Kaspersky Endpoint Security can perform response actions aimed at providing security functions:
The response action settings of Kaspersky Anti Targeted Attack Platform and Kaspersky Endpoint Detection and Response Optimum are different.
Kaspersky Endpoint Security can perform the following response actions:
This action is performed using the Get file task. For example, you can configure the application to get an event log file generated by a third-party program.
This action is performed using the Delete file task.
This action is performed using the Run process task.
For example, you can remotely run a utility that creates a device configuration file, and then fetch it with Get file.
The action is performed using the Terminate process task.
For example, you can remotely terminate an Internet speed test utility that was launched using the "Run process" task.
This action is performed using the IOC Scan task.
The IOC Scan task checks for IOC terms (properties of IOC objects, for example, a file hash) only in the operating system's main namespace. The IOC Scan task does not calculate the hash of files larger than 200 MB.
When Kaspersky Endpoint Security interacts with Kaspersky Endpoint Detection and Response Optimum, you can:
When Kaspersky Endpoint Security interacts with Kaspersky Endpoint Detection and Response (KATA), you can:
To read more, check out the Kaspersky Anti Targeted Attack Platform Help.
Network isolation limitations
When you use network isolation, we strongly recommended that you familiarize yourself with the limitations described below.
For network isolation to work, Kaspersky Endpoint Security must be running. If Kaspersky Endpoint Security malfunctions (and the application is not running), traffic blocking is not guaranteed when network isolation is enabled by Kaspersky Anti Targeted Attack Platform or Kaspersky Endpoint Detection and Response Optimum.
Transit traffic with network isolation enabled is supported with limitations and may be filtered.
DHCP and DNS are not automatically added to network isolation exceptions, so if the network address of a resource is changed during network isolation, Kaspersky Endpoint Security will not be able to access it. The same applies to the nodes of the fault-tolerant KATA server. We recommend to not change their addresses so that Kaspersky Endpoint Security does not lose contact with them.
The proxy server is also not automatically added to the network isolation exclusions, so you need to add it to the exclusions manually so that Kaspersky Endpoint Security does not lose contact with the KATA server.
Adding a process to network isolation and excluding a process from network isolation by name is not supported.
If Kaspersky Endpoint Security is used in standard mode, we recommend doing the following when using network isolation:
If it is impossible to use Kaspersky Security Center as a proxy server, configure the settings of the required proxy server and add it to the exclusions.
These recommendations do not apply if Kaspersky Endpoint Security is used in Light Agent mode.
Page top