About the Kaspersky Sandbox solution

This section contains information about the Kaspersky Sandbox 2.0 solution.

Kaspersky Sandbox solution detects and automatically blocks advanced threats on workstations and servers of an organization.

The solution is developed for corporate users.

Architecture of the solution

The Kaspersky Sandbox solution consists of:

• The Kaspersky Sandbox application – the server part of the solution. Kaspersky Sandbox is installed on one or more servers in your corporate LAN. Servers can be combined into a cluster. On Kaspersky Sandbox servers, virtual images of Microsoft® Windows® operating systems are deployed for running the objects that need to be scanned. Kaspersky Sandbox analyzes the behavior of the objects to detect malicious activity and advanced threats in the corporate IT infrastructure.
• Kaspersky Security Center applications with Web Console. The Kaspersky Security Center application allows managing the solution in a centralized fashion and configuring it using a unified web interface.
• Workstation protection applications (Endpoint Protection Platform, hereinafter also referred to as "EPP") compatible with Kaspersky Sandbox. EPP applications are installed on workstations on your corporate LAN and provides comprehensive protection of workstations from various threats, network and fraud attacks, as well as performs Automatic Threat Response actions configured in Kaspersky Security Center policies.

  EPP applications include: Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Server, and Kaspersky Security for Virtualization Light Agent. Kaspersky Security for Windows Server and Kaspersky Security for Virtualization Light Agent do not have built-in support for Kaspersky Sandbox.

• Kaspersky Endpoint Agent applications. Kaspersky Endpoint Agent provides interaction between Kaspersky Sandbox and EPP applications that do not have built-in Kaspersky Sandbox support, as well as automatic Threat Response actions in response to threats detected by Kaspersky Sandbox.

Operating principle of the solution

When using an EPP application with built-in Kaspersky Sandbox support (Kaspersky Endpoint Security), the solution works as follows:

1. When the object is accessed on the workstation (an executable file is run, or a document, for example, DOCX or PDF, is opened), Kaspersky Endpoint Security decides whether an additional scan of the object using Kaspersky Sandbox is necessary.
2. If Kaspersky Endpoint Security decides to proceed with the additional scan of the object using Kaspersky Sandbox, it checks if the object was recently scanned in Kaspersky Sandbox. Kaspersky Endpoint Security blocks access to the object until it receives scan results.
   • If the object was recently scanned, Kaspersky Endpoint Security sends the scan results to Kaspersky Sandbox.

     If the object presents a threat, Kaspersky Endpoint Security performs Threat Response actions configured in the Kaspersky Security Center policy.

   • If the object was not scanned or was scanned a long time ago, Kaspersky Endpoint Security sends the object for scanning to Kaspersky Sandbox. Kaspersky Endpoint Security allows access to the object.
3. Kaspersky Sandbox scans the object and sends the object scan result to Kaspersky Endpoint Security. If the object presents a threat, Kaspersky Endpoint Security performs Threat Response actions configured in the Kaspersky Security Center policy.

When using EPP applications without built-in Kaspersky Sandbox support, the solution works as follows:

1. When an object on the workstation is being accessed, the EPP application makes a decision to perform an additional scan of the object using Kaspersky Sandbox.
2. If the EPP application decides to perform an extra scan of the object using Kaspersky Sandbox, it sends an object scan request to the Kaspersky Endpoint Agent application. EPP blocks access to the object until it receives scan results from Kaspersky Endpoint Agent.
3. Kaspersky Endpoint Agent checks if the object was recently scanned in Kaspersky Sandbox.
   • If the object was recently scanned, Kaspersky Endpoint Agent sends the scan results to EPP. If the object presents a threat, Threat Response actions configured in the EPP are performed.

     For details about configuring actions, see the documentation of the EPP you are using.

   • If the object was not scanned or was scanned a long time ago, Kaspersky Endpoint Agent tells EPP that it could not find data about the object and sends the object for scanning to Kaspersky Sandbox. The EPP application allows access to the object.
4. Kaspersky Sandbox scans the objects and sends the scan results to Kaspersky Endpoint Agent. If the object presents a threat, Kaspersky Endpoint Agent performs Threat Response actions configured in the Kaspersky Security Center policy.

Time after which the object is not considered recently scanned is preset based on the experience of Kaspersky virus analysts.

Information about detected threats is stored in Kaspersky Sandbox until the application databases are updated.

Managing the solution

To ensure correct operation of Kaspersky Sandbox, depending on your configuration of the solution, you must make changes to the configuration of Kaspersky Sandbox and Kaspersky Endpoint Security or Kaspersky Sandbox and Kaspersky Endpoint Agent.

Kaspersky Sandbox can be configured in the web interface of the application. You can also remotely manage Kaspersky Sandbox settings in Kaspersky Security Center Web Console. For example, you can configure the display of Kaspersky Sandbox server status on the dashboard of Kaspersky Security Center Web Console or view the threats report.

Kaspersky Endpoint Security can be configured in Kaspersky Security Center Web Console. For example, you can:

• Edit the settings of the application by creating a Kaspersky Endpoint Security policy.

  For details on policy creation, refer to Kaspersky Endpoint Security for Windows Help.

• Configure Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox.
• Configure stand-alone IOC scanning tasks.
• View information for IOC detections.
• Manage Quarantine settings.

You can configure Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console, Kaspersky Security Center Web Console, Kaspersky Security Center Cloud Console, or the command line. For example, you can:

• Edit the settings of the application by creating a Kaspersky Endpoint Agent policy.

  For details on policy creation, refer to Kaspersky Endpoint Agent 3.13 for Windows Help.

• Configure Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox.
• Manage tasks.
• Manage Quarantine settings.

Page top