You can enable and configure exclusions for and optimization of EDR telemetry about application processes using Kaspersky Security Center Web Console, in the properties of an individual device or in the policy settings for a group of devices.
Set of settings joined by a logical AND, which Kaspersky Endpoint Agent uses to not analyze and send EDR telemetry.
Exclusions of sent EDR telemetry about application processes are available when integrating Kaspersky Endpoint Agent with servers on which KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.
Kaspersky Endpoint Agent does not analyze or send data on excluded application processes to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.
Optimization of the amount of sent EDR telemetry about application processes can be managed (enabled/disabled) when Kaspersky Endpoint Agent is integrated with servers with Kaspersky Industrial CyberSecurity for Networks installed.
If optimization of the amount of sent EDR telemetry is enabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and Network Agent klnagent.exe about application processes to a server on which KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.
To enable and configure exclusions for and optimization of the volume of EDR telemetry on application processes:
In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
Select the policy you want to configure.
In the <Policy name> window that opens, select the Application settings tab.
In the EDR telemetry section, select Excluded processes.
The Excluded processes window opens.
In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
Configure optimization of the volume of EDR telemetry:
When integrating Kaspersky Endpoint Agent with servers with KATA Central Node installed, optimization of the amount of sent EDR telemetry should always be enabled.
Disable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol, WinRM service, and the Network Agent process klnagent.exe, as well as extended information about the type of network packets for all types of network protocols.
Enable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe, as well as extended information about the type of network packets for all types of network protocols.
If the Use exclusions setting is disabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe, as well as extended information about the type of network packets for all types of network protocols, regardless of the value of the Optimize the amount of telemetry setting.
Exclusion settings are applied using a logical AND.
The executable file of the process for which you create an exclusion must be available on the protected device at the time the exclusion settings are applied. If you first configure an exclusion for a process and then install an application associated with that process on the protected computer, then the exclusion will not be applied.
Specify the parameters of the executable file of the process for which Kaspersky Endpoint Agent will apply the exclusion rule:
Click on the Fill based on file properties button if you want the parameters of the process's executable file to be filled in automatically.
Unavailable in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
In 64-bit operating systems, the parameters of the 64-bit version of the process's executable file in the \windows\system32 folder must be entered manually, since when you click the Fill based on file properties button the plugin fills in the parameters of the process's executable file from the properties of the 32-bit version of the same executable file located in the \windows\syswow64 folder. For example, if you select the \windows\system32\cmd.exe file, the plugin displays the settings of the \windows\syswow64\cmd.exe file. This situation is related to operating system behavior.
Specify process parameters manually:
In the General data section, specify the values in the following fields:
Path. Full path to the file, including its name and extension. You can use file masks (using the ? and * characters), as well as system environment variables.
Command line. Command line to run the object.
Parent folder path. The path to the folder where the file is located.
In the Version information section, specify the values in the following fields:
Description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
Version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
In the File data section, specify the values in the following fields:
MD5. MD5 hash of the file.
SHA256. SHA256 hash of the file.
In the Use this exclusion for the following event types list, select at least one value:
File modification.
Network events.
If this value is selected, specify the full path to the file in the Path field.
Interactive input in the console.
This event type is selected by default.
Loading the process module.
Changes in the Registry.
Click OK to save the changes and close the Rule properties window.
The new exclusion is created and displayed in the list of exclusions.
If you need to export the exclusion list to an XML file, click the Export button.
If you need to import the exclusion list from an XML file, click the Import button.
If you need to modify an exclusion, click the Modify button.
If you need to delete an exclusion from the list, select the exclusion and click the Delete button.
If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on.