Kaspersky Sandbox

Kaspersky Endpoint Security 11.7.0 now includes the Kaspersky Sandbox component. The component enables interoperability with the Kaspersky Sandbox solution. The Kaspersky Sandbox solution detects and automatically blocks advanced threats on computers. Kaspersky Sandbox analyzes object behavior to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure of the organization. Kaspersky Sandbox analyzes and scans objects on special servers with deployed virtual images of Microsoft Windows operating systems (Kaspersky Sandbox servers). For details about the solution, refer to the Kaspersky Sandbox Help.

When interacting with Kaspersky Sandbox, the application lets you:

Add a TLS certificate for securely connecting to Kaspersky Sandbox servers.
Add Kaspersky Sandbox servers.
Select a threat response action.
Scan for indicators of compromise (IOC).

Kaspersky Sandbox requires Kaspersky Security Center version 13.2. Earlier versions of Kaspersky Security Center do not allow the creation of standalone IOC Scan tasks for threat response.

The component can be managed only using the Web Console. You cannot manage this component using the Administration Console (MMC).

Integration with Kaspersky Sandbox

Integration with Kaspersky Sandbox involves the following steps:

Installing the Kaspersky Sandbox component
You can select the Kaspersky Sandbox component during installation or upgrade, as well as using the Change application components task.

Following the Change application components task execution, the status of the task is displayed incorrectly. Instead of Completed successfully, the task has the Scheduled status. However, the task can still be completed successfully. Make sure that the new component is installed in the computer properties of the Kaspersky Security Center console (Applications → Kaspersky Endpoint Security for Windows → Components) or in the local application interface.
Adding a TLS certificate
To configure a trusted connection with Kaspersky Sandbox servers, you must prepare a TLS certificate. Next you must add the certificate to Kaspersky Sandbox servers and the Kaspersky Endpoint Security policy. For details on preparing the certificate and adding the certificate to servers, refer to the Kaspersky Sandbox Help.

How to add a TLS certificate using Web Console
1. In the main window of Web Console, select Devices → Policies & profiles.
2. Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
3. Select the Application settings tab.
4. Go to Detection and Response → Kaspersky Sandbox.
5. Click Server connection settings.
  This opens the Kaspersky Sandbox server connection settings window.
6. Under Server TLS certificate, click Add and select the TLS certificate file.
  Kaspersky Endpoint Security can only have one TLS certificate for a Kaspersky Sandbox server. If you have added a TLS certificate before, that certificate is revoked. Only the last added certificate is used.
7. Configure advanced connections settings for Kaspersky Sandbox servers:
  - Request timeout. Connection timeout for Kaspersky Sandbox server. After the configured timeout elapses, Kaspersky Endpoint Security sends a request to the next server. You can increase the connection timeout for Kaspersky Sandbox if your connection speed is low or if the connection is unstable. The default value is 5 seconds.
  - Kaspersky Sandbox request queue. Size of the request queue folder. When an object is accessed on the computer (executable launched or document opened, for example in DOCX or PDF format), Kaspersky Endpoint Security can also send the object to be scanned by Kaspersky Sandbox. If there are multiple requests, Kaspersky Endpoint Security creates a request queue. By default, the size of the request queue folder is limited to 100 MB. After the maximum size is reached, Kaspersky Sandbox stops adding new requests to the queue and sends the corresponding event to Kaspersky Security Center. You can configure the size of the request queue folder depending on your server configuration.
8. Save your changes.
As a result, Kaspersky Endpoint Security verifies the TLS certificate. If the certificate is successfully verified, Kaspersky Endpoint Security uploads the certificate file to the computer during the next synchronization with Kaspersky Security Center. If you have added two TLS certificates, Kaspersky Sandbox will use the latest certificate to establish a trusted connection.
You can also add a TLS certificate to the computer locally using the command line.
Enabling the Kaspersky Sandbox component
You can enable or disable the component in Kaspersky Endpoint Security for Windows policy settings.

