You can configure exclusions for EDR telemetry about file operations using Kaspersky Security Center Administration Console, in the properties of an individual device or in the policy settings for a group of devices.
Telemetry is the data that Kaspersky Endpoint Agent analyzes on the protected device and sends to the Telemetry collection server. It is a list of events that occurred on the protected device.
An exclusion is a set of settings joined by a logical AND. Kaspersky Endpoint Agent does not analyze or send EDR telemetry that matches these settings.
Exclusions for sent EDR telemetry about file operations are applicable when integrating Kaspersky Endpoint Agent with servers on which KATA Central Node or Kaspersky Managed Detection and Response is installed.
Kaspersky Endpoint Agent does not analyze or send data matching exclusion settings to the server with KATA Central Node or Kaspersky Managed Detection and Response installed.
To enable and configure EDR telemetry about file operations:
In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group that includes the required device.
In the workspace, select the Devices tab.
Select the device for which you want to configure Kaspersky Endpoint Agent settings.
Select Properties in the device context menu.
The device properties window opens.
Select the Applications section.
A list of Kaspersky applications installed on the device is displayed in the window.
Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
Double-click the application name.
In the application context menu, select Properties.
Click the Properties button under the list of Kaspersky applications.
Exclusion settings are applied using a logical AND.
In the Rule name field, enter the name of the rule.
The name of the rule must be unique.
In the File resource name or mask field, enter the name or name mask of the file or folder to which Kaspersky Endpoint Agent will apply the exclusion rule upon access attempts. A mask is specified using the symbols ? and *.
Specify the parameters of the applications to which Kaspersky Endpoint Agent will apply the exclusion rule upon attempts to access the specified file resource. If no application parameters are specified, Kaspersky Endpoint Agent applies the exclusion rule to any applications accessing the specified file resource:
Click on the Fill based on file properties button if you want the parameters of the application's executable file to be filled in automatically.
Unavailable in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
In 64-bit operating systems, the parameters of the 64-bit version of the application's executable file in the \windows\system32 folder must be entered manually. When you click the Fill based on file properties button, the plugin fills in the parameters from the properties of the 32-bit version of the same executable file located in the \windows\syswow64 folder. For example, if you select the \windows\system32\cmd.exe file, the plugin displays the settings of the \windows\syswow64\cmd.exe file. This situation is related to operating system behavior.
Specify application parameters manually:
In the Process Information block, specify the application parameters:
Full path. Full path to the executable file, including its name and extension. You can enter a path mask using the characters ? and *.
Command line text. The command to run the application from the command line. You can enter a command mask using the symbols ? and *.
Parent folder path. The path to the folder where the application's executable file is located. You can enter a path mask using the characters ? and *.
In the File properties section, specify the values in the following fields:
Description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
Version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
In the File checksums section, specify the values in the following fields:
MD5. MD5 hash of the application's executable file.
SHA256. SHA256 hash of the application's executable file.
If you need to modify an exclusion, click the Modify button.
If you need to delete an exclusion, select the exclusion and click the Delete button.
If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on.
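The AND logic of an exclusion rule, modelled as an added example (not Kaspersky code) to show how much telemetry a rule suppresses when no application parameters are set. Field names, sample paths and hashes are constructed, and the mask semantics (case-insensitive, ? for one character, * for any run of characters) are an assumption, since the page does not define them.

```python
import re
from dataclasses import dataclass
from typing import Optional

MASK_FIELDS = ("full_path", "command_line", "parent_folder")
EXACT_FIELDS = ("description", "original_file_name", "version", "md5", "sha256")

@dataclass
class Exclusion:                       # hypothetical model of one exclusion rule
    rule_name: str
    file_mask: str                     # "File resource name or mask"
    full_path: Optional[str] = None    # Process information (masks allowed)
    command_line: Optional[str] = None
    parent_folder: Optional[str] = None
    description: Optional[str] = None  # File properties (VersionInfo)
    original_file_name: Optional[str] = None
    version: Optional[str] = None
    md5: Optional[str] = None          # File checksums
    sha256: Optional[str] = None

def mask_match(mask, value):
    # Assumed semantics: '?' is one character, '*' is any run, case-insensitive.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None

def process_criteria(rule):
    """Names of the application parameters that the rule actually sets."""
    return [f for f in MASK_FIELDS + EXACT_FIELDS if getattr(rule, f) is not None]

def is_excluded(rule, event):
    """True only if the file mask AND every set application parameter match."""
    if not mask_match(rule.file_mask, event["file"]):
        return False
    for f in process_criteria(rule):
        want, actual = getattr(rule, f), event.get(f, "")
        ok = mask_match(want, actual) if f in MASK_FIELDS else want.lower() == actual.lower()
        if not ok:
            return False
    return True

def audit(rules, events):
    """Map each rule name to its per-event exclusion verdicts."""
    return {r.rule_name: [is_excluded(r, e) for e in events] for r in rules}

# Constructed sample data: two processes writing into the same folder.
AGENT_SHA = "ab" * 32  # constructed placeholder, not a real hash
agent = {"file": r"D:\Backups\job1.tmp", "full_path": r"C:\Program Files\Backup\agent.exe", "sha256": AGENT_SHA}
other = {"file": r"D:\Backups\drop.tmp", "full_path": r"C:\Users\Public\tool.exe", "sha256": "cd" * 32}
broad = Exclusion("backup-temp", r"D:\Backups\*.tmp")  # no application parameters
narrow = Exclusion("backup-temp-agent", r"D:\Backups\*.tmp", full_path=agent["full_path"], sha256=AGENT_SHA)
```

Calling audit([broad, narrow], [agent, other]) shows the file-mask-only rule excluding both events, while the rule pinned to a full path and SHA256 excludes only the agent's event. A rule for which process_criteria returns an empty list is worth reviewing before it is deployed in a policy.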