Configuring Standard IOC Scan task

Task creation is performed beforehand, as a separate step.

If you selected the Open task details when creation is complete check box on the Finish task creation page during task creation, proceed to step 4 of the following instructions.

To configure the settings of a Standard IOC Scan task:

  1. In the main Kaspersky Security Center Web Console window, select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. In the IOC scan settings section, configure the IOC collection by following these steps:
    1. In the IOC files group of settings click the Redefine IOC files button.
    2. In the dialog that opens, click the Add IOC files button and specify the IOC files that you want to use for the task.

      You can select multiple IOC files for a single IOC Scan task.

    3. Click OK to close the dialog box.

      If, when creating the IOC Scan task, you upload IOC files that Kaspersky Endpoint Agent does not support, the application uses only the supported IOC files when the task starts.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to obtain information about each IOC file, do the following:
      1. Click the link with the names of all downloaded IOC files in the IOC files group of settings.

        The IOC contents () window opens.

      2. To view detailed information about an individual IOC file, click the name of the required IOC file in the list of files on the IOC collection tab.

        In the window that opens, information about the selected IOC file is displayed.

      3. To close the window with information about the selected IOC file, click OK or Cancel.
      4. To view information about all downloaded IOC files at once, open the IOC data tab.

        Information about each downloaded IOC file is displayed in the workspace of the window.

      5. If you do not want to use a specific IOC file when the IOC Scan task is executed, on the IOC collection tab, switch the toggle button next to the IOC file name from Include to Exclude.
      6. Click OK to save the changes and close the IOC contents () window.
    5. To export the created IOC collection, click Export IOC collection.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    6. Click the Save button.

      The application creates a ZIP file in the specified folder.

  5. In the IOC scan settings section, configure the response actions to take when an indicator of compromise is found:
    1. In the Actions group of settings, select the Take response actions after an indicator of compromise is found check box.
    2. Select the Isolate device from the network check box to enable network isolation of the device on which Kaspersky Endpoint Agent detects an indicator of compromise.
    3. Select the Quarantine and delete check box to quarantine the detected object and remove it from the device.
    4. Select the Run Endpoint Protection Platform scan of critical areas on the device check box so that Kaspersky Endpoint Agent sends a command to the EPP application to scan critical areas on all devices of the administration group on which indicators of compromise are detected.

      If the Quarantine and delete or Run critical areas scan option is enabled, Kaspersky Endpoint Agent may recognize the detected files as infected and delete them from the device as a response action.

  6. In the Advanced section, select data types (IOC documents) that you want to analyze during the task execution and configure the additional scan settings:
    1. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects the data types (IOC documents) for the IOC Scan task in accordance with the contents of the downloaded IOC files. Clearing data types manually is not recommended.

    2. If the Analyze data of files (FileItem) check box is selected, click the Advanced for FileItem link and, in the FileItem document scan settings window that opens, select the areas of the protected device's disks in which to look for indicators of compromise.

      You can select one of the predefined areas, or specify the paths to the desired areas manually.

    3. Click OK to save the changes and close the FileItem document scan settings window.
    4. If the Analyze data of Windows Event Log (EventLogItem) check box is selected, click the Advanced for EventLogItem link and in the EventLogItem document scan settings window that opens, configure additional event analysis settings:
      • Scan only events that are logged within the specified period.

        If the check box is selected, only the events that were logged during the specified period are taken into account during the task execution.

      • Scan events that belong to the following channels.

        List of channels that are analyzed during the task execution.

    5. Click OK to save the changes and close the EventLogItem document scan settings window.
  7. Click the Save button.

The created task can be started manually or automatically according to a schedule.
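As an added example (not part of this page or of Kaspersky's product), the following Python script lists the IOC documents that an OpenIOC file references and flags any that the agent is not configured to analyze, which corresponds to the way the task derives its data types from the IOC file contents and uses only supported IOC files. The OpenIOC sample, the `SUPPORTED` set and the `ioc_documents`/`unsupported_documents` helpers are constructed assumptions; the actual list of supported IOC documents comes from the Kaspersky Endpoint Agent documentation.

```python
# Added example (not Kaspersky code): pre-check an OpenIOC collection before
# uploading it to an IOC Scan task. Sample IOC and SUPPORTED are constructed.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed OpenIOC 1.0 sample: a file hash, an event ID and a registry term.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="is">
          <Context document="EventLogItem" search="EventLogItem/EID" type="mir"/>
          <Content type="int">4624</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def local(tag):
    """Strip the XML namespace so OpenIOC 1.0 and 1.1 files parse alike."""
    return tag.rsplit("}", 1)[-1]

def ioc_documents(xml_text):
    """Map each IOC document type (FileItem, EventLogItem, ...) to its search terms."""
    docs = defaultdict(set)
    for el in ET.fromstring(xml_text).iter():  # iter() also visits nested Indicators
        if local(el.tag) == "Context":
            docs[el.get("document")].add(el.get("search"))
    return dict(docs)

def unsupported_documents(xml_text, supported):
    """Document types the file needs but the agent is not configured to analyze."""
    return sorted(set(ioc_documents(xml_text)) - set(supported))

if __name__ == "__main__":
    SUPPORTED = {"FileItem", "EventLogItem"}  # placeholder; take the real list from product docs
    for doc, terms in sorted(ioc_documents(SAMPLE_IOC).items()):
        print(f"{doc}: {', '.join(sorted(terms))}")
    print("unsupported:", unsupported_documents(SAMPLE_IOC, SUPPORTED))
```

Running it against a whole collection before step 4 of the procedure shows which data types the task will select and which files would be silently skipped as unsupported.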
