Integration with Kaspersky Endpoint Detection and Response

To integrate with Kaspersky Endpoint Detection and Response, you must add the Endpoint Detection and Response Optimum (EDR Optimum) component or the Endpoint Detection and Response Expert (EDR Expert) component, and configure Kaspersky Endpoint Security.

The EDR Optimum and EDR Expert components are not compatible. Moreover, the EDR Expert component is incompatible with the Managed Detection and Response component.

The following conditions must be fulfilled for Endpoint Detection and Response to work:

• Kaspersky Security Center 13.2. In earlier versions of Kaspersky Security Center, it is impossible to activate the Endpoint Detection and Response feature.
• EDR Optimum can be managed in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console. EDR Expert can be managed only using the Kaspersky Security Center Cloud Console. You cannot manage this functionality using the Administration Console (MMC).
• The application is activated and the functionality is covered by the license.
• The Endpoint Detection and Response component is turned on.
• Application components that Endpoint Detection and Response depends on are enabled and operational. Endpoint Detection and Response depends on the following components:
  • File Threat Protection.
  • Web Threat Protection.
  • Mail Threat Protection.
  • Exploit Prevention.
  • Behavior Detection.
  • Host Intrusion Prevention.
  • Remediation Engine.
  • Adaptive Anomaly Control.

Integration with Kaspersky Endpoint Detection and Response involves the following steps:

1. Installing Endpoint Detection and Response components

   You can select the EDR Optimum or EDR Expert component during installation or upgrade, as well as using the Change application components task. You must restart your computer to finish upgrading the application with the new components.

   Following the Change application components task execution, the status of the task is displayed incorrectly. Instead of Completed successfully, the task has the Scheduled status. However, the task can still be completed successfully. Make sure that the new component is installed in the computer properties of the Kaspersky Security Center console (Applications → Kaspersky Endpoint Security for Windows → Components) or in the local application interface.

2. Activating Kaspersky Endpoint Detection and Response

   You can acquire a license to use Kaspersky Endpoint Detection and Response in the following ways:

   • Endpoint Detection and Response functionality is included in the Kaspersky Endpoint Security for Windows license.

     The feature will be available immediately after activation of Kaspersky Endpoint Security for Windows.

   • License extension for use of EDR Optimum or EDR Expert (Kaspersky Endpoint Detection and Response Add-on).

     The feature will be available after you add a separate key for Kaspersky Endpoint Detection and Response. As a result, two keys are installed on the computer: a key for Kaspersky Endpoint Security and a key for Kaspersky Endpoint Detection and Response.

     Licensing for the stand-alone Endpoint Detection and Response functionality is the same as the licensing of Kaspersky Endpoint Security.

   Make sure that the EDR Optimum or EDR Expert functionality is included in the license and is running in the local interface of the application.

3. Enabling Endpoint Detection and Response components

   You can enable or disable the component in Kaspersky Endpoint Security for Windows policy settings.

   How to enable or disable the Endpoint Detection and Response component in the Web Console and Cloud Console

   1. In the main window of the Web Console, select Devices → Policies & Profiles.
   2. Click the name of the Kaspersky Endpoint Security policy.

      The policy properties window opens.

   3. Select the Application settings tab.
   4. Go to Detection and Response → Endpoint Detection and Response.
   5. Turn on the Endpoint Detection and Response toggle.
   6. Save your changes.

   The Kaspersky Endpoint Detection and Response component is enabled. Check the operating status of the component by viewing the Application components status report. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Endpoint Detection and Response Optimum or Endpoint Detection and Response Expert component is added to the list of Kaspersky Endpoint Security components.

4. Enabling data transfer to Administration Server

   To enable all the Endpoint Detection and Response features, data transfer must be enabled for the following types of data:

   • Quarantine file data.

     The data are required to obtain information about files quarantined on a computer through Web Console and Cloud Console. For example, you can download a file from quarantine for analysis in Web Console and Cloud Console.

   • Threat development chain data.

     The data are required to obtain information about threats detected on a computer in Web Console and Cloud Console. You can view alert details and take response actions in Web Console and Cloud Console.

   How to enable data transfer to the Administration Server in Web Console and Cloud Console

   1. In the main window of the Web Console, select Devices → Policies & Profiles.
   2. Click the name of the Kaspersky Endpoint Security policy.

      The policy properties window opens.

   3. Select the Application settings tab.
   4. Go to General settings → Reports and Storage.
   5. Please check the following boxes in the Data transfer to Administration Server block:
      • About Quarantine files.
      • About a threat development chain.
   6. Save your changes.

Page top