, from 8:00 p.m. to 7:00 a.m.

8. Click OK.

   The IOC Scan settings window will close.

9. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
10. Click Apply and OK.

The start of Autonomous IOC Scan tasks has been configured.

See also Enabling and disabling Threat Response actions Adding Threat Response actions to the action list of the current policy Configuring authentication on the Administration Server for Autonomous IOC Scan tasks Device protection from legitimate applications that can be used by cybercriminals

Page top