To use the component, the following conditions must be met:
- The application is activated and the functionality is covered by the license.
- The Kaspersky Sandbox component is enabled.
How to enable or disable Kaspersky Sandbox using Web Console
1. In the main window of Web Console, select Devices → Policies & profiles.
2. Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
3. Select the Application settings tab.
4. Go to Detection and Response → Kaspersky Sandbox.
5. Use the Integration with Kaspersky Sandbox toggle switch to enable or disable the component.
6. Save your changes.
You can also enable or disable Kaspersky Sandbox locally using the command line.

As a result, the Kaspersky Sandbox component is enabled. Check the operating status of the component by viewing the Application components status report. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Kaspersky Sandbox component is added to the list of Kaspersky Endpoint Security components.
Connecting computers to Kaspersky Sandbox servers
To connect computers to Kaspersky Sandbox servers with virtual images of operating systems, you must enter a server address and a port. For details about deploying virtual images and configuring Kaspersky Sandbox servers, refer to the Kaspersky Sandbox Help.

How to connect computers to Kaspersky Sandbox servers using Web Console
1. In the main window of Web Console, select Devices → Policies & profiles.
2. Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
3. Select the Application settings tab.
4. Go to Detection and Response → Kaspersky Sandbox.
5. Under Kaspersky Sandbox servers, click Add.
6. This opens a window; in the window, enter Kaspersky Sandbox server address (IPv4, IPv6, DNS) and port.
7. Save your changes.
Establishing a background connection between Kaspersky Security Center Web Console and Administration Server
For Kaspersky Sandbox to work with Administration Server via Kaspersky Security Center Web Console, you must establish a new secure connection, a background connection. For details about the integration of Kaspersky Security Center with other Kaspersky solutions, refer to the Kaspersky Security Center Help.

Establishing a background connection in Web Console
1. In the main window of Web Console, select Console settings → Integration.
2. Go to the Cross-service integration section.
3. Turn on the Establish a background connection for cross-service integration toggle switch.
4. Save your changes.
If a background connection between Kaspersky Security Center Web Console and Administration Server is not established, stand-alone IOC scan tasks cannot be created as part of Threat Response.
Enabling data transfer to Administration Server
To use all the features of Kaspersky Sandbox, make sure quarantine file data transfer is enabled. The data are required to obtain information about files quarantined on a computer through Web Console. For example, you can download a file from quarantine for analysis in Web Console.

How to enable data transfer to the Administration Server in Web Console
1. In the main window of Web Console, select Devices → Policies & profiles.
2. Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
3. Select the Application settings tab.
4. Select General settings → Reports and Storage.
5. Under Data transfer to Administration Server, check the About quarantine files box.
6. Save your changes.

Migration from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows

If you are using Kaspersky Endpoint Security 11.7.0 or newer with the Kaspersky Sandbox component installed, interoperability with the Kaspersky Sandbox solution is available immediately after installation. The Kaspersky Sandbox component is not compatible with Kaspersky Endpoint Agent. If Kaspersky Endpoint Agent is installed on the computer, when Kaspersky Endpoint Security is updated to version 11.7.0, Kaspersky Sandbox continues working with Kaspersky Endpoint Security. In addition, Kaspersky Endpoint Agent will be removed from the computer. To complete migration from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows, you need to transfer policy and task settings using the Migration Wizard.

If you are using Kaspersky Endpoint Security 11.4.0–11.6.0 for interoperability with Kaspersky Sandbox, the application includes Kaspersky Endpoint Agent. You can install Kaspersky Endpoint Agent side-by-side with Kaspersky Endpoint Security.

The Kaspersky Sandbox component that is part of Kaspersky Endpoint Security supports interoperability with Kaspersky Sandbox solution 2.0. Kaspersky Sandbox solution 1.0 is not supported.

Page top