Running the IOC Scan task

An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the computer (compromise of data). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task allows finding Indicators of Compromise on the computer and taking threat response measures.
To run the command, go to the folder where the Kaspersky Endpoint Security executable file is located. You can also add the executable file path to the %PATH% system variable and run the command without navigating to the application folder.
Command syntax
avp.com IOCSCAN <full path to the IOC file>|/path=<path to the IOC files folder> [/process=on|off] [/hint=<full path to executable file of a process|full file path>] [/registry=on|off] [/dnsentry=on|off] [/arpentry=on|off] [/ports=on|off] [/services=on|off] [/system=on|off] [/users=on|off] [/volumes=on|off] [/eventlog=on|off] [/datetime=<event publication date>] [/channels=<list of channels>] [/files=on|off] [/drives=<all|system|critical|custom>] [/excludes=<list of exclusions>] [/scope=<list of folders to scan>]
IOC files

<full path to the IOC file>
    Full path to the IOC file that you want to use for scanning. You can specify multiple IOC files separated by spaces. The full path to the IOC file must be entered without the / For example,

/path=<path to the IOC files folder>
    Path to the folder with IOC files that you want to use for scanning. IOC files are files containing the sets of indicators that the application tries to match to count a detection. IOC files must conform to the OpenIOC standard. For example,

Data type for IOC scanning

/process=on|off
    Analyze process data when performing the IOC scan (ProcessItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes process data only if the ProcessItem IOC document is described in the IOC file that is provided for the scan.

/hint=<full path to executable file of a process|full file path>
    Analyze file data when performing the IOC scan (ProcessItem and FileItem terms). You can select a file in one of the following ways:

/registry=on|off
    Analyze Windows registry data when performing an IOC scan (RegistryItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes the Windows registry only if the RegistryItem IOC document is described in the IOC file that is provided for the scan. For the RegistryItem data type, Kaspersky Endpoint Security scans a set of registry keys.

/dnsentry=on|off
    Analyze the data about records in the local DNS cache when performing the IOC scan (DnsEntryItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes the local DNS cache only if the DnsEntryItem IOC document is described in the IOC file that is provided for the scan.

/arpentry=on|off
    Analyze the data about records in the ARP table when performing the IOC scan (ArpEntryItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes the ARP table only if the ArpEntryItem IOC document is described in the IOC file that is provided for the scan.

/ports=on|off
    Analyze data about ports open for listening when performing the IOC scan (PortItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes the table of active connections only if the PortItem IOC document is described in the IOC file that is provided for the scan.

/services=on|off
    Analyze data about services installed on the device when performing the IOC scan (ServiceItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes service data only if the ServiceItem IOC document is described in the IOC file that is provided for the scan.

/system=on|off
    Analyze environment data when performing the IOC scan (SystemInfoItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes environment data only if the SystemInfoItem IOC document is described in the IOC file that is provided for the scan.

/users=on|off
    Analyze data about users when performing the IOC scan (UserItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes data about users created in the system only if the UserItem IOC document is described in the IOC file that is provided for the scan.

/volumes=on|off
    Analyze data about volumes when performing the IOC scan (VolumeItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes volume data only if the VolumeItem IOC document is described in the IOC file that is provided for the scan.

/eventlog=on|off
    Analyze the data about records in the Windows event log when performing the IOC scan (EventLogItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes the Windows event log if the EventLogItem IOC document is described in the IOC file that is provided for the scan.

/datetime=<event publication date>
    Take into consideration the date when the event was published in the Windows event log when determining the IOC scan scope for the corresponding IOC document. When performing an IOC scan, Kaspersky Endpoint Security scans Windows event log entries published during the period from the specified time and date to the moment when the task is run. Kaspersky Endpoint Security allows specifying the event publication date as the value of the argument. The scan is performed only for events published in the Windows event log after the specified date and before the scan is run. If the argument is not specified, Kaspersky Endpoint Security scans events with any publication date. The TaskSettings::BaseSettings::EventLogItem::datetime setting cannot be edited. The setting is used only if the EventLogItem IOC document is described in the IOC file provided for the scan.

/channels=<list of channels>
    List of channel (log) names for which you want to perform an IOC scan. If the argument is specified, Kaspersky Endpoint Security scans records published in the specified logs. The IOC document must have the EventLogItem term described. The name of the log is specified as a string in accordance with the name of the log (channel) specified in the properties of the log (the Full Name parameter) or in the event properties (the <Channel></Channel> parameter in the XML schema of the event). You can specify multiple channels separated by spaces. If the argument is not specified, Kaspersky Endpoint Security scans records for channels

/files=on|off
    Analyze file data when performing the IOC scan (FileItem term). If the value of the argument is If the argument is not specified, Kaspersky Endpoint Security analyzes file data only if the FileItem IOC document is described in the IOC file that is provided for the scan.

/drives=<all|system|critical|custom>
    Set IOC scan scope when analyzing data for the FileItem IOC document. You can set the following values for the scan scope:
    If the argument is not specified, the scan is performed for critical areas.

/excludes=<list of exclusions>
    Set exclusion scope when analyzing data for the FileItem IOC document. You can specify multiple paths separated by spaces.

/scope=<list of folders to scan>
    User-defined IOC scan scope when analyzing data for the FileItem IOC document (
Command return values:
-1 means the command is not supported by the version of the application that is installed on the computer.
0 means the command was executed successfully.
1 means a mandatory argument was not passed to the command.
2 means a general error occurred.
4 means there was a syntax error.
If the command was executed successfully (return value 0) and indicators of compromise were detected along the way, Kaspersky Endpoint Security outputs the following task result information to the command line:
- ID of the IOC file from the header of the IOC file structure (the
- Description of the IOC file from the header of the IOC file structure (the
- List of IDs of all matched indicators.
- Data for each IOC document for which there was a match.
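The following PowerShell script is an added example, not part of the Kaspersky documentation: it ties the OpenIOC requirement for IOC files to the IOCSCAN syntax and the return values listed above by writing a minimal OpenIOC 1.0 file with one FileItem and one ProcessItem indicator, running the IOC Scan task on the folder that holds it, and mapping the exit code. It assumes avp.com is on %PATH% (as the page suggests); the indicator ids, the MD5 value and the process name are constructed placeholders, not real indicators.

```powershell
# Added example, not Kaspersky's own code: write a minimal OpenIOC 1.0 file
# with a FileItem and a ProcessItem indicator, run the IOC Scan task on the
# folder that holds it, and map the documented IOCSCAN return values.
# Assumes avp.com is on %PATH%; the ids, hash and process name are placeholders.
$iocDir = Join-Path $env:TEMP 'ioc-scan-example'
New-Item -ItemType Directory -Path $iocDir -Force | Out-Null

# The ioc id and <description> are the header fields IOCSCAN reports on a match.
@'
<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed example IOC</short_description>
  <description>Placeholder file hash OR placeholder process name</description>
  <authored_date>2024-01-01T00:00:00</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="00000000-0000-4000-8000-000000000002">
      <IndicatorItem id="00000000-0000-4000-8000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <IndicatorItem id="00000000-0000-4000-8000-000000000004" condition="is">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir" />
        <Content type="string">placeholder-process.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
'@ | Set-Content -Path (Join-Path $iocDir 'example.ioc') -Encoding Ascii

# Enable only the data types this IOC document uses (ProcessItem, FileItem) and
# keep the FileItem scope to critical areas; other data types stay at defaults.
& avp.com IOCSCAN "/path=$iocDir" /process=on /files=on /drives=critical
$rc = $LASTEXITCODE

# Return values as documented for the IOCSCAN command.
switch ($rc) {
    0       { 'Command completed; any matched indicators were printed above.' }
    -1      { 'IOCSCAN is not supported by the installed application version.' }
    1       { 'A mandatory argument was not passed.' }
    2       { 'A general error occurred.' }
    4       { 'Syntax error in the command line.' }
    default { "Unexpected return value: $rc" }
}
exit $rc
```

Because the script propagates the IOCSCAN return value with `exit $rc`, it can be scheduled or called from a response playbook that branches on the exit code.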