Configuring the running of IOC scanning tasks

If Kaspersky Sandbox detects a threat, Kaspersky Endpoint Agent automatically creates IOC scanning tasks (based on the MD5 hashes of the objects in which the threat was found) for all workstations.

To view the list of tasks on the Kaspersky Security Center server:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

A list of tasks appears.

You can configure the running of such tasks.

To configure the running of IOC scanning tasks:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select the necessary policy and double-click it to open its properties.
  4. Under Kaspersky Sandbox integration, select Threat response.
  5. Under Additional, click Configure.

    The IOC scanning settings window opens.

  6. Under Scanning area, select one of the following areas for Kaspersky Endpoint Agent to scan for IOCs:
    • File areas, containing system drives.
    • Critical file areas.
  7. Under Scan start, select one of the following options for running IOC scanning tasks:
    • Manual start.

      IOC scanning tasks are created automatically but are not run. You can run each task or all tasks manually.

    • Immediately on a Kaspersky Sandbox detect.

      IOC scanning tasks are automatically created and run.

    • Start within the specified period.

      IOC scanning tasks are created automatically and run during the specified period, for example, outside of working hours from 8:00 p.m. to 7:00 a.m.

      If you select the Start within the specified period option, in the Period start time (hh:mm) and Period end time (hh:mm) fields, configure the start and end times of the period.

      All IOC scanning tasks automatically created BEFORE the specified start time of the period are run at an arbitrary time DURING the specified period.

      All IOC scanning tasks automatically created DURING the specified period are launched immediately.

      All IOC scanning tasks automatically created AFTER the specified start time of the period are launched on the following day.

    Example:

    You configured the tasks to run during the specified period from 8:00 p.m. to 7:00 a.m.:

    Tasks automatically created at 7:00 p.m. are launched at an arbitrary time from 8:00 p.m. to 7:00 a.m.

    Tasks automatically created at 9:00 p.m. are run at 9:00 p.m.

    Tasks automatically created at 10:00 p.m. are run on the following day from 8:00 p.m. to 7:00 a.m.

  8. Click OK.

    The IOC scanning settings window closes.

  9. In the upper right corner of the settings group, move the toggle switch from Unaffected by policy to Under policy.
  10. Click Apply and OK.

The running of IOC scanning tasks is configured.
