About response actions for commands

When interacting with the Kaspersky Endpoint Detection and Response Optimum solution, Kaspersky Industrial CyberSecurity for Linux Nodes can perform response actions to provide security functions.

Kaspersky Industrial CyberSecurity for Linux Nodes can perform the following response actions:

• Get files from devices.

  This action is performed using the Get file task. For example, you can configure the application to get an event log file generated by a third-party program.

• Delete files from devices.

  This action is performed using the Delete file task.

• Remotely run processes on devices.

  This action is performed using the Run process task.

  For example, you can remotely run a utility that creates a device configuration file, and then get the created file with the Get file task.

• Remotely terminate processes on devices.

  The action is performed using the Terminate process task.

  For example, you can remotely terminate an Internet speed test utility that was launched using the "Run process" task.

• Detect Indicators of Compromise on devices and perform threat response actions.

  An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device (compromised data). For example, an indicator of compromise could be a high number of failed login attempts.

  This action is performed using the IOC Scan task.

  The IOC Scan task checks for IOC terms (properties of IOC objects, for example, a file hash) only in the operating system's main namespace. The IOC Scan task does not calculate the hash of files larger than 200 MB.

• Enable or disable network isolation of the device.

  When Kaspersky Endpoint Detection and Response Optimum is interacting with Kaspersky Endpoint Detection and Response Optimum, you can:

  • Enable or disable network isolation in the Web Console.
  • Disable network isolation in the command line.
  • Configure automatic disabling of network isolation in the Web Console.

Network isolation limitations

When you use network isolation, we strongly recommended that you familiarize yourself with the limitations described below.

For network isolation to work, the Kaspersky Industrial CyberSecurity for Linux Nodes application must be running. If Kaspersky Industrial CyberSecurity for Linux Nodes malfunctions (the application is not running), traffic blocking is not guaranteed when network isolation is enabled by Kaspersky Endpoint Detection and Response Optimum.

Transit traffic with network isolation enabled is supported with limitations and may be filtered.

DHCP and DNS are not automatically added to network isolation exclusions, so if the network address of a resource is changed during network isolation, Kaspersky Industrial CyberSecurity for Linux Nodes will not be able to access it.

The proxy server is also not automatically added to the network isolation exclusions; if necessary, you can add it to the exclusions manually.

Adding a process to network isolation and excluding a process from network isolation by name is not supported.

When using network isolation, it is recommended to:

• Use a KSN proxy server to interact with Kaspersky Security Network.
• Use Kaspersky Security Center as a proxy server for application activation.

  If it is impossible to use Kaspersky Security Center as a proxy server, configure the settings of the required proxy server and add it to the exclusions.

• Specify Kaspersky Security Center as the database update source.

Page top