Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Kaspersky Endpoint Agent can perform Threat Response actions in response to threats detected by Kaspersky Sandbox.

You can configure the following types of actions:

• Local actions are performed on each workstation where the threat is detected.
• Group actions are performed on all workstations in the administration group for which you are configuring the policy.

Local actions:

• Quarantine and delete.

  If a threat is detected on a workstation, a copy of the object containing the threat is placed in Quarantine, and the object is deleted from the workstation.

• Notify device user.

  If a threat is detected on a device, a notification about the detected threat is displayed to the user of the device.

  The notification is displayed if the same user account under which the threat was detected is currently logged in to the device. If the device is powered down or a different user account is logged in, the notification is not displayed.

• Run Endpoint Protection Platform scan of critical areas on the device

  If a threat is detected on a Kaspersky Endpoint Agent host, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas of the device. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For more details on configuring the scan, refer to the documentation of the EPP you are using.

Group actions:

• Run IOC Scan on a managed group of devices.

  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat.

• Quarantine and delete when IOC is found.

  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat. When an object which contains a threat is detected on devices of this administration group, a copy of the object containing the threat is quarantined, and the object is deleted from the device.

• Run Endpoint Protection Platform scan of critical areas on the device when IOC is found.

  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas on all administration group's devices where the object containing the threat was detected. For more details on configuring the scan, refer to the documentation of the EPP you are using.

To configure group Threat Response actions, you must configure permissions for Kaspersky Security Center Web Console users accounts that you want to use to manage IOC scanning tasks.

If you configure Threat Response actions, keep in mind that execution of some of the configured actions can result in the threatening object being deleted from the workstation where it was detected.

See also Getting started with Kaspersky Endpoint Agent Configuring Kaspersky Endpoint Agent security settings Configuring proxy server connection settings Configuring the usage of Kaspersky Security Network Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox Configuring Quarantine settings and restoration of objects from Quarantine Configuring data synchronization with the Administration Server Managing Kaspersky Endpoint Agent tasks

In this Help section Enabling and disabling Threat Response actions for threats detected by Kaspersky Sandbox Adding Threat Response actions to the action list of the current policy Authentication for Threat Response group tasks at the Administration Server Enabling detection of legitimate applications that can be used by cybercriminals Configuring the running of IOC scanning tasks

Page top