Configuring Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox

Kaspersky Endpoint Security can perform Threat Response actions in response to threats detected by Kaspersky Sandbox.

You can configure the following types of actions:

• Local actions are performed on each workstation where the threat is detected.
• Group actions are performed on all workstations in the administration group for which you are configuring the policy.

Local actions:

• Move copy to Quarantine, delete object.

  If a threat is detected on a workstation, a copy of the object containing the threat is placed in Quarantine, and the object is deleted from the workstation.

• Run Critical Areas Scan.

  If a threat is detected on a workstation, Kaspersky Endpoint Security scans critical areas of that workstation. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For details about configuring scan settings, see the Kaspersky Endpoint Security for Windows Online Help.

Group actions:

• Create IOC scanning task.

  If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat.

• If IOC is detected, move its copy to Quarantine and delete the object.

  If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. If Kaspersky Endpoint Security detects an object containing the threat on any workstations in this administration group, a copy of the object is placed in Quarantine, and the object is deleted from the workstations.

• Run Critical Areas Scan on IOC detection.

  If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. For details about configuring scan settings, see the Kaspersky Endpoint Security for Windows Online Help.

To configure group Threat Response actions, you must configure permissions for Kaspersky Security Center Web Console users accounts that you want to use to manage IOC scanning tasks.

If you configure Threat Response actions, keep in mind that execution of some of the configured actions can result in the threatening object being deleted from the workstation where it was detected.

See also Getting started with Kaspersky Endpoint Security Configuring the proxy server connection Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox Managing stand-alone IOC scanning tasks Configuring Quarantine settings Configuring data synchronization with the Administration Server Monitoring the results of sending objects for scanning by Kaspersky Sandbox and running IOC scanning tasks

In this Help section Configuring Threat Response actions Configuring the running of IOC scanning tasks

Page top