Kaspersky Sandbox

Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Kaspersky Endpoint Agent can perform Threat Response actions in response to threats detected by Kaspersky Sandbox.

You can configure the following types of actions:

  • Local actions are performed on each workstation where the threat is detected.
  • Group actions are performed on all workstations in the administration group for which you are configuring the policy.

Local actions:

  • Quarantine and delete.

    If a threat is detected on a workstation, a copy of the object containing the threat is placed in Quarantine, and the object is deleted from the workstation.

  • Notify workstation user.

    If a threat is detected on a workstation, the user of the workstation will be notified about the detected threat.

    The notification is displayed if the workstation is powered on, and the same user account under which the threat was detected is logged in.

    If the workstation is powered down or a different user account is logged in, the notification is not displayed.

  • Push Endpoint Protection Platform (EPP) scanning on critical areas.

    If a threat is detected on a workstation, Kaspersky Endpoint Agent instructs the EPP application (Kaspersky Endpoint Security for Windows) to scan critical areas of that workstation. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For details about configuring scan settings, see the documentation of the EPP you are using.

Group actions:

  • Run IOC scanning on a managed group of hosts.

    If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Agent scans all workstations in the administration group, looking for objects that contain the detected threat.

  • Quarantine and delete after IOC is found.

    If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Agent scans all workstations in the administration group, looking for objects that contain the detected threat. If Kaspersky Endpoint Agent detects an object containing the threat on any workstations in this administration group, a copy of the object is placed in Quarantine, and the object is deleted from the workstations.

  • Push Endpoint Protection Platform (EPP) scanning on critical areas after IOC is found.

    If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Agent instructs the EPP application to scan critical areas on every workstation in the administration group on which Kaspersky Endpoint Agent finds an object containing the threat. Workstations on which no matching object is found are not scanned. For details about configuring scan settings, see the documentation of the EPP you are using.

To configure group Threat Response actions, you must configure user permissions for the Kaspersky Security Center (KSC) user accounts that you want to use to manage IOC scanning tasks. Because group actions run on every workstation in the administration group, use a dedicated account for this purpose and grant it only the permissions needed to manage IOC scanning tasks.

If you configure Threat Response actions, keep in mind that the Quarantine and delete action and the Quarantine and delete after IOC is found action remove the detected object from every workstation where it is found. If a detection turns out to be a false positive, the object can only be recovered from Quarantine, so configure Quarantine and make sure restoration works before enabling these actions (see Configuring Quarantine settings and restoration of objects from Quarantine).
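The following script is an added illustration of the group action flow described above (Run IOC scanning on a managed group of hosts, then Quarantine and delete after IOC is found) and of why the deletion caveat matters. It is not Kaspersky Endpoint Agent code and uses none of its interfaces: the three "workstations", the file names and the sample object are all constructed in a temporary directory, and a SHA-256 hash stands in for the IOC. The point it makes beyond the text is that a response that deletes objects should verify the Quarantine copy before it deletes, so that a false positive can always be restored.

```python
"""Model of a group Threat Response: IOC scan across a host group, then
quarantine-and-delete on every host where the IOC matches.

Added example only: not Kaspersky Endpoint Agent code. Hosts, paths and the
sample object are constructed; the IOC is a SHA-256 of the detected object.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for the object Kaspersky Sandbox flagged and for a benign file.
MALICIOUS_BLOB = b"MZ\x90\x00 constructed sample, not real malware"
CLEAN_BLOB = b"hello, benign file"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large objects do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_lab(root: Path) -> dict[str, Path]:
    """Three fake workstations: host-a is where the detection happened, host-c
    holds a renamed copy of the same object, host-b is clean (all constructed)."""
    hosts = {name: root / name for name in ("host-a", "host-b", "host-c")}
    for base in hosts.values():
        downloads = base / "Users" / "alice" / "Downloads"
        downloads.mkdir(parents=True)
        (downloads / "notes.txt").write_bytes(CLEAN_BLOB)
    (hosts["host-a"] / "Users" / "alice" / "Downloads" / "invoice.exe").write_bytes(MALICIOUS_BLOB)
    (hosts["host-c"] / "Users" / "alice" / "Downloads" / "setup_v2.exe").write_bytes(MALICIOUS_BLOB)
    return hosts


def ioc_scan(hosts: dict[str, Path], ioc_sha256: str) -> dict[str, list[Path]]:
    """Group step 1: look on every host in the group for objects matching the IOC."""
    hits: dict[str, list[Path]] = {}
    for name, base in hosts.items():
        matches = [p for p in sorted(base.rglob("*")) if p.is_file() and sha256_of(p) == ioc_sha256]
        if matches:
            hits[name] = matches
    return hits


def quarantine_and_delete(host: str, obj: Path, quarantine_root: Path) -> Path:
    """Group step 2: copy the object into Quarantine, verify the copy, only then delete.
    If the copy cannot be verified the object is left in place, so nothing is lost."""
    qdir = quarantine_root / host
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(obj)
    copy = qdir / f"{digest}.bin"
    shutil.copy2(obj, copy)
    if sha256_of(copy) != digest:
        copy.unlink(missing_ok=True)
        raise RuntimeError(f"{host}: quarantine copy of {obj} failed verification; object NOT deleted")
    # Manifest records where each copy came from so it can be restored to the right path.
    with (qdir / "manifest.jsonl").open("a") as m:
        m.write(json.dumps({"host": host, "original_path": str(obj), "sha256": digest}) + "\n")
    obj.unlink()
    return copy


def respond_to_detection(hosts: dict[str, Path], ioc_sha256: str, quarantine_root: Path) -> dict[str, list[str]]:
    """Quarantine and delete after IOC is found, across the whole group."""
    return {
        host: [str(quarantine_and_delete(host, o, quarantine_root)) for o in objs]
        for host, objs in ioc_scan(hosts, ioc_sha256).items()
    }


def run_demo() -> dict:
    """Stand up the lab, run the group response, report what happened, clean up."""
    root = Path(tempfile.mkdtemp(prefix="ksb-lab-"))
    try:
        hosts = build_lab(root)
        ioc = sha256_of(hosts["host-a"] / "Users" / "alice" / "Downloads" / "invoice.exe")
        quarantined = respond_to_detection(hosts, ioc, root / "quarantine")
        remaining = {name: len(ioc_scan({name: base}, ioc).get(name, [])) for name, base in hosts.items()}
        copies_ok = all(sha256_of(Path(c)) == ioc for copies in quarantined.values() for c in copies)
        return {"ioc": ioc, "quarantined": {h: len(v) for h, v in quarantined.items()},
                "remaining": remaining, "copies_ok": copies_ok}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script shows one object quarantined and deleted on host-a and on host-c, nothing touched on host-b, and every Quarantine copy hashing to the IOC. The order in quarantine_and_delete (copy, verify, record, delete) is the design choice to carry over: a response that deletes before it has a verified copy turns a false positive into data loss.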

See also

Installing Kaspersky Endpoint Agent

Installing the Kaspersky Endpoint Agent management plug-in

Creating a Kaspersky Endpoint Agent policy

Enabling settings in the Kaspersky Endpoint Agent policy

Configuring Kaspersky Endpoint Agent security settings

Configuring proxy server connection settings

Configuring the usage of Kaspersky Security Network

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Configuring Quarantine settings and restoration of objects from Quarantine

Configuring data synchronization with the Administration Server

Managing Kaspersky Endpoint Agent tasks

Managing the Kaspersky Endpoint Agent application using the command line interface

In this Help section

Enabling and disabling Threat Response actions

Adding Threat Response actions to the action list of the current policy

Authentication for Threat Response group tasks at the Administration Server

Protection of workstations from legitimate applications that can be exploited by adversaries

Configuring the running of IOC scanning tasks