Kaspersky Sandbox

Contents

Kaspersky Sandbox Online Help

See also

About the Kaspersky Sandbox solution

About the Kaspersky Sandbox application

About data provision

Installing and performing initial configuration of the solution

Installing the Kaspersky Sandbox application

Scaling Kaspersky Sandbox

Getting started with Kaspersky Sandbox

Managing the Kaspersky Sandbox application using the web interface

Managing Kaspersky Sandbox using Kaspersky Security Center Web Console

Managing Kaspersky Endpoint Security for Windows

Managing Kaspersky Endpoint Agent for Windows

Interaction with external systems using the API

Multitenancy

Contacting the Technical Support Service

Basic concepts of Kaspersky Security Center relevant to managing the solution using KSC

Information about third-party code

Trademark notices

About the Kaspersky Sandbox solution

This section contains information about the Kaspersky Sandbox 2.0 solution.

The Kaspersky Sandbox solution detects and automatically blocks advanced threats on the workstations and servers of an organization.

The solution is developed for corporate users.

Architecture of the solution

The Kaspersky Sandbox solution consists of:

  • The Kaspersky Sandbox application – the server part of the solution. Kaspersky Sandbox is installed on one or more servers in your corporate LAN. Servers can be combined into a cluster. On Kaspersky Sandbox servers, virtual images of Microsoft Windows operating systems are deployed for running the objects that need to be scanned. Kaspersky Sandbox analyzes the behavior of the objects to detect malicious activity and advanced threats in the corporate IT infrastructure.
  • Kaspersky Security Center applications with Web Console. The Kaspersky Security Center application allows managing the solution in a centralized fashion and configuring it using a unified web interface.
  • Workstation protection applications (Endpoint Protection Platform, hereinafter also referred to as "EPP") compatible with Kaspersky Sandbox. EPP applications are installed on workstations on your corporate LAN, provide comprehensive protection of workstations from various threats, including network and fraud attacks, and perform the Automatic Threat Response actions configured in Kaspersky Security Center policies.

    EPP applications include: Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Server, and Kaspersky Security for Virtualization Light Agent. Kaspersky Security for Windows Server and Kaspersky Security for Virtualization Light Agent do not have built-in support for Kaspersky Sandbox.

  • Kaspersky Endpoint Agent applications. Kaspersky Endpoint Agent provides interaction between Kaspersky Sandbox and EPP applications that do not have built-in Kaspersky Sandbox support, and performs automatic Threat Response actions in response to threats detected by Kaspersky Sandbox.

Operating principle of the solution

When using an EPP application with built-in Kaspersky Sandbox support (Kaspersky Endpoint Security), the solution works as follows:

  1. When the object is accessed on the workstation (an executable file is run, or a document, for example, DOCX or PDF, is opened), Kaspersky Endpoint Security decides whether an additional scan of the object using Kaspersky Sandbox is necessary.
  2. If Kaspersky Endpoint Security decides to proceed with the additional scan of the object using Kaspersky Sandbox, it checks if the object was recently scanned in Kaspersky Sandbox. Kaspersky Endpoint Security blocks access to the object until it receives scan results.
    • If the object was recently scanned, Kaspersky Endpoint Security sends the scan results to Kaspersky Sandbox.

      If the object presents a threat, Kaspersky Endpoint Security performs Threat Response actions configured in the Kaspersky Security Center policy.

    • If the object was not scanned or was scanned a long time ago, Kaspersky Endpoint Security sends the object for scanning to Kaspersky Sandbox. Kaspersky Endpoint Security allows access to the object.
  3. Kaspersky Sandbox scans the object and sends the object scan result to Kaspersky Endpoint Security. If the object presents a threat, Kaspersky Endpoint Security performs Threat Response actions configured in the Kaspersky Security Center policy.

When using EPP applications without built-in Kaspersky Sandbox support, the solution works as follows:

  1. When an object on the workstation is being accessed, the EPP application makes a decision to perform an additional scan of the object using Kaspersky Sandbox.
  2. If the EPP application decides to perform an extra scan of the object using Kaspersky Sandbox, it sends an object scan request to the Kaspersky Endpoint Agent application. EPP blocks access to the object until it receives scan results from Kaspersky Endpoint Agent.
  3. Kaspersky Endpoint Agent checks if the object was recently scanned in Kaspersky Sandbox.
    • If the object was recently scanned, Kaspersky Endpoint Agent sends the scan results to EPP. If the object presents a threat, Threat Response actions configured in the EPP are performed.

      For details about configuring actions, see the documentation of the EPP you are using.

    • If the object was not scanned or was scanned a long time ago, Kaspersky Endpoint Agent tells EPP that it could not find data about the object and sends the object for scanning to Kaspersky Sandbox. The EPP application allows access to the object.
  4. Kaspersky Sandbox scans the object and sends the scan results to Kaspersky Endpoint Agent. If the object presents a threat, Kaspersky Endpoint Agent performs Threat Response actions configured in the Kaspersky Security Center policy.

The time after which an object is no longer considered recently scanned is preset based on the experience of Kaspersky virus analysts.

Information about detected threats is stored in Kaspersky Sandbox until the application databases are updated.
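The endpoint-side decision flow described above, modeled as an added Python example (not Kaspersky's code): a verdict cache with a freshness window, the first access of an unknown object being allowed while the sandbox scans it, and Threat Response applied when the verdict arrives or on a later access. The window length, the object names and the threat list are constructed assumptions; the real interval is preset by Kaspersky, and the blocking wait during the cache lookup is collapsed into a single call.

```python
"""Model of the endpoint-side decision flow from 'Operating principle of the solution'.
Added illustration, not Kaspersky code. RECENT_WINDOW, object names and the
sandbox's threat list are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Seconds after which a stored verdict no longer counts as "recently scanned".
# Assumption for the model; the real value is preset by Kaspersky.
RECENT_WINDOW = 3600.0


@dataclass
class Verdict:
    is_threat: bool
    scanned_at: float


@dataclass
class SandboxServer:
    """Stand-in for the Kaspersky Sandbox server: receives objects, returns verdicts."""
    known_threats: Set[str]          # constructed: object ids the sandbox will flag
    queue: List[str] = field(default_factory=list)

    def submit(self, object_id: str) -> None:
        self.queue.append(object_id)

    def deliver_results(self, now: float) -> Dict[str, Verdict]:
        """Return verdicts for everything submitted since the last delivery."""
        results = {o: Verdict(o in self.known_threats, now) for o in self.queue}
        self.queue.clear()
        return results


@dataclass
class EndpointAgent:
    """Stand-in for Kaspersky Endpoint Security (built-in support); with Kaspersky
    Endpoint Agent in the middle the cache logic is the same."""
    sandbox: SandboxServer
    cache: Dict[str, Verdict] = field(default_factory=dict)
    responses: List[str] = field(default_factory=list)   # Threat Response actions taken

    def on_access(self, object_id: str, now: float) -> Tuple[str, str]:
        """Decide access for an object being run or opened; returns (decision, reason)."""
        verdict = self.cache.get(object_id)
        if verdict is not None and now - verdict.scanned_at <= RECENT_WINDOW:
            # Recently scanned: reuse the stored result.
            if verdict.is_threat:
                self.responses.append(object_id)
                return "blocked", "cached verdict: threat"
            return "allowed", "cached verdict: clean"
        # Not scanned, or scanned too long ago: send for scanning and allow
        # access in the meantime (the window a defender should be aware of).
        self.sandbox.submit(object_id)
        return "allowed", "sent to sandbox, result pending"

    def on_results(self, now: float) -> List[str]:
        """Receive scan results; apply Threat Response for objects found to be threats."""
        detected = []
        for object_id, verdict in self.sandbox.deliver_results(now).items():
            self.cache[object_id] = verdict
            if verdict.is_threat:
                self.responses.append(object_id)
                detected.append(object_id)
        return detected
```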

Managing the solution

To ensure correct operation of Kaspersky Sandbox, depending on your configuration of the solution, you must make changes to the configuration of Kaspersky Sandbox and Kaspersky Endpoint Security or Kaspersky Sandbox and Kaspersky Endpoint Agent.

Kaspersky Sandbox can be configured in the web interface of the application. You can also remotely manage Kaspersky Sandbox settings in Kaspersky Security Center Web Console. For example, you can configure the display of Kaspersky Sandbox server status on the dashboard of Kaspersky Security Center Web Console or view the threats report.

Kaspersky Endpoint Security can be configured in Kaspersky Security Center Web Console. For example, you can:

You can configure Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console, Kaspersky Security Center Web Console, Kaspersky Security Center Cloud Console, or the command line. For example, you can:

Components of the solution

The Kaspersky Sandbox 2.0 solution includes the following applications:

  • Kaspersky Sandbox 2.0.
  • EPP applications: Kaspersky Endpoint Security 11.7 or later for Windows, Kaspersky Security for Windows Server 11.0.1, Kaspersky Security for Virtualization 5.2 Light Agent.
  • Kaspersky Endpoint Agent 3.13 for Windows.
  • Kaspersky Security Center Web Console 13.2 or later.

The Kaspersky Sandbox 2.0 and Kaspersky Endpoint Security for Windows distribution kit also includes web plug-ins for managing applications using Kaspersky Security Center Web Console.

To manage Kaspersky Endpoint Security and Kaspersky Endpoint Agent using the Kaspersky Security Center Web Console, it is recommended to use the web plug-in of the corresponding version. Otherwise you will not be able to manage some features of the applications using Kaspersky Security Center Web Console.

Updating the solution

To update the solution, you must first update all Kaspersky Security Center components including the Network Agent on user computers and Web Console to version 13.2 or later. If you are using Kaspersky Security Center Cloud Console, you only need to update the Network Agent.

Updating the solution when using EPP applications with built-in Kaspersky Sandbox support

When using EPP applications with built-in Kaspersky Sandbox support, updating Kaspersky Sandbox 2.0 involves the following steps:

  1. Updating the Kaspersky Sandbox application

    The application does not have a standard upgrade procedure. You must remove the 1.0 version and then install the 2.0 version.

  2. Installing the new version of web plug-ins

    Install Kaspersky Sandbox and Kaspersky Endpoint Security for Windows web plug-ins for Kaspersky Security Center Web Console with support for Kaspersky Sandbox 2.0 functionality.

    For details about installing the Kaspersky Endpoint Security web plug-in, see the Online Help of Kaspersky Endpoint Security 11.7 and later for Windows.

  3. Completing the steps of the Policy and Task Migration Wizard

    Run the Kaspersky Security Center Policy and Task Migration Wizard and complete all steps of the wizard.

    After completing the migration, make sure that policies of Kaspersky Endpoint Security for Windows have correct addresses for Kaspersky Sandbox 2.0 servers.

    For details about migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security, see the Migrating the [KES+KEA] configuration to [KES+built-in agent] configuration section in the Kaspersky Endpoint Security for Windows Help.

  4. Updating Kaspersky Endpoint Security

    Update Kaspersky Endpoint Security to the version that supports Kaspersky Sandbox 2.0 functionality on devices that you want to protect.

    Kaspersky Endpoint Security for Windows supports integration starting with version 11.7. For details on the supported versions of the applications, refer to the Hardware and Software Requirements section.

    For information about the update, see the Online Help of Kaspersky Endpoint Security for Windows 11.7 or later. You do not have to re-activate the application after the update.

Updating the solution when using EPP applications without built-in Kaspersky Sandbox support

When using EPP applications without built-in Kaspersky Sandbox support, updating Kaspersky Sandbox 2.0 involves the following steps:

  1. Updating the Kaspersky Sandbox application

    The application does not have a standard upgrade procedure. You must remove the 1.0 version and then install the 2.0 version.

  2. Installing the new version of web plug-ins

    Install Kaspersky Sandbox and Kaspersky Endpoint Agent web plug-ins for Kaspersky Security Center Web Console with support for Kaspersky Sandbox 2.0 functionality.

    For details about installing the Kaspersky Endpoint Agent web plug-in, see Kaspersky Endpoint Agent 3.13 for Windows Online Help.

  3. Updating Kaspersky Endpoint Agent

    Update Kaspersky Endpoint Agent to the version that supports Kaspersky Sandbox 2.0 functionality on devices that you want to protect.

    For information about the update, see Kaspersky Endpoint Agent 3.13 for Windows Online Help. You do not have to re-activate the application after the update.

Configurations of the solution

Kaspersky Sandbox can be set up in the following configurations:

  • Kaspersky Sandbox 1.0.

    The solution consists of:

    • Kaspersky Sandbox 1.0 applications.
    • Kaspersky Endpoint Agent 3.7 to 3.11 for Windows.
    • EPP applications: Kaspersky Endpoint Security versions 11.2 to 11.6 for Windows, Kaspersky Security for Windows Server 11 and Kaspersky Security for Virtualization Light Agent 5.2.
    • Kaspersky Security Center applications 11, 12, 12.2.

      For more details about the principle of operation of Kaspersky Sandbox 1.0, see Kaspersky Sandbox 1.0 Online Help.

      Kaspersky Sandbox 1.0 does not support integration with Kaspersky Endpoint Security 11.7 and later for Windows.

  • Kaspersky Sandbox 2.0.

    The solution consists of:

    • Kaspersky Sandbox 2.0 applications.
    • EPP applications with built-in Kaspersky Sandbox support: Kaspersky Endpoint Security 11.7 and later for Windows.
    • EPP applications without built-in Kaspersky Sandbox support: Kaspersky Security for Windows Server 11.0.1, Kaspersky Security for Virtualization 5.2 Light Agent.
    • Kaspersky Endpoint Agent 3.13 for Windows.

      The application provides Kaspersky Sandbox support for EPP applications that do not have built-in support of the solution.

    • Applications of Kaspersky Security Center Web Console 13.2 or later.

The Kaspersky Sandbox solution can also function as a component of the Kaspersky Detection and Response Optimum solution. In that case, for synchronous detections by Kaspersky Sandbox you can open detection details provided by the functionality of Kaspersky Detection and Response Optimum. For details about the Kaspersky Detection and Response Optimum solution, see online help of the solution.

When using different versions of Kaspersky Detection and Response Optimum and Kaspersky Sandbox within the same infrastructure, you must provision a standalone Kaspersky Sandbox 1.0 server for workstations that remain protected by Kaspersky Endpoint Detection and Response Optimum 1.1 or older versions, and a separate Kaspersky Sandbox 2.0 server for workstations that are protected by Kaspersky Endpoint Detection and Response Optimum 2.0.

If you are using multiple Kaspersky Sandbox servers, you can combine these servers into a cluster to improve the performance of Kaspersky Sandbox. The versions of Kaspersky Sandbox on the servers you want to combine into a cluster must be identical.

About the Kaspersky Sandbox application

This section contains information about the Kaspersky Sandbox 2.0 application.

What's New

Kaspersky Sandbox 2.0 introduces the following changes:

  1. The user interface was updated.
  2. The application can now be used on a subscription basis.

    When you subscribe to Kaspersky Sandbox, you place an order for the right to use the application with selected parameters (subscription expiration date, the number of protected devices).

  3. You can also activate the application using an activation code.
  4. You can now receive notification about anti-virus databases becoming out of date.

    The databases are considered out of date after 14 days of no updates. The notifications are displayed in the web interface of Kaspersky Sandbox.

  5. Objects can now be scanned in the Windows 10 operating system (64-bit) in addition to Windows 7.

    If a virtual machine with a Windows 10 image is installed, Kaspersky Sandbox analyzes the properties of the file and selects the optimum operating system image for scanning the file.

  6. The threat detection engine is improved.
  7. You can now manage the Kaspersky Sandbox application using the Kaspersky Security Center Web Console web plug-in.
  8. Kaspersky Sandbox now supports multitenancy.

    Multitenancy lets you use the application to protect the infrastructure of multiple organizations simultaneously. To use Kaspersky Sandbox in multitenancy mode, you will need Kaspersky Security Center.

  9. Kaspersky Sandbox can now integrate with Kaspersky Endpoint Security for Windows.

Distribution kit

The Kaspersky Sandbox application distribution kit contains the following files:

  1. Disk image (file with the "iso" extension) with installation files of the CentOS 7.9 operating system and the Kaspersky Sandbox application, as well as a file with information about third-party code used in Kaspersky Sandbox.
  2. Disk images (.iso files) of the following operating systems:
    • Windows 7 (64-bit).
    • Windows 10 (64-bit).

    Operating system images are supplied with installed software that Kaspersky Sandbox will use to open files. Operating systems and software are already activated.

  3. File of Kaspersky Sandbox management plug-in using Kaspersky Security Center Web Console.

For information about the contents of the distribution kit of Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Server, Kaspersky Security for Virtualization Light Agent, and Kaspersky Security Center, see the online help of the relevant application.

Hardware and software requirements

Deploying the application on a virtual platform requires installing the VMware ESXi 6.5, 6.7 or 7.0 hypervisor.

For the application to work correctly in a virtual environment, you must install an up-to-date patch for the hypervisor.

The configuration of the Kaspersky Sandbox servers depends on the volume of data to be processed by the application and the throughput of the network link.

Kaspersky Sandbox is not supported on AMD processors.

Hardware and software requirements of the Kaspersky Sandbox physical server

The Kaspersky Sandbox solution supports physical server configurations listed in the following table.

Configurations supported by the Kaspersky Sandbox solution

All configurations in the table use two hard drives in a RAID 1 array (600 GB each, 10,000 rpm) and two network adapters with 1 Gbit/s data transfer rate.

Physical server configuration | Number of workstations with Kaspersky Endpoint Agent/Kaspersky Endpoint Security | Workload when receiving files via API (objects per hour)
CPU: 4 cores with Hyper-Threading support (8 threads), 2.1 GHz; RAM: 32 GB | 250 | 75
CPU: 8 cores with Hyper-Threading support (16 threads), 2.2 GHz; RAM: 48 GB | 500 | 150
CPU: 12 cores with Hyper-Threading support (24 threads), 2.2 GHz; RAM: 64 GB | 750 | 225
CPU: 16 cores with Hyper-Threading support (32 threads), 2.2 GHz; RAM: 64 GB | 1000 | 305
CPU: 14 cores with Hyper-Threading support (28 threads), 2.6 GHz; RAM: 64 GB | 1000 | 305
2 CPUs: 18 cores with Hyper-Threading support (72 threads), 2.2 GHz; RAM: 196 GB | 5000 | 910

Example of Kaspersky Sandbox performance:

Physical server configuration:

  • CPU: 4 cores with Hyper-Threading support (8 threads), 2.1 GHz
  • RAM: 32 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate

On a server with the specified configuration, Kaspersky Sandbox can:

  • Process objects received from workstations with Kaspersky Endpoint Security or Kaspersky Endpoint Agent. Maximum number of workstations: 250.
  • Process objects received from external systems via the API. Maximum objects per hour: 75.

For example, if you want to double the performance of Kaspersky Sandbox (to receive objects from 500 workstations or 150 objects per hour from external systems via the API), you can combine 2 servers into a cluster.

Hardware and software requirements of Kaspersky Sandbox virtual machine

The Kaspersky Sandbox application supports the following virtual machine configuration:

  • CPU: 12 cores (6 sockets, 2 cores each), 2.2 GHz or higher.
  • RAM: 32 GB.
  • HDD volume: 600 GB.
  • Two network adapters with 1 Gbit/s data transfer rate.

Virtual machine settings:

  1. Expose hardware assisted virtualization to the guest OS check box selected.
  2. Latency Sensitivity option set to High.
  3. Entire RAM reserved (32 GB).
  4. Entire CPU clock rate reserved.

    You can use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>.

When configuring the virtual machine, your configuration must match the description above. Only the CPU clock rate can be varied: you can configure a value of 2.2 GHz or higher. If the configuration of your virtual machine deviates from the description above, correct installation and operation of Kaspersky Sandbox is not guaranteed.

Installed on a virtual machine, Kaspersky Sandbox can process objects from up to 250 workstations or 100 objects per hour received using the API.

Throughput requirements for the link between workstations with the EPP application and the Kaspersky Sandbox server

Minimum requirements for the link between workstations that have the Kaspersky Endpoint Security application installed and the Kaspersky Sandbox server are listed in the following table.

Minimum requirements for the link between the Kaspersky Sandbox server and workstations with the EPP application

Number of workstations with Kaspersky Endpoint Agent/Kaspersky Endpoint Security | Required link throughput to be reserved for Kaspersky Endpoint Agent/Kaspersky Endpoint Security (Mbps)
10 | 2
20 | 2
30 | 2
40 | 2
50 | 3
100 | 4
150 | 4
200 | 5
250 | 5
500 | 6
750 | 8
1000 | 9
1500 | 11
2000 | 13
500 | 15
3000 | 18
3500 | 20
4000 | 22
4500 | 24
5000 | 27

Compatibility of the Kaspersky Sandbox solution version 2.0 with other applications

Kaspersky Sandbox version 2.0 is compatible with the following Kaspersky software:

  • EPP applications:
    • Kaspersky Endpoint Security for Windows 11.7.0 and later.
    • Kaspersky Security for Windows Server 11.0.1.
    • Kaspersky Security for Virtualization Light Agent 5.2
  • Kaspersky Endpoint Agent 3.13 or later for Windows.
  • Kaspersky Security Center Windows 13.2 or later.

    We recommend using versions of Kaspersky Security Center specified above. If you use an older version of Kaspersky Security Center, automatic creation of IOC scanning tasks is not available.

    To manage Kaspersky Sandbox 2.0 using Kaspersky Security Center Web Console, you must install the Kaspersky Sandbox management plug-in.

Limitations of the current version

The following limitations are known for Kaspersky Sandbox version 2.0:

  1. The application does not have a standard upgrade procedure. You must remove the 1.0 version and then install the 2.0 version.
  2. Installing Kaspersky Sandbox on a workstation with the UEFI interface requires disabling the Secure Boot protocol. Otherwise the application cannot be installed.
  3. To make sure Kaspersky Sandbox is operational and able to process objects, you must install a virtual machine with a Windows 7 image. You can install a virtual machine with just the Windows 7 image, or virtual machines with both Windows 7 and Windows 10 images.

    Kaspersky Sandbox cannot function if you install just the virtual machine with the Windows 10 image.

  4. When Kaspersky Sandbox is integrated with external systems, objects from external systems are scanned only in Windows 7.
  5. Upgrade via Kaspersky Security Center Web Console is not supported.

About the license

The license is a time-limited right to use the application, granted under the End User License Agreement.

A current license entitles you to the following kinds of services:

  • Use of the application in accordance with the terms of the End User License Agreement
  • Technical support

The license is granted for the number of Kaspersky Sandbox servers and Kaspersky Endpoint Security workstations on which you are planning to use the Kaspersky Sandbox solution. For calculation, use the Kaspersky Sandbox scaling table.

You can combine servers into clusters.

The scope of services and application usage term depend on the type of license that was used to activate the application.

The following license types are provided for Kaspersky Sandbox:

  • NFR (not for resale) is a free license for a set period, intended to familiarize the user with the application and to carry out test deployments.
  • Commercial is a paid license that is provided when you buy the application.

When the license expires, the application continues to work but with limited functionality. To use the full functionality of the application, you must purchase a commercial license or renew your commercial license.

About the End User License Agreement

The End User License Agreement (EULA) is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the Kaspersky Sandbox solution.

The End User License Agreement specifies the number of Kaspersky Sandbox servers and Kaspersky Endpoint Security workstations on which you are planning to use the Kaspersky Sandbox solution.

You can combine servers into clusters.

Read through the terms of the End User License Agreement carefully before you start using the application.

You can view the terms of the End User License Agreement (EULA) in the following ways:

  • During installation of Kaspersky Sandbox.
  • In the application web interface, by clicking the help icon in the menu and then clicking End User License Agreement and Privacy Policy.

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the EULA. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

About the license certificate

The License Certificate is a document provided with the key file or activation code.

The License Certificate contains the following license information:

  • License key or order number.
  • Details of the license holder.
  • Information about the application that can be activated using the license.
  • Limitation on the number of licensing units (for example, devices on which the application can be used under the license).
  • License start date.
  • License expiration date or license validity period.
  • License type.
About the subscription

When you subscribe to Kaspersky Sandbox, you place an order for the right to use the application with selected parameters (subscription expiration date, the number of protected devices). You can register the subscription to Kaspersky Sandbox at your service provider (for example, an ISP). You can renew the subscription manually or automatically, or alternatively you can cancel it. You can manage the subscription on the website of your service provider.

The subscription can be limited (for example, valid for a year) or unlimited (without an expiration date). To continue using Kaspersky Sandbox after the expiration of a limited subscription, you must renew it. An unlimited subscription is renewed automatically if the prepayment is made to your service provider in a timely fashion.

In the case of a limited subscription, a grace period can be provided for renewal, during which the functionality of the application is maintained. The service provider decides whether a grace period is offered and stipulates its duration.

To subscribe to Kaspersky Sandbox, you must apply an activation code provided by the service provider. When you apply an activation code, an active key is added, which determines the license under which the application is used for the subscription. You cannot add a backup key when using a subscription.

Activation codes purchased as part of subscription cannot be used to activate older versions of Kaspersky Sandbox.

About the key

A license key is a sequence of bits used to activate and use the application in accordance with the End User License Agreement. A license key is generated by Kaspersky.

After you add a key to the application, the license key is displayed in the application interface as a unique alphanumeric sequence.

Kaspersky can blacklist a key for violations of the End User License Agreement. If the license key has been blacklisted, you must add a different license key to continue using the application.

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. The purpose of the key file is to add a license key to activate the application.

After purchasing the application or ordering the trial version of the application, you receive a key file at the email address you specified.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can recover a key file if it is accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To restore a key file, contact the vendor of the license.

About the activation code

An activation code is a unique sequence of twenty Latin letters and numerical characters. You can enter an activation code to add a license key that activates Kaspersky Sandbox. After purchasing Kaspersky Sandbox or ordering the trial version of Kaspersky Sandbox, you receive an activation code at the email address you specified.

To activate the application with an activation code, Internet access is required to connect to Kaspersky activation servers. If Internet access is restricted or unavailable for Kaspersky Sandbox servers, you can activate Kaspersky Sandbox using an activation code by setting up Kaspersky Security Center as a proxy server for activating the application.

If the application was activated using an activation code, Kaspersky Sandbox queries Kaspersky activation servers once per day after activation to verify the current status of the license. The application must have Internet access to query Kaspersky servers. If necessary, you can force an update of the current license information.

If the activation code was lost after activation of the application, contact a Kaspersky partner company from which you purchased a license.

Viewing license information in the web interface

To view information about the license and added keys, select the Settings section in the application web interface.

The following information about the license and added keys is displayed:

  • Serial number of the license
  • Description of the license
  • License expiration date
  • Number of days remaining until the expiration of the license

Starting 30 days before the license expires, the Dashboard section shows a notification about the need to renew the license.

Viewing the text of the End User License Agreement and the Privacy Policy in the web interface

To view the text of the End User License Agreement in the web interface of Kaspersky Sandbox:

  1. In the application web interface window, click the help icon in the upper right part of the menu.

    This opens a window with information about the application.

  2. Click End User License Agreement and Privacy Policy to open the window with the text of the End User License Agreement and the Privacy Policy for the application.
  3. Read the text of the End User License Agreement and Privacy Policy.
  4. When you are done, click the close button.

See also

Application licensing

About the license

About the End User License Agreement

About the license certificate

About the subscription

About the key

About the key file

About the activation code

Viewing license information in the web interface

Activating the application using the web interface

Activating the application using Kaspersky Security Center Web Console

Application modes based on the license

Page top

[Topic 220201]

Activating the application using the web interface

This section contains instructions for activating Kaspersky Sandbox locally using the interface of the application.

You can activate Kaspersky Sandbox in the following ways:

  • By adding a key file.
  • By adding an activation code.

If necessary, you can replace or remove a license key.

In this Help section

Adding a key file

Adding an activation code

Replacing a key

Removing a key

Updating information of the current license

Application activation scenario using Kaspersky Security Center as a proxy server

Page top

[Topic 188212]

Adding a key file

To add a key file:

  1. In the Kaspersky Sandbox web interface window, select the Settings section.
  2. Under License, click Add.

    This opens the Adding a license key window.

  3. In the Type of license key list, select Key file.
  4. Add the key file in one of the following ways:
    • Click the specified area and select the key file in the window.
    • Drag and drop the key file to the specified area.
  5. Click Activate.

The key file is added to the application.

You can also activate the application using an activation code.

See also

Activating the application using the web interface

Adding an activation code

Replacing a key

Removing a key

Updating information of the current license

Application activation scenario using Kaspersky Security Center as a proxy server

Page top

[Topic 220111]

Adding an activation code

To add an activation code:

  1. In the Kaspersky Sandbox web interface window, select the Settings section.
  2. Under License, click Add.

    This opens the Adding a license key window.

  3. In the Type of license key list, select Activation code.
  4. Enter the activation code in the Activation code field.
  5. Click Activate.

The activation code is added to the application.

You can also activate the application using a key file.

See also

Activating the application using the web interface

Adding a key file

Replacing a key

Removing a key

Updating information of the current license

Application activation scenario using Kaspersky Security Center as a proxy server

Page top

[Topic 188213]

Replacing a key

To replace the active license key of the application with a different license key:

  1. In the Kaspersky Sandbox web interface window, select the Settings section.
  2. Under License, click Replace.

    This opens the Adding a license key window.

  3. In the Type of license key list, select the active license key replacement method:
    • Activation code if you want to replace the active license key using an activation code.
    • Key file if you want to replace the active license key using a key file.
  4. If you choose to replace the active license key using an activation code, enter the activation code in the Activation code text box.
  5. If you choose to replace the active license key using a key file, add a key file in one of the following ways:
    • Click the specified area and select the key file in the window.
    • Drag and drop the key file to the specified area.
  6. Click Activate.

The uploaded key replaces the active license key of the application.

See also

Activating the application using the web interface

Adding a key file

Adding an activation code

Removing a key

Updating information of the current license

Application activation scenario using Kaspersky Security Center as a proxy server

Page top

[Topic 188218]

Removing a key

To remove an active application license key:

  1. In the Kaspersky Sandbox web interface window, select the Settings section.
  2. Under License, click Revoke.

    The action confirmation window opens.

  3. Click Deleting the license key.

The key is removed.

If you remove an active key, you cannot use the full functionality of the application until you add a new key.

See also

Activating the application using the web interface

Adding a key file

Adding an activation code

Replacing a key

Updating information of the current license

Application activation scenario using Kaspersky Security Center as a proxy server

Page top

[Topic 220265]

Updating information of the current license

If the application was activated using an activation code, after activation, Kaspersky Sandbox queries Kaspersky activation servers once per day to verify the current status of the license. If necessary, you can force update the information of the current license.

To update the information of the current license:

  1. In the Kaspersky Sandbox web interface window, select the Settings section.
  2. Under License, click Update status.

The information of the current license is updated.

Page top

[Topic 220595]

Application activation scenario using Kaspersky Security Center as a proxy server

If Internet access is restricted or unavailable for Kaspersky Sandbox servers, you can activate Kaspersky Sandbox using an activation code by setting up Kaspersky Security Center as a proxy server for connecting to Kaspersky activation servers.

Activating Kaspersky Sandbox using Kaspersky Security Center as a proxy server for connecting to activation servers involves the following steps:

  1. Setting up Kaspersky Security Center as a proxy server for requests to the activation service.
  2. Adding an activation code.

Page top

[Topic 220622]

Setting up Kaspersky Security Center as a proxy server for connecting to activation servers

To set up Kaspersky Security Center as a proxy server for connecting to Kaspersky activation servers:

  1. In the Kaspersky Sandbox web interface window, select the Connection to KSC section.
  2. In the KSC server address field, enter the address and port of the Kaspersky Security Center server.
  3. Select the Use KSC as proxy server for activation check box.
  4. Click Connect.
  5. Refresh the page in the browser.

Kaspersky Security Center is set up as a proxy server for connecting to Kaspersky activation servers.

Page top

[Topic 220203]

Activating the application using Kaspersky Security Center Web Console

This section contains instructions for activating Kaspersky Sandbox remotely using Kaspersky Security Center Web Console by creating and running a license key adding task.

In this Help section

Adding a key

Replacing a key

Page top

[Topic 220191]

Adding a key

To add a Kaspersky Sandbox license key using Kaspersky Security Center Web Console:

  1. In the main window of Web Console, select the Devices → Tasks folder.
  2. Click Add.

    The task creation wizard starts.

  3. In the Application drop-down list, select KSB.
  4. In the Task type drop-down list, select Add key.
  5. In the Task name field, enter the name of the task.
  6. Under Selecting the devices to which the task will be assigned, select the scope of the task.

    Select computers to which you want to assign the task. The following methods are available:

    • Assign task to an administration group. In this case, the task is assigned to devices that belong to a previously created administration group.
    • Select devices detected on the network by the Administration Server. The set of devices can include devices in administration groups as well as unassigned devices.
    • Enter the addresses of the devices manually or import them from a list. You can specify NetBIOS names, IP addresses, and ranges of IP addresses of devices to which you want to assign the task.

    Click Next.

  7. Select the license that you want to use to activate the application.

    Click Next.

  8. Select an account for running the task.

    You can select the default account or create an account:

    • If you select the default account, the task runs under the account that was used to install and run the application that performs the task.
    • If you choose to create an account, enter the credentials of the account to use for running the task. The account must have sufficient permissions to run the task.
  9. If you want to view task properties immediately after creating the task, select the Open task properties window after task creation check box.
  10. Click Done.

Once the task has run, the Kaspersky Sandbox license key is added and the application is activated.

See also

Replacing a key

Page top

[Topic 220192]

Replacing a key

If you want to replace the Kaspersky Sandbox license key using Kaspersky Security Center, you must follow the steps to add a license key.

The uploaded key replaces the active license key of the application.

See also

Adding a key

Page top

[Topic 188174]

Application modes based on the license

Kaspersky Sandbox provides various operating modes depending on the added keys.

No license

This is the mode in which Kaspersky Sandbox operates from the time the application is installed and the web interface is started until you add a key.

Unlicensed mode has the following limitations:

  • Application databases are not updated.
  • Limited reception and processing of data from Kaspersky Endpoint Security.

Commercial license

In this mode, the application updates databases, and receives and processes data from Kaspersky Endpoint Security.

After the expiration of the current license, the application stops updating its databases and does not receive or process data from Kaspersky Endpoint Security.

To renew full operation of the application, you must replace the key or add a key for commercial license.

See also

Application licensing

About the license

About the End User License Agreement

About the license certificate

About the subscription

About the key

About the key file

About the activation code

Viewing license information in the web interface

Viewing the text of the End User License Agreement and the Privacy Policy in the web interface

Activating the application using the web interface

Activating the application using Kaspersky Security Center Web Console

Page top

[Topic 187414]

About data provision

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

  • End User License Agreements of Kaspersky Sandbox and Kaspersky Endpoint Security (for example, during installation of the application).

    For activating each of the Kaspersky Sandbox and Kaspersky Endpoint Security applications as part of Kaspersky Sandbox, separate End User License Agreements are provided with the respective distribution kits.

  • In the Kaspersky Security Network Statement of the Kaspersky Endpoint Security application.

    During the use of Kaspersky Security Network (also referred to as "KSN"), data acquired as a result of Kaspersky Security Network operation is automatically submitted to Kaspersky. Submitted data is enumerated in the Kaspersky Security Network Statement. The user of Kaspersky Endpoint Security independently makes the decision to participate in KSN.

    Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky.

    Kaspersky uses any received information in anonymized form and as general statistics only. General statistics are automatically generated using original collected information and do not contain any personal data or other confidential information. The original information received is destroyed as new information is accumulated (once a year). General statistics are stored indefinitely.

In this Help section

Kaspersky Sandbox application data

Kaspersky Endpoint Agent application data

EPP application data

Page top

[Topic 187424]

Kaspersky Sandbox application data

If Kaspersky Sandbox is activated with an activation code, you agree that the following data is sent to Kaspersky regularly and automatically in order to verify that the application is used legitimately:

  • ID of the operating system installed on the server.
  • ID of the application.
  • Version number of the application.
  • Localization ID of the application.
  • Activation code.
  • List of IDs of applications compatible with the current version of the application.

Kaspersky Security Network is not designed for use on Kaspersky Sandbox application servers.

Kaspersky Sandbox servers store trace files, the configuration file, and system logs.

Data in trace files and system logs can contain:

  • Local time on the device.
  • Activation code (if an activation code is used to activate Kaspersky Sandbox).
  • Information about the acceptance of the License Agreement.
  • Name of the administrator account of the Kaspersky Sandbox server.
  • Session ID.
  • IP addresses and names of hosts that have contacted Kaspersky Sandbox servers.
  • IP addresses and names of Kaspersky Sandbox servers that are part of the same cluster.
  • IP address and name of the proxy server.
  • IP address and name of the Kaspersky Security Center server.
  • IP addresses and names of update servers.
  • HTTP headers of processed HTTP messages.
  • Names and hash codes of files sent for scanning.
  • Scan results for files.

Configuration file data contains the following information:

  • Hash of the administrator account password.
  • Unique ID of the license key file.

If Kaspersky Sandbox uses the system log, Kaspersky Sandbox data can be submitted to Kaspersky using the following scenario:

  1. The administrator of Kaspersky Sandbox downloads the Kaspersky Sandbox system log to the hard drive of the computer that the administrator is using to access the web interface of Kaspersky Sandbox.
  2. The administrator of Kaspersky Sandbox sends the system log file to Kaspersky Technical Support.

The administrator of Kaspersky Sandbox independently makes the decision concerning the security of sending host names of workstations with the Kaspersky Endpoint Security application to Kaspersky Technical Support.
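The scenario above leaves it to the administrator to decide what leaves the organization together with a system log. The following added example (not part of the Kaspersky Sandbox documentation or product) shows one way to act on that decision before the file is sent to Technical Support: credential-bearing HTTP headers are blanked, while IP addresses, host names, session IDs and the administrator account name are replaced with salted pseudonyms, so that support can still correlate lines without learning the real values. The log lines, their format and the regular expressions are constructed for illustration; the real system-log format is not documented on this page, so adapt the patterns to what your downloaded log actually contains. Names and hashes of scanned files, which the page also lists, are left untouched here.

```python
"""Redact identifying data from a Kaspersky Sandbox system log before sending it to support (added example)."""
import hashlib
import re
from typing import Tuple

# Constructed sample lines. They are NOT real Kaspersky Sandbox log output (the
# real format is not documented here); they only carry the data classes the
# page lists: host names, IP addresses, an administrator account name, a
# session ID and HTTP headers.
SAMPLE_LOG = """\
2023-03-01T10:15:02Z INFO request from ws-finance-17.corp.example (10.20.30.41) session=9f1c3a77 user=admin
2023-03-01T10:15:03Z INFO forwarding task to ksb-node2.corp.example (10.20.30.5)
2023-03-01T10:15:04Z DEBUG header Authorization: Bearer eyJhbGciOi9constructed
2023-03-01T10:15:05Z DEBUG header X-Forwarded-For: 10.20.30.41
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
SESSION = re.compile(r"\bsession=([0-9a-f]+)", re.I)
USER = re.compile(r"\buser=(\S+)")
# Header names whose values are credentials: the whole value is dropped, not pseudonymized.
SECRET_HEADERS = re.compile(
    r"^(.*\bheader (?:Authorization|Proxy-Authorization|Cookie|Set-Cookie): ).*$", re.I | re.M)


def pseudonym(value: str, salt: str, prefix: str) -> str:
    """Deterministic token: the same value maps to the same token within one run,
    so support can still correlate lines, but the value cannot be recovered
    without the salt, which stays with the administrator."""
    digest = hashlib.sha256(f"{salt}\0{value}".encode()).hexdigest()[:8]
    return f"{prefix}_{digest}"


def redact(text: str, salt: str, keep_hosts: Tuple[str, ...] = ()) -> str:
    """Blank credential headers, then pseudonymize IPs, host names, sessions and users.

    keep_hosts lists host names (lower-case) that may stay in clear, for example
    the Sandbox node names support needs in order to reason about cluster behaviour."""
    text = SECRET_HEADERS.sub(r"\1[REDACTED]", text)
    text = IPV4.sub(lambda m: pseudonym(m.group(0), salt, "ip"), text)

    def host_sub(m):
        name = m.group(0).lower()
        return m.group(0) if name in keep_hosts else pseudonym(name, salt, "host")

    text = HOSTNAME.sub(host_sub, text)
    text = SESSION.sub(lambda m: "session=" + pseudonym(m.group(1), salt, "sess"), text)
    text = USER.sub(lambda m: "user=" + pseudonym(m.group(1), salt, "user"), text)
    return text


if __name__ == "__main__":
    import secrets
    import sys
    # A fresh random salt per submission; keep it locally if you may need to map tokens back.
    salt = secrets.token_hex(16)
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    sys.stdout.write(redact(source, salt))
```

Generate a new salt for every log you send and never include it in the submission; with the same salt, the same host or address produces the same token across all files from one case, which is what makes the redacted log still useful for troubleshooting.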

See also

About data provision

Kaspersky Endpoint Agent application data

EPP application data

Page top

[Topic 187415]

Kaspersky Endpoint Agent application data

For details about the information that Kaspersky Endpoint Agent 3.13 sends to Kaspersky, refer to the "Data provision" section in Kaspersky Endpoint Agent 3.13 Online Help.

See also

About data provision

Kaspersky Sandbox application data

EPP application data

Page top

[Topic 221575]

EPP application data

For details about information that EPP applications send to Kaspersky, see the Data Provision section of the following online helps:

  • For Kaspersky Endpoint Security for Windows, see the Kaspersky Endpoint Security for Windows 11.7 and later online help.
  • For Kaspersky Security for Windows Server 11.0.1, see the Kaspersky Security for Windows Server 11.0.1 online help.
  • For Kaspersky Security for Virtualization 5.2 Light Agent, see the Kaspersky Security for Virtualization 5.2 Light Agent online help.

See also

About data provision

Kaspersky Sandbox application data

Kaspersky Endpoint Agent application data

Page top

[Topic 189274]

Preparing the IT infrastructure for Kaspersky Sandbox installation

Before installation of the application, prepare your corporate IT infrastructure:

  1. Ensure that the servers, the computer intended for managing the application web interface, and the workstations intended for the installation of EPP applications satisfy the hardware and software requirements.
  2. Prepare the corporate IT infrastructure for installation of Kaspersky Sandbox:
    1. On both network interfaces, block access from the Kaspersky Sandbox server to the corporate LAN (other than the connections explicitly allowed below), so that the objects being analyzed cannot reach the network.
    2. For the first network interface, allow Internet access for the Kaspersky Sandbox server for the purpose of analysis of object behavior.
    3. For the second network interface:

      Allow inbound connections to the Kaspersky Sandbox server on the following ports:

      • TCP 22 for connection to the server over the SSH protocol.
      • TCP 80 and 8443 for using the application web interface.
      • TCP 443 for interacting with external systems over the REST API interface, adding servers to a cluster, receiving object processing tasks from Kaspersky Endpoint Security or Kaspersky Endpoint Agent, balancing object processing tasks among servers in the cluster.
      • TCP 3301 for synchronizing data about processed objects between servers in the cluster.
      • UDP 15000 for interacting with the Network Agent (nagent) of the Kaspersky Security Center.

      Allow outbound connections from the Kaspersky Sandbox server on the following ports:

      • TCP 443 and 80 for database update.
      • TCP 13000 and 14000 for synchronizing data with the Network Agent (nagent) of Kaspersky Security Center. These ports are configured on the Kaspersky Security Center side; 13000 and 14000 are the default values and can be changed.
  3. Allow direct connections (not via a proxy server) from workstations that have Kaspersky Endpoint Security or Kaspersky Endpoint Agent installed to the Kaspersky Sandbox server.
  4. Configure network equipment to allow an encrypted communication link between Kaspersky Sandbox servers.

If needed, you can designate other ports for Kaspersky Sandbox to use in the administrator menu of the Kaspersky Sandbox server. If you change the ports in the administrator menu, you need to allow connections to these ports in your corporate IT infrastructure.
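Before installing, it is worth confirming that the port matrix above is actually open, because a silently dropped SYN (a timeout) and a closed port (a refusal) point to different misconfigurations. The following added example, not part of the Kaspersky Sandbox documentation, probes the inbound TCP ports of the Sandbox server and the outbound Network Agent ports towards Kaspersky Security Center; run it from a workstation that will submit objects for the inbound side, and from a host placed where the Sandbox server's management interface will be for the outbound side. The host names ksb.example.internal and ksc.example.internal are placeholders. UDP 15000 is not probed because a UDP port cannot be checked without speaking the Network Agent protocol.

```python
"""Connectivity check for the Kaspersky Sandbox port matrix (added example)."""
import socket
from dataclasses import dataclass
from typing import List, Tuple

# Inbound TCP ports on the second (management) network interface, as listed
# in the procedure above. UDP 15000 is deliberately absent: a UDP port cannot
# be probed reliably without speaking the Network Agent protocol.
INBOUND_TCP = [
    (22, "SSH"),
    (80, "web interface"),
    (8443, "web interface"),
    (443, "REST API, cluster membership, EPP object-processing tasks"),
    (3301, "cluster data synchronization"),
]

# Outbound TCP ports from the Sandbox server to Kaspersky Security Center.
# 13000 and 14000 are the KSC defaults; change them if your KSC uses others.
KSC_TCP = [(13000, "KSC Network Agent"), (14000, "KSC Network Agent")]


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    purpose: str
    reachable: bool
    detail: str


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, str]:
    """Attempt a TCP handshake and classify the outcome; never raises.

    A timeout usually means a firewall silently drops the SYN; a refusal means
    the host is reachable but nothing listens on the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (filtered or host down)"
    except ConnectionRefusedError:
        return False, "refused (port closed)"
    except OSError as exc:  # name resolution failure, network unreachable, ...
        return False, f"error: {exc}"


def check_targets(host: str, ports: List[Tuple[int, str]],
                  timeout: float = 2.0) -> List[ProbeResult]:
    """Probe every (port, purpose) pair on one host."""
    return [ProbeResult(host, port, purpose, *probe_tcp(host, port, timeout))
            for port, purpose in ports]


def unreachable(results: List[ProbeResult]) -> List[ProbeResult]:
    return [r for r in results if not r.reachable]


if __name__ == "__main__":
    import sys
    # Assumed host names; pass your own as arguments.
    sandbox_host = sys.argv[1] if len(sys.argv) > 1 else "ksb.example.internal"
    ksc_host = sys.argv[2] if len(sys.argv) > 2 else "ksc.example.internal"
    results = check_targets(sandbox_host, INBOUND_TCP) + check_targets(ksc_host, KSC_TCP)
    for r in results:
        print(f"{'OK  ' if r.reachable else 'FAIL'} {r.host}:{r.port:<5} {r.detail:<32} {r.purpose}")
    sys.exit(1 if unreachable(results) else 0)
```

A successful handshake only proves that the path and the listener exist; it does not prove that the service behind the port has been configured, so run the check again after the initial configuration of the server and after changing any port in the administrator menu.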

Page top

[Topic 191466]

Setting up Kaspersky Sandbox for virtual infrastructure

Installed on a virtual machine, Kaspersky Sandbox server can process objects from 250 workstations or 100 objects per hour received using the API. Deploying the application on a virtual platform requires installing the VMware ESXi 6.5.0 or 6.7.0 hypervisor.

For the application to work correctly in a virtual environment, you must install an up-to-date patch for the hypervisor.

When installing Kaspersky Sandbox on a virtual machine, set up the following virtual machine configuration:

  • CPU: 12 cores (6 sockets, 2 cores each), 2.2 GHz or higher.
  • RAM: 32 GB.
  • HDD volume: 600 GB.
  • Two network adapters with 1 Gbit/s data transfer rate.

Virtual machine settings:

  1. Expose hardware assisted virtualization to the guest OS check box selected.
  2. Latency Sensitivity option set to High.
  3. Entire RAM reserved (32 GB).
  4. Entire CPU clock rate reserved.

    You can use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>.

When configuring the virtual machine, your configuration must match the description above. Only the CPU clock rate can be varied: you can configure a value of 2.2 GHz or higher. If the configuration of your virtual machine deviates from the description above, correct installation and operation of Kaspersky Sandbox is not guaranteed.

Cloning virtual machines is not supported.

For details about using the VMware ESXi hypervisor, see VMware ESXi documentation.

See also

Preparing the IT infrastructure for Kaspersky Sandbox installation

Installing and configuring applications of the solution when using EPP applications with built-in Kaspersky Sandbox support

Installing and configuring applications of the solution when using EPP applications without built-in Kaspersky Sandbox support

Page top

[Topic 235404]

Installing and configuring applications of the solution when using EPP applications without built-in Kaspersky Sandbox support

Perform the steps for installation and configuration of the solution applications in the following sequence:

  1. Install the disk image containing Kaspersky Sandbox.
  2. Complete the initial configuration of Kaspersky Sandbox using the web interface.
  3. Install the disk images of the Microsoft Windows 7 and Microsoft Windows 10 operating systems and the software required by Kaspersky Sandbox.
  4. Install Kaspersky Security Center.

    For detailed information on installing Kaspersky Security Center, refer to Kaspersky Security Center Help.

  5. Configure the integration of Kaspersky Sandbox with Kaspersky Security Center.
  6. Configure the set of components of the EPP application.

    Kaspersky Endpoint Agent 3.11 cannot be installed as part of an EPP application. To use Kaspersky Endpoint Agent 3.11 as a component of the Kaspersky Sandbox solution, install Kaspersky Endpoint Agent 3.10 as part of an EPP application and then update Kaspersky Endpoint Agent to version 3.11.

  7. Install the Kaspersky Sandbox and Kaspersky Endpoint Agent management plug-ins in Kaspersky Security Center.
  8. Configure the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox.
  9. Configure the remaining settings of Kaspersky Sandbox.
  10. Configure Kaspersky Endpoint Agent policies in Kaspersky Security Center.

Page top

[Topic 189279]

Installing the Kaspersky Sandbox application

This section provides step-by-step instructions for installing Kaspersky Sandbox.

Installing Kaspersky Sandbox on a server with a UEFI interface requires disabling Secure Boot; otherwise the application cannot be installed. Keep in mind that with Secure Boot disabled the firmware no longer verifies the signature of the boot loader, so restrict physical and remote-console access to the server accordingly.

Do not allow shared access to the drive on which Kaspersky Sandbox is installed. The operating system on the server must be a single-user operating system.

In this Help section

Verifying the digital signature

Step 1. Starting installation of the Kaspersky Sandbox application and selecting the language for viewing End User License Agreements

Step 2. Viewing the Kaspersky Sandbox End User License Agreement and the Privacy Policy

Step 3. Viewing the Microsoft End User License Agreement

Step 4. Viewing the Adobe End User License Agreement

Step 5. Basic setup of Kaspersky Sandbox

Step 6. Completing the installation of Kaspersky Sandbox.

Page top

[Topic 224342]

Verifying the digital signature

The Kaspersky Sandbox distribution kit includes digital signatures of installation files in separate files with the .sig extension:

  • ksb_2.0.0.500.x86_64_en_ru.iso.sig
  • sandbox-images-win7_x64-1.0.0.21167-vl.x86_64.iso.sig
  • sandbox-images-win10_x64-1.1.0.18829-vl.x86_64.iso.sig

You can request the Kaspersky Sandbox OpenPGP public key (the ksb.crt.pgp keyring file) on the Technical Support website and use it to verify the digital signatures of the installation files.

To verify the digital signature using GnuPG,

run the following command:

gpg --no-default-keyring --keyring ./ksb.crt.pgp --verify ./ksb_2.0.0.500.x86_64_en_ru.iso.sig ./ksb_2.0.0.500.x86_64_en_ru.iso

Repeat the command for each .sig file in the distribution kit. Treat an image as verified only if gpg reports a good signature and exits with code 0; a "BAD signature" result or a non-zero exit code means the image must not be used. Because the keyring is supplied with the --keyring option and the default keyring is disabled, the signature is checked only against the key you obtained from Technical Support.
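The command above prints a human-readable result, which a script that automates the check should not parse. The added example below (not part of the Kaspersky Sandbox documentation) runs gpg with --status-fd, interprets its machine-readable VALIDSIG and BADSIG records, and additionally pins the expected key fingerprint, so that a keyring that was swapped or a signature made with a different key is rejected even if gpg itself reports a good signature. EXPECTED_FINGERPRINT is a placeholder you must replace with the fingerprint of the key obtained from Technical Support; the file names come from the list above.

```python
"""Verify Kaspersky Sandbox distribution images against a pinned OpenPGP key (added example)."""
import subprocess
from pathlib import Path
from typing import Tuple, Union

# Assumption: placeholder fingerprint. Replace it with the fingerprint of the
# key obtained from Technical Support, read out of band with
#   gpg --no-default-keyring --keyring ./ksb.crt.pgp --fingerprint
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"

# Signature files from the distribution kit; the signed file has the same
# name without the .sig suffix.
SIGNATURES = [
    "ksb_2.0.0.500.x86_64_en_ru.iso.sig",
    "sandbox-images-win7_x64-1.0.0.21167-vl.x86_64.iso.sig",
    "sandbox-images-win10_x64-1.1.0.18829-vl.x86_64.iso.sig",
]

# Any of these status records means the file must not be trusted.
REJECTING = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}


def evaluate_status(status_output: str, expected_fpr: str) -> Tuple[bool, str]:
    """Decide from GnuPG's machine-readable --status-fd output whether to trust a file.

    Only a VALIDSIG record (good signature, key present, not expired or revoked)
    whose primary-key fingerprint equals the pinned one is accepted. A rejecting
    record always wins, so a file carrying one good and one bad signature is
    still refused.
    """
    seen_fpr = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text goes to stderr; ignore anything else
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in REJECTING:
            return False, keyword
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            seen_fpr = fields[11] if len(fields) >= 12 else fields[2]
    if seen_fpr is None:
        return False, "NO_VALIDSIG"
    if seen_fpr.upper() != expected_fpr.upper():
        return False, "FINGERPRINT_MISMATCH"
    return True, "VALIDSIG"


def verify_image(sig_path: Union[str, Path], keyring: Union[str, Path],
                 expected_fpr: str = EXPECTED_FINGERPRINT) -> Tuple[bool, str]:
    """Run gpg on one .sig/.iso pair and return (accepted, reason)."""
    sig_path = Path(sig_path)
    image_path = sig_path.with_suffix("")  # strip ".sig"
    if not (sig_path.is_file() and image_path.is_file()):
        return False, "MISSING_FILE"
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(sig_path), str(image_path)],
        capture_output=True, text=True, check=False,
    )
    return evaluate_status(proc.stdout, expected_fpr)


if __name__ == "__main__":
    import sys
    failed = False
    for name in SIGNATURES:
        ok, reason = verify_image(name, "./ksb.crt.pgp")
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
        failed |= not ok
    sys.exit(1 if failed else 0)
```

Pinning the fingerprint is what turns "gpg found a key that signed this" into "the key Kaspersky gave us signed this"; without it, anyone who can replace ksb.crt.pgp on the verification host can also make a tampered image pass.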

Page top

[Topic 189286]

Step 1. Starting installation of the Kaspersky Sandbox application and selecting the language for viewing End User License Agreements

To begin installing Kaspersky Sandbox and select the language for viewing the End User License Agreements:

  1. Run the Kaspersky Sandbox disk image.

    The Setup Wizard starts.

  2. Select Install Kaspersky Sandbox <version of the software>.
  3. In the window that opens, press ENTER.

    The EULA language selection window opens.

  4. Select your language of choice for viewing the End User License Agreements: Russian or English.
  5. Click Continue.

    The Setup Wizard proceeds to the next step.

See also

Verifying the digital signature

Step 2. Viewing the Kaspersky Sandbox End User License Agreement and the Privacy Policy

Step 3. Viewing the Microsoft End User License Agreement

Step 4. Viewing the Adobe End User License Agreement

Step 5. Basic setup of Kaspersky Sandbox

Step 6. Completing the installation of Kaspersky Sandbox.

Page top

[Topic 189280]

Step 2. Viewing the Kaspersky Sandbox End User License Agreement and the Privacy Policy

To proceed with the installation, please read the Kaspersky Sandbox End User License Agreement (EULA) and the Privacy Policy and accept the terms of both. Installation will not continue until you accept the terms of the End User License Agreement and the Privacy Policy.

To accept the terms of the Kaspersky Sandbox End User License Agreement and the Privacy Policy:

  1. Read through the End User License Agreement and the Privacy Policy.
  2. If you accept the terms and conditions of the End User License Agreement and the Privacy Policy, select the I accept the terms check box.
  3. Click Continue.

    The Setup Wizard proceeds to the next step.

See also

Installing the Kaspersky Sandbox application

Verifying the digital signature

Step 1. Starting installation of the Kaspersky Sandbox application and selecting the language for viewing End User License Agreements

Step 3. Viewing the Microsoft End User License Agreement

Step 4. Viewing the Adobe End User License Agreement

Step 5. Basic setup of Kaspersky Sandbox

Step 6. Completing the installation of Kaspersky Sandbox.

Page top

[Topic 189287]

Step 3. Viewing the Microsoft End User License Agreement

To continue the installation, please read the Microsoft End User License Agreement (EULA) and accept its terms. Installation will not continue until you accept the terms of the End User License Agreement.

To accept the terms of the Microsoft End User License Agreement:

  1. Please read the End User License Agreement.
  2. If you accept the terms and conditions of the End User License Agreement, select the I accept the terms check box.
  3. Click Continue.

    The Setup Wizard proceeds to the next step.

See also

Installing the Kaspersky Sandbox application

Verifying the digital signature

Step 1. Starting installation of the Kaspersky Sandbox application and selecting the language for viewing End User License Agreements

Step 2. Viewing the Kaspersky Sandbox End User License Agreement and the Privacy Policy

Step 4. Viewing the Adobe End User License Agreement

Step 5. Basic setup of Kaspersky Sandbox

Step 6. Completing the installation of Kaspersky Sandbox.

Page top

[Topic 189288]

Step 4. Viewing the Adobe End User License Agreement

To continue the installation, please read the Adobe End User License Agreement (EULA) and accept its terms. Installation will not continue until you accept the terms of the End User License Agreement.

To accept the terms of the Adobe End User License Agreement:

  1. Please read the End User License Agreement.
  2. If you accept the terms and conditions of the End User License Agreement, select the I accept the terms check box.
  3. Click Continue.

    This takes you to the Installation summary menu.

See also

Installing the Kaspersky Sandbox application

Verifying the digital signature

Step 1. Starting installation of the Kaspersky Sandbox application and selecting the language for viewing End User License Agreements

Step 2. Viewing the Kaspersky Sandbox End User License Agreement and the Privacy Policy

Step 3. Viewing the Microsoft End User License Agreement

Step 5. Basic setup of Kaspersky Sandbox

Step 6. Completing the installation of Kaspersky Sandbox.

Page top

[Topic 189282]

Creating an administrator account for Kaspersky Sandbox

To create an administrator account for Kaspersky Sandbox:

  1. In the Installation summary menu, select the Management interface section.
  2. In the Administrator account field, enter the name of the account. The 'admin' account is used by default.
  3. In the Password field, enter the password for the administrator.

    The password must satisfy the following requirements:

    • Must contain at least 8 characters.
    • Must contain only Latin letters, digits, and special characters.
    • Must contain at least three of the following four character types:
      • Uppercase Latin letter (A-Z).
      • Lowercase Latin letter (a-z).
      • Digit (0-9).
      • Special character.
    • Must not be the same as the user name.
  4. Enter the password again in the Confirm password field.
  5. Click Done.
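The password rules above are enforced by the installer, but an organization issuing administrator credentials for Kaspersky Sandbox usually wants to check a candidate password against the same rules beforehand, for instance in the tool that generates or vaults it. The following added validator (not part of the product) implements them; where the page leaves a detail open, the code makes a labelled assumption: a "special character" is any printable ASCII character that is not a letter or digit, spaces are rejected, and the comparison with the user name is case-insensitive.

```python
"""Validator for the Kaspersky Sandbox administrator password rules (added example)."""
import re
from typing import List

MIN_LENGTH = 8
# Assumption: the page does not define "special character" or say whether
# spaces are allowed. Here the password may contain any printable ASCII
# character except space, and "special" means printable ASCII that is not a
# Latin letter or a digit.
ALLOWED_CHARS = re.compile(r"[\x21-\x7E]+")
CHARACTER_TYPES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}
REQUIRED_TYPES = 3


def check_password(password: str, username: str) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not ALLOWED_CHARS.fullmatch(password):
        problems.append("contains characters other than Latin letters, digits and printable special characters")
    present = [name for name, pattern in CHARACTER_TYPES.items() if pattern.search(password)]
    if len(present) < REQUIRED_TYPES:
        problems.append(
            f"contains only {len(present)} of the 4 character types "
            f"(at least {REQUIRED_TYPES} required): {', '.join(present) or 'none'}"
        )
    # Assumption: compared case-insensitively, which is stricter than the page's wording.
    if password.lower() == username.lower():
        problems.append("same as the user name")
    return problems


if __name__ == "__main__":
    import getpass
    user = input("Administrator account [admin]: ") or "admin"
    for rule in check_password(getpass.getpass("Candidate password: "), user) or ["password accepted"]:
        print(rule)
```

The validator reports every violated rule rather than stopping at the first one, which is what you want when the result is shown to the person choosing the password.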

See also

Step 5. Basic setup of Kaspersky Sandbox

Configuring server date and time

Selecting a drive for installing Kaspersky Sandbox

Configuring the management network interface

Page top

[Topic 222777]

Configuring server date and time

To configure server date and time:

  1. In the Installation summary menu, select the Date & time section.
  2. In the Region drop-down list, select the country where the server is physically located.
  3. In the City drop-down list, select the city where the server is physically located.

    You can specify the country and city by selecting the region on the map under the drop-down lists.

  4. Configure synchronization with NTP servers:
    1. Click the NTP synchronization icon.

      This opens the Add and mark for usage NTP servers window.

    2. Select the check box next to the NTP server with which you want to synchronize.

      If the list of NTP servers does not include the server you need, enter the name of the server in the Add and mark for usage NTP servers field and click the add icon. The added NTP server is displayed in the server list.

    3. Click Ok.
    4. Turn on the Network time toggle switch.
  5. If synchronization with NTP servers is disabled, enter the server date and time manually:
    1. Select a time format option: 24-hour or AM/PM.
    2. If you selected AM/PM, select the period (AM or PM) using the up and down buttons.
    3. Set the current time using the up and down buttons.
    4. In drop-down lists in the right part of the screen, select the current date.
  6. Click Done.

Server date and time is configured.

Page top

[Topic 189281]

Selecting a drive for installing Kaspersky Sandbox

At this step, select a physical drive for installing Kaspersky Sandbox.

To select a drive for installing the Kaspersky Sandbox component:

  1. In the Installation summary menu, select the Installation destination section.
  2. In the Device selection window, select a drive from the list of drives.
  3. Click Done.

    The drive is selected. This opens the Installation summary menu.

See also

Step 5. Basic setup of Kaspersky Sandbox

Creating an administrator account for Kaspersky Sandbox

Configuring server date and time

Configuring the management network interface

Page top

[Topic 189283]

Configuring the management network interface

To configure the management network interface:

  1. In the Installation summary menu, select the Management interface section.
  2. In the list of network interfaces, select the network interface that you want to use as the management interface.
  3. In the Host name field, enter the fully qualified domain name of the server and click Apply.

    Enter the fully qualified domain name (FQDN) of the server, for example: host.domain.com or host.domain.subdomain.com.

  4. Click Configure and configure the network interface:
    1. In the Connection name field, enter the name of the connection.
    2. Enter the IP address, subnet mask and gateway IP address.

      Under Addresses, click Add and do the following:

      1. In the Address field, enter the IP address that you want to assign to this network interface.
      2. In the Netmask field, enter the mask of the network in which you want to use this network interface.
      3. In the Gateway field, enter the IP address of the default gateway.
    3. In the DNS servers field, enter the IPv4 address of the primary DNS server.

      You can enter a comma-separated list of servers.

    4. If necessary, in the Search domains field, enter a domain name for quick access to the server.
    5. If you want to use only IPv4 for this connection, select the Require IPv4 addressing for this connection to complete check box.

      By default, the check box is cleared. Enabling only IPv4 addressing for this connection is not recommended.

    6. Configure the static network route.
      1. Click Routes.
      2. Click Add and do the following:
        1. In the Address field, enter the subnet prefix.
        2. In the Netmask field, enter the subnet mask.
        3. In the Gateway field, enter the IP address of the default gateway.
        4. In the Metric field, enter the network metric value.
        5. Select the Use this connection only for resources on its network check box if you want to configure the connection only for workstations that belong to the network.

          By default, the check box is cleared. Enabling the connection only for resources on the selected network is not recommended.

      3. Click Ok.
  5. Click Save.
  6. Turn on the Ethernet toggle switch.
  7. Click Done.

The management network interface is configured.

[Topic 189285]

Step 6. Completing the installation of Kaspersky Sandbox

To complete the installation of Kaspersky Sandbox, click Restart.

The server is restarted. In the window that is opened after the server restarts, you see the URL of the Kaspersky Sandbox server, which you can use to log into the application web interface and configure Kaspersky Sandbox.

[Topic 195820]

Scaling Kaspersky Sandbox

To attain and maintain optimum performance of the Kaspersky Sandbox solution in various conditions, you need to take into account the number of devices on the network, the topology of the network, and the functionality of the solution that you need.

You can choose an optimum configuration of the solution using the following table.

Configurations supported by the Kaspersky Sandbox solution

For each physical server configuration, the table gives the number of workstations with Kaspersky Endpoint Agent/Kaspersky Endpoint Security that the server can serve and the workload when receiving files via API (objects per hour).

Configuration 1

  • CPU: 4 cores with Hyper-Threading support (8 threads), 2.1 GHz
  • RAM: 32 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate
  • Number of workstations: 250
  • Workload when receiving files via API: 75 objects per hour

Configuration 2

  • CPU: 8 cores with Hyper-Threading support (16 threads), 2.2 GHz
  • RAM: 48 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate
  • Number of workstations: 500
  • Workload when receiving files via API: 150 objects per hour

Configuration 3

  • CPU: 12 cores with Hyper-Threading support (24 threads), 2.2 GHz
  • RAM: 64 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate
  • Number of workstations: 750
  • Workload when receiving files via API: 225 objects per hour

Configuration 4

  • CPU: 16 cores with Hyper-Threading support (32 threads), 2.2 GHz
  • RAM: 64 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate
  • Number of workstations: 1000
  • Workload when receiving files via API: 305 objects per hour

Configuration 5

  • CPU: 14 cores with Hyper-Threading support (28 threads), 2.6 GHz
  • RAM: 64 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate
  • Number of workstations: 1000
  • Workload when receiving files via API: 305 objects per hour

Configuration 6

  • 2 CPUs: 18 cores with Hyper-Threading support (72 threads), 2.2 GHz
  • RAM: 196 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate
  • Number of workstations: 5000
  • Workload when receiving files via API: 910 objects per hour

Example of Kaspersky Sandbox performance:

Physical server configuration:

  • CPU: 4 cores with Hyper-Threading support (8 threads), 2.1 GHz
  • RAM: 32 GB
  • Two hard drives in a RAID 1 array: 600 GB each, 10,000 rpm
  • Two network adapters with 1 Gbit/s data transfer rate

On a server with the specified configuration, Kaspersky Sandbox can:

  • Process objects received from workstations with Kaspersky Endpoint Security or Kaspersky Endpoint Agent. Maximum number of workstations: 250.
  • Process objects received from external systems via the API. Maximum objects per hour: 75.

For example, if you want to double the performance of Kaspersky Sandbox (to receive objects from 500 workstations or 150 objects per hour from external systems via the API), you can combine 2 servers into a cluster.

Kaspersky Endpoint Security can be installed on a terminal server, file server, or a network-attached storage (NAS).

If Kaspersky Endpoint Security is installed on a terminal server, the load generated by Kaspersky Endpoint Security is calculated as follows: one Kaspersky Endpoint Security instance on a terminal server serving X users generates the same load as X Kaspersky Endpoint Security instances on workstations (X users count as X Kaspersky Endpoint Security instances).

If Kaspersky Endpoint Security is installed on a file server or a network-attached storage, the load generated by Kaspersky Endpoint Security is calculated as follows: one Kaspersky Endpoint Security instance on a file server or network-attached storage generates the same load as 20 Kaspersky Endpoint Security instances on a workstation.

Virtual machine configuration

The Kaspersky Sandbox application supports the following virtual machine configuration:

  • CPU: 12 cores (6 sockets, 2 cores each), 2.2 GHz or higher.
  • RAM: 32 GB.
  • HDD volume: 600 GB.
  • Two network adapters with 1 Gbit/s data transfer rate.

Virtual machine settings:

  1. Expose hardware assisted virtualization to the guest OS check box selected.
  2. Latency Sensitivity option set to High.
  3. Entire RAM reserved (32 GB).
  4. Entire CPU clock rate reserved.

    You can use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>.

When configuring the virtual machine, your configuration must match the description above. Only the CPU clock rate can be varied: you can configure a value of 2.2 GHz or higher. If the configuration of your virtual machine deviates from the description above, correct installation and operation of Kaspersky Sandbox is not guaranteed.

Installed on a virtual machine, Kaspersky Sandbox can process objects from up to 250 workstations or 100 objects per hour received using the API.
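
The sizing rules above (the per-server limits in the table, the terminal-server and file-server load equivalents, the "two servers double the capacity" cluster rule and the VM CPU reservation formula) worked through as a small capacity-planning helper. This is an added example written for this help page, not a Kaspersky utility; the `Endpoint` record, the function names and the endpoint inventory in `sample_inventory()` are constructed for the example, and extending the cluster rule linearly beyond two servers is an assumption made here.

```python
"""Capacity-planning helper built from the sizing rules above (added example).

Illustrative code written for this help page, not a Kaspersky utility.
The per-server limits come from the table, the terminal-server and
file-server load equivalents and the VM CPU reservation formula from the
text; the endpoint inventory in sample_inventory() is constructed data.
"""
import math
from dataclasses import dataclass

# (label, max workstations, max API objects per hour) for one server,
# in the order the sizing table lists the configurations.
SERVER_CONFIGS = [
    ("4 cores / 32 GB RAM", 250, 75),
    ("8 cores / 48 GB RAM", 500, 150),
    ("12 cores / 64 GB RAM", 750, 225),
    ("16 cores / 64 GB RAM", 1000, 305),
    ("2 x 18 cores / 196 GB RAM", 5000, 910),
]
VM_CONFIG = ("virtual machine, 12 vCPU / 32 GB RAM", 250, 100)

# One EPP instance on a file server or NAS counts as 20 workstations.
FILE_SERVER_EQUIVALENT = 20
VM_VCPUS = 12            # the VM configuration is fixed at 12 cores
VM_MIN_CLOCK_MHZ = 2200  # 2.2 GHz or higher


@dataclass
class Endpoint:
    kind: str        # "workstation", "terminal_server" or "file_server"
    users: int = 1   # for terminal servers: number of users served


def workstation_equivalents(endpoints):
    """Total load expressed in plain-workstation instances."""
    total = 0
    for e in endpoints:
        if e.kind == "workstation":
            total += 1
        elif e.kind == "terminal_server":
            total += e.users            # X users = X instances
        elif e.kind == "file_server":
            total += FILE_SERVER_EQUIVALENT
        else:
            raise ValueError(f"unknown endpoint kind: {e.kind!r}")
    return total


def smallest_single_server(workstations, api_objects_per_hour):
    """Label of the first table row that carries the load alone, or None."""
    for label, max_ws, max_api in SERVER_CONFIGS:
        if workstations <= max_ws and api_objects_per_hour <= max_api:
            return label
    return None


def nodes_needed(config, workstations, api_objects_per_hour):
    """Identical servers to cluster so that both limits are met.

    The text states that two clustered servers double both limits; this
    helper assumes the same linear scaling for larger clusters.
    """
    _label, max_ws, max_api = config
    return max(1, math.ceil(workstations / max_ws),
               math.ceil(api_objects_per_hour / max_api))


def vm_cpu_reservation_mhz(clock_mhz):
    """Entire CPU clock rate to reserve for the VM: 12 * <clock rate in MHz>."""
    if clock_mhz < VM_MIN_CLOCK_MHZ:
        raise ValueError("the virtual machine needs a 2.2 GHz or faster CPU")
    return VM_VCPUS * clock_mhz


def sample_inventory():
    """Constructed example: 180 workstations, one 40-user terminal server and
    two file servers, i.e. 180 + 40 + 2 * 20 = 260 workstation equivalents."""
    return ([Endpoint("workstation") for _ in range(180)]
            + [Endpoint("terminal_server", users=40),
               Endpoint("file_server"), Endpoint("file_server")])


if __name__ == "__main__":
    ws = workstation_equivalents(sample_inventory())
    print("workstation equivalents:", ws)                                  # 260
    print("smallest single server:", smallest_single_server(ws, 50))
    print("4-core servers in a cluster:", nodes_needed(SERVER_CONFIGS[0], ws, 50))
    print("VM CPU reservation, MHz:", vm_cpu_reservation_mhz(2200))        # 26400
```

The inventory converts to 260 workstation equivalents, which is just above the first configuration's limit of 250: either the second configuration on a single server or two servers of the first configuration in a cluster would carry it.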

[Topic 191059]

Getting started with Kaspersky Sandbox

This section contains information about getting started with the Kaspersky Sandbox application in the web interface and the Technical Support Mode.

Kaspersky Sandbox application settings can be managed using the Kaspersky Sandbox web interface and the Kaspersky Security Center.

In case of problems with the application, Technical Support staff can ask you to perform the following actions for debugging purposes in the Kaspersky Sandbox administrator menu or in the Technical Support Mode.

For example, they can ask you to:

  • Activate the advanced diagnostics feature.
  • Perform additional configuration on some application components that are not normally configurable via the user interface.
  • Modify the settings for storing and submitting collected diagnostic data.
  • Set up network traffic capturing and save it in a file.

All necessary information for performing the actions listed above (procedure, settings to be modified, configuration files, special utilities, etc.), as well as the list of data to be collected for debugging purposes, will be disclosed by Technical Support staff. Advanced debugging information is collected and stored on the user computer. Collected data is not automatically submitted to Kaspersky.

The actions listed above must only be performed under guidance of Technical Support staff and following the instructions they provide. Unsupervised modification of application settings in ways not described in the documentation or in the recommendations of Technical Support staff can lead to slow-downs and faults of the operating system, and to a reduction of the security level of computers and of the integrity of processed data.

In this Help section

Getting started with the web interface of Kaspersky Sandbox

Getting started with the administrator menu of Kaspersky Sandbox

Getting started with Kaspersky Sandbox Technical Support Mode

[Topic 191060]

Getting started with the web interface of Kaspersky Sandbox

The web interface of Kaspersky Sandbox is located on the server where you have installed the application.

The Kaspersky Sandbox web interface is protected against CSRF attacks and works only if the web interface user's browser provides the Referrer header for HTTP POST requests. Make sure that the browser that you are using to work with Kaspersky Sandbox web interface does not modify the Referrer header of HTTP POST requests. If the connection with the web interface of Kaspersky Sandbox is established through your company's proxy server, make sure that the proxy server does not modify the Referrer header for HTTP POST requests.

To begin working with the Kaspersky Sandbox web interface, proceed as follows:

  1. In a browser on any computer on which access to the Kaspersky Sandbox server is allowed, enter the IP address of the server that is displayed at the final step of application installation.

    A window opens where you can enter Kaspersky Sandbox user credentials.

  2. Enter the user name and password for logging in to the application web interface that you specified when installing the application.

You can now use the web interface of Kaspersky Sandbox.
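
The Referrer rule described above, modelled as server-side logic, as an added example that is not part of the original help and not the product's own implementation. It shows why a browser privacy setting or a proxy that strips or rewrites the header on POST requests locks you out of a CSRF-protected web interface: the server then has nothing to compare against its own host. On the wire the header is spelled "Referer" (RFC 7231); the host names and the `SAMPLE_REQUESTS` list are constructed for the example.

```python
"""Referer check of the kind the text describes (added example).

Illustrative code written for this help page, not the product's own
implementation. A state-changing POST is accepted only when the browser
(and any proxy on the path) has left the Referer header intact and it
names the web interface's own host. Host names below are constructed.
"""
from urllib.parse import urlsplit

WEB_UI_HOST = "sandbox.corp.example"   # constructed host name of the web interface


def referer_allowed(method, headers, own_host=WEB_UI_HOST):
    """Decide whether a request passes the Referer-based CSRF rule.

    method   -- HTTP method ("GET", "POST", ...)
    headers  -- request headers as a dict; lookup is case-insensitive
    own_host -- host[:port] the web interface is served from
    Returns (allowed, reason).
    """
    if method.upper() != "POST":
        return True, "not a POST request, no Referer check"
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer", "").strip()
    if not referer:
        # The case the documentation warns about: a privacy setting or an
        # intermediate proxy removed the header, so the UI stops working.
        return False, "Referer header missing (stripped by browser or proxy?)"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "Referer is not an absolute http(s) URL"
    if parts.netloc.lower() != own_host.lower():
        # Exact host comparison: a look-alike such as
        # sandbox.corp.example.attacker.example must not match.
        return False, f"Referer host {parts.netloc!r} is not {own_host!r}"
    return True, "Referer names the web interface host"


def audit(requests, own_host=WEB_UI_HOST):
    """Run the rule over (method, headers) pairs and return the rejected
    ones with their reasons, e.g. to locate a proxy that rewrites the header."""
    rejected = []
    for method, headers in requests:
        ok, reason = referer_allowed(method, headers, own_host)
        if not ok:
            rejected.append((method, headers.get("Referer"), reason))
    return rejected


# Constructed sample of what the web interface might see.
SAMPLE_REQUESTS = [
    ("GET", {"Host": WEB_UI_HOST}),
    ("POST", {"Host": WEB_UI_HOST, "Referer": f"https://{WEB_UI_HOST}/settings"}),
    ("POST", {"Host": WEB_UI_HOST}),                                   # header stripped
    ("POST", {"Host": WEB_UI_HOST, "Referer": "https://attacker.example/form"}),
    ("POST", {"Host": WEB_UI_HOST, "Referer": f"https://{WEB_UI_HOST}.attacker.example/"}),
]

if __name__ == "__main__":
    for item in audit(SAMPLE_REQUESTS):
        print("rejected:", item)
```

Of the five sample requests, three are rejected: the POST with no header at all (the symptom of the browser or proxy problem the text describes), the one whose Referer names a foreign host, and the one whose host merely begins with the web interface's name. A GET passes without the check, which is why a broken proxy typically shows up as "the pages load but every save fails".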

[Topic 191061]

Getting started with the administrator menu of Kaspersky Sandbox

You can manage Kaspersky Sandbox settings in the administrator menu of the management console of each server where the application is installed.

To get started with the Kaspersky Sandbox administrator menu of the Kaspersky Sandbox server management console:

  1. Use SSH or a terminal to log into the management console of the server whose settings you want to modify.
  2. At the system prompt, enter the user name of the administrator account and the password configured during the installation of the application (Installing and performing initial configuration of the solution, Creating an administrator account for Kaspersky Sandbox).

    The application administrator menu is displayed.

You can now use the application administrator menu.

[Topic 191062]

Getting started with Kaspersky Sandbox Technical Support Mode

Using the Technical Support Mode to manage Kaspersky Sandbox without oversight or instructions of Technical Support staff is not recommended.

The Technical Support Mode gives the administrator of Kaspersky Sandbox unlimited (root) access to the application and to all data stored within it, including personal data.

Managing Kaspersky Sandbox from the management console in Technical Support Mode with superuser privileges allows you to:

  • Manage application settings using configuration files.

    You can modify data encryption settings for data transfer between application servers, and settings for storing and processing scanned objects.

    In this case, data is sent in a plain non-encrypted form. The administrator of Kaspersky Sandbox must independently secure servers with the data. The administrator of Kaspersky Sandbox bears responsibility for modifying application configuration files.

  • Manage trace log settings.

    Trace files can contain confidential information of users.

To begin managing the application in Technical Support Mode:

  1. Use SSH or a terminal to log into the management console of the server whose settings you want to modify.
  2. At the system prompt, enter the user name of the administrator account and the password configured during the installation of the application (Installing and performing initial configuration of the solution, Creating an administrator account for Kaspersky Sandbox).

    The application component administrator menu is displayed.

  3. In the application administrator menu, select the Technical Support Mode.
  4. Press Enter.

    The Technical Support Mode confirmation window opens.

  5. If you really want to manage the application in the Technical Support Mode, select Yes and press Enter.
[Topic 188091]

Managing the Kaspersky Sandbox application using the web interface

The Kaspersky Sandbox web interface is protected against CSRF attacks and operates only if the web interface user's browser provides the Referrer header of an HTTP POST request. Make sure that the browser that you are using to work with the Sandbox web interface does not modify the Referrer header of an HTTP POST request. If the connection with the web interface is established through a proxy server of your organization, check the settings and make sure that the proxy server does not modify the Referrer header for an HTTP POST request.

To begin working with the Kaspersky Sandbox web interface, proceed as follows:

  1. In a browser on any computer on which access to the Kaspersky Sandbox server is allowed, enter the IP address of the Kaspersky Sandbox server.

    The Kaspersky Sandbox administrator credentials input window opens.

  2. Enter the Kaspersky Sandbox administrator user name and password that you specified when installing the application.

You can now start working in the web interface of the application.

In this Help section

Initial configuration of the application

Monitoring of application operation

Database update

Configuring network interfaces

Configuring integration with Kaspersky Security Center

Creating a TLS certificate of Kaspersky Sandbox web interface

Setting the date and time

Installing and configuring images of operating systems and software required for the operation of Kaspersky Sandbox

Managing the cluster

Downloading Kaspersky Sandbox system log to the hard drive

Restarting Kaspersky Sandbox server

Shutdown of Kaspersky Sandbox server

Changing Kaspersky Sandbox administrator account password

[Topic 188099]

Configuring integration with Kaspersky Security Center

To configure integration with Kaspersky Security Center:

  1. In the Kaspersky Sandbox web interface window, select the Connection to KSC section.
  2. In the KSC server address field, enter the address and port of the Kaspersky Security Center server.
  3. If you want to establish a trusted connection with the Kaspersky Security Center server, select the Use TLS encryption check box.
  4. If you want to use Kaspersky Security Center as a proxy server for connecting to Kaspersky activation servers, select the Use KSC as proxy server for activation check box. Click Next in the lower part of the window.

    The initial configuration wizard proceeds to the next step.

You can skip this step and connect to Kaspersky Security Center later using Kaspersky Sandbox web interface.

You must also configure the integration on the Kaspersky Security Center side using Kaspersky Security Center Web Console.

To configure integration with Kaspersky Sandbox on the Kaspersky Security Center side:

  1. In the main window of Web Console, go to the Device discovery → Unassigned devices section.
  2. Select the check box next to the name of the Kaspersky Sandbox server.

    You can select multiple servers.

  3. Click Move to group in the upper part of the table.

    This opens the Move to group window.

  4. Select the Kaspersky Security Center Web Console device group in which you want to manage the Kaspersky Sandbox servers and click Move.

    For example, you can select the Managed devices group, create a new group in the Managed devices group, and place the Kaspersky Sandbox server in the created group.

Kaspersky Security Center Web Console displays devices for which integration is configured in managed device groups. Health status of these devices is displayed on the dashboard. If problems are encountered with these devices, Kaspersky Security Center Web Console displays the Critical or Warning status to alert the administrator.

Because Kaspersky Sandbox is not a standard workstation that is managed using KSC, you must separately configure the display of Kaspersky Sandbox device status in Kaspersky Security Center Web Console.

To display the status of Kaspersky Sandbox devices in KSC correctly, place Kaspersky Sandbox servers into a separate managed device group.

The Kaspersky Sandbox server is displayed in the list of devices of the device group.

Integration of Kaspersky Sandbox with Kaspersky Security Center is configured.

See also

Initial configuration of the application

Adding a license key

Uploading ISO images of operating systems and software required by Kaspersky Sandbox and configuring the network interface to provide Internet access to virtual machines

[Topic 188270]

Adding a license key

To add a license key:

  1. Click Add.

    This opens the Adding a license key window.

  2. In the Type of license key list, select the method that you want to use to add a license key:
    • Activation code if you want to add a license key using an activation code.
    • Key file if you want to add a license key using a key file.
  3. If you choose to add a license key using an activation code, enter the activation code in the Activation code text box.
  4. If you choose to add a license key using a key file, add the key file in one of the following ways:
    • Click the specified area and select the key file in the window.
    • Drag and drop the key file to the specified area.
  5. Click Activate.

The license key is added.

The initial configuration wizard proceeds to the next step.

You can skip this step and add the license key later in one of the following ways:

  • Add the key using Kaspersky Sandbox web interface.
  • Create a task for distributing the key to Kaspersky Sandbox servers in Kaspersky Security Center.

See also

Initial configuration of the application

Configuring integration with Kaspersky Security Center

Uploading ISO images of operating systems and software required by Kaspersky Sandbox and configuring the network interface to provide Internet access to virtual machines

[Topic 188274]

Uploading ISO images of operating systems and software required by Kaspersky Sandbox and configuring the network interface to provide Internet access to virtual machines

Objects processed by Kaspersky Sandbox may attempt activities on the Internet via the network interface used by virtual machines for Internet access. Kaspersky Sandbox can analyze the behavior of these objects.

If you prohibit Internet access, Kaspersky Sandbox uses Internet access emulation to compensate for the lower detection rate caused by the lack of Internet access for processed objects.

The network interface to be used by virtual machines for Internet access must be connected to a subnet that does not intersect, in terms of addressing, with the subnet that the management interface is connected to.

If the security policy of your organization denies access to the Internet from computers of local network users, and you have configured Kaspersky Sandbox network interface to be used by virtual machines for Internet access, there is a risk of the following scenario:

A hacker can attach malware to a random file and initiate a Sandbox scan of this file from the computer of a local network user. This file is then exfiltrated from the local network through the network interface used by virtual machines for Internet access while the file is being scanned by Kaspersky Sandbox.

If virtual machines do not have internet access, Kaspersky Sandbox detection rate may be significantly decreased.

To upload the ISO image of the operating system and software required by Kaspersky Sandbox and configure a network interface for providing Internet access to processed objects:

  1. Click Add.

    The file selection window opens.

  2. Select the operating system image from the distribution kit (ISO file), which you want to upload, and click Open.

    The image upload begins.

  3. Click Install in the row with the name of the image that you want to install.

    To make sure the Kaspersky Sandbox server is operational and able to process objects, you must install a virtual machine with a Windows 7 image. You can install a virtual machine with just the Windows 7 image or virtual machines with Windows 7 and Windows 10 images. The Kaspersky Sandbox server cannot function if you install just the virtual machine with the Windows 10 image.

  4. If you want to use a network interface to provide virtual machines with Internet access, turn on the Internet access interface for virtual machines (detonation interface) toggle switch.
  5. In the Network interface list, select the network interface that you want to use for Internet access of objects being processed.

    The management network interface cannot be selected from this list of network interfaces.

  6. In the IP address field, enter the IP address that you want to assign to this network interface.
  7. In the Mask field, enter the mask of the network in which you want to use this network interface.
  8. In the Default gateway field, enter the gateway address of the network in which you want to use this network interface.
  9. Click Next in the lower part of the window.

    The initial configuration wizard proceeds to the next step.

  10. Click Finish.

You can skip this step and configure the internet access interface for virtual machines later using Kaspersky Sandbox web interface.

Initial configuration of the application is complete and you switch to the application web interface.
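
A pre-flight check for the values entered in this procedure and in the management interface procedure of Step 5 (host name, IP address, netmask, gateway, static routes), added here as an example; it is not a Kaspersky tool and not part of the original help. Besides the usual address sanity checks it enforces the rule stated above that the subnet of the Internet access (detonation) interface must not intersect the management subnet. The `check_sandbox_network` configuration layout, the helper names and all host names and addresses in `GOOD_CONFIG` are constructed for the example.

```python
"""Pre-flight checks for the network settings entered above (added example).

Illustrative code written for this help page, not a Kaspersky tool. It
validates the management interface values (FQDN, address, netmask, gateway,
static routes) and the Internet access (detonation) interface values before
they are typed into the installer or the wizard, and enforces the rule in the
text that the two interfaces' subnets must not intersect. All host names and
addresses below are constructed.
"""
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True for host.domain.com style names: two or more valid labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def _network(address, netmask):
    """IPv4 network of address/netmask, or None if either value is invalid."""
    try:
        return ipaddress.IPv4Interface(f"{address}/{netmask}").network
    except ValueError:
        return None


def check_interface(address, netmask, gateway):
    """Problems with one IPv4 interface definition (empty list = fine)."""
    net = _network(address, netmask)
    if net is None:
        return [f"invalid address/netmask {address}/{netmask}"]
    problems = []
    ip = ipaddress.IPv4Address(address)
    if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
        problems.append(f"{address} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return problems + [f"invalid gateway {gateway!r}"]
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw == ip:
        problems.append("gateway equals the interface address")
    return problems


def check_route(prefix, netmask, gateway, on_link_net):
    """A static route needs a valid destination and an on-link gateway."""
    try:
        dest = ipaddress.IPv4Network(f"{prefix}/{netmask}", strict=True)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid route: {exc}"]
    if gw not in on_link_net:
        return [f"route to {dest} via {gw}, but {gw} is not in {on_link_net}"]
    return []


def check_sandbox_network(cfg):
    """cfg keys: host_name, management, routes (optional), detonation (optional).
    Each interface is a dict with address, netmask and gateway."""
    problems = []
    if not is_fqdn(cfg["host_name"]):
        problems.append(f"host name {cfg['host_name']!r} is not an FQDN")
    m = cfg["management"]
    problems += ["management: " + p for p in check_interface(m["address"], m["netmask"], m["gateway"])]
    mgmt_net = _network(m["address"], m["netmask"])
    if mgmt_net is None:
        return problems      # nothing else can be checked without a valid management subnet
    for r in cfg.get("routes", []):
        problems += ["route: " + p for p in check_route(r["address"], r["netmask"], r["gateway"], mgmt_net)]
    d = cfg.get("detonation")
    if d:
        problems += ["detonation: " + p for p in check_interface(d["address"], d["netmask"], d["gateway"])]
        det_net = _network(d["address"], d["netmask"])
        if det_net is not None and det_net.overlaps(mgmt_net):
            problems.append(f"detonation subnet {det_net} overlaps management subnet {mgmt_net}")
    return problems


# Constructed example: management on 10.10.0.0/24, detonation on an unrelated subnet.
GOOD_CONFIG = {
    "host_name": "sandbox.corp.example",
    "management": {"address": "10.10.0.5", "netmask": "255.255.255.0", "gateway": "10.10.0.1"},
    "routes": [{"address": "10.20.0.0", "netmask": "255.255.0.0", "gateway": "10.10.0.254"}],
    "detonation": {"address": "192.168.50.5", "netmask": "255.255.255.0", "gateway": "192.168.50.1"},
}

if __name__ == "__main__":
    print(check_sandbox_network(GOOD_CONFIG))   # [] when everything is consistent
```

Running the check on a configuration whose detonation interface sits in the management subnet reports the overlap before the wizard does, which matters because the detonation network is the one the text identifies as a possible exfiltration path and should be segregated from management traffic at the addressing level as well as by firewall policy.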

[Topic 191044]

Monitoring of application operation

You can monitor the operation of the Kaspersky Sandbox application in the Dashboard and Cluster management sections of the Kaspersky Sandbox web interface, as well as in the Administration Server section on the Dashboard tab of Kaspersky Security Center Web Console.

You can use color indicators to quickly evaluate the state of the application. The goal of the administrator is to maintain all indicators in the "green" state.

If all indicators are green, Kaspersky Sandbox is working as intended.

If at least one indicator is amber, Kaspersky Sandbox is operational but requires attention of the administrator.

If at least one indicator is red or gray, Kaspersky Sandbox is not receiving objects for processing from Kaspersky Endpoint Security and requires attention of the administrator.

The Dashboard section of Kaspersky Sandbox web interface displays the following information:

  • Self-diagnostics. Indicators and description of the self-diagnosed state of the application.
  • Database update. Indicators and description of the database update state of the application.
  • License. Indicators and description of the application activation status and license validity period.
  • All requests. A widget that displays the processing status of objects received from Kaspersky Endpoint Security.

The Cluster management section of Kaspersky Sandbox web interface displays the following information:

  • Online. Indicators and the number of cluster servers that:
    • are online;
    • are offline.
  • Self-diagnostics. Indicators and the number of cluster servers that:
    • are operating normally;
    • are experiencing problems that need to be addressed.
  • Database update. Indicators and the number of servers in the cluster that:
    • have the current version of the database;
    • require a database update.
  • License. Indicators and the number of servers in the cluster that:
    • have a successfully activated Kaspersky Sandbox application;
    • require a license key to be uploaded or the application to be activated.

In this Help section

Information about self diagnostics of the application in Kaspersky Sandbox web interface

Information about database update state in Kaspersky Sandbox web interface

Information about the application activation state and the license validity period in the Kaspersky Sandbox web interface

Configuring the data display period on the widget in the Kaspersky Sandbox web interface

Monitoring the processing of objects received from Kaspersky Endpoint Security in the Kaspersky Sandbox web interface

[Topic 191047]

Information about self diagnostics of the application in Kaspersky Sandbox web interface

To quickly evaluate the self-diagnosed state of Kaspersky Sandbox, you can use green, red, and gray indicators.

The Self-diagnostics indicator is green if:

  • Self-diagnostics was run recently and completed successfully.
  • Kaspersky Sandbox is working without errors.
  • All systems are working without errors.

The Self-diagnostics indicator is red if:

  • Self-diagnostics was last run over one hour ago.
  • Self-diagnostics terminated with an error.
  • Self-diagnostics detected problems in the operation of the application.
  • You need to re-activate the virtual machine.

The Self-diagnostics indicator is gray if:

  • The application is not activated: no license key was uploaded to the server or the license has expired.
  • Self-diagnostics data could not be received from one or more servers in the Kaspersky Sandbox cluster.

See also

Monitoring of application operation

Information about database update state in Kaspersky Sandbox web interface

Information about the application activation state and the license validity period in the Kaspersky Sandbox web interface

Configuring the data display period on the widget in the Kaspersky Sandbox web interface

Monitoring the processing of objects received from Kaspersky Endpoint Security in the Kaspersky Sandbox web interface

[Topic 191053]

Information about database update state in Kaspersky Sandbox web interface

To quickly evaluate the database update state of Kaspersky Sandbox, you can use green, amber, and gray indicators.

The Database update indicator is green if:

  • Databases are up to date.
  • The last successful database update was completed less than 24 hours ago.
  • The application is activated.

The Database update indicator is amber if the last successful database update was completed over 24 hours ago.

The Database update indicator is gray if:

  • The application is not activated: no license key was uploaded to the server or the license has expired.
  • Data about the database update state could not be received from one or more servers in the Kaspersky Sandbox cluster.

See also

Monitoring of application operation

Information about self diagnostics of the application in Kaspersky Sandbox web interface

Information about the application activation state and the license validity period in the Kaspersky Sandbox web interface

Configuring the data display period on the widget in the Kaspersky Sandbox web interface

Monitoring the processing of objects received from Kaspersky Endpoint Security in the Kaspersky Sandbox web interface

[Topic 191054]

Information about the application activation state and the license validity period in the Kaspersky Sandbox web interface

To quickly evaluate the activation status of the application and the Kaspersky Sandbox license validity period in the Dashboard section of Kaspersky Sandbox web interface, you can use color indicators that can be green, amber, red, or gray.

The License indicator is green if:

  • The application is activated.
  • The server is using a current license.
  • More than 30 days remain until the license expires.

The License indicator is amber if less than 30 days remain until the license expires.

The License indicator is red if:

  • No license key was uploaded to the server.
  • The license has expired.

The License indicator is gray if information about the application activation status and license validity period could not be retrieved from one or more Kaspersky Sandbox servers.

You can click Go to license management to go to the Settings section of the application web interface and, under License, replace the license key or upload a new license key.
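
The indicator rules of the Monitoring topics (the three overall outcomes, and the green/amber/red/gray conditions for Self-diagnostics, Database update and License) encoded as functions, added here as an example that is not part of the original help and not the product's own logic. This is what an external monitoring system would need in order to reduce polled status facts to the same states the dashboard shows. The status record field names (`last_run_minutes_ago`, `days_left` and so on) are constructed for the example, and where the text leaves a boundary open (exactly 30 days, exactly one hour) the code treats it as the non-alarming side.

```python
"""Dashboard indicator rules from the monitoring topics (added example).

Illustrative code written for this help page, not the product's own logic.
It reduces per-server status facts to the green/amber/red/gray indicators
as the text defines them. The status record fields are constructed names
for this example.
"""
GREEN, AMBER, RED, GRAY = "green", "amber", "red", "gray"


def self_diagnostics_indicator(s):
    """s: activated, data_received, last_run_minutes_ago, last_run_ok,
    problems_found, vm_reactivation_needed."""
    if not s["activated"] or not s["data_received"]:
        return GRAY
    if (s["last_run_minutes_ago"] > 60 or not s["last_run_ok"]
            or s["problems_found"] or s["vm_reactivation_needed"]):
        return RED
    return GREEN


def database_update_indicator(s):
    """s: activated, data_received, last_success_hours_ago."""
    if not s["activated"] or not s["data_received"]:
        return GRAY
    return AMBER if s["last_success_hours_ago"] > 24 else GREEN


def license_indicator(s):
    """s: data_received, key_present, days_left (ignored when no key)."""
    if not s["data_received"]:
        return GRAY
    if not s["key_present"] or s["days_left"] <= 0:
        return RED
    return AMBER if s["days_left"] < 30 else GREEN


def overall_state(indicators):
    """Map the indicator colours to the three outcomes in the text."""
    if any(c in (RED, GRAY) for c in indicators):
        return "not receiving objects, administrator attention required"
    if AMBER in indicators:
        return "operational, administrator attention required"
    return "working as intended"


def evaluate(status):
    """status: dict with self_diagnostics, database_update and license records.
    Returns (colour per indicator, overall state)."""
    colours = {
        "Self-diagnostics": self_diagnostics_indicator(status["self_diagnostics"]),
        "Database update": database_update_indicator(status["database_update"]),
        "License": license_indicator(status["license"]),
    }
    return colours, overall_state(list(colours.values()))


# Constructed status of one server: healthy except for an aging database.
SAMPLE_STATUS = {
    "self_diagnostics": {"activated": True, "data_received": True,
                         "last_run_minutes_ago": 12, "last_run_ok": True,
                         "problems_found": False, "vm_reactivation_needed": False},
    "database_update": {"activated": True, "data_received": True,
                        "last_success_hours_ago": 30},
    "license": {"data_received": True, "key_present": True, "days_left": 120},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_STATUS))
```

For the sample status the Database update indicator comes out amber (last successful update 30 hours ago) and the overall state is "operational, administrator attention required"; an expired license or a missed self-diagnostics run would turn its indicator red and the overall state to "not receiving objects", matching the dashboard's behaviour described above.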

See also

Monitoring of application operation

Information about self diagnostics of the application in Kaspersky Sandbox web interface

Information about database update state in Kaspersky Sandbox web interface

Configuring the data display period on the widget in the Kaspersky Sandbox web interface

Monitoring the processing of objects received from Kaspersky Endpoint Security in the Kaspersky Sandbox web interface

[Topic 191046]

Configuring the data display period on the widget in the Kaspersky Sandbox web interface

You can configure data display in the All requests widget for the selected period.

To configure data display for the selected period:

  1. In the application web interface window, select the Dashboard section.
  2. In the upper right corner of the application web interface window, in the drop-down list of data display periods, select the start date and end date of the period.

Data display for the selected period in the All requests widget is configured.

See also

Monitoring of application operation

Information about self diagnostics of the application in Kaspersky Sandbox web interface

Information about database update state in Kaspersky Sandbox web interface

Information about the application activation state and the license validity period in the Kaspersky Sandbox web interface

Monitoring the processing of objects received from Kaspersky Endpoint Security in the Kaspersky Sandbox web interface

[Topic 191055]

Monitoring the processing of objects received from Kaspersky Endpoint Security in the Kaspersky Sandbox web interface

In the Dashboard section of the Kaspersky Sandbox web interface, the All requests widget displays the number of requests for object processing received from Kaspersky Endpoint Security and processed by Kaspersky Sandbox during the selected period.

All requests are counted in the following categories:

  • PE files for requests to process executable files of the PE_EXE format.
  • Documents for requests to process documents of supported formats.

The All requests widget displays the total number of requests, which is incremented after each request to scan an object or a request for information that already exists for that object.

If requests to scan the same object were received from multiple workstations, or if no threats were found when scanning the object, all such requests are reflected in the widget.

Example of counting the total number of requests:

Kaspersky Sandbox received from Kaspersky Endpoint Security and processed:

  • example.exe file: 1
  • example.docx document: 1
  • example.pdf document: 1

In this case, the example.docx file is present on 10 workstations that have the Kaspersky Endpoint Security application installed.

The All requests widget displays the following number of objects:

  • PE files – 1
  • Documents – 11
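
The counting rule of the All requests widget reproduced in code, as an added example that is not part of the original help: every request is counted, including repeated requests for the same object from different workstations, and the example above (one PE file, one PDF, one DOCX scanned from 10 workstations) yields PE files 1 and Documents 11. Assigning the category by file extension is a simplification made here (the widget categorises by the object's actual format); the extension sets, the request records and the placeholder digests are constructed for the example.

```python
"""Reproducing the All requests totals from the text (added example).

Illustrative code written for this help page, not product code. It counts
every processing request into the PE files and Documents categories and
contrasts that with the number of distinct objects behind the requests.
Categorising by file extension is a simplification made here; the request
records are constructed sample data.
"""
from collections import Counter

# Assumed extension sets for this example.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}


def category(file_name):
    """Widget category for a file name: 'PE files', 'Documents' or 'Other'."""
    name = file_name.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in PE_EXTENSIONS:
        return "PE files"
    if ext in DOCUMENT_EXTENSIONS:
        return "Documents"
    return "Other"


def count_requests(requests):
    """requests: (workstation, file_name, digest) tuples.
    Returns a Counter of category -> number of requests; every request counts,
    even when the same object was already scanned for another workstation."""
    totals = Counter()
    for _workstation, file_name, _digest in requests:
        totals[category(file_name)] += 1
    return totals


def distinct_objects(requests):
    """Number of distinct objects (by digest) behind the requests."""
    return len({digest for _ws, _name, digest in requests})


def sample_requests():
    """Constructed: one PE file, one PDF and the same example.docx scanned
    from 10 workstations. Digests are placeholders, not real hashes."""
    reqs = [("ws-001", "example.exe", "digest-exe"),
            ("ws-001", "example.pdf", "digest-pdf")]
    reqs += [(f"ws-{n:03d}", "example.docx", "digest-docx") for n in range(1, 11)]
    return reqs


if __name__ == "__main__":
    reqs = sample_requests()
    print(dict(count_requests(reqs)))                   # {'PE files': 1, 'Documents': 11}
    print("distinct objects:", distinct_objects(reqs))  # 3
```

The gap between 12 requests and 3 distinct objects is the point of the widget: it measures load placed on the sandbox by workstations, not the number of unique files analysed, so a single document that spreads across many endpoints shows up as many requests.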

See also

Monitoring of application operation

Information about self diagnostics of the application in Kaspersky Sandbox web interface

Information about database update state in Kaspersky Sandbox web interface

Information about the application activation state and the license validity period in the Kaspersky Sandbox web interface

Configuring the data display period on the widget in the Kaspersky Sandbox web interface

[Topic 188092]

Database update

Kaspersky Sandbox databases are files with records that make it possible to detect malicious code and signs of suspicious behavior in scanned objects.

Virus analysts at Kaspersky detect hundreds of new threats daily, create records to identify them, and include them in database update packages (or update packages). Update packages consist of one or more files containing records to identify threats that were detected since the previous update package was released. We recommend that you regularly receive update packages.

The Kaspersky Sandbox database update package includes databases for the server component of the Kaspersky Sandbox solution and Kaspersky Endpoint Security application databases.

During the license validity period, you can obtain update packages automatically or update the databases manually.

In this Help section

Updating databases manually

Selecting a database update source

Enabling and disabling a proxy server for database update

Configuring proxy server connection settings for database update

Page top

[Topic 222269]

Updating databases manually

To start a database update manually:

  1. In the Kaspersky Sandbox web interface window, select the Database update section.

    The Last update group of settings displays the time and status of the last database update.

  2. Click Start update.

See also

Database update

Selecting a database update source

Enabling and disabling a proxy server for database update

Configuring proxy server connection settings for database update

Page top

[Topic 188094]

Selecting a database update source

To select a database update source, proceed as follows:

  1. In the Kaspersky Sandbox web interface window, select the Database update section.
  2. Under Update source, select a source from which you want to receive update packages:
    • Kaspersky update server.
    • Kaspersky secure update server.
    • KSC server.
    • Custom server.

      You can only use an HTTP server as the Custom server.

  3. If you have selected KSC server, in the field under the name of the setting, enter the IP address of the Kaspersky Security Center server.
  4. If you have selected Custom server, in the field under the name of this setting, enter the URL of the update package on your HTTP server or the full path to the folder that contains the update package.
  5. Click Save in the lower part of the window.

See also

Database update

Updating databases manually

Enabling and disabling a proxy server for database update

Configuring proxy server connection settings for database update

Page top

[Topic 188095]

Enabling and disabling a proxy server for database update

To enable or disable a proxy server for Kaspersky Sandbox database update:

  1. In the Kaspersky Sandbox web interface window, select the Database update section.
  2. Do one of the following:
    • If you want to use a proxy server when updating application databases, turn on the toggle switch next to the title of the Proxy server group of settings.
    • If you do not want to use a proxy server when updating application databases, turn off the toggle switch next to the title of the Proxy server group of settings.

See also

Database update

Updating databases manually

Selecting a database update source

Configuring proxy server connection settings for database update

Page top

[Topic 188096]

Configuring proxy server connection settings for database update

To configure proxy server connection settings for Kaspersky Sandbox database update, proceed as follows:

  1. In the Kaspersky Sandbox web interface window, select the Database update section.
  2. Turn on the toggle switch next to the title of the Proxy server group of settings.
  3. In the Address field, enter the address and port of the proxy server.
  4. Do one of the following:
    • Select the Bypass proxy server for local addresses check box if you do not want to use a proxy server for internal addresses of your organization.
    • Clear the Bypass proxy server for local addresses check box if you want to use a proxy server for all addresses including internal addresses of your organization.
  5. In the User name field, enter the user name for the proxy server.
  6. In the Password field, enter the password for connecting to the proxy server.
  7. Click Save in the lower part of the window.

The proxy server connection for Kaspersky Sandbox database updates is configured.

See also

Database update

Updating databases manually

Selecting a database update source

Enabling and disabling a proxy server for database update

Page top

[Topic 188102]

Configuring DNS settings

Kaspersky Endpoint Security certificates and network interfaces cannot be managed after the cluster is created.

To configure DNS settings:

  1. In the Kaspersky Sandbox web interface window, select the Network interfaces section.
  2. In the Host name field, enter the name of the Kaspersky Sandbox server in FQDN format (for example, sandbox.example.com).
  3. Click Add next to the DNS servers setting.

    This will add an empty field for the DNS server IP address input.

  4. Enter the IPv4 address of the primary DNS server.
  5. Click Apply in the lower part of the window.

    The DNS server will be added.

  6. If you want to add an additional DNS server, repeat steps 3-5.
  7. If you want to remove a previously added DNS server, click the delete icon to the right of the row containing the IP address of the DNS server.

    You can only remove additional DNS servers; the last remaining DNS server cannot be removed. If two or more DNS servers are configured, you can remove any of them, and the remaining DNS server will be used as the primary server.

Page top

[Topic 188103]

Configuring the management network interface

Kaspersky Endpoint Security certificates and network interfaces cannot be managed after the cluster is created.

The management network interface is used for accessing the Kaspersky Sandbox server using the SSH protocol.

You can configure a management network interface during installation of the application.

You can also configure a management network interface in the web interface of the application.

To configure a management network interface in the web interface of Kaspersky Sandbox:

  1. In the Kaspersky Sandbox web interface window, select the Network interfaces section.
  2. Under Management interface, in the Network interface drop-down list, select the network interface that you want to use as the management interface.
  3. In the IP address field, enter the IP address that you want to assign to this network interface if no IP address is assigned.
  4. In the Mask field, enter the mask of the network in which you want to use this network interface.
  5. In the Default gateway field, enter the gateway address of the network in which you want to use this network interface.
  6. Click Apply in the lower part of the window.
Page top

[Topic 188104]

Configuring a network interface to be used by virtual machines for Internet access (the detonation interface)

Objects processed by Kaspersky Sandbox may attempt to communicate with the Internet through the network interface used by virtual machines for Internet access (the detonation interface). Kaspersky Sandbox can analyze this network behavior of the objects.

If you prohibit Internet access, Kaspersky Sandbox uses Internet access emulation to partly compensate for the lower detection rate caused by the lack of real Internet access for processed objects.

The detonation interface must be connected to a subnet whose address range does not overlap with the subnet that the management interface is connected to.

If the security policy of your organization denies Internet access from computers of local network users, but you have configured the Kaspersky Sandbox detonation interface with Internet access, the following scenario becomes possible:

An attacker attaches malware to an arbitrary file and initiates a Sandbox scan of that file from the computer of a local network user. While Kaspersky Sandbox detonates the file, the virtual machine transmits it out of the local network through the detonation interface. The detonation interface is therefore an egress path that bypasses the restrictions applied to user computers, so filter and monitor traffic on its subnet as you would any other Internet-facing segment.

If virtual machines do not have Internet access, the Kaspersky Sandbox detection rate may be significantly decreased.

To configure a network interface used for Internet access of processed objects, proceed as follows:

  1. In the Kaspersky Sandbox web interface window, select the Virtual machines section.
  2. Under Internet access interface for virtual machines (detonation interface), from the Network interface list, select the network interface that you want to use for Internet access of processed objects.

    The management network interface cannot be selected from this list of network interfaces.

  3. In the IP address field, enter the IP address that you want to assign to this network interface.
  4. In the Mask field, enter the mask of the network in which you want to use this network interface.
  5. In the Default gateway field, enter the gateway address of the network in which you want to use this network interface.
  6. Click Apply.
Page top

[Topic 188105]

Adding, changing and removing static network routes

Kaspersky Endpoint Security certificates and network interfaces cannot be managed after the cluster is created.

To add a static network route, proceed as follows:

  1. In the Kaspersky Sandbox web interface window, select the Network interfaces section.
  2. Under Static routes, click Add.

    A line with empty fields will be added in the list of static network routes.

  3. In the IP address field, enter the subnet prefix.
  4. In the Mask field, enter the subnet mask.
  5. In the Default gateway field, enter the IP address of the gateway.
  6. From the Network interface list, select the network interface for which you want to add a static network route.
  7. Click the OK icon.
  8. Click Apply in the lower part of the window.

To remove a static network route, proceed as follows:

  1. In the Kaspersky Sandbox web interface window, select the Network interfaces section.
  2. Under Static routes, in the row containing the static route that you want to delete, click the delete icon.
  3. Click Apply in the lower part of the window.

To change a static network route, proceed as follows:

  1. In the Kaspersky Sandbox web interface window, select the Network interfaces section.
  2. Under Static routes, in the row containing the static network route that you want to modify, click the edit icon.

    The static network route line will become editable.

  3. Make the relevant changes.
  4. Click the OK icon.
  5. Click Apply in the lower part of the window.
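The addressing rules stated in the management interface, detonation interface and static route procedures above can be checked before the values are typed into the web interface. The following script is an added example written for this page; it is not part of Kaspersky Sandbox or its documentation. It assumes a POSIX shell, and every interface name and address in it is constructed for illustration. It checks the documented constraints (the detonation interface must not be the management interface, and the two subnets must not overlap) plus two ordinary routing sanity checks that the page implies rather than states (a gateway must lie inside its interface's subnet, and a static route's prefix must be a network address whose gateway is on-link for the selected interface).

```shell
#!/bin/sh
# Added example, not part of the Kaspersky Sandbox documentation: pre-flight
# checks for the addressing entered in the Network interfaces and Virtual
# machines sections. All interface names and addresses below are constructed.

ip2int() {  # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_network() {  # IP MASK IP MASK -> 0 if the two subnets overlap
  m=$(( $(ip2int "$2") & $(ip2int "$4") ))   # the shorter of the two masks
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

in_subnet() {  # ADDR IP MASK -> 0 if ADDR lies inside IP/MASK
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# check_interfaces MGMT_IF MGMT_IP MGMT_MASK MGMT_GW DET_IF DET_IP DET_MASK DET_GW
# Prints every violated rule; returns 0 only when all rules hold.
check_interfaces() {
  rc=0
  [ "$1" != "$5" ] \
    || { echo "detonation interface $5 must differ from management interface $1"; rc=1; }
  if same_network "$2" "$3" "$6" "$7"; then
    echo "management subnet $2/$3 overlaps detonation subnet $6/$7"; rc=1
  fi
  in_subnet "$4" "$2" "$3" || { echo "management gateway $4 is outside $2/$3"; rc=1; }
  in_subnet "$8" "$6" "$7" || { echo "detonation gateway $8 is outside $6/$7"; rc=1; }
  return $rc
}

# check_static_route PREFIX MASK GATEWAY IF_IP IF_MASK
# The prefix must be a network address and the gateway must be on-link for
# the interface selected for the route.
check_static_route() {
  rc=0
  p=$(ip2int "$1"); m=$(ip2int "$2")
  [ $(( p & m )) -eq "$p" ] \
    || { echo "route $1/$2: prefix is not a network address (host bits set)"; rc=1; }
  in_subnet "$3" "$4" "$5" \
    || { echo "route $1/$2: gateway $3 is not on-link for interface $4/$5"; rc=1; }
  return $rc
}

# Demo with constructed values: management on eth0 in 10.10.0.0/24,
# detonation on eth1 in 192.0.2.0/24, one static route towards 10.20.0.0/16.
check_interfaces eth0 10.10.0.15 255.255.255.0 10.10.0.1 \
                 eth1 192.0.2.15 255.255.255.0 192.0.2.1 && echo "interface addressing OK"
check_static_route 10.20.0.0 255.255.0.0 10.10.0.254 10.10.0.15 255.255.255.0 \
  && echo "static route OK"
```

Run it with any POSIX shell; each failed rule is printed and the function returns non-zero, so the checks can be wired into a change-control script before the values are applied in the web interface.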
Page top

[Topic 189495]

Configuring integration with Kaspersky Security Center

You must configure the integration on the Kaspersky Sandbox side using the Kaspersky Sandbox web interface, as well as on the Kaspersky Security Center side using the Kaspersky Security Center Web Console.

To configure integration with Kaspersky Security Center on the Kaspersky Sandbox side:

  1. In the Kaspersky Sandbox web interface window, select the Connection to KSC section.
  2. In the KSC server address field, enter the address and port of the Kaspersky Security Center server.
  3. If you want to establish a trusted connection with the Kaspersky Security Center server, select the Use TLS encryption check box.
  4. If you want to use Kaspersky Security Center as a proxy server for connecting to Kaspersky activation servers, select the Use KSC as proxy server for activation check box.
  5. Click Connect.

To configure integration with Kaspersky Sandbox on the Kaspersky Security Center side:

  1. In the main window of Web Console, go to the Device discovery → Unassigned devices section.
  2. Select the check box next to the name of the Kaspersky Sandbox server.

    You can select multiple servers.

  3. Click Move to group in the upper part of the table.

    This opens the Move to group window.

  4. Select the group of Kaspersky Security Center Web Console devices that you want to manage in Kaspersky Sandbox and click Move.

    For example, you can select the Managed devices group, create a new group in the Managed devices group, and place the Kaspersky Sandbox server in the created group.

Kaspersky Security Center Web Console displays devices for which integration is configured in managed device groups. Health status of these devices is displayed on the dashboard. If problems are encountered with these devices, Kaspersky Security Center Web Console displays the Critical or Warning status to alert the administrator.

Because a Kaspersky Sandbox server is not a standard workstation managed by KSC, you must separately configure how the status of Kaspersky Sandbox devices is displayed in Kaspersky Security Center Web Console.

To display the status of Kaspersky Sandbox devices in KSC correctly, place Kaspersky Sandbox servers into a separate managed device group.

The Kaspersky Sandbox server is displayed in the list of devices of the device group.

Integration of Kaspersky Sandbox with Kaspersky Security Center is configured.

See also

Managing the Kaspersky Sandbox application using the web interface

Initial configuration of the application

Monitoring of application operation

Database update

Configuring network interfaces

Creating a TLS certificate of Kaspersky Sandbox web interface

Setting the date and time

Installing and configuring images of operating systems and software required for the operation of Kaspersky Sandbox

Managing the cluster

Downloading Kaspersky Sandbox system log to the hard drive

Restarting Kaspersky Sandbox server

Shutdown of Kaspersky Sandbox server

Changing Kaspersky Sandbox administrator account password

Page top

[Topic 189624]

Generating a TLS certificate for the Kaspersky Sandbox web interface

To generate a TLS certificate for the Kaspersky Sandbox web interface:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for Kaspersky Sandbox web interface, click Generate.

    The action confirmation window opens.

  3. Click Yes.

Kaspersky Sandbox generates a new TLS certificate. The browser page is automatically reloaded.

See also

Creating a TLS certificate of Kaspersky Sandbox web interface

Uploading a TLS certificate of Kaspersky Sandbox web interface

Page top

[Topic 189623]

Uploading a TLS certificate of Kaspersky Sandbox web interface

You can prepare the TLS certificate and upload it via the Kaspersky Sandbox web interface.

The uploaded TLS certificate file must satisfy the following requirements:

  • The file must contain the certificate itself and a private encryption key for the connection.
  • The file must be in PEM format.
  • The private key length must be 2048 bits or longer.

For more details about preparing TLS certificates for import, see the OpenSSL documentation.
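As an added example (not Kaspersky's code or procedure), the following POSIX shell script prepares a file that meets the three requirements above and checks an existing file before you upload it. It assumes the openssl command-line tool is installed; sandbox.example.com is a placeholder host name. In production you would have the certificate request signed by your organization's CA rather than self-signing, and then concatenate the issued certificate with the key in the same way.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky Sandbox documentation: build a PEM
# file holding the certificate and its private key, and verify a file against
# the upload requirements (PEM, certificate + private key, key >= 2048 bits).
# Assumes the openssl tool; sandbox.example.com is a placeholder host name.

# make_bundle OUT_DIR HOST BITS
# Writes OUT_DIR/sandbox-web.pem: a self-signed certificate for HOST followed
# by its RSA private key of BITS bits. The SAN extension is included because
# browsers no longer accept certificates that only carry a CN.
make_bundle() {
  out="$1"; host="$2"; bits="$3"
  mkdir -p "$out"
  openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$out/sandbox-web.key" -out "$out/sandbox-web.crt" 2>/dev/null || return 1
  cat "$out/sandbox-web.crt" "$out/sandbox-web.key" > "$out/sandbox-web.pem"
  chmod 600 "$out/sandbox-web.key" "$out/sandbox-web.pem"   # the bundle carries a private key
}

# check_bundle PEM_FILE
# Returns 0 when the file is fit for upload; prints the first failed check otherwise.
check_bundle() {
  pem="$1"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
    || { echo "$pem: no certificate block"; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" \
    || { echo "$pem: no private key block"; return 1; }
  # Key length in bits; -passin pass: keeps openssl from prompting for a passphrase.
  bits=$(openssl pkey -in "$pem" -passin pass: -text -noout 2>/dev/null \
         | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
    || { echo "$pem: private key is ${bits:-unreadable}; at least 2048 bits are required"; return 1; }
  # The certificate must belong to the key: compare the public key found in each.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "$pem: certificate public key does not match the private key"; return 1; }
  echo "$pem: OK (${bits}-bit key, certificate matches key)"
}

# Stand-alone demo: build a bundle in a temporary directory and check it.
demo_dir=$(mktemp -d)
make_bundle "$demo_dir" sandbox.example.com 3072 && check_bundle "$demo_dir/sandbox-web.pem"
```

The PEM reader accepts the certificate and key in either order; the checks above catch the three mistakes seen most often before upload: a file that contains only the certificate, a key below the 2048-bit minimum, and a certificate concatenated with a key that does not belong to it.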

To upload the TLS certificate via the Kaspersky Sandbox web interface:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for Kaspersky Sandbox web interface, click Upload.

    The file selection window opens.

  3. Select the TLS certificate file that you want to upload and click Open.

    The file selection window closes.

The TLS certificate is added to Kaspersky Sandbox.

See also

Creating a TLS certificate of Kaspersky Sandbox web interface

Generating a TLS certificate for the Kaspersky Sandbox web interface

Page top

[Topic 188107]

Setting the date and time

To set a date and time of Kaspersky Sandbox, proceed as follows:

  1. In the Kaspersky Sandbox web interface window, select the Date and time section.
  2. In the Country drop-down list, select the relevant country.
  3. In the Time zone drop-down list, select the relevant time zone.
  4. If you prefer to synchronize the time with an NTP server, turn on the toggle switch to the right of the Synchronization with NTP servers setting.
  5. If you prefer to set the date and time manually, do not turn on the switch to the right of the Synchronization with NTP servers setting and instead:
    1. In the Date field, enter the current date or click the calendar icon and select a date in the calendar.
    2. In the Time field, enter the current time.
  6. Click Apply in the lower part of the window.

The date and time for Kaspersky Sandbox are configured.

See also

Managing the Kaspersky Sandbox application using the web interface

Initial configuration of the application

Monitoring of application operation

Database update

Configuring network interfaces

Configuring integration with Kaspersky Security Center

Creating a TLS certificate of Kaspersky Sandbox web interface

Installing and configuring images of operating systems and software required for the operation of Kaspersky Sandbox

Managing the cluster

Downloading Kaspersky Sandbox system log to the hard drive

Restarting Kaspersky Sandbox server

Shutdown of Kaspersky Sandbox server

Changing Kaspersky Sandbox administrator account password

Page top

[Topic 188108]

Installing and configuring images of operating systems and software required for the operation of Kaspersky Sandbox

The Kaspersky Sandbox distribution kit includes images of the Windows 7 x64 and Windows 10 x64 operating systems with the software required for the operation of Kaspersky Sandbox already installed. You do not have to activate these operating systems and software: the images in the distribution kit already include license keys.

Kaspersky Sandbox runs objects in these operating systems and analyzes the behavior of the objects in order to detect malicious activity and signs of targeted attacks and intrusions into the corporate IT infrastructure.

If you encounter problems with activation of the operating system or software, the web interface of Kaspersky Sandbox displays an error message. If this happens, please contact Kaspersky Technical Support.

The application is not designed to work with other operating system images.

See also

Initial configuration of the application

Monitoring of application operation

Database update

Configuring network interfaces

Configuring integration with Kaspersky Security Center

Creating a TLS certificate of Kaspersky Sandbox web interface

Setting the date and time

Managing the cluster

Downloading Kaspersky Sandbox system log to the hard drive

Restarting Kaspersky Sandbox server

Shutdown of Kaspersky Sandbox server

Changing Kaspersky Sandbox administrator account password

In this Help section

Uploading the ISO image of the operating system and software required for the operation of Kaspersky Sandbox

Installing virtual machines with the image of the operating system and software required for the operation of Kaspersky Sandbox

Deleting virtual machines

Page top

[Topic 188109]

Uploading the ISO image of the operating system and software required for the operation of Kaspersky Sandbox

To make sure the Kaspersky Sandbox server is operational and able to process objects, you must install a virtual machine with a Windows 7 image. You can install a virtual machine with just the Windows 7 image or virtual machines with Windows 7 and Windows 10 images. The Kaspersky Sandbox server cannot function if you install just the virtual machine with the Windows 10 image.

To upload an ISO image of an operating system and software required for the operation of Kaspersky Sandbox, do the following for each ISO image:

  1. In the Kaspersky Sandbox web interface window, select the Virtual machines section.
  2. Click Add.

    The file selection window opens.

  3. Select an ISO file that you want to upload and click Open.

    The file selection window closes.

The Virtual machines section displays the uploaded operating system image.

Page top

[Topic 188110]

Installing virtual machines with the image of the operating system and software required for the operation of Kaspersky Sandbox

To make sure the Kaspersky Sandbox server is operational and able to process objects, you must install a virtual machine with a Windows 7 image. You can install a virtual machine with just the Windows 7 image or virtual machines with Windows 7 and Windows 10 images. The Kaspersky Sandbox server cannot function if you install just the virtual machine with the Windows 10 image.

To install a virtual machine with an operating system image and software required for the operation of Kaspersky Sandbox:

  1. In the Kaspersky Sandbox web interface window, select the Virtual machines section.
  2. In the list of virtual machines, click Install in the row with the virtual machine that you want to install.

    Archive unpacking and virtual machine installation process begins.

When the installation is complete, the virtual machine is displayed under Virtual machines with the Installed status.

Page top

[Topic 188112]

Deleting virtual machines

To delete a virtual machine:

  1. In the Kaspersky Sandbox web interface window, select the Virtual machines section.
  2. In the list of virtual machines, click Delete in the row with the virtual machine that you want to delete.

    The selected virtual machine is deleted.

Page top

[Topic 188791]

Managing the cluster

To eliminate the risk of IP spoofing attacks, we recommend placing the servers that you plan to combine into a cluster in a separate virtual local area network (VLAN) to which other network devices and users cannot establish unauthorized connections, or protecting the traffic between the servers with IPsec.

A number of limitations apply when adding servers to the cluster.

If you are using multiple Kaspersky Sandbox servers, you can combine these servers into a cluster to improve the performance of Kaspersky Sandbox.

All servers in the cluster are peers regardless of which server was used as the base for creating the cluster. When a server in the cluster processes an object, information about the result of processing is saved on all servers in the cluster.

The Kaspersky Sandbox application balances load among the servers. When integrating with Kaspersky Endpoint Security, objects that Kaspersky Endpoint Security sends for processing to Kaspersky Sandbox are processed on the least busy server.

Kaspersky Endpoint Security's list of Kaspersky Sandbox servers only displays the servers that you have added to the list. Nevertheless, objects can be processed by any server in the cluster thanks to load balancing. The current list of servers in the cluster is displayed in the web interface of Kaspersky Sandbox.

Kaspersky Endpoint Security can connect to a different Kaspersky Sandbox server in the list if one of the following errors occurs:

  • Kaspersky Sandbox response timeout (connection timeout).
  • Kaspersky Sandbox unavailable (error code 503 or 504).
  • Self-diagnosis problem other than a license problem (error code 500).

When you delete a server from a cluster, the following object processing scenarios are possible:

  • If there is still at least one server from the cluster with a current IP address or FQDN in the list of Kaspersky Sandbox servers in Kaspersky Endpoint Security, Kaspersky Sandbox continues to process objects from Kaspersky Endpoint Security.
  • If no servers from the cluster remain in the list of Kaspersky Sandbox servers in Kaspersky Endpoint Security, or if IP addresses or FQDNs of cluster servers are not current, Kaspersky Sandbox cannot receive and process objects from Kaspersky Endpoint Security.

After creating the cluster, the Cluster management section of Kaspersky Sandbox web interface window displays the server table of the cluster, as well as server status monitoring data for the cluster.

You can add servers to the cluster or remove servers from the cluster.

See also

Initial configuration of the application

Monitoring of application operation

Database update

Configuring network interfaces

Configuring integration with Kaspersky Security Center

Creating a TLS certificate of Kaspersky Sandbox web interface

Setting the date and time

Installing and configuring images of operating systems and software required for the operation of Kaspersky Sandbox

Downloading Kaspersky Sandbox system log to the hard drive

Restarting Kaspersky Sandbox server

Shutdown of Kaspersky Sandbox server

Changing Kaspersky Sandbox administrator account password

In this Help section

Creating a new cluster

Limitations that apply when adding servers to the cluster

Viewing the server table of the cluster

Monitoring the status of servers in the cluster

Adding a server to the cluster

Removing a server from a cluster

Deleting the cluster

Modifying the IP address of a server that is part of a cluster

Page top

[Topic 188792]

Creating a new cluster

A number of limitations apply when adding servers to the cluster.

To create a new cluster:

  1. In the Cluster management section of the web interface of any server that you plan to include in the cluster, click Create a new cluster.
  2. In the confirmation window, click Yes.

The cluster is created. The browser page is reloaded. The table of servers in the cluster is displayed, showing information about the server on which the cluster was created, as well as information about the status of the servers in the cluster.

Having created a cluster, you can add other servers to that cluster.

See also

Limitations that apply when adding servers to the cluster

Viewing the server table of the cluster

Monitoring the status of servers in the cluster

Adding a server to the cluster

Removing a server from a cluster

Deleting the cluster

Modifying the IP address of a server that is part of a cluster

Page top

[Topic 218515]

Limitations that apply when adding servers to the cluster

The following limitations apply when combining Kaspersky Sandbox servers into a cluster:

  • The versions of Kaspersky Sandbox on servers you want to combine into a cluster must be identical.
  • The set of installed virtual machines with Windows 7 and Windows 10 images on servers you want to combine into a cluster must be identical.
  • One cluster can include at most 32 servers.
  • Kaspersky Endpoint Security certificates and network interfaces cannot be managed after the cluster is created.

    When configuring a trusted connection with Kaspersky Endpoint Security, the certificate of the Kaspersky Sandbox server on which the cluster was created is applied on all other servers. If you want to configure a trusted connection with Kaspersky Endpoint Security for servers in the cluster, you must first configure a trusted connection with Kaspersky Endpoint Security for the server on which you want to create the cluster.

Page top

[Topic 188793]

Viewing the server table of the cluster

The server table of the cluster is displayed in the Cluster management section of the application web interface after the cluster is created.

The server table of the cluster contains the following information:

  1. Server address is the IP address of the server.
  2. Connection status is one of the following connection statuses of the server in the cluster:
    • Connected.
    • Connecting.
    • Pending connection.
    • Cancelling connection.
    • Failed.
    • Offline.
  3. Health is the information about the health of the server and problems with the server. The following statuses are possible:
    • OK.
    • License issue.
    • All update attempts have failed for last 24 hours.
    • Self-diagnostics exited with an error.
    • Self-diagnostics has not started for a long time.
    • Data on server health is outdated.
    • VM image requires reactivation.
    • Database versions do not match.
    • VM configurations do not match.
    • No VM with a Windows 7 image on the server.
    • No VM images installed.
    • Problems with server system service.
    • Time is not synchronized between servers.

You can go to the web interface of a server by clicking the link with the IP address of the server.

See also

Managing the cluster

Creating a new cluster

Limitations that apply when adding servers to the cluster

Monitoring the status of servers in the cluster

Adding a server to the cluster

Removing a server from a cluster

Deleting the cluster

Modifying the IP address of a server that is part of a cluster

Page top

[Topic 191070]

Monitoring the status of servers in the cluster

To quickly evaluate the status of servers in the cluster, you can use green, amber, and red indicators. The goal of the administrator is to maintain all indicators in the "green" state.

If all indicators are green, Kaspersky Sandbox is working as intended.

If at least one indicator is amber, Kaspersky Sandbox is operational but requires attention of the administrator.

If at least one indicator is red or gray, Kaspersky Sandbox is not receiving objects for processing from Kaspersky Endpoint Security and requires attention of the administrator.

The Cluster management section of Kaspersky Sandbox web interface displays the following information about the status of servers in the cluster:

  • Online. Indicators and the number of cluster servers that:
    • are online;
    • are offline.
  • Self-diagnostics. Indicators and the number of cluster servers that:
    • are operating normally;
    • are experiencing problems that need to be addressed.
  • Database update. Indicators and the number of servers in the cluster that:
    • have the current version of the database;
    • require a database update.
  • License. Indicators and the number of servers in the cluster that:
    • have a successfully activated Kaspersky Sandbox application;
    • require a license key to be uploaded or the application to be activated.

The Self-diagnostics, Database update, and License indicators follow the same principle as the application monitoring indicators in the Dashboard section of Kaspersky Sandbox web interface.

See also

Managing the cluster

Creating a new cluster

Limitations that apply when adding servers to the cluster

Viewing the server table of the cluster

Adding a server to the cluster

Removing a server from a cluster

Deleting the cluster

Modifying the IP address of a server that is part of a cluster

Page top

[Topic 188795]

Adding a server to the cluster

To add a server to the cluster:

  1. In the Cluster management section of the web interface of a server in the cluster, click Add.

    This opens the Cluster token window, which contains a unique token. You can only use this token for adding a single server to the cluster. The token is valid for 30 minutes after creation.

  2. Click Copy.
  3. In the Cluster management section of the web interface of the server that you want to include in the cluster, click Adding this server to the existing cluster.
  4. Paste the token that you received at step 2 into the Cluster token text box.
  5. Click Connecting.

    The server begins connecting to the cluster.

  6. If the server could not be added to the cluster, click Close in the web interface of the server that you want to add to the cluster and repeat the steps to add the server to the cluster.

The server is added to the cluster and displayed in the server table of the cluster in the Cluster management section of the web interface of all servers that are part of the cluster.

Kaspersky Endpoint Security certificates and network interfaces cannot be managed after the cluster is created.

If you want the added server to process objects from Kaspersky Endpoint Security, add the server to the Kaspersky Endpoint Security server list.

See also

Creating a new cluster

Limitations that apply when adding servers to the cluster

Viewing the server table of the cluster

Monitoring the status of servers in the cluster

Removing a server from a cluster

Deleting the cluster

Modifying the IP address of a server that is part of a cluster

Page top

[Topic 188796]

Removing a server from a cluster

To remove a server from the cluster:

  1. In the Cluster management section of the web interface of a server that is part of the cluster, click Delete in the row of the server that you want to remove from the cluster.

    A window opens requesting confirmation of the removal of the server from the cluster.

  2. Click Yes.

The server is removed from the cluster. Information about the server is no longer displayed in the server table of the cluster. The removed server continues operating without connecting to the cluster. Kaspersky Endpoint Security certificates and network interfaces can now be managed. Other servers of the cluster continue to work as part of the cluster.

See also

Creating a new cluster

Limitations that apply when adding servers to the cluster

Viewing the server table of the cluster

Monitoring the status of servers in the cluster

Adding a server to the cluster

Deleting the cluster

Modifying the IP address of a server that is part of a cluster

[Topic 188797]

Deleting the cluster

If the cluster includes only one server, you can delete the cluster. The server continues operating without connecting to the cluster.

To delete a cluster:

  1. In the Cluster management section of the web interface of the sole server that is part of the cluster, click Delete in the row containing information about the server.

    A window opens requesting confirmation of the deletion of the cluster.

  2. Click Yes.

The cluster is deleted. The server continues operating without connecting to the cluster. Kaspersky Endpoint Security certificates and network interfaces can now be managed.

See also

Creating a new cluster

Limitations that apply when adding servers to the cluster

Viewing the server table of the cluster

Monitoring the status of servers in the cluster

Adding a server to the cluster

Removing a server from a cluster

Modifying the IP address of a server that is part of a cluster

[Topic 188114]

Downloading Kaspersky Sandbox system log to the hard drive

Data in the Kaspersky Sandbox system log is stored in plain, non-encrypted form. The data is stored for the last 30 days.

If Kaspersky Sandbox uses the system log, Kaspersky Sandbox data can be submitted to Kaspersky using the following scenario:

  1. The administrator of Kaspersky Sandbox downloads the Kaspersky Sandbox system log to the hard drive of the computer that the administrator is using to access the web interface of Kaspersky Sandbox.
  2. The administrator of Kaspersky Sandbox sends the system log file to Kaspersky Technical Support.

The administrator of Kaspersky Sandbox decides independently whether it is safe to send the host names of workstations running Kaspersky Endpoint Security to Kaspersky Technical Support.

To download the Kaspersky Sandbox system log to the hard drive:

  1. In the Kaspersky Sandbox web interface window, select the Settings section.
  2. Under System log, click Download.

    The Kaspersky Sandbox system log is downloaded to the hard drive of your computer in the browser download directory.

See also

Managing the Kaspersky Sandbox application using the web interface

Initial configuration of the application

Monitoring of application operation

Database update

Configuring network interfaces

Configuring integration with Kaspersky Security Center

Creating a TLS certificate of Kaspersky Sandbox web interface

Setting the date and time

Installing and configuring images of operating systems and software required for the operation of Kaspersky Sandbox

Managing the cluster

Restarting Kaspersky Sandbox server

Shutdown of Kaspersky Sandbox server

Changing Kaspersky Sandbox administrator account password

[Topic 188119]

Changing Kaspersky Sandbox administrator account password

To change the Kaspersky Sandbox administrator account password, proceed as follows:

  1. In the lower part of the application web interface window, click the link with the name of your account to expand the action list.
  2. Select Password change.
  3. In the Current password field, enter the current password for the administrator account.
  4. In the New password field, enter a new password for the administrator account.
  5. In the Confirm password field, enter the new password for the administrator account again.
  6. Click Change password.

The Kaspersky Sandbox administrator account password will be changed.

See also

Managing the Kaspersky Sandbox application using the web interface

Initial configuration of the application

Monitoring of application operation

Database update

Configuring network interfaces

Configuring integration with Kaspersky Security Center

Creating a TLS certificate of Kaspersky Sandbox web interface

Setting the date and time

Installing and configuring images of operating systems and software required for the operation of Kaspersky Sandbox

Managing the cluster

Downloading Kaspersky Sandbox system log to the hard drive

Restarting Kaspersky Sandbox server

Shutdown of Kaspersky Sandbox server

[Topic 189564]

Managing Kaspersky Sandbox using Kaspersky Security Center Web Console

Managing the application requires Kaspersky Security Center 13.2 Web Console.

You can remotely manage application settings using Kaspersky Security Center Web Console (hereinafter also referred to as "Web Console"). You can work with the Web Console in a browser on any computer that has access to the Administration Server.

Kaspersky Sandbox publishes detections in the web interface of the Web Console. The administrator of the Web Console can configure the expiration time of detections and the actions performed for detections in the properties of each Kaspersky Sandbox server.

In this Help section

Installing the Kaspersky Sandbox management web plug-in

Configuring Kaspersky Sandbox device status display

Kaspersky Sandbox event configuration

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Viewing information about Kaspersky Sandbox and the database update status

Going to the Kaspersky Sandbox web interface

Viewing Kaspersky Sandbox license information

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189565]

Installing the Kaspersky Sandbox management web plug-in

To manage Kaspersky Sandbox using Kaspersky Security Center Web Console, you must install the Kaspersky Sandbox management web plug-in.

To install the Kaspersky Sandbox management web plug-in:

  1. In the main window of Web Console, select the Console settings → Web plug-ins section.
  2. On the Web plug-ins tab, click Add from file.
  3. This opens a window; in this window, click Upload a ZIP file.
  4. Select the ZIP file containing the Kaspersky Sandbox management web plug-in.
  5. Click Upload signature.
  6. Select the TXT format file that contains the signature.
  7. Click Add.

The management plug-in for managing Kaspersky Sandbox using Kaspersky Security Center Web Console is installed.

See also

Configuring Kaspersky Sandbox device status display

Kaspersky Sandbox event configuration

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Viewing information about Kaspersky Sandbox and the database update status

Going to the Kaspersky Sandbox web interface

Viewing Kaspersky Sandbox license information

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 191468]

Configuring Kaspersky Sandbox device status display

Kaspersky Security Center Web Console displays devices for which integration is configured in managed device groups. Health status of these devices is displayed on the dashboard. If problems are encountered with these devices, Kaspersky Security Center Web Console displays the Critical or Warning status to alert the administrator.

Since Kaspersky Sandbox is not a standard workstation managed using Kaspersky Security Center Web Console, you must separately configure the display of Kaspersky Sandbox device status in Kaspersky Security Center Web Console.

To correctly display the status of Kaspersky Sandbox devices in Kaspersky Security Center Web Console, you must place Kaspersky Sandbox servers into a separate managed device group.

To configure Kaspersky Sandbox device status display in Kaspersky Security Center Web Console:

  1. In the main window of Web Console, select the Devices → Group hierarchy section.
  2. This opens the group list; in the list, click the link with the name of the group for which you want to change the conditions for switching device status.
  3. This opens a window; in this window, select the Device status tab.
  4. Under Critical and Warning, turn off the following conditions that are turned on by default for standard workstations managed using Kaspersky Security Center (for details about device statuses, see Kaspersky Security Center Online Help):
    • Security application is not installed. Network Agent is installed on the device but the security application is not installed.
    • Too many viruses detected. A virus scanning task, for example, the Virus scan task, has found viruses on the device, and the number of viruses is above the specified value.
    • Real-time protection level differs from the level set by the Administrator. The device is visible on the network, but the real-time protection level differs from the level set by the administrator in the status device condition.
    • Virus scan has not been performed in a long time. The device is visible on the network, and the security application is installed on the device, but the virus scan task has not been performed for more than the specified time. This condition applies only to devices that were added to the Administration Server database 7 or more days ago.
    • Active threats are detected. The number of unprocessed objects in the Unprocessed files folder exceeds the specified value.
    • Restart is required. The device is visible on the network, but the application has been waiting for a device restart for more than the specified time for one of the selected reasons.
    • Incompatible applications are installed. The device is visible on the network, but an inventory of application software performed by the Network Agent has detected incompatible installed applications.
    • Software vulnerabilities have been detected. The device is visible on the network and the Network Agent is installed but the Find vulnerabilities and required updates task has scanned the device and detected software vulnerabilities with the specified severity level.
    • Check for Windows Update updates has not been performed in a long time. The Find vulnerabilities and required updates task has not been run for the specified time.
    • Invalid encryption status. Network Agent is installed on the device and the encryption result of the device is equal to the value displayed.
    • Mobile device settings do not comply with the policy. Mobile device settings differ from settings specified in the policy of Kaspersky Endpoint Security for Android when checked for adherence to compliance rules.
    • Unprocessed incidents detected. Unprocessed incidents detected on the device. Incidents can be created either automatically by Kaspersky managed applications installed on the client device or manually by the administrator.
    • Protection is disabled. The device is visible on the network, but the security application on the device has been turned off for more than the specified time.
    • Security application is not running. The device is visible on the network and the security application is installed on the device but is not running. Turn on the toggle switch next to the condition in the list.
  5. Under Critical, turn on the following conditions:
    • License expired. The device is visible on the network, but its license has expired.
    • Device status defined by the application. The device status is defined by the managed application. Kaspersky Sandbox servers that encounter a self-diagnostics problem have the status Critical: Problems with the Kaspersky Sandbox server. The server does not receive objects for scanning.
  6. Under Warning, turn on the following conditions:
    • License expires soon. The device is visible on the network, but the license will expire in less than the specified number of days.
    • Databases are outdated. Double-click to open the status conditions window and enter 1 as the value. Kaspersky Sandbox servers that have not successfully run the database update task for over a day have the Warning status.
  7. Click Save.

Kaspersky Sandbox device status display is configured.

The status of all devices in the Kaspersky Sandbox device group that have no problems changes to OK/Visible on the network.

The list of devices that have problems is updated in accordance with the settings.

See also

Installing the Kaspersky Sandbox management web plug-in

Kaspersky Sandbox event configuration

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Viewing information about Kaspersky Sandbox and the database update status

Going to the Kaspersky Sandbox web interface

Viewing Kaspersky Sandbox license information

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189620]

Configuring events of Kaspersky Sandbox

To configure Kaspersky Sandbox events:

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click KSB.
  3. This opens a window; in this window, select the Event settings tab.

    Events are grouped in sections in accordance with severity levels:

    • Critical
    • Functional failure
    • Warning
    • Informational message

    Each section displays a list of event types. By default, the storage duration of events on the Administration Server is specified in days.

  4. Select the event that you want to configure.
  5. This opens the event properties window; in that window, configure the following:
    1. Under Event logging, enter the expiration time of stored events in days and select one or more event storage types:
      • Store in the Administration Server database for (days).
      • Export to the SIEM system over the Syslog protocol.
      • Store in the OS event log on the client device.
      • Store in the OS event log on the Administration Server.
    2. Under Event notifications, select one or more event notification methods:
      • Notify by email.
      • Notify by SMS.
      • Notify by launching an executable file or script.
      • Notify by SNMP.

        For details about configuring event notifications, see Kaspersky Security Center Online Help.

Event configuration is complete.

See also

Installing the Kaspersky Sandbox management web plug-in

Configuring Kaspersky Sandbox device status display

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Viewing information about Kaspersky Sandbox and the database update status

Going to the Kaspersky Sandbox web interface

Viewing Kaspersky Sandbox license information

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189614]

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

To get started with Kaspersky Sandbox in Kaspersky Security Center Web Console:

  1. In the main window of Web Console, select the Devices → Managed devices section.
  2. Click the link with the name of the Kaspersky Sandbox server.
  3. This opens a window; in this window, select the Applications tab.
  4. Click the KSB link.

    The Kaspersky Sandbox settings window opens.

You can now manage Kaspersky Sandbox settings.

See also

Installing the Kaspersky Sandbox management web plug-in

Configuring Kaspersky Sandbox device status display

Kaspersky Sandbox event configuration

Viewing information about Kaspersky Sandbox and the database update status

Going to the Kaspersky Sandbox web interface

Viewing Kaspersky Sandbox license information

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189616]

Viewing information about Kaspersky Sandbox and the database update status

To view information about Kaspersky Sandbox and the database update status in Kaspersky Security Center Web Console:

  1. In the main window of Web Console, select the Devices → Managed devices section.
  2. Click the link with the name of the Kaspersky Sandbox server.
  3. This opens a window; in this window, select the Applications tab.
  4. Click the KSB link.
  5. Select the General tab.

The Information section displays the version of Kaspersky Sandbox, the application installation date, the database update dates, the update release date, and the number of records in the anti-virus databases.

See also

Installing the Kaspersky Sandbox management web plug-in

Configuring Kaspersky Sandbox device status display

Kaspersky Sandbox event configuration

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Going to the Kaspersky Sandbox web interface

Viewing Kaspersky Sandbox license information

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189617]

Going to the Kaspersky Sandbox web interface

You can manage Kaspersky Sandbox settings using the web interface.

To go to the Kaspersky Sandbox web interface:

  1. In the main window of Web Console, select the Devices → Managed devices section.
  2. Click the link with the name of the Kaspersky Sandbox server.
  3. This opens a window; in this window, select the Applications tab.
  4. Click the KSB link.
  5. Select the Application settings tab.
  6. Click Kaspersky Sandbox web interface.

This takes you to the Kaspersky Sandbox web interface.

See also

Installing the Kaspersky Sandbox management web plug-in

Configuring Kaspersky Sandbox device status display

Kaspersky Sandbox event configuration

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Viewing information about Kaspersky Sandbox and the database update status

Viewing Kaspersky Sandbox license information

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189619]

Viewing Kaspersky Sandbox license information

To view information about the Kaspersky Sandbox license and installed keys:

  1. In the main window of Web Console, select the Devices → Managed devices section.
  2. Click the link with the name of the Kaspersky Sandbox server.
  3. This opens a window; in this window, select the Applications tab.
  4. Click the KSB link.
  5. Select the General tab.
  6. Go to the License section.

Information about Kaspersky Sandbox license keys is displayed. A notification about the need to renew the license is shown 30 days before the license expires.

You can also use the key usage report to view information about license key usage on devices in all groups.

To view the license key usage report:

  1. In the main window of Web Console, select the Reports section.

    The list of available reports is displayed.

  2. Click Key usage report.

A window opens, containing the report about the usage of license keys on devices of all groups.

See also

Installing the Kaspersky Sandbox management web plug-in

Configuring Kaspersky Sandbox device status display

Kaspersky Sandbox event configuration

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Viewing information about Kaspersky Sandbox and the database update status

Going to the Kaspersky Sandbox web interface

Displaying information about the Kaspersky Sandbox management web plug-in

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189687]

Displaying information about the Kaspersky Sandbox management web plug-in

To view information about the Kaspersky Sandbox management web plug-in:

  1. In the main window of Web Console, select the Console settings → Web plug-ins section.
  2. On the Web plug-ins tab, select KSB.

Information about the Kaspersky Sandbox management web plug-in is displayed.

See also

Installing the Kaspersky Sandbox management web plug-in

Configuring Kaspersky Sandbox device status display

Kaspersky Sandbox event configuration

Getting started with Kaspersky Sandbox in Kaspersky Security Center Web Console

Viewing information about Kaspersky Sandbox and the database update status

Going to the Kaspersky Sandbox web interface

Viewing Kaspersky Sandbox license information

Viewing the threat report

Monitoring the processing of objects received from Kaspersky Endpoint Security

[Topic 189688]

Viewing the threat report

You can view threat reports in the Kaspersky Security Center Web Console. For details about creating and editing report templates, configuring report fields, saving and updating reports, see Kaspersky Security Center Help.

To view the threat report:

  1. In the main window of Web Console, select the Reports section.

    The list of available reports is displayed.

  2. Click Threat Report.

A window with the threat report opens.

[Topic 189690]

Monitoring the processing of objects received from Kaspersky Endpoint Security

You can view the number of requests for processing objects received from Kaspersky Endpoint Security and processed by the Kaspersky Sandbox application during the selected period on the Kaspersky Security Center Web Console dashboard.

To view the number of requests for processing objects received from Kaspersky Endpoint Security and processed by the Kaspersky Sandbox application during the selected period on the Kaspersky Security Center Web Console dashboard:

  1. In the main window of Kaspersky Security Center Web Console, select the Administration Server.
  2. Go to the Monitoring and reports → Dashboard section.
  3. Click Add or restore web widget.
  4. In the Protection Status list, select All requests.

    The widget displays information about the total number of requests (requests to process objects and requests for existing information about objects) for the PE files and Documents categories.

    If requests to scan the same object were received from multiple workstations, or if no threats were found when scanning the object, all such requests are reflected in the widget.

  5. Click Add.
  6. To specify the period for which you want to display statistics:
    1. Click the icon in the upper right corner of the widget.
    2. Select Show settings.
    3. Specify the period for which you want to view statistics.
    4. Click Save.
  7. To alter the appearance of the widget:
    1. Click the icon in the upper right corner of the widget.
    2. To display the widget as a bar chart, select Chart type: bar chart.
    3. To display the widget as a line chart, select Chart type: line chart.

The widget with statistics is displayed on the dashboard. Statistics are displayed for all Kaspersky Sandbox servers that are connected to the selected Administration Server.

[Topic 219782]

Managing Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security automatically performs Threat Response actions in response to threats detected by Kaspersky Sandbox.

You can install and remove the application as well as remotely manage application settings in the Web Console using the Kaspersky Endpoint Security management plug-in via Kaspersky Endpoint Security policies.

For details about managing the Kaspersky Security Center Windows and Kaspersky Security Center Web Console, see Kaspersky Security Center Online Help.

To provide support in case of problems with Kaspersky Endpoint Security, Technical Support can ask you to create a trace file. The trace file allows step-by-step tracing of commands executed by the application and finding out at which stage the error occurs.

In addition, Technical Support may need more information about the operating system, the processes running on the computer, and detailed reports of application components.

As part of diagnostics, Technical Support may ask you to modify application settings:

  • Activate the advanced diagnostics feature.
  • Fine-tune individual application components using methods other than the standard user interface.
  • Modify the settings for storing collected diagnostic data.
  • Set up network traffic capturing and save it in a file.

All necessary information for performing the actions listed above (procedure, settings to be modified, configuration files, scripts, extra command line functionality, debugging modules, special utilities, and so on), as well as the scope of data that is collected for debugging purposes, will be disclosed by Technical Support. The collected advanced debugging information is stored on the user computer. Collected data is not automatically sent to Kaspersky.

The actions listed above must only be performed under guidance of Technical Support staff and following instructions they provide. Unsupervised modification of application settings in ways not described in this Help or recommendations of Technical Support can lead to slow-downs and faults of the operating system, reduction of computer security and compromise of availability and integrity of processed data.

In this Help section

Getting started with Kaspersky Endpoint Security

Configuring the proxy server connection

Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox

Managing stand-alone IOC scanning tasks

Configuring Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings

Configuring data synchronization with the Administration Server

Monitoring the results of sending objects for scanning by Kaspersky Sandbox and running IOC scanning tasks

[Topic 222936]

Getting started with Kaspersky Endpoint Security

After installing Kaspersky Endpoint Security, you can perform basic setup of the application:

Page top

[Topic 220565]

Configuring proxy server connection settings

Proxy server connection settings are used for updating databases, activating the application, and connecting to external services.

If you are using NGINX as your proxy server, you must configure the client_max_body_size setting: its value must be equal to the maximum size of an object that Kaspersky Endpoint Security can send to the Kaspersky Sandbox application for processing. Otherwise NGINX blocks objects that exceed the specified value. The default value is 1 MB.
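
The NGINX point above, shown as an added example that is not part of the Kaspersky Sandbox help: a fragment of nginx.conf with the default limit beside a raised one. It assumes a reverse-proxy topology in which NGINX sits between Kaspersky Endpoint Security hosts and one Kaspersky Sandbox server; the server name, certificate paths, upstream address and the 100m figure are constructed placeholders, not values from this page.

```nginx
# Added example, not from the Kaspersky Sandbox help. Assumed topology: NGINX as
# a reverse proxy in front of one Kaspersky Sandbox server; names, paths, the
# upstream address and the 100m figure are constructed placeholders.
http {
    server {
        listen 443 ssl;
        server_name sandbox-proxy.example.internal;            # placeholder

        ssl_certificate     /etc/nginx/tls/sandbox-proxy.crt;  # placeholder
        ssl_certificate_key /etc/nginx/tls/sandbox-proxy.key;  # placeholder

        # Default (too small for this use): 1m. Any object larger than 1 MB is
        # rejected by NGINX with HTTP 413 and never reaches Kaspersky Sandbox.
        # client_max_body_size 1m;

        # Corrected: equal to the largest object Kaspersky Endpoint Security
        # may send for processing (100m is a constructed value; use your limit).
        client_max_body_size 100m;

        location / {
            proxy_pass https://10.0.0.10:443;   # placeholder Sandbox server
            proxy_request_buffering off;        # stream the object upstream
        }
    }
}
```

client_max_body_size is accepted in the http, server and location contexts; setting it once in the server block, as here, covers every location inside it. When a request body exceeds the limit, NGINX answers 413 Request Entity Too Large without forwarding the request, which is the blocking behaviour the note describes.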

To configure proxy server connection settings:

  1. In the main window of Web Console, go to the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.
  3. Go to the Application settings tab.
  4. Select the General settings section.
  5. Click Network settings.
  6. Under Proxy server settings, select one of the following options:
    • Use proxy server.

      If you select this option, configure the connection to the proxy server by entering the proxy server address and port.

    • Automatically detect proxy server settings.

      If you select this option, you cannot modify proxy server settings.

  7. If you want to enable authentication on the proxy server, select the Use proxy server authentication check box and enter your user account credentials.
  8. If you want to disable proxy server use when updating databases and application modules from a shared folder, select the Bypass proxy server for local addresses check box.
  9. Save your changes.

Proxy server connection settings are configured.

See also

Getting started with Kaspersky Endpoint Security

Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox

Managing stand-alone IOC scanning tasks

Configuring Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings

Configuring data synchronization with the Administration Server

Monitoring the results of sending objects for scanning by Kaspersky Sandbox and running IOC scanning tasks

[Topic 221107]

Enabling and disabling integration with Kaspersky Sandbox

To enable or disable integration with Kaspersky Sandbox:

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.

    This opens the policy properties window.

  3. Select the Application settings tab.
  4. Go to the Detection and Response → Kaspersky Sandbox section.
  5. Use the Integration with Kaspersky Sandbox toggle switch to enable or disable the component.
  6. Save your changes.

Integration with Kaspersky Sandbox is enabled or disabled.

See also

Adding Kaspersky Sandbox servers to the Kaspersky Endpoint Security list

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Security for Windows

[Topic 218513]

Adding Kaspersky Sandbox servers to the Kaspersky Endpoint Security list

If you have enabled the integration with Kaspersky Sandbox, you must add Kaspersky Sandbox servers to the Kaspersky Endpoint Security list. Servers added to the list receive objects for processing from Kaspersky Endpoint Security.

If you want objects sent for processing by Kaspersky Endpoint Security to be received by a cluster of Kaspersky Sandbox servers, you must add at least one Kaspersky Sandbox server from the cluster to the Kaspersky Endpoint Security list. It is recommended to add all servers of the cluster to the Kaspersky Endpoint Security list.

If Kaspersky Sandbox servers are combined into a cluster, within one policy the list should only include servers that are part of the same cluster. If servers belong to different clusters, the outcome is unpredictable.

All servers in the cluster are peers regardless of which server was used as the base for creating the cluster. When a server in the cluster processes an object, information about the result of processing is saved on all servers in the cluster.

The Kaspersky Sandbox application balances load among the servers. When integrating with Kaspersky Endpoint Security, objects that Kaspersky Endpoint Security sends for processing to Kaspersky Sandbox are processed on the least busy server.

Kaspersky Endpoint Security's list of Kaspersky Sandbox servers only displays the servers that you have added to the list. Nevertheless, objects can be processed by any server in the cluster thanks to load balancing. The current list of servers in the cluster is displayed in the web interface of Kaspersky Sandbox.

Kaspersky Endpoint Security can connect to a different Kaspersky Sandbox server in the list if one of the following errors occurs:

  • Kaspersky Sandbox response timeout (connection timeout).
  • Kaspersky Sandbox unavailable (error code 503 or 504).
  • Self-diagnosis problem other than a license problem (error code 500).
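
The failover rule above, as an added illustration that is not Kaspersky code: a small model of which reply classes move the client on to the next server in its list and which do not. The Response type, its license_problem flag, the server addresses and the replies are all constructed for the example; how Kaspersky Endpoint Security actually tells a license problem apart from other self-diagnosis failures is not described on this page.

```python
"""Added illustration, not Kaspersky code: a model of the rule under which
Kaspersky Endpoint Security may connect to a different Kaspersky Sandbox server
from its list. Everything here (Response, the license_problem flag, the
addresses and the replies) is constructed for the example."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Response:
    """Constructed model of a Kaspersky Sandbox reply.
    timed_out       - the connection or response timed out
    status          - HTTP status code of the reply, when one was received
    license_problem - assumed marker for a 500 caused by a license problem,
                      the one self-diagnosis failure that must not fail over"""
    status: Optional[int] = 200
    timed_out: bool = False
    license_problem: bool = False


def should_try_next_server(resp: Response) -> bool:
    """True exactly for the three error classes the help lists."""
    if resp.timed_out:
        return True                                   # response timeout
    if resp.status in (503, 504):
        return True                                   # server unavailable
    if resp.status == 500 and not resp.license_problem:
        return True                                   # self-diagnosis problem
    return False                                      # success, or a license problem


def send_with_failover(
    servers: List[str], send: Callable[[str], Response]
) -> Tuple[Optional[str], Optional[Response]]:
    """Walk the server list in order and return (server, reply) for the first
    reply that does not qualify for failover; (None, last reply) if every
    server in the list failed over, i.e. the object could not be processed."""
    last: Optional[Response] = None
    for server in servers:
        last = send(server)
        if not should_try_next_server(last):
            return server, last
    return None, last


# Constructed scenario: three servers of the same cluster, all in the list as
# the help recommends. Addresses are placeholders.
CONSTRUCTED_REPLIES = {
    "10.0.0.11:443": Response(timed_out=True),   # unreachable
    "10.0.0.12:443": Response(status=503),       # unavailable
    "10.0.0.13:443": Response(status=200),       # healthy, processes the object
}


def fake_send(server: str) -> Response:
    """Stand-in for the real request; returns the constructed reply."""
    return CONSTRUCTED_REPLIES[server]


if __name__ == "__main__":
    chosen, reply = send_with_failover(list(CONSTRUCTED_REPLIES), fake_send)
    print(chosen, reply.status)   # 10.0.0.13:443 200
```

Because only the listed error classes advance to the next server, a reply that signals a license problem ends the attempt at the first server that returns it, so listing every cluster member helps with outages and overload but not with licensing faults.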

When you delete a server from a cluster, the following object processing scenarios are possible:

  • If there is still at least one server from the cluster with a current IP address or FQDN in the list of Kaspersky Sandbox servers in Kaspersky Endpoint Security, Kaspersky Sandbox continues to process objects from Kaspersky Endpoint Security.
  • If no servers from the cluster remain in the list of Kaspersky Sandbox servers in Kaspersky Endpoint Security, or if IP addresses or FQDNs of cluster servers are not current, Kaspersky Sandbox cannot receive and process objects from Kaspersky Endpoint Security.

To add Kaspersky Sandbox servers to the Kaspersky Endpoint Security list:

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.

    This opens the policy properties window.

  3. Select the Application settings tab.
  4. Go to the Detection and Response → Kaspersky Sandbox section.
  5. Under Kaspersky Sandbox servers, click Add.
  6. In the window that opens, enter the address of the Kaspersky Sandbox server (IPv4 address, IPv6 address, or DNS name) and the port to be used for connecting to the server.
  7. Save your changes.
  8. Repeat the steps to add each Kaspersky Sandbox server to the list.

Kaspersky Sandbox servers are added to the Kaspersky Endpoint Security list.

See also

Enabling and disabling integration with Kaspersky Sandbox

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Security for Windows


[Topic 218573]

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Security for Windows

You can configure a trusted connection of Kaspersky Sandbox to Kaspersky Endpoint Security in the web interface of the Kaspersky Sandbox server.

Establishing and configuring a trusted connection between Kaspersky Sandbox and Kaspersky Endpoint Security involves:

  1. Generating or uploading a TLS certificate for the connection with Kaspersky Endpoint Security to the Kaspersky Sandbox server.

    If the TLS certificate that you prepared yourself restricts the IP address or host name, you can configure a trusted connection of Kaspersky Endpoint Security with only one Kaspersky Sandbox server. You cannot configure a trusted connection of Kaspersky Endpoint Security with a cluster of Kaspersky Sandbox servers with such a certificate.

  2. Creating a new cluster based on the server to which the certificate was uploaded.
  3. Removing all servers that you want to add to the cluster created in the previous step from the clusters they currently belong to.
  4. Adding all necessary servers to the new cluster.
  5. Adding all servers of the new Kaspersky Sandbox cluster to the Kaspersky Endpoint Security list.
  6. Configuring a trusted connection with Kaspersky Sandbox on the Kaspersky Endpoint Security side.

If you have already combined servers into a cluster, you must remove the server for which you want to configure a trusted connection with Kaspersky Endpoint Security from that cluster, create a new cluster based on that server, and then add all servers intended for Kaspersky Sandbox to the new cluster.

If the servers you need are part of a different cluster, you must remove them from that cluster one by one and then add them to the new cluster.

In this case, establishing and configuring a trusted connection between Kaspersky Sandbox and Kaspersky Endpoint Security involves:

  1. Removing a server from the cluster (if the server is currently part of the cluster).
  2. Generating or uploading a TLS certificate for the connection with Kaspersky Endpoint Security to the Kaspersky Sandbox server.
  3. Creating a new cluster based on the server to which the certificate was uploaded.
  4. Removing all servers that you want to add to the cluster created in the previous step from the clusters they currently belong to.
  5. Adding all necessary servers to the new cluster.
  6. Adding all servers of the new Kaspersky Sandbox cluster to the Kaspersky Endpoint Security list.
  7. Configuring a trusted connection with Kaspersky Sandbox on the Kaspersky Endpoint Security side.

See also

Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox

Enabling and disabling integration with Kaspersky Sandbox

Adding Kaspersky Sandbox servers to the Kaspersky Endpoint Security list

In this Help section

Configuring a trusted connection on the Kaspersky Sandbox server

Configuring a trusted connection on the Kaspersky Endpoint Security side

Replacing the TLS certificate for the connection with Kaspersky Endpoint Security


[Topic 221108]

Configuring a trusted connection on the Kaspersky Sandbox server

To configure a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Security, you must generate or upload a TLS certificate in Kaspersky Sandbox, save it on a computer, and then upload it to Kaspersky Endpoint Security.

To generate a TLS certificate for the connection of Kaspersky Sandbox with Kaspersky Endpoint Security:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for connection to the EPP application, click Generate.

    The action confirmation window opens.

  3. Click Yes.

Kaspersky Sandbox generates a new TLS certificate. The browser page is automatically reloaded.

You can prepare the TLS certificate and upload it via the Kaspersky Sandbox web interface.

The uploaded TLS certificate file must satisfy the following requirements:

  • The file must contain both the certificate and the private key for the connection.
  • The file must be in PEM format.
  • The private key length must be 2048 bits or longer.

For more details about preparing TLS certificates for import, see the OpenSSL documentation.
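A pre-upload check for the three requirements above, added here as an example; it is not part of the Kaspersky documentation or product and uses only the Python standard library. It assumes an unencrypted RSA key in PKCS#1 or PKCS#8 form, and its fixtures are constructed skeletons rather than real keys:

```python
import base64
import re

# Requirements stated on the help page: PEM format, certificate plus private key
# in one file, private key of at least 2048 bits (an RSA key is assumed here).
MIN_KEY_BITS = 2048

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in _PEM_BLOCK.findall(text)]


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der, label):
    """Bit length of the RSA modulus in an unencrypted PKCS#1 or PKCS#8 key."""
    tag, seq, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("key is not a DER SEQUENCE")
    if label == "PRIVATE KEY":  # PKCS#8 wrapper: version, AlgorithmIdentifier, OCTET STRING
        _, _, pos = _tlv(seq)
        _, _, pos = _tlv(seq, pos)
        tag, inner, _ = _tlv(seq, pos)
        if tag != 0x04:
            raise ValueError("PKCS#8 privateKey field is not an OCTET STRING")
        tag, seq, _ = _tlv(inner)
        if tag != 0x30:
            raise ValueError("RSAPrivateKey is not a DER SEQUENCE")
    _, _, pos = _tlv(seq)  # RSAPrivateKey.version
    tag, modulus, _ = _tlv(seq, pos)  # RSAPrivateKey.modulus (n)
    if tag != 0x02:
        raise ValueError("modulus is not a DER INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_epp_pem(text):
    """Return a list of problems; an empty list means the file meets the requirements."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["not a PEM file: no -----BEGIN ...----- blocks found"]
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block: the file must contain the certificate")
    keys = [(label, der) for label, der in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block: the file must contain the private key")
    for label, der in keys:
        if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
            # EC keys and passphrase-protected (ENCRYPTED PRIVATE KEY) blocks are not handled
            problems.append(f"unsupported key block '{label}': expected an unencrypted RSA key")
            continue
        try:
            bits = rsa_modulus_bits(der, label)
        except (ValueError, IndexError) as exc:
            problems.append(f"cannot parse {label}: {exc}")
            continue
        if bits < MIN_KEY_BITS:
            problems.append(f"private key is {bits} bits; at least {MIN_KEY_BITS} bits required")
    return problems


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed fixtures below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def constructed_pem(key_bits, with_cert=True):
    """Constructed fixture (not a real key): a PKCS#1 skeleton whose modulus field
    is filler of exactly key_bits bits, plus a placeholder CERTIFICATE block."""
    modulus = b"\x00\x80" + b"\x7f" * (key_bits // 8 - 1)  # leading 0x00 keeps the INTEGER positive
    key = der_encode(0x30, der_encode(0x02, b"\x00") + der_encode(0x02, modulus))
    pem = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n" if with_cert else ""
    body = base64.encodebytes(key).decode()
    return pem + f"-----BEGIN RSA PRIVATE KEY-----\n{body}-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. python check_epp_pem.py sandbox-epp.pem
        with open(path) as fh:
            issues = check_epp_pem(fh.read())
        print(path, "OK" if not issues else "\n  ".join(["problems:"] + issues))
```

Run it against the PEM file you intend to upload; an empty problem list means the file passes the structural requirements listed above, which does not replace validating the certificate itself with OpenSSL.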

To upload the TLS certificate via the Kaspersky Sandbox web interface:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for connection to the EPP application, click Upload.

    The file selection window opens.

  3. Select the TLS certificate file that you want to upload and click Open.

    The file selection window closes.

    The TLS certificate is added to Kaspersky Sandbox.

To save the TLS certificate file for the connection with Kaspersky Endpoint Security on a computer:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for connection to the EPP application, click Download.

    When downloading, the browser may display a notification saying that the file is potentially dangerous. This is a standard warning for .crt files. The TLS certificate file is not dangerous for the computer.

The TLS certificate file is saved in the downloads folder of the browser.

See also

Configuring a trusted connection on the Kaspersky Endpoint Security side

Replacing the TLS certificate for the connection with Kaspersky Endpoint Security


[Topic 219796]

Configuring a trusted connection on the Kaspersky Endpoint Security side

You can configure a trusted connection on the Kaspersky Endpoint Security side using Kaspersky Security Center Web Console or the command line (available for Kaspersky Endpoint Security 11.7).

To configure a trusted connection on the Kaspersky Endpoint Security side using Kaspersky Security Center Web Console:

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.

    This opens the policy properties window.

  3. Select the Application settings tab.
  4. Go to the Detection and Response → Kaspersky Sandbox section.
  5. Click Server connection settings.

    This opens the Kaspersky Sandbox server connection settings window.

  6. Under Server TLS certificate, click Add and select the TLS certificate file.

    Kaspersky Endpoint Security can have only one TLS certificate of a Kaspersky Sandbox server. If you have already added a TLS certificate, that certificate becomes inactive. Only the most recently added certificate is used.

  7. Perform additional configuration of the connection to Kaspersky Sandbox servers:
    • Timeout. Timeout of the connection with the Kaspersky Sandbox server. When the specified timeout elapses, Kaspersky Endpoint Security sends the request to the next server in the list. You can set a longer Kaspersky Sandbox connection timeout if the connection is slow or unstable. The recommended request timeout value is 0.5 seconds or less.
    • Kaspersky Sandbox request queue. Size of the request queue folder. When an object is accessed on the computer (for example, an executable file is launched or a DOCX or PDF document is opened), Kaspersky Endpoint Security can also send the object to be scanned by Kaspersky Sandbox. If there are multiple requests, Kaspersky Endpoint Security creates a request queue. By default, the size of the request queue folder is limited to 100 MB. After the maximum size is reached, Kaspersky Sandbox stops adding new requests to the queue and sends the corresponding event to Kaspersky Security Center. You can configure the size of the request queue folder depending on your server configuration.
  8. Save your changes.

As a result, Kaspersky Endpoint Security verifies the TLS certificate. If the certificate passes the verification, Kaspersky Endpoint Security sends the certificate file to the computer at the time of the next synchronization with Kaspersky Security Center. If you have added two TLS certificates, Kaspersky Sandbox uses the latest certificate to establish the trusted connection.

To configure a trusted connection on the Kaspersky Endpoint Security side using the command line:

  1. On the computer where Kaspersky Endpoint Security is installed, run the cmd command line interpreter as an administrator.
  2. Go to the Kaspersky Endpoint Security installation folder that contains the avp.com file.
  3. Run the following commands:

    avp.com stop sandbox [/login=<user name> /password=<password>]

    avp.com start sandbox

    avp.com sandbox /set [--tls=yes|no] [--servers=<server address>:<port>] [--timeout=<timeout of the connection with the Kaspersky Sandbox server (ms)>] [--pinned-certificate=<path to the TLS certificate>] [/login=<user name> /password=<password>]

    avp.com sandbox /show

    As a result, you will receive the following response:

    sandbox.timeout=<timeout of the connection with the Kaspersky Sandbox server (ms)>

    sandbox.tls=<trusted connection usage status>

    sandbox.servers=<list of Kaspersky Sandbox servers>

    For the login and password arguments, you must specify credentials of a user that has the necessary permissions.

See also

Configuring a trusted connection on the Kaspersky Sandbox server

Replacing the TLS certificate for the connection with Kaspersky Endpoint Security


[Topic 221118]

Replacing the TLS certificate for the connection with Kaspersky Endpoint Security

You can replace the TLS certificate for the connection with Kaspersky Endpoint Security.

Replacing the TLS certificate for the connection with Kaspersky Endpoint Security involves the following steps:

  1. Removing the server where you want to replace the TLS certificate from the cluster (if the server is currently included in the cluster)
  2. Generating or uploading a TLS certificate for the connection with Kaspersky Endpoint Security to that server

    The added certificate will replace the existing one. Simultaneous use of several certificates is not possible.

  3. Creating a new cluster based on that server
  4. Removing all servers that you want to add to the new cluster from clusters they currently belong to
  5. Adding all necessary servers to the new cluster
  6. Adding all servers of the new Kaspersky Sandbox cluster to the Kaspersky Endpoint Security list
  7. Updating Kaspersky Sandbox TLS certificate data in Kaspersky Endpoint Security

See also

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Security for Windows

Configuring a trusted connection on the Kaspersky Sandbox server

Configuring a trusted connection on the Kaspersky Endpoint Security side


[Topic 221276]

About autonomous IOC scanning tasks

Autonomous IOC scanning tasks are automatically created on the Kaspersky Security Center server if the Create IOC scanning task Threat Response action is configured in Kaspersky Endpoint Security policies. To enable automatic creation of IOC scanning tasks, you must also establish a background connection of Kaspersky Security Center Web Console with the Administration Server.

You can view the list of tasks, remove unused tasks from the list, view task results, run tasks manually, and configure autonomous IOC scanning tasks.

By default, autonomous IOC scanning tasks are stored on the Kaspersky Security Center server for 7 days after the last run. If the number of tasks exceeds 100, the tasks are rotated.

Kaspersky Endpoint Security deletes the autonomous IOC scanning task regardless of which workstation the object was first detected on and whether the Threat Response action was executed. The deleted task becomes unavailable for all workstations in the administration group.

Unused autonomous IOC scanning tasks are deleted automatically. The user cannot configure settings of automatic task deletion.

If autonomous IOC scanning task deletion works incorrectly or you want to modify the behavior of the application, contact Kaspersky Technical Support.

By default, the autonomous IOC scanning task stores all types of events resulting from running group tasks. By default, autonomous IOC scanning task results are stored for 30 days. You can modify the storage duration of task results.

It is not recommended to change default task result storage settings or to shorten the storage duration of autonomous IOC scanning task results.

See also

Configuring an autonomous IOC scanning task

Viewing information about an IOC detection

Establishing a background connection between Kaspersky Security Center Web Console and the Administration Server


[Topic 221277]

Configuring an autonomous IOC scanning task

To configure the IOC scanning task:

  1. In the main window of Web Console, select the Devices → Tasks folder.
  2. In the list of tasks that opens, select the IOC scanning task.
  3. Modify the following task settings:
    • Task name.
      1. On the General tab, in the Task name field, enter the name of the task.
      2. Click Save.
    • Storage duration of task results on the Administration Server.
      1. Go to the Settings tab.
      2. In the Notifications field, click Settings.
      3. In the Store in the Administration Server database for (days) field, enter the number of days during which the Administration Server must store the results of the task.
      4. Click Save.
    • IOC scanning settings.
      1. Go to the Application settings tab.
      2. Select the IOC scan settings section.
      3. Select the Take response actions after an IOC is found check box.
      4. Select one or more Threat Response actions applied to IOC detections:
        • Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
        • Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
      5. Click Save.
    • IOC scanning task schedule.
      1. Go to the Schedule tab.
      2. In the Run on a schedule list, select one of the following options for running the task on a schedule:
        • Once.

          The task is run once at the specified date and time.

        • Every N minutes.

          The task is run regularly with the specified interval in minutes, starting with the specified time on the day when the task is created.

          By default, the task is run every 30 minutes starting from the current system time.

        • Every N hours.

          The task is run regularly with the specified interval in hours, starting with the specified date and time.

          By default, the task is run every six hours starting from the current system date and time.

        • Every N days.

          The task is run regularly with the specified interval in days. You can also specify the date and time when the task must be run for the first time.

          By default, the task is run every day starting from the current system date and time.

        • Weekly.

          The task is run weekly on the specified day of the week and at the specified time.

        • Monthly.

          The task is run regularly, on specified days of each month, at the specified time.

          By default, days of the month are not selected, and the default start time is 18:00:00.

      3. If you want to modify advanced settings of the schedule, in the Advanced task properties section, you can select the following check boxes:
        • If you want the application to run missed database update tasks at the earliest opportunity, select the Run missed tasks check box.
        • If you want to prevent many workstations from connecting to the Administration Server at the same time by running tasks randomly within a certain time frame rather than exactly on schedule, select the Use automatically randomized delay for task starts check box.
        • If you want to spread task starts randomly within an interval that you specify yourself:
          1. Select the Use random task start delay in the interval (min) check box.
          2. Enter the value of the interval.
      4. Click Save.
    • Viewing IOC scanning task results.
      1. Go to the Application settings tab.
      2. Select the IOC scanning results section.

        This opens the IOC scanning results table.

    • Kaspersky Security Center user account that you want to use to run the task.
      1. Go to the Settings tab.
      2. In the Account field, click Settings.
      3. Select an account for running the task.

        You can select the default account or create an account:

        • If you select the default account, the task is run under the same account that was used to install and run the application that runs the task.
        • If you choose to create an account, enter the credentials of the account to use for running the task. The account must have sufficient permissions to run the task.
      4. Click Save.
    • Excluding host groups from task scope.
      1. Go to the Settings tab.
      2. In the Exclusions from task scope field, click Settings.
      3. Select device groups to which the task will not be applied.

        You can only exclude groups that are subgroups of the administration group to which the task is applied.

  4. Save all changes.

The IOC scanning task is configured.

See also

About autonomous IOC scanning tasks

Viewing information about an IOC detection

Establishing a background connection between Kaspersky Security Center Web Console and the Administration Server


[Topic 222959]

Viewing information about an IOC detection

To view information about an IOC detection:

  1. In the main window of Web Console, go to the Devices → Tasks section.
  2. In the window that opens, select the IOC scanning task.
  3. Go to the Application settings tab.
  4. Select the IOC scanning results section.

    This opens the IOC scanning results table.

  5. In the Computer drop-down list, select workstations for which you want to view the results of the IOC scanning task.

    This displays a summary table of task results for selected workstations.

    If indicators of compromise are found on a workstation, the Results column displays IOC detected.

  6. If you want to view detailed information about detected indicators of compromise on a specific workstation:
    1. Click IOC detected in the row that contains the name of the relevant workstation.

      This opens the IOC Results window with the list of all IOC files used by the task. If the selected workstation contains an object that matches an indicator of compromise, the Status column displays Matched.

    2. Click Matched in the row with the name of the relevant IOC file.

      The Alert Details window opens.

The processing results window for the IOC detection contains the following information:

  • The Result section:
    • UUID is the ID of the IOC file from the IOC file structure header.
    • Description is the name of the IOC file from the IOC file structure header.

    The title of the section displays the ID of the IOC file.

  • The File section:
    • Full path is the full path to the file for which the Indicator of Compromise was triggered.
    • MD5 is the MD5 hash of the file for which the Indicator of Compromise was triggered.
    • SHA256 is the SHA256 hash of the file for which the Indicator of Compromise was triggered.
    • Size in bytes is the size of the file for which the Indicator of Compromise was triggered.
  • The IOC field displays the structure of the IOC file.

[Topic 223443]

Establishing a background connection between Kaspersky Security Center Web Console and the Administration Server

To let Kaspersky Sandbox work with the Administration Server via Kaspersky Security Center Web Console, you must establish a trusted connection called the background connection. For more information about the integration of Kaspersky Security Center with other Kaspersky solutions, see the Kaspersky Security Center Online Help. If there is no background connection between Kaspersky Security Center Web Console and the Administration Server, stand-alone IOC scanning tasks cannot be created when responding to threats.

To establish a background connection between Kaspersky Security Center Web Console and the Administration Server:

  1. In the main window of Web Console, select Console settings → Integration.
  2. Go to the Inter-service integration section.
  3. Turn on the Establish a background connection for inter-service integration toggle switch.
  4. Save your changes.

The background connection between Kaspersky Security Center Web Console and the Administration Server is established.


[Topic 219798]

Configuring Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox

Kaspersky Endpoint Security can perform Threat Response actions in response to threats detected by Kaspersky Sandbox.

You can configure the following types of actions:

  • Local actions are performed on each workstation where the threat is detected.
  • Group actions are performed on all workstations in the administration group for which you are configuring the policy.

Local actions:

  • Move copy to Quarantine, delete object.

    If a threat is detected on a workstation, a copy of the object containing the threat is placed in Quarantine, and the object is deleted from the workstation.

  • Run Critical Areas Scan.

    If a threat is detected on a workstation, Kaspersky Endpoint Security scans critical areas of that workstation. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For details about configuring scan settings, see the Kaspersky Endpoint Security for Windows Online Help.

Group actions:

  • Create IOC scanning task.

    If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat.

  • If IOC is detected, move its copy to Quarantine and delete the object.

    If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. If Kaspersky Endpoint Security detects an object containing the threat on any workstations in this administration group, a copy of the object is placed in Quarantine, and the object is deleted from the workstations.

  • Run Critical Areas Scan on IOC detection.

    If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. For details about configuring scan settings, see the Kaspersky Endpoint Security for Windows Online Help.

To configure group Threat Response actions, you must configure permissions for the Kaspersky Security Center Web Console user accounts that you want to use to manage IOC scanning tasks.

If you configure Threat Response actions, keep in mind that execution of some of the configured actions can result in the threatening object being deleted from the workstation where it was detected.

See also

Getting started with Kaspersky Endpoint Security

Configuring the proxy server connection

Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox

Managing stand-alone IOC scanning tasks

Configuring Quarantine settings

Configuring data synchronization with the Administration Server

Monitoring the results of sending objects for scanning by Kaspersky Sandbox and running IOC scanning tasks

In this Help section

Configuring Threat Response actions

Configuring the running of IOC scanning tasks


[Topic 221137]

Configuring Threat Response actions

To configure Threat Response actions:

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.

    This opens the policy properties window.

  3. Select the Application settings tab.
  4. Go to the Detection and Response → Kaspersky Sandbox section.
  5. Under Action on threat detection, select check boxes for the following settings:
    • Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
    • Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
    • Create IOC scanning task. If you select this option, Kaspersky Endpoint Security automatically creates an IOC scanning task (stand-alone IOC scanning task). You can configure the task running mode, the scanning area, and the action performed on IOC detection: delete object, run the Critical Areas Scan task. To edit other settings of the IOC scanning task, go to the task properties.

      If you want to disable Threat Response actions, clear check boxes for settings that you want to disable.

  6. To configure the actions that Kaspersky Endpoint Security performs when an IOC is detected, select check boxes for the following settings:
    • If IOC is detected, move its copy to Quarantine and delete the object.

      If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. If Kaspersky Endpoint Security detects an object containing the threat on any workstations in this administration group, a copy of the object is placed in Quarantine, and the object is deleted from the workstations.

    • Run Critical Areas Scan on IOC detection.

      If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat. For details about configuring scan settings, see the Kaspersky Endpoint Security for Windows 11.7 Online Help.

      If you want to disable Kaspersky Endpoint Security actions for detected IOCs, clear check boxes for settings that you want to disable.

Threat Response actions are configured.

See also

Configuring the running of IOC scanning tasks


[Topic 221140]

Configuring the running of IOC scanning tasks

If Kaspersky Sandbox detects a threat, Kaspersky Endpoint Security automatically creates IOC scanning tasks for all workstations. The indicators of compromise in these tasks are the MD5 hashes of the objects in which the threat was found.

To view the task list in Web Console,

in the main window of Web Console, go to the Devices → Tasks section.

A list of tasks appears.

You can configure the running of such tasks.

To configure the running of IOC scanning tasks:

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.

    This opens the policy properties window.

  3. Select the Application settings tab.
  4. Go to the Detection and Response → Kaspersky Sandbox section.
  5. Under Run IOC scanning task, select one of the following options for running IOC scanning tasks:
    • Manually. This mode lets you run the IOC scanning task manually at an arbitrary time.
    • After threat is detected. In this mode, Kaspersky Endpoint Security runs the IOC scanning task automatically when a threat is detected.
    • Run only when the computer is idle. In this mode, Kaspersky Endpoint Security runs the IOC scanning task when a screensaver is active or the computer is locked. If the user unlocks the computer, Kaspersky Endpoint Security pauses the task. Because of these pauses, the task can take several days to complete.

  6. Under IOC scanning area, select one of the following options for the IOC scanning area:
    • Critical file areas. If this option is selected, Kaspersky Endpoint Security performs IOC scanning only in important file areas of the computer: the kernel memory and boot sectors.
    • File areas on system drives of the computer. If this option is selected, Kaspersky Endpoint Security performs IOC scanning on the system disk of the computer.
  7. Save all changes.

Running of IOC scanning tasks is configured.

See also

Configuring Threat Response actions


[Topic 221263]

Configuring Quarantine settings

One of the actions Kaspersky Endpoint Security can perform to respond to threats detected by Kaspersky Sandbox is sending the threatening objects to Quarantine.

Quarantine is a special repository for storing files that are probably infected with viruses and files that cannot be disinfected at the time when they are detected. Files in Quarantine are stored in encrypted form and do not pose a security threat to the workstation.

Kaspersky Security Center generates a common list of objects on workstations quarantined by Kaspersky Endpoint Security. Network Agents on workstations submit information about files in Quarantine to the Administration Server.

To make sure Kaspersky Endpoint Security sends information about quarantined objects to the Kaspersky Security Center Administration Server, you must turn on this option in Quarantine settings in the Kaspersky Endpoint Security policy.

How to enable data submission to the Administration Server in Web Console

  1. In the main window of Web Console, select the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.

    This opens the policy properties window.

  3. Select the Application settings tab.
  4. Go to the General settings → Reports and Storage section.
  5. Under Data transfer to Administration Server, select the About Quarantine files check box.
  6. Save your changes.

You can use the Web Console to view properties of objects in Quarantine on workstations, initiate scanning of these objects, delete objects in Quarantine, and restore objects from Quarantine.

Web Console does not copy files from Quarantine to the Administration Server. All objects are kept on the workstations where Kaspersky Endpoint Security is installed, and objects are also restored from Quarantine on those workstations.

Quarantine is created under the same system user account on the workstation under which the threatening object was detected.

To configure Kaspersky Endpoint Security Quarantine:

  1. In the main window of Web Console, go to the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.
  3. Go to the Application settings tab.
  4. Select the General settings section.
  5. Click Reports and Storage.
  6. Under Quarantine, do the following:
    1. If you want to set the maximum size of Quarantine, in the Limit the size of Quarantine to field, type the maximum size of Quarantine in MB or select it from the list.

      For example, you can limit the Quarantine size to 200 MB.

    2. If you want to limit the usage of Quarantine, in the Notify when the Quarantine storage reaches field, enter the threshold value after which the application must send the corresponding notification.

      For example, you can set the threshold value of Quarantine to 50%.

      When Quarantine reaches the threshold value, Kaspersky Endpoint Security sends the corresponding event to Kaspersky Security Center and publishes the event in Windows Event Log. In the meantime, the application continues quarantining new objects.

  7. Save all changes.

Quarantine is configured.

You can also manage quarantined objects (for example, restore, delete, add). Objects can be restored on a computer with Kaspersky Endpoint Security locally using the command line.

See also

Getting started with Kaspersky Endpoint Security

Configuring the proxy server connection

Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox

Managing stand-alone IOC scanning tasks

Configuring Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox

Configuring data synchronization with the Administration Server

Monitoring the results of sending objects for scanning by Kaspersky Sandbox and running IOC scanning tasks

[Topic 221265]

Configuring data synchronization with the Administration Server

You can configure synchronization of information about the operation of Kaspersky Endpoint Security on workstations with the Kaspersky Security Center Administration Server.

To configure synchronization of information with the Administration Server:

  1. In the main window of Web Console, go to the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.
  3. Go to the Application settings tab.
  4. Select the General settings section.
  5. Click Reports and Storage.
  6. Under Data transfer to Administration Server, select check boxes next to data for which you want to configure synchronization with the Administration Server.

Synchronization of information with the Administration Server is configured.

See also

Getting started with Kaspersky Endpoint Security

Configuring the proxy server connection

Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox

Managing stand-alone IOC scanning tasks

Configuring Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings

Monitoring the results of sending objects for scanning by Kaspersky Sandbox and running IOC scanning tasks

[Topic 221634]

Monitoring the results of sending objects for scanning by Kaspersky Sandbox and running IOC scanning tasks

You can monitor the results of sending objects to be scanned by Kaspersky Sandbox and running IOC scanning tasks on hosts in the following ways:

  • Enable logging of the events that occur when objects are sent for scanning by Kaspersky Sandbox and when IOC scanning tasks run, to the Microsoft Windows event log and/or the Kaspersky Endpoint Security event log.
  • Enable sending event notifications.

To enable logging of event information in the Microsoft Windows and/or Kaspersky Endpoint Security event logs and the sending of event notifications:

  1. In the main window of Web Console, go to the Devices → Policies & profiles section.
  2. Click the name of the Kaspersky Endpoint Security policy.
  3. Go to the Application settings tab.
  4. Select the General settings section.
  5. Click Interface.
  6. In the window that opens, under Notifications, click Notification settings.

    Events are grouped in sections in accordance with severity levels:

    • Critical
    • Functional failure
    • Warning
    • Informational message

    Each section displays a list of event types.

  7. If you want to enable the logging of information in event logs, select the Save in local report or Save in Windows Event Log check boxes.

    You can select both check boxes at the same time.

    Events that have the Save in local report check box selected are displayed in Applications and Services Logs in the Kaspersky Event Log section. Events that have the Save in Windows Event Log check box selected are displayed in Windows logs in the Application section.

    To open the Windows event logs, select Start → Control Panel → Administration → Event Viewer.

    To minimize the number of records about repeating critical events, Kaspersky Endpoint Security logs an event the first time it occurs and then only every 25th occurrence for the following event types: Error submitting scan task to Kaspersky Sandbox, An internal error occurred, Maximum load on Kaspersky Sandbox exceeded, The Kaspersky Sandbox node is unavailable.

  8. If you want to enable the sending of event notifications:
    • Select the Notify on screen check box if you want the information about selected events to be displayed on the screen as pop-up notifications in the notification area of the Microsoft Windows taskbar.
    • Select the Notify by email check box if you want the notifications to be delivered by email.

      You can select both check boxes at the same time.

      To have notifications delivered to an email address, you must configure email notification delivery:

      1. In the main window of Web Console, go to the Devices → Policies & profiles section.
      2. Click the name of the Kaspersky Endpoint Security policy.
      3. Go to the Application settings tab.
      4. Select the General settings section.
      5. Click Notifications.
      6. In the window that opens, under Notifications, click Email notification settings.
      7. Select the Send event notifications check box.
      8. Edit the notification settings.
      9. Save the settings.
  9. Save your changes.

The logging of event information in Microsoft Windows and/or Kaspersky Endpoint Security event logs and sending event notifications are enabled.

See also

Getting started with Kaspersky Endpoint Security

Configuring the proxy server connection

Configuring the integration of Kaspersky Endpoint Security with Kaspersky Sandbox

Managing stand-alone IOC scanning tasks

Configuring Threat Response actions of Kaspersky Endpoint Security to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings

Configuring data synchronization with the Administration Server

[Topic 188548]

Managing Kaspersky Endpoint Agent for Windows

Kaspersky Endpoint Agent provides interaction between

and Kaspersky Sandbox, as well as automatic Threat Response actions in response to threats detected by Kaspersky Sandbox.

In order to provide support in case of faulty operation of Kaspersky Endpoint Agent, Technical Support experts can ask you to perform the following actions for debugging purposes:

  • Activate the advanced diagnostics feature.
  • Perform additional configuration on some application components that are not normally configurable via the user interface.
  • Modify the settings for storing and submitting collected diagnostic data.
  • Set up network traffic capturing and save it in a file.

All necessary information for performing the actions listed above (procedure, settings to be modified, configuration files, scripts, extra command line functionality, debugging modules, special utilities, etc.), as well as the scope of data that is collected for debugging purposes, will be disclosed by Technical Support staff. Advanced debugging information is collected and stored on the user computer. Collected data is not automatically submitted to Kaspersky.

The actions listed above must only be performed under the guidance of Technical Support staff and following the instructions they provide. Unsupervised modification of application settings in ways not described in the documentation or in the recommendations of Technical Support staff can slow down or destabilize the operating system and reduce the security of the computer and the integrity of the data it processes.

In this Help section

Getting started with Kaspersky Endpoint Agent

Configuring Kaspersky Endpoint Agent security settings

Configuring proxy server connection settings

Configuring the usage of Kaspersky Security Network

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings and restoration of objects from Quarantine

Configuring data synchronization with the Administration Server

Managing Kaspersky Endpoint Agent tasks

[Topic 236689]

Getting started with Kaspersky Endpoint Agent

After installing Kaspersky Endpoint Agent, you can edit basic settings of the application:

[Topic 189432]

Configuring user permissions

You can grant access to Kaspersky Endpoint Agent to individual users or groups of users. As a result, only specified users will be able to manage settings or services of the application.

To configure user permissions:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section select the Security settings subsection.
  5. Under User permissions, click Configure next to the name of the necessary setting.

    This opens the permissions window for the Kaspersky Endpoint Agent group.

  6. In the upper block of settings for groups or users, select the group or user to which you want to grant permissions.
  7. In the lower block of permission settings for groups or users, select check boxes in items with the required permissions.
  8. Click OK.
  9. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  10. In the policy properties window, click OK.

User permissions for managing settings and/or services of the application are configured.

See also

Enabling Password protection

Enabling and disabling Self-Defense

[Topic 189433]

Enabling Password protection

Unrestricted user access to the application and its settings can reduce the overall security level of the host. Password protection lets you limit user access to the application.

To enable password protection:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section select the Security settings subsection.
  5. In the Password protection group of settings select the Apply password protection check box.
  6. Enter a password and confirm it.
  7. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  8. Click OK.

Password protection is enabled. If a user attempts to perform a password protected action, the application prompts the user to enter the password.

The application does not check the strength of the specified password. We recommend that you use third-party tools to verify the strength of the password. The password is considered strong enough if verification results confirm that the password cannot be guessed for at least 6 months.

The application does not block password entry after repeated incorrect attempts.

See also

Configuring user permissions

Enabling and disabling Self-Defense

[Topic 189434]

Enabling and disabling Self-Defense

The Self-Defense mechanism of Kaspersky Endpoint Agent protects the application from malware that tries to block or delete it. The Self-Defense mechanism prevents alteration or deletion of application files on the hard drive, of application processes in memory, and of entries in the system registry.

To enable or disable Self-Defense:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section select the Security settings subsection.
  5. In the Self-defense group of settings, enable or disable the Enable self-defense for application modules in memory setting.

    The setting is enabled by default.

  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click OK.

The Self-Defense mechanism is enabled or disabled.

See also

Configuring user permissions

Enabling Password protection

[Topic 190405]

Configuring proxy server connection settings

Proxy server connection settings are used for updating databases, activating the application, and connecting to external services.

If you use NGINX as a proxy server, configure the client_max_body_size setting: its value must be equal to the maximum size of an object that Kaspersky Endpoint Agent sends to Kaspersky Sandbox for processing. Otherwise, NGINX blocks objects that exceed the specified value. The NGINX default value is 1 MB.

To configure proxy server connection settings:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section select the General settings subsection.
  5. Select one of the following proxy service usage options:
    • Do not use proxy server
    • Automatically detect proxy server address
    • Use proxy server with specified settings
  6. If you select the Automatically detect proxy server address option, the proxy server for further telemetry transmission is detected automatically.
  7. If you select the Use proxy server with specified settings option, specify the address and port of the proxy server you want to connect to in the Server name or IP address and Port fields.

    The default port number is 8080.

  8. If you want to use NTLM authentication (NT LAN Manager Network Authentication Protocol) for connecting to the proxy server:
    1. Select the Use NTLM authentication by user name and password check box.
    2. In the User name field, enter the name of the user whose account will be used for proxy server authentication.
    3. In the Password field, enter the password for connecting to the proxy server.

      You can make password characters visible by clicking Show to the right of the Password field.

  9. If you do not want to use the proxy server for internal addresses of your organization, select the Bypass proxy server for local addresses check box.
  10. Click Apply.

    As a result, you return to the policy properties window.

  11. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  12. Click OK.

Proxy server connection settings are configured.

See also

Getting started with Kaspersky Endpoint Agent

Configuring Kaspersky Endpoint Agent security settings

Configuring the usage of Kaspersky Security Network

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings and restoration of objects from Quarantine

Configuring data synchronization with the Administration Server

Managing Kaspersky Endpoint Agent tasks

[Topic 189421]

Configuring the usage of Kaspersky Security Network

To protect your computer more effectively, Kaspersky Endpoint Security uses data received from users around the globe. Kaspersky Security Network is designed to receive such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Sandbox to objects that are not yet listed in anti-virus application databases, improves the performance of some protection components, and reduces the likelihood of false positives.

Participation in Kaspersky Security Network allows Kaspersky to quickly acquire information about the types and sources of objects that are not yet listed in anti-virus application databases, develop methods for neutralizing such objects, and reduce the number of false positives.

When you use Kaspersky Security Network, certain statistical data collected while Kaspersky Endpoint Agent is running is automatically sent to Kaspersky. Files or their parts which may be exploited by intruders to harm the computer or data can be also sent to Kaspersky to be examined additionally.

No personal data is collected, processed, or stored. The types of data that Kaspersky Endpoint Agent sends to Kaspersky Security Network are described in the KSN Statement.

Participation in Kaspersky Security Network is voluntary. KSN usage is disabled by default. After enabling KSN usage, you can disable this option at any time.

To enable KSN usage:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. Select the Kaspersky Security Network section.
  5. Read the KSN Statement.
  6. If you agree with terms and conditions of the Statement, select the I confirm that I have fully read, understood, and accept the terms and conditions of this Kaspersky Security Network Statement check box.
  7. Select the Enable Kaspersky Security Network usage check box.
  8. If you want to use Kaspersky Security Center for telemetry transmission, select the corresponding check box.
  9. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  10. Click OK.

KSN usage is enabled.

See also

Getting started with Kaspersky Endpoint Agent

Configuring Kaspersky Endpoint Agent security settings

Configuring proxy server connection settings

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings and restoration of objects from Quarantine

Configuring data synchronization with the Administration Server

Managing Kaspersky Endpoint Agent tasks

[Topic 190368]

Enabling and disabling integration with Kaspersky Sandbox

To enable or disable integration with Kaspersky Sandbox:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section select the Kaspersky Sandbox integration settings subsection.
  5. Under Kaspersky Sandbox integration:
    1. Enable or disable the Enable Kaspersky Sandbox integration setting.
    2. Enable or disable the Connect using the proxy server if specified in the general settings option.

      This setting is disabled by default: the application connects to the Kaspersky Sandbox server directly and does not use the general proxy server connection settings. Enable this option if you want the application to use the general proxy server connection settings when connecting to the Kaspersky Sandbox server.

  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click OK.

Integration with Kaspersky Sandbox is enabled or disabled.

See also

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Agent

Configuring the response timeout of Kaspersky Sandbox and request queue settings

Adding Kaspersky Sandbox servers to the Kaspersky Endpoint Agent list

[Topic 189621]

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Agent

You can configure a trusted connection between Kaspersky Sandbox and Kaspersky Endpoint Agent in the web interface of the Kaspersky Sandbox server.

Establishing and configuring a trusted connection between Kaspersky Sandbox and Kaspersky Endpoint Agent involves:

  1. Generating or uploading a TLS certificate for the connection with Kaspersky Endpoint Agent to the Kaspersky Sandbox server

    If the TLS certificate that you prepared yourself restricts the IP address or host name, you can configure a trusted connection of Kaspersky Endpoint Agent only with a single Kaspersky Sandbox server. You cannot configure a trusted connection of Kaspersky Endpoint Agent with a cluster of Kaspersky Sandbox servers with such a certificate.

  2. Creating a new cluster based on the server to which the certificate was uploaded
  3. Removing the servers that you want to add to the cluster created in the previous step from the clusters they currently belong to
  4. Adding all necessary servers to the new cluster
  5. Adding all servers of the new Kaspersky Sandbox cluster to the Kaspersky Endpoint Agent list
  6. Configuring a trusted connection with Kaspersky Sandbox on the Kaspersky Endpoint Agent side

If you have already combined servers into a cluster, you must remove the server for which you want to configure a trusted connection with Kaspersky Endpoint Agent from the cluster, then create a new cluster based on that server, and then add all servers intended for Kaspersky Sandbox to the new cluster.

If the servers you need are part of a different cluster, you must remove them from that cluster one by one and then add them to the new cluster.

In this case, establishing and configuring a trusted connection between Kaspersky Sandbox and Kaspersky Endpoint Agent involves the following steps:

  1. Removing a server from the cluster (if the server is currently part of a cluster)
  2. Generating or uploading a TLS certificate for the connection with Kaspersky Endpoint Agent to the Kaspersky Sandbox server
  3. Creating a new cluster based on the server to which the certificate was uploaded
  4. Removing the servers that you want to add to the cluster created in the previous step from the clusters they currently belong to
  5. Adding all necessary servers to the new cluster
  6. Adding all servers of the new Kaspersky Sandbox cluster to the Kaspersky Endpoint Agent list
  7. Configuring a trusted connection with Kaspersky Sandbox on the Kaspersky Endpoint Agent side

See also

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Enabling and disabling integration with Kaspersky Sandbox

Configuring the response timeout of Kaspersky Sandbox and request queue settings

Adding Kaspersky Sandbox servers to the Kaspersky Endpoint Agent list

In this Help section

Configuring a trusted connection on the Kaspersky Sandbox server

Configuring a trusted connection on the Kaspersky Endpoint Agent side

[Topic 189628]

Configuring a trusted connection on the Kaspersky Sandbox server

To configure a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Agent, you must generate or upload a TLS certificate in Kaspersky Sandbox, save it on a computer, and then upload it to the Kaspersky Endpoint Agent application.

To generate a TLS certificate in the Kaspersky Sandbox web interface:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for connection to the EPP application, click Generate.

    The action confirmation window opens.

  3. Click Yes.

Kaspersky Sandbox generates a new TLS certificate. The browser page is automatically reloaded.

Alternatively, you can prepare the TLS certificate yourself and upload it via the Kaspersky Sandbox web interface.

The uploaded TLS certificate file must satisfy the following requirements:

  • The file must contain the certificate and a private encryption key for the connection.
  • The file must be in PEM format.
  • The private key length must be 2048 bits or longer.

For more details about preparing TLS certificates for import, see the OpenSSL documentation.
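The upload requirements above, together with the note in the previous topic that a certificate pinned to one IP address or host name can only be used with a single Kaspersky Sandbox server, as an added example that is not part of the Kaspersky documentation: a POSIX shell script that uses OpenSSL to build a self-prepared certificate-plus-key PEM bundle, checks it against the three requirements, and reports whether the certificate carries a subjectAltName. The file names, subject name, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example (not Kaspersky's own tooling): prepare and verify a PEM bundle
# that meets the upload requirements for the "TLS certificate for connection
# to the EPP application":
#   - one file containing both the certificate and its private key
#   - PEM format
#   - private key of 2048 bits or longer
# File names, subject, key size and validity period are assumptions.
set -u

# Generate a self-signed certificate and key, then concatenate them into one
# PEM bundle (certificate first, key second). The subject is a CN only, with
# no subjectAltName, so the certificate does not pin a single IP address or
# host name; a pinned certificate can only be used with one Sandbox server.
make_bundle() {  # $1 = output bundle path, $2 = RSA key size in bits
    workdir=$(mktemp -d)
    openssl req -x509 -newkey "rsa:$2" -nodes -days 825 \
        -subj "/CN=kaspersky-sandbox-epp" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" >/dev/null 2>&1 || return 1
    cat "$workdir/cert.pem" "$workdir/key.pem" > "$1"
    rm -rf "$workdir"
}

# Print the private key length in bits found in a PEM bundle (0 if no key).
# The key block is extracted first so that the check does not depend on the
# order of the blocks inside the bundle.
bundle_key_bits() {  # $1 = bundle path
    keyfile=$(mktemp)
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1" > "$keyfile"
    bits=$(openssl pkey -in "$keyfile" -noout -text 2>/dev/null \
           | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1)
    rm -f "$keyfile"
    echo "${bits:-0}"
}

# Print "ok" when the bundle satisfies all three requirements, otherwise the
# first failed requirement; the exit status mirrors the result.
check_bundle() {  # $1 = bundle path
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        || { echo "missing certificate block"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" \
        || { echo "missing private key block"; return 1; }
    bits=$(bundle_key_bits "$1")
    [ "$bits" -ge 2048 ] || { echo "private key too short: $bits bits"; return 1; }
    echo "ok"
}

# Print "yes" when the first certificate in the bundle carries a
# subjectAltName (DNS name or IP address), i.e. when it would restrict
# Kaspersky Endpoint Agent to a single Kaspersky Sandbox server; "no" otherwise.
cert_restricts_host() {  # $1 = bundle path
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'; then
        echo "yes"
    else
        echo "no"
    fi
}
```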

To upload the TLS certificate via the Kaspersky Sandbox web interface:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for connection to the EPP application, click Upload.

    The file selection window opens.

  3. Select the TLS certificate file that you want to upload and click Open.

    The file selection window closes.

The TLS certificate is added to Kaspersky Sandbox.

To save the TLS certificate file for the connection with Kaspersky Endpoint Security on a computer:

  1. In the Kaspersky Sandbox web interface window, select the TLS certificates section.
  2. Under TLS certificate for connection to the EPP application, click Download.

    When downloading, the browser may display a notification saying that the file is potentially dangerous. This is a standard warning for .crt files. The TLS certificate file is not dangerous for the computer.

The TLS certificate file is saved in the downloads folder of the browser.

See also

Configuring a trusted connection on the Kaspersky Endpoint Agent side

[Topic 189492]

Configuring a trusted connection on the Kaspersky Endpoint Agent side

To configure a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Agent on the Kaspersky Endpoint Agent side:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section select the Kaspersky Sandbox integration settings subsection.
  5. In the Kaspersky Sandbox integration settings group, enable the Use pinned certificate to protect connection option.
  6. Click Add new TLS certificate.
  7. Do one of the following to add a TLS certificate created on the Kaspersky Sandbox side:
    • Add a certificate file. To do so, click Browse, and in the window that is displayed, select the certificate file and click Open.
    • Copy and paste the contents of the certificate file to the Paste TLS certificate data field.

    Kaspersky Endpoint Agent stores only one TLS certificate for a Kaspersky Sandbox server. If you add a TLS certificate when one was added earlier, only the most recently added certificate is used.

  8. Click Add.

    Information about the added TLS certificate is displayed in the Kaspersky Sandbox integration settings group.

  9. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  10. Click OK.

Trusted connection to the Kaspersky Sandbox server is configured.

See also

Configuring a trusted connection on the Kaspersky Sandbox server

[Topic 189424]

Configuring the response timeout of Kaspersky Sandbox and request queue settings

To configure Kaspersky Sandbox response timeout and processing queue settings for objects that Kaspersky Endpoint Agent sends to Kaspersky Sandbox:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section select the Kaspersky Sandbox advanced settings subsection.
  5. Under Timeout, enter the maximum server response timeout.

    If the connection to the Kaspersky Sandbox server is not established within the specified time, the current connection attempt is aborted and Kaspersky Endpoint Agent repeats the attempt to connect to the server.

    The default value is 5 seconds.

  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Under Kaspersky Sandbox requests queue, in the Queue folder field, enter the path to the folder that will be used for storing information about requests sent to Kaspersky Sandbox.

    The default folder is %SOYUZAPPDATA%\Sandbox\Queue.

  8. In the Maximum queue size (MB) field, enter the maximum allowed size of the request queue in megabytes.

    The default value is 100 MB.

  9. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  10. Click Apply, and then click OK.

The response timeout and the object processing queue are configured.

See also

Enabling and disabling integration with Kaspersky Sandbox

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Agent

Adding Kaspersky Sandbox servers to the Kaspersky Endpoint Agent list

[Topic 189423]

Adding Kaspersky Sandbox servers to the Kaspersky Endpoint Agent list

If you have enabled the integration with Kaspersky Sandbox, you can add Kaspersky Sandbox servers to the Kaspersky Endpoint Agent list.

You can add multiple Kaspersky Sandbox servers.

For a particular policy, add servers that are part of the same cluster. If servers belong to different clusters, the outcome is unpredictable.

All servers in the cluster are peers regardless of which server was used as the base for creating the cluster. Processing the same object on any server in the cluster will yield the same result.

The Kaspersky Sandbox application balances load among the servers. Objects that Kaspersky Endpoint Agent sends for processing in Kaspersky Sandbox are processed on the least busy server.

To let the Kaspersky Sandbox cluster process objects from Kaspersky Endpoint Agent, you must add at least one server from the cluster to Kaspersky Endpoint Agent when integrating Kaspersky Endpoint Agent with Kaspersky Sandbox.

The list of Kaspersky Sandbox servers in the Kaspersky Endpoint Agent application displays only the servers that you have added to it. Nevertheless, thanks to load balancing, objects can be processed by any server in the cluster. The current list of servers in the cluster is displayed in the web interface of Kaspersky Sandbox.

It is recommended to add all servers of the cluster to Kaspersky Endpoint Agent.

Kaspersky Endpoint Agent can connect to a different Kaspersky Sandbox server in the list if one of the following errors occurs:

  • Kaspersky Sandbox response timeout (connection timeout).
  • Kaspersky Sandbox unavailable (error code 503 or 504).
  • Self-diagnosis problem other than a license problem (error code 500).

When you delete a server from a cluster, the following object processing scenarios are possible:

  • If there is still at least one server from the cluster with a current IP address or FQDN in the list of Kaspersky Sandbox servers in the Kaspersky Endpoint Agent application, Kaspersky Sandbox continues to process objects from Kaspersky Endpoint Agent.
  • If no servers from the cluster remain in the list of Kaspersky Sandbox servers in the Kaspersky Endpoint Agent application, or if IP addresses or FQDNs of cluster servers are not current, Kaspersky Sandbox cannot receive and process objects from Kaspersky Endpoint Agent.

    For correct processing of objects, at least one server from the Kaspersky Sandbox cluster must be added to Kaspersky Endpoint Agent.
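The failover rules above (switch to the next listed server on a connection timeout, on error code 503 or 504, or on a non-license self-diagnosis error with code 500; stop on any other reply) can be modeled as a small decision routine. This is an added illustration, not Kaspersky code: the reply structure, the hypothetical `reason` field used to tell a license problem apart from other self-diagnosis problems, and the server names are all constructed for the example.

```python
"""Model of Kaspersky Endpoint Agent's server-list failover, as described in the
help text. Added example, not product code. Assumptions: a reply carries an HTTP
status (None models a response timeout) and a hypothetical "reason" field that is
"license" when a 500 error stems from a license problem."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple


@dataclass
class SandboxReply:
    status: Optional[int]      # HTTP status code; None models a connection/response timeout
    reason: str = ""           # assumed diagnostic field, e.g. "license" or "self-diagnosis"
    verdict: str = ""          # e.g. "clean" or "malicious" when the request succeeded


def should_failover(reply: SandboxReply) -> bool:
    """True when the agent should retry the request on another listed server.

    Mirrors the three conditions in the help text; anything else (a verdict,
    a license problem reported with code 500, other client errors) is final
    and must not be silently retried elsewhere."""
    if reply.status is None:
        return True                       # Kaspersky Sandbox response timeout
    if reply.status in (503, 504):
        return True                       # Kaspersky Sandbox unavailable
    if reply.status == 500:
        return reply.reason != "license"  # self-diagnosis problem other than a license problem
    return False


def send_with_failover(
    servers: Iterable[str], send: Callable[[str], SandboxReply]
) -> Tuple[Optional[str], Optional[SandboxReply]]:
    """Try the listed servers in order and return (server, reply) for the first
    reply that does not trigger failover. If every server triggers failover,
    return (None, last_reply) so the caller can log why the object was not
    processed (this is the "no usable server" scenario from the help text)."""
    last: Optional[SandboxReply] = None
    for server in servers:
        reply = send(server)
        if not should_failover(reply):
            return server, reply
        last = reply
    return None, last


# Constructed sample: first server times out, second is overloaded, third answers.
CONSTRUCTED_REPLIES = {
    "sandbox-1.example.local": SandboxReply(status=None),
    "sandbox-2.example.local": SandboxReply(status=503),
    "sandbox-3.example.local": SandboxReply(status=200, verdict="malicious"),
}


def run_constructed_scenario() -> Tuple[Optional[str], Optional[SandboxReply]]:
    """Walk the constructed server list with a lookup-based transport."""
    return send_with_failover(list(CONSTRUCTED_REPLIES), CONSTRUCTED_REPLIES.__getitem__)


if __name__ == "__main__":
    server, reply = run_constructed_scenario()
    print(f"processed on {server}: verdict={reply.verdict!r}")
```

The same routine shows why a license problem must not be retried: the first server that reports it is returned as final, so the operator sees the real cause instead of a cascade of identical failures across the cluster.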

To add Kaspersky Sandbox servers to the Kaspersky Endpoint Agent list:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section, select the Kaspersky Sandbox integration settings subsection.
  5. In the Kaspersky Sandbox integration settings group of settings, enable the Enable Kaspersky Sandbox integration setting.
  6. Under Kaspersky Sandbox integration settings, enable or disable the Connect using the proxy server option (the proxy server itself is configured in the general settings).

    This option is disabled by default: the application connects to Kaspersky Sandbox directly and ignores the general proxy server connection settings. Enable it if you want the application to use the general proxy server connection settings when connecting to the Kaspersky Sandbox server.

  7. Under List of Kaspersky Sandbox servers, click Add.

    The Server properties window opens.

  8. Enter the IP address or fully qualified domain name of the Kaspersky Sandbox server and the port used for connecting to the server.
  9. Click Add.

    The added server is listed in the server table.

  10. Repeat the steps to add each Kaspersky Sandbox server to the list.
  11. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  12. Click the Apply button and then click OK.

Kaspersky Sandbox servers are added to the Kaspersky Endpoint Agent list.

See also

Enabling and disabling integration with Kaspersky Sandbox

Configuring a trusted connection of Kaspersky Sandbox with Kaspersky Endpoint Agent

Configuring the response timeout of Kaspersky Sandbox and request queue settings

[Topic 189425]

Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Kaspersky Endpoint Agent can perform Threat Response actions in response to threats detected by Kaspersky Sandbox.

You can configure the following types of actions:

  • Local actions are performed on each workstation where the threat is detected.
  • Group actions are performed on all workstations in the administration group for which you are configuring the policy.

Local actions:

  • Quarantine and delete.

    If a threat is detected on a workstation, a copy of the object containing the threat is placed in Quarantine, and the object is deleted from the workstation.

  • Notify device user.

    If a threat is detected on a device, a notification about the detected threat is displayed to the user of the device.

    The notification is displayed if the same user account under which the threat was detected is currently logged in to the device. If the device is powered down or a different user account is logged in, the notification is not displayed.

  • Run Endpoint Protection Platform scan of critical areas on the device.

    If a threat is detected on a Kaspersky Endpoint Agent host, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas of the device. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For more details on configuring the scan, refer to the documentation of the EPP you are using.

Group actions:

  • Run IOC Scan on a managed group of devices.

    If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat.

  • Quarantine and delete when IOC is found.

    If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat. When an object which contains a threat is detected on devices of this administration group, a copy of the object containing the threat is quarantined, and the object is deleted from the device.

  • Run Endpoint Protection Platform scan of critical areas on the device when IOC is found.

    If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas on every device of the administration group where the object containing the threat was detected. For more details on configuring the scan, refer to the documentation of the EPP you are using.

To configure group Threat Response actions, you must configure permissions for the Kaspersky Security Center Web Console user accounts that you want to use to manage IOC scanning tasks.

If you configure Threat Response actions, keep in mind that execution of some of the configured actions can result in the object containing the threat being deleted from the workstation where it was detected.

See also

Getting started with Kaspersky Endpoint Agent

Configuring Kaspersky Endpoint Agent security settings

Configuring proxy server connection settings

Configuring the usage of Kaspersky Security Network

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Configuring Quarantine settings and restoration of objects from Quarantine

Configuring data synchronization with the Administration Server

Managing Kaspersky Endpoint Agent tasks

In this Help section

Enabling and disabling Threat Response actions for threats detected by Kaspersky Sandbox

Adding Threat Response actions to the action list of the current policy

Authentication for Threat Response group tasks at the Administration Server

Enabling detection of legitimate applications that can be used by cybercriminals

Configuring the running of IOC scanning tasks

[Topic 190469]

Enabling and disabling Threat Response actions for threats detected by Kaspersky Sandbox

To enable or disable Threat Response actions for threats detected by Kaspersky Sandbox:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section, select the Threat response subsection.
  5. Under Actions:
    • Select the Take response actions on threats, detected by Kaspersky Sandbox check box to enable threat response actions.
    • Clear the Take response actions on threats, detected by Kaspersky Sandbox check box to disable threat response actions.
  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click Apply and OK.

Threat Response actions for threats detected by Kaspersky Sandbox are enabled or disabled.

See also

Adding Threat Response actions to the action list of the current policy

Authentication for Threat Response group tasks at the Administration Server

Enabling detection of legitimate applications that can be used by cybercriminals

Configuring the running of IOC scanning tasks

[Topic 190470]

Adding Threat Response actions to the action list of the current policy

To add Threat Response actions to the list of actions of the current policy:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section, select the Threat response subsection.
  5. In the Actions group of settings, select the Take response actions on threats, detected by Kaspersky Sandbox check box, if it is not selected.
  6. Click Add and in the drop-down list, select one of the following actions:
    • Quarantine and delete.

      When a threat is detected on a device, a copy of the object containing the threat is quarantined, and the object is deleted from the device.

    • Notify device user.

      If a threat is detected on a device, a notification about the detected threat is displayed to the user of the device.

      The notification is displayed if the same user account under which the threat was detected is currently logged in to the device.

      If the device is powered down or a different user account is logged in, the notification is not displayed.

    • Run Endpoint Protection Platform scan of critical areas on the device.

      If a threat is detected on a device, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas of the device. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For more details on configuring the scan, refer to the documentation of the EPP you are using.

    • Run IOC Scan on a managed group of devices.

      If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat.

    • Quarantine and delete when IOC is found.

      If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat. When an object which contains a threat is detected on devices of this administration group, a copy of the object containing the threat is quarantined, and the object is deleted from the device.

    • Run Endpoint Protection Platform scan of critical areas on the device when IOC is found.

      If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas on every device of the administration group where the object containing the threat was detected. For more details on configuring the scan, refer to the documentation of the EPP you are using.

    The action is added to the Selected actions list.

    If you configure Threat Response actions, keep in mind that execution of some of the configured actions can result in the object containing the threat being deleted from the workstation where it was detected.

  7. To remove an action, select it in the table and click Remove.
  8. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  9. Click Apply and OK.

Threat Response actions are added to the action list of the current policy.

See also

Enabling and disabling Threat Response actions for threats detected by Kaspersky Sandbox

Authentication for Threat Response group tasks at the Administration Server

Enabling detection of legitimate applications that can be used by cybercriminals

Configuring the running of IOC scanning tasks

[Topic 190471]

Authentication for Threat Response group tasks at the Administration Server

If you want Kaspersky Endpoint Agent to create autonomous IOC Scan tasks when responding to threats, you must configure authentication on the Administration Server.

The application uses a special Administration Server user account, which has limited permissions and is intended only for creating Autonomous IOC Scan tasks.

The special account can only be created in the Threat Response window in Kaspersky Endpoint Agent policy properties or in the application properties of an individual device. The special account must be created on the Administration Server only once and its password must be used to configure Threat Response settings in the properties of other devices or other policies of the same Administration Server.

It is not possible to change the password of the special account created for Autonomous IOC Scan tasks. If you forget the password of this account, delete it using standard Kaspersky Security Center tools and create it again in the Threat response window.

To authenticate at the Administration Server:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section, select the Threat response subsection.
  5. To check for availability of a special account for Autonomous IOC Scan tasks, or to create such an account:
    1. In the Authentication on Administration Server group of settings, click the Check for the user button.

      The settings in the Authentication on Administration Server group are editable only if the Run IOC Scan for a managed group of devices option is selected in the Selected actions list.

    2. In the window that opens, in the Connection to Administration Server group of settings, enter the data for connecting to the Administration Server, as well as the login and password of an Administration Server account that has permission to create new users.
    3. Click the Connect and check for the user button.
    4. In the pop-up window, review the information on availability of a special account and close it.
    5. If the account does not exist and you want to create it, in the Password field of the Creating special user for Autonomous IOC Scan tasks group of settings, specify a password with a length of 8–16 characters and click the Create special user button.

      The Creating special user for Autonomous IOC Scan tasks group of settings becomes editable only after the existence of a special account has been checked.

    6. Click Exit to close the Administration Server user for Autonomous IOC Scan tasks window.
  6. In the Administration Server user name field of the Authentication on Administration Server group of settings, enter the password for the special account created for the Autonomous IOC Scan tasks.
  7. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  8. Click OK.

Authentication on the Administration Server for Autonomous IOC Scan tasks is configured.

See also

Enabling and disabling Threat Response actions for threats detected by Kaspersky Sandbox

Adding Threat Response actions to the action list of the current policy

Enabling detection of legitimate applications that can be used by cybercriminals

Configuring the running of IOC scanning tasks

[Topic 190953]

Enabling detection of legitimate applications that can be used by cybercriminals

You can enable detection of legitimate applications, which can be exploited by adversaries to cause harm to your corporate LAN. Kaspersky Endpoint Agent considers such applications a threat and subjects them to Threat Response actions.

Legitimate applications are applications that may be installed and used on workstations and are intended for performing user tasks. However, certain types of legitimate applications can be exploited by hackers to harm the workstation or the corporate LAN. If adversaries gain access to these applications, or if they plant them on the workstation, they can use some of the features to compromise the security of the workstation or the corporate LAN.

These applications include IRC clients, auto-dialers, file downloaders, computer system activity monitors, password management utilities, and web servers for FTP, HTTP, or Telnet services.

If you want to enable detection of such applications:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Kaspersky Sandbox integration section, select the Threat response subsection.
  5. Under Additional, select the Enable detection of legitimate applications that can be exploited by adversaries check box.
  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click the Apply button and then click OK.

Detection of legitimate applications, which can be exploited by adversaries to cause harm to your corporate LAN, is enabled.

See also

Enabling and disabling Threat Response actions for threats detected by Kaspersky Sandbox

Adding Threat Response actions to the action list of the current policy

Authentication for Threat Response group tasks at the Administration Server

Configuring the running of IOC scanning tasks

[Topic 190956]

Configuring the running of IOC scanning tasks

To configure the running of IOC scanning tasks:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the right part of the screen, under Scanning scope, select one of the following scopes where Kaspersky Endpoint Agent will search for IOCs:
    • File areas on system drives of the device.
    • Critical file areas on the device.
  5. Under Configure IOC scanning, select one of the following options for running IOC scanning tasks:
    • Manually.

      IOC scanning tasks are created automatically but are not run. You can run each task or all tasks manually.

    • Immediately after threat detection by Kaspersky Sandbox.

      IOC scanning tasks are automatically created and run.

    • Start within the specified period.

      IOC scanning tasks are created automatically and run during the specified period, for example, during out-of-office hours from 8 p.m. to 7 a.m.

      If you select the Start within the specified period option, specify the start and end of the period in the Period start time (hh:mm) and Period end time (hh:mm) fields.

      All IOC scanning tasks automatically created before the specified start time of the period are run at an arbitrary time during the specified period.

      All IOC scanning tasks automatically created during the specified period are run immediately.

      All IOC scanning tasks automatically created after the specified start time of the period are run the following day.

    Example:

    You configured to run the tasks during the specified period from 8:00 p.m. to 7:00 a.m.:

    Tasks automatically created at 7:00 p.m. are run at an arbitrary time from 8:00 p.m. to 7:00 a.m.

    Tasks automatically created at 9:00 p.m. are run at 9:00 p.m.

    Tasks automatically created at 10:00 p.m. are run on the following day from 8:00 p.m. to 7:00 a.m.

  6. Click OK.
  7. If you are configuring policy settings, in the upper right corner of the group of settings, move the switch from Undefined to Enforce.
  8. Click OK.
  9. In the policy properties window, click Save.

Running of IOC scanning tasks is configured.

See also

Enabling and disabling Threat Response actions for threats detected by Kaspersky Sandbox

Adding Threat Response actions to the action list of the current policy

Authentication for Threat Response group tasks at the Administration Server

Enabling detection of legitimate applications that can be used by cybercriminals

[Topic 190415]

Configuring Quarantine settings and restoration of objects from Quarantine

Quarantine is a special local repository on a device with Kaspersky Endpoint Agent installed which is intended for storing files that are probably infected by viruses or cannot be disinfected at the time when they are detected. Quarantined files are stored in an encrypted form and therefore do not compromise your device's security.

By default, the local quarantine is located in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Quarantine folder. By default, the objects restored from quarantine are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Restored folder.

Kaspersky Security Center generates a common list of quarantined objects on devices with Kaspersky Endpoint Agent installed. Network Agents on the devices submit information about quarantined files to the Administration Server.

Kaspersky Security Center does not copy files from Quarantine to Administration Server. All objects are stored on protected devices with Kaspersky Endpoint Agent installed. Objects are also restored from Quarantine on protected devices.

To configure Kaspersky Endpoint Agent Quarantine settings:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Repositories section, select the Quarantine subsection.
  5. In the Quarantine settings section, configure the quarantine settings:
    1. In the Quarantine folder field, enter the path to where you want to create the Quarantine folder on the devices or click Browse and select the path.

      The default path is %SOYUZAPPDATA%\Quarantine\. The Quarantine folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

      The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed. For example, if Kaspersky Endpoint Agent is installed on drive C, the path to the Quarantine folder is C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Quarantine.

    2. To configure the maximum quarantine size, select the Maximum Quarantine size (MB) check box and type the maximum size of quarantine in MB or select it from the list.

      For example, you can set the maximum Quarantine size to 200 MB.

      When the maximum quarantine size is reached, Kaspersky Endpoint Agent publishes the corresponding event on Kaspersky Security Center server and in the Windows Event Log, but does not stop quarantining new objects.

    3. To specify the quarantine threshold (the space in quarantine remaining until the maximum quarantine size is reached), select the Threshold value for space available (MB) check box.

      For example, you can set the threshold value of Quarantine to 50 MB.

      When the quarantine threshold is reached, Kaspersky Endpoint Agent publishes the corresponding event on Kaspersky Security Center server and in the Windows Event Log, but does not stop quarantining new objects.

  6. In the Restoring objects from Quarantine section, in the Target folder for restored objects field, enter the path where you want to create the folder for objects restored from Quarantine.

    The default path is %SOYUZAPPDATA%\Restored\. The Restored folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

    The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed. For example, if Kaspersky Endpoint Agent is installed on drive C, the path to the folder with the objects restored from quarantine is C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Restored.

  7. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  8. Click the Apply button and then click OK.

Settings of Quarantine and restoring objects from Quarantine are configured.

See also

Getting started with Kaspersky Endpoint Agent

Configuring Kaspersky Endpoint Agent security settings

Configuring proxy server connection settings

Configuring the usage of Kaspersky Security Network

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Configuring data synchronization with the Administration Server

Managing Kaspersky Endpoint Agent tasks

[Topic 190452]

Configuring data synchronization with the Administration Server

You can configure synchronization of information about the operation of the Kaspersky Endpoint Agent application on workstations with the Kaspersky Security Center Administration Server.

To configure synchronization of information with the Administration Server:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Repositories section, select the Synchronization with Administration Server subsection.
  5. In the Settings section, in the Send the following data to the Administration Server subsection, select the Data about objects, quarantined on managed devices check box.
  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click the Apply button and then click OK.

Synchronization of information with the Administration Server is configured.

See also

Getting started with Kaspersky Endpoint Agent

Configuring Kaspersky Endpoint Agent security settings

Configuring proxy server connection settings

Configuring the usage of Kaspersky Security Network

Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox

Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

Configuring Quarantine settings and restoration of objects from Quarantine

Managing Kaspersky Endpoint Agent tasks

[Topic 190473]

Viewing the task list

To view the list of tasks on the Kaspersky Security Center server:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

A list of tasks appears.

See also

Removing tasks from the list

Running tasks manually

Viewing task results

Modifying the task result storage time on the Administration Server

Managing database update tasks

Managing IOC scanning tasks

[Topic 190958]

Removing tasks from the list

To remove tasks from the task list on the Kaspersky Security Center server:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.
  3. From the task list, select the tasks that you want to delete.

    A window opens with the list of actions that you can perform with the tasks.

  4. Select the Delete action.

    The action confirmation window opens.

  5. Click Yes.

Selected tasks are removed from the list.

See also

Viewing the task list

Running tasks manually

Viewing task results

Modifying the task result storage time on the Administration Server

Managing database update tasks

Managing IOC scanning tasks

[Topic 190970]

Running tasks manually

You can run database update tasks and IOC scanning tasks manually.

To run a single task manually:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. Select the task in the list and right-click to open the task action menu.
  4. Choose the Run action.

The task is run.

To run all tasks manually:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. Select any task in the list and right-click to open the task action menu.
  4. Choose the All tasks item and the Run action.

All tasks are run.

See also

Viewing the task list

Removing tasks from the list

Viewing task results

Modifying the task result storage time on the Administration Server

Managing database update tasks

Managing IOC scanning tasks

[Topic 190973]

Viewing task results

You can view task results until the task result storage period expires.

You can modify the storage duration of task results.

It is not recommended to shorten the storage period of IOC scanning task results.

To view a task result:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. Select the task in the list and right-click to open the task action menu.
  4. Select the Results menu item.

This opens the Task result window.

See also

Viewing the task list

Removing tasks from the list

Running tasks manually

Modifying the task result storage time on the Administration Server

Managing database update tasks

Managing IOC scanning tasks

[Topic 191179]

Modifying the task result storage time on the Administration Server

By default, the task results are stored on the Administration Server for 7 days.

To modify the task result storage period on the Administration Server:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. Select the task in the list and right-click to open the task action menu.
  4. Select the Properties menu item.

    This opens the task properties window.

  5. In the left part of the window, select the Notification section.
  6. Under Save result information, make sure the On Administration Server for (days) check box is selected and enter the number of days you want the task result to be stored.
  7. Click Apply and OK.

It is not recommended to shorten the storage period of IOC scanning task results.

See also

Viewing the task list

Removing tasks from the list

Running tasks manually

Viewing task results

Managing database update tasks

Managing IOC scanning tasks

Page top

[Topic 190510]

Creating a database update task

To create a Kaspersky Endpoint Agent database update task in Kaspersky Security Center:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.
  3. Click New task.

    The task creation wizard starts.

  4. Select the Kaspersky Endpoint Agent task type block and the Databases and Modules Update task type.
  5. Click Next.

    The wizard for creating the database update task is started.

The database update task creation wizard consists of the following steps:

  1. Selecting a database update source

    Do the following:

    1. Under Database update source, select a database update source:
      • Kaspersky Security Center Administration Server
      • Kaspersky update servers
      • Custom HTTP or FTP servers or network folders
    2. If required, select the Use Kaspersky update servers if specified servers are not available check box.
    3. If you select Kaspersky update servers as the database update source and want to use a proxy server for database updates, under Update source connection, select the Use proxy server settings to connect to Kaspersky update servers check box.
    4. If you select Custom HTTP or FTP servers or network folders as database update source, do the following:
      1. Click the Custom HTTP or FTP servers or network folders link.
      2. Add update servers to the list:
        1. Click the Update servers button.
        2. In the new line, enter the address of the update server (HTTP or FTP), or the path to the network or local folder containing the update files.
        3. If you want to use the server for updating the databases, select the check box next to its IP address. You can also add servers to the list and clear the check boxes next to IP addresses of servers that you do not want to use right now but plan to use in the future.

          Do the same to add each server.

        4. Click OK.

          The Update servers window closes.
      3. To use a proxy server to connect to update servers, select the Use proxy server settings to connect to other servers check box in the Update source connection settings section.

  2. Configuring the application modules update settings

    Do the following:

    1. In the Update settings section, select the conditions for the application to check for the availability of application module updates:
      • Do not check for updates. Kaspersky Endpoint Agent will not check the availability of application module updates.
      • Only check for availability of critical software modules updates. Kaspersky Endpoint Agent will check the availability only for important application module updates.
      • Download and install critical application module updates. Kaspersky Endpoint Agent will check the availability of application module updates and download and install critical application module updates.
    2. If you want the application to display a notification about all scheduled application modules updates available in the update source, select the Receive information about available scheduled application module updates check box.

  3. Configuring the database update schedule

    Do the following:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list select one of the following options to run the tasks: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, 1 time per day or 2 times per week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to run missed database update tasks at the earliest opportunity, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task start time within the interval check box and specify the start interval in minutes.
    6. Click OK.

  4. Selecting devices to which the task is assigned

    This opens the device selection window; in that window, select devices to which you want to assign the task and click Next.

    For example, you can select the Assign the task to an administration group option and select an administration group from the list.

  5. Selecting the Kaspersky Security Center user account that you want to use to run the task

    In the Selecting an account to run the task window, do one of the following:

    • Select the default account and click Next.
    • Enter the user name and password to be used to run the task and click Next.

  6. Assigning a name to the task

    In the Set the task name window, in the Name field, enter the task name and click Next.

  7. Running the task immediately after it is created

    If you want the task to run immediately after it is created, select the Run task after the wizard finishes check box and click Finish.

See also

Configuring database update task settings

Page top

[Topic 190981]

Configuring database update task settings

You can configure database update task settings after the task is created.

To modify task settings:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. In the Update databases section, select the task in the list and right-click it to open the task action menu.
  4. Select the Properties menu item.

    This opens the task properties window.

  5. In the left part of the window, select the section of settings that you want to configure.
  6. In the right part of the window, make the necessary modifications and click Apply and OK.

You can configure the following task settings:

  1. Task name

    Do the following:

    1. Select the General section.
    2. Edit the name of the task in the top row.

  2. Devices to which the task is assigned

    The right part of the window displays current devices to which the task is assigned. If you want to add devices:

    1. Click Add.

      A window opens with a list of managed devices.

    2. Select check boxes next to devices that you want to add.
    3. If you want to add devices that are not in the list, click Add in the right part of the window and follow the steps to add devices.

      For example, you can enter the addresses of devices manually or import them from a list.

      You can specify NetBIOS names, DNS names, IP addresses, and ranges of IP addresses of devices to which you want to assign the task.

    For details on working with managed devices, refer to Kaspersky Security Center Help.

  3. Database update source

    Do the following:

    1. Under Database update source, select a database update source:
      • Kaspersky Security Center Administration Server
      • Kaspersky update servers
      • Custom HTTP or FTP servers or network folders
    2. If required, select the Use Kaspersky update servers if specified servers are not available check box.
    3. If you select Kaspersky update servers as the database update source and want to use a proxy server for database updates, under Update source connection, select the Use proxy server settings to connect to Kaspersky update servers check box.
    4. If you select Custom HTTP or FTP servers or network folders as database update source, do the following:
      1. Click the Custom HTTP or FTP servers or network folders link.
      2. Add update servers to the list:
        1. Click the Update servers button.
        2. In the new line, enter the address of the update server (HTTP or FTP), or the path to the network or local folder containing the update files.
        3. If you want to use the server for updating the databases, select the check box next to its IP address. You can also add servers to the list and clear the check boxes next to IP addresses of servers that you do not want to use right now but plan to use in the future.

          Do the same to add each server.

        4. Click OK.

          The Update servers window closes.
      3. To use a proxy server to connect to update servers, select the Use proxy server settings to connect to other servers check box in the Update source connection settings section.

  4. Configuring additional database update settings

    Do the following:

    1. In the Update settings section, select the conditions for the application to check for the availability of application module updates:
      • Do not check for updates. Kaspersky Endpoint Agent will not check the availability of application module updates.
      • Only check for availability of critical software modules updates. Kaspersky Endpoint Agent will check the availability only for important application module updates.
      • Download and install critical application module updates. Kaspersky Endpoint Agent will check the availability of application module updates and download and install critical application module updates.
    2. If you want the application to display a notification about all scheduled application modules updates available in the update source, select the Receive information about available scheduled application module updates check box.

  5. Database update schedule

    Do the following:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list select one of the following options to run the tasks: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, 1 time per day or 2 times per week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to run missed database update tasks at the earliest opportunity, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task start time within the interval check box and specify the start interval in minutes.
    6. Click OK.

  6. Kaspersky Security Center user account that you want to use to run the task

    In the Selecting an account to run the task window, do one of the following:

    • Select the default account and click Next.
    • Enter the name and password of the user account that you want to use for running the task.

  7. Storage duration of task results on the Administration Server

    Do the following:

    1. Select the Notification section.
    2. Under Save result information, make sure the On Administration Server for (days) check box is selected and enter the number of days you want the task result to be stored.

      By default, the task result is stored on the Administration Server for 7 days.

See also

Creating a database update task

Page top

[Topic 190511]

About autonomous IOC scanning tasks

Autonomous IOC Scan tasks are group tasks that are created automatically in response to the threats detected by Kaspersky Sandbox. Kaspersky Endpoint Agent generates the IOC file automatically. Operations with custom IOC files are not supported. Tasks are automatically deleted seven days after their last run, or seven days after creation if they were never run.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

Autonomous IOC scanning tasks are automatically created on the Kaspersky Security Center server if the Run IOC Scan on a managed group of devices Threat Response action is configured in Kaspersky Endpoint Security policies.

You can configure the IOC scanning task, view task results, and export a file with IOC rules (IOC collection).

By default, autonomous IOC scanning tasks are stored on the Kaspersky Security Center server for 7 days after last run. If the number of tasks exceeds 100, the tasks are rotated.

Kaspersky Endpoint Agent deletes the autonomous IOC scanning task regardless of which workstation the object was first detected on and whether the Threat Response action was executed. The deleted task becomes unavailable for all workstations in the administration group.

Unused autonomous IOC scanning tasks are deleted automatically. The user cannot configure settings of automatic IOC scanning task deletion.

If autonomous IOC scanning task deletion works incorrectly or you want to modify the behavior of the application, contact Kaspersky Technical Support.

By default, the autonomous IOC scanning task stores all types of events resulting from running group tasks. By default, IOC scanning task results are stored for 7 days.

See also

Configuring user permissions to manage IOC Scan tasks

Configuring an autonomous IOC scanning task

IOC collection export

Viewing IOC scanning task results

Page top

[Topic 191707]

Configuring user permissions to manage IOC Scan tasks

You must configure the permissions of the KSC user account that you want to use to manage IOC scanning tasks.

To configure permissions of a KSC user account for managing IOC scanning tasks:

  1. Open the KSC console.
  2. Select the Administration Server and right-click to open the Administration Server action menu.
  3. Select the Properties menu item.

    The properties window for the Administration Server opens.

  4. In the left part of the window, select the Security section.
  5. Select the KSC user account that you want to use to manage IOC scanning tasks.

    The lower part of the window displays a list of permissions of the selected user, grouped by application that the user can manage using the KSC.

  6. In the Kaspersky Endpoint Agent group of permissions expand the Host Intrusion Prevention section.
  7. Select the check boxes in the Allow column for the following types of permissions: Modify, Execute, and Perform actions on device selections.
  8. Click Apply and OK.

See also

About autonomous IOC scanning tasks

Configuring an autonomous IOC scanning task

IOC collection export

Viewing IOC scanning task results

Page top

[Topic 191489]

Configuring an autonomous IOC scanning task

To configure IOC scanning task settings:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. Under Run IOC scan, select the task in the list and right-click to open the task action menu.
  4. Select the Properties menu item.

    This opens the task properties window.

  5. In the left part of the window, select the section of settings that you want to modify.
  6. In the right part of the window, make the necessary modifications and click Apply and OK.

You can configure the following task settings:

  1. Task name

    Do the following:

    1. Select the General section.
    2. Edit the name of the task in the top row.

  2. Storage duration of task results on the Administration Server

    Do the following:

    1. Select the Notification section.
    2. Under Save result information, make sure the On Administration Server for (days) check box is selected and enter the number of days you want the task result to be stored.

      By default, the task result is stored on the Administration Server for 7 days.

  3. Application actions on IOC detection

    To configure the application actions on IOC detection:

    1. Select the IOC Scan settings section.
    2. In the Actions group of settings, select the Take response actions when indicator of compromise is found check box.
    3. Select the Quarantine and delete check box to quarantine the detected object and remove it from the device.
    4. Select the Send a command to Endpoint Protection Platform to scan the critical areas check box so that Kaspersky Endpoint Agent sends a command to EPP application to scan critical areas on all the devices of the administration group on which the object is detected.
    5. Click Apply.

  4. IOC scanning task schedule

    Do the following:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list select one of the following options to run the tasks: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, 1 time per day or 2 times per week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to run missed tasks at the earliest opportunity, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task start time within the interval check box and specify the start interval in minutes.
    6. Click OK.

  5. Selecting the Kaspersky Security Center user account that you want to use to run the task

    In the Selecting an account to run the task window, do one of the following:

    • Select the default account and click Next.
    • Enter the name and password of the user account that you want to use for running the task.

  6. Excluding host groups from task scope

    To exclude groups of devices from the task scope, in the Exclusions from task scope section, select the groups of devices to which the task will not be applied.

    You can only exclude groups that are subgroups of the administration group to which the task is applied.

See also

About autonomous IOC scanning tasks

Configuring user permissions to manage IOC Scan tasks

IOC collection export

Viewing IOC scanning task results

Page top

[Topic 236239]

IOC collection export

To export an IOC collection:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. Under Run IOC scan, select the task in the list and right-click to open the task action menu.
  4. Select the Properties menu item.

    This opens the task properties window.

  5. Select the IOC Scan settings section.
  6. In the IOC collection section, click Export.
  7. In the window that opens, specify the name of the file and select the folder where you want to save it.
  8. Click Save.

The application creates a ZIP file in the folder you specified.

Page top

[Topic 236247]

Viewing IOC scanning task results

To view the IOC Scan task results:

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select the Tasks folder.

    A list of tasks appears.

  3. Open the settings of the required task in one of the following ways:
    • Double-click the task name.
    • Open the policy context menu and select Properties.
    • Select a task and click Configure task in the right part of the window.
    This opens the Properties: <Task name> window.

  4. Select the Results section.
  5. In the Show task results for the device list, select the devices for which you want to view the results of IOC Scan tasks.
  6. To view detailed information for a specific task, double-click to expand it.
  7. To view detailed information about the detected indicator of compromise, click the Show card button.

The IOC detections card contains information about objects that matched the conditions of the IOC file, as well as the text of matched branches or individual conditions of that IOC file.

Viewing the IOC detections card is not available for IOC files that had no indicators of compromise when scanned.

Page top

[Topic 189732]

Interaction with external systems using the API

You can configure integration of Kaspersky Sandbox with external systems to scan files stored in such systems, and to provide access to scan results to the external systems. The application analyzes and evaluates file behavior in an isolated environment but does not establish whether the files contain malicious objects. As a result of the scan, the user of the external system is informed whether the behavior of the file appears suspicious. The user must make an independent decision on subsequent actions with regard to the file.

Interaction of external systems with Kaspersky Sandbox is enabled by a REST API interface. To connect the server to external systems, you must allow incoming connections for the Kaspersky Endpoint Security server on TCP port 443.

The application analyzes the header of the file and determines the format of the file, which does not necessarily match the extension of the file. For example, an attacker can send a virus or other malware in an executable file renamed to have the txt extension.

Objects from external systems are scanned only in Windows 7.

In this Help section

List of supported file formats

Scanning objects

Viewing scan results

Page top

[Topic 190979]

List of supported file formats

The following file formats can be scanned:

  • PE_EXE.
  • DOC.
  • DOCX.
  • DOTX.
  • DOCM.
  • DOTM.
  • XLS.
  • XLSX.
  • XLTX.
  • XLSM.
  • XLTM.
  • XLAM.
  • XLSB.
  • PPT.
  • PPTX.
  • POTX.
  • PPTM.
  • POTM.
  • PPSX.
  • PPSM.
  • RTF.
  • PDF.

Page top

[Topic 189762]

Scanning objects

Objects are scanned using the POST method.

Syntax

POST "sample=<path to the object> <URL of the Sandbox server>/sandbox/v1/tasks"

Example

curl -X POST https://api.example.com/sandbox/v1/tasks -F "sample=@/path/to/file.ext"

Returned value (return code: description)

200: This file has already been scanned. Possible values:

  • Not found: signs of malicious objects were not detected.
  • Found: signs of malicious objects were detected.

201: File successfully submitted for scanning. Identifier assigned to the task: task_id.

400: Invalid request.

500: Could not submit the file for scanning due to one of the following reasons:

  • No license key installed.
  • File size limit exceeded (60 MB).
  • File format not supported.
  • Request queue full.
  • Unknown error.

503: Server unavailable. Try to connect to a different server or try again later.

504: Server timeout. Try to connect to a different server or try again later.

Page top

[Topic 189763]

Viewing scan results

Scan results are viewed using the GET method.

Syntax

GET "<URI of the Sandbox server>/sandbox/v1/tasks/<task_id>"

Example

curl -X GET "https://api.example.com/sandbox/v1/tasks/c0999b05aca8ffd5692d4a13ad16281b"

Parameters (parameter, type: description)

task_id, string: Unique identifier of the task assigned when the object is submitted for scanning.

Returned value (return code: description)

200: Scan result received. The following values are possible:

  • Processing: the scan is in progress.
  • Found: signs of malicious objects were detected.
  • Not found: signs of malicious objects were not detected.
  • Error: an error occurred during the scan.

400: Invalid request.

404: Scan results for the specified identifier not found.

500: Error while receiving scan results. The following reasons are possible:

  • No license key installed.
  • Unknown error.

503: Server unavailable. Try to connect to a different server or try again later.

504: Server timeout. Try to connect to a different server or try again later.

Page top

[Topic 222476]

Multitenancy

Multitenancy is a mode in which the solution is used to protect the infrastructures of multiple organizations or branches of the same organization at the same time.

You can use Kaspersky Sandbox to simultaneously protect the infrastructure of multiple organizations or branches of the same organization (hereinafter also referred to as "tenants") using Kaspersky Security Center. To do so, you must create virtual Administration Servers for tenants that you want to protect with Kaspersky Sandbox within a physical Administration Server of the service provider. For more details about creating virtual Administration Servers, see Kaspersky Security Center Online Help. By configuring the structure of Administration Servers, you can use one of the following arrangements to integrate EPP applications, Kaspersky Security Center, and Kaspersky Sandbox:

The administrator of the physical Administration Server can manage all Kaspersky Sandbox servers and Kaspersky Endpoint Agent or Kaspersky Endpoint Security hosts. You can create tasks and policies that can be applied to hosts connected to virtual Administration Servers, manage quarantined files centrally, view information about objects being sent for scanning, and create threat reports on all Administration Servers. You can also manage the Kaspersky Sandbox server and hosts that are connected to it as part of a virtual Administration Server. In this case, all operations listed above are applied only to the selected server and Kaspersky Endpoint Agent or Kaspersky Endpoint Security hosts that connect to it.

The administrator of the virtual Administration Server can manage the Kaspersky Sandbox server only for the specific server that is administered by that administrator.

You can use Kaspersky Sandbox in multitenancy mode only using Kaspersky Security Center and following the integration arrangements outlined above. Kaspersky Sandbox web interface does not support enabling, disabling, or configuring the multitenancy mode. Kaspersky Sandbox features do not change in multitenancy mode.

In multitenancy mode, the administrator of the physical Administration Server can centrally manage the following functional areas of the solution:

  • Kaspersky Sandbox:
    • Tasks

      You can manage the tasks for adding a license key to Kaspersky Sandbox servers.

    • Reports

      You can view reports about the health of the application and detections.

    You can manage Kaspersky Sandbox in multitenancy mode only using Kaspersky Security Center Web Console.

  • Kaspersky Endpoint Agent or Kaspersky Endpoint Security:
    • Tasks

      You can manage database update tasks and IOC scanning tasks on hosts.

    • Policies

      You can use policies to manage the Kaspersky Sandbox integration settings, as well as Quarantine settings.

    • Reports

      You can view reports about the health of the application and detections.

    • Quarantine

      You can manage files quarantined as a result of the IOC scanning task.

    You can manage Kaspersky Endpoint Security in multitenancy mode only using Kaspersky Security Center Web Console.

Page top

[Topic 70331]

Contacting the Technical Support Service

This section describes the ways to get technical support and the terms on which it is available.

In this Help section

How to obtain Technical Support

Technical Support via Kaspersky CompanyAccount

Page top

[Topic 68247]

How to obtain Technical Support

If you cannot find a solution to your problem in the application documentation or in one of the sources of information about Kaspersky Sandbox, we recommend that you contact Technical Support. Technical Support will answer your questions about installing and using Kaspersky Sandbox.

Kaspersky supports Kaspersky Sandbox throughout its life cycle (see the application life cycle page). Before contacting Technical Support, please read the technical support rules.

You can contact Technical Support in one of the following ways:

Page top

[Topic 68417]

Technical Support via Kaspersky CompanyAccount

Kaspersky CompanyAccount is a portal for companies that use Kaspersky applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky specialists via online requests. The Kaspersky CompanyAccount portal lets you monitor the progress of electronic request processing by Kaspersky specialists and store a history of electronic requests.

You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also manage the privileges of these employees via Kaspersky CompanyAccount.

The portal Kaspersky CompanyAccount is available in the following languages:

  • English
  • Spanish
  • Italian
  • German
  • Polish
  • Portuguese
  • Russian
  • French
  • Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website.

Page top

[Topic 90]

Glossary

Kaspersky applications installed on workstations or servers in the organization's IT infrastructure to protect these devices from viruses and other information security threats. Hereinafter also referred to as "EPP".

Dump

Contents of the working memory of a process or the entire RAM of the operating system at a specific point of time.

End User License Agreement

A binding agreement between you and AO Kaspersky Lab that stipulates the terms on which you may use the application.

IOC

Indicator of Compromise. A set of data about a malicious object or activity.

IOC file

An IOC file contains a collection of Indicators of Compromise.

IOC scanning

Kaspersky Endpoint Security Threat Response action for responding to threats detected by Kaspersky Sandbox. It is configured in Kaspersky Security Center policies.

If a threat is detected on any of the workstations in an administration group for which you are configuring the policy, Kaspersky Endpoint Security scans all workstations in the administration group, looking for objects that contain the detected threat.

Kaspersky Endpoint Security

The application that forms part of the Kaspersky Sandbox solution. It is installed on workstations and servers in your corporate LAN, provides comprehensive protection of workstations against various threats, network attacks and fraud, and performs the Automatic Threat Response actions configured in Kaspersky Security Center policies.

Kaspersky Endpoint Security policies

A collection of Kaspersky Endpoint Security settings. Configured in Kaspersky Security Center for workstations that are part of an administration group.

Kaspersky Sandbox

Solution that detects and automatically blocks advanced threats on client devices (workstations, computers, servers).

Also the application that forms part of the Kaspersky Sandbox solution and is responsible for the server part of the solution. It is installed on one or more servers in your corporate LAN. Servers can be combined into a cluster. On Kaspersky Sandbox servers, virtual images of Microsoft Windows operating systems are deployed for running the objects that need to be scanned. Kaspersky Sandbox analyzes the behavior of the objects to detect malicious activity and advanced threats in the corporate IT infrastructure.

Kaspersky Security Network (KSN)

An infrastructure of cloud services that provides access to the online Knowledge Base of Kaspersky which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.

OpenIOC

An open XML-based standard for describing Indicators of Compromise (IOC) that defines over 500 different indicators of compromise.
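As an added example (not Kaspersky code), the following Python evaluates an OpenIOC indicator tree against per-object file metadata, the kind of check an IOC scan described above performs on each object. The IOC file is constructed, its layout assumes the OpenIOC 1.0 schema, and the hash value is a placeholder.

```python
# Added example, not Kaspersky code: evaluate a minimal OpenIOC 1.0 indicator tree
# against per-object metadata, the kind of check an IOC scan performs on each file.
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC file (assumed OpenIOC 1.0 layout); the hash is a placeholder.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-4000-8000-000000000001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">invoice</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileExtension" type="mir"/>
          <Content type="string">exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def _item_matches(item, obj):
    # One IndicatorItem: compare the object attribute named by Context/@search.
    search = item.find("ioc:Context", NS).get("search")
    content = (item.find("ioc:Content", NS).text or "").strip().lower()
    if obj.get(search) is None:            # attribute not collected: no match
        return False
    value, cond = str(obj[search]).lower(), item.get("condition", "is")
    if cond == "is":
        return value == content
    if cond == "contains":
        return content in value
    raise ValueError(f"unsupported condition: {cond}")

def _indicator_matches(indicator, obj):
    # Combine child results with the Indicator's AND/OR operator; an empty tree never matches.
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            results.append(_item_matches(child, obj))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, obj))
    is_and = indicator.get("operator", "OR").upper() == "AND"
    return bool(results) and (all(results) if is_and else any(results))

def ioc_matches(ioc_xml, obj):
    # True when the object's metadata satisfies the IOC's top-level Indicator.
    return _indicator_matches(ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS), obj)
```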

Tracing

Running an application for debug purposes involving stopping execution after each instruction and displaying the result of that step.

[Topic 190324]

Network Agent

Interaction between the Administration Server and devices is provided by the Network Agent, which is a component of Kaspersky Endpoint Security. Network Agent must be installed on all devices on which Kaspersky Security Center is used to manage Kaspersky Endpoint Security.

Network Agent is installed to a device as a service with the following set of attributes:

  • Uses the "Kaspersky Security Center <version of Kaspersky Security Center> Network Agent" name (for example, "Kaspersky Security Center 12 Network Agent").
  • Set to automatically start when the operating system starts.
  • Uses the LocalSystem account.

The device on which the Network Agent is installed is called a managed device.

You can install the Network Agent for managing the Kaspersky Endpoint Security application on Windows devices.

You do not need to install the Network Agent on devices that have Administration Server installed because the server version of the Network Agent is automatically installed with the Administration Server.

The name of the process that starts the Network Agent is klnagent.exe.

Network Agent synchronizes managed devices with the Administration Server. The recommended value for synchronization period (periodic signal) is 15 minutes per 10,000 managed devices.

See also

Virtual Administration Server

Administration group

Tasks

Administration Console

Multitenancy

Managed device

Scope of the task

Management plug-in

Policies

Policy profile

Administration Server

Tenant

[Topic 223821]

Virtual Administration Server

Kaspersky Security Center application component designed for managing the network protection system for a client organization.

A Virtual Administration Server is a special case of a secondary Administration Server and has the following main limitations compared to a physical Administration Server:

  • A Virtual Administration Server can function only as part of the primary Administration Server.
  • A Virtual Administration Server uses the main database of the Administration Server. A Virtual Administration Server does not support backup and restore tasks, or update download and scan tasks.
  • A Virtual Administration Server does not support creating secondary Administration Servers (including virtual servers).

[Topic 190325]

Administration group

An administration group is a set of client devices combined on the basis of a specific trait for the purpose of managing the grouped devices as a single unit.

All client devices within a group are configured to do the following:

  • Use the same application settings, which are defined in group policies.
  • Use the same operating mode for all applications by creating group tasks with certain settings. Examples of group tasks include creating and installing the same installation package, updating databases and application modules, on-demand scan of a device, and enabling real-time protection.

A client device can be included in only one administration group.

You can create hierarchies with arbitrary nesting depth for Administration Servers and administration groups. A single hierarchy level can include secondary and virtual Administration Servers, groups, and client devices. You can move devices between groups without relocating them physically. For example, if an employee moves from accounting to a developer position, you can move this person's computer from the "Accountants" administration group to the "Developers" administration group. The application settings required for the developer role are then sent to the computer automatically.

[Topic 190334]

Tasks

Kaspersky Security Center manages Kaspersky applications installed on devices by creating and running tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and software modules, and taking other actions on applications.

You can create a task for an application only if a management plug-in is installed for that application.

Tasks can be performed on the Administration Server and on devices.

The following tasks are performed on the Administration Server:

  • Automatic delivery of reports.
  • Downloading updates to the repository of the Administration Server.
  • Backup of Administration Server data.
  • Maintenance of the database.
  • Windows Update synchronization.
  • Creation of an installation package based on the OS image of a reference device.

The following types of tasks are performed on devices:

  • Local tasks are tasks that are performed on a specific device.

    Local tasks can be modified either by the administrator using the Administration Console, or by the user of a remote device (for example, through the security application interface). If a local task has been simultaneously modified by the administrator and the user of a managed device, the changes made by the administrator will take effect as they have a higher priority.

  • Group tasks are tasks that are performed on all devices of the specified group.

    If not otherwise specified in the task properties, a group task also applies to subgroups of the specified group. Group tasks can optionally also apply to devices that are connected to secondary and virtual Administration Servers in that group and its subgroups.

  • Global tasks are tasks that are performed on selected devices regardless of whether they are included in any administration groups.

For each application, you can create any number of group tasks, tasks for specific devices, or local tasks.

You can make changes to the settings of tasks, view the tasks' progress, and copy, export, import, and delete them.

Tasks are started on a device only if the application for which the task was created is running.

Results of completed tasks are saved in the event logs of Microsoft Windows and Kaspersky Security Center, both centrally on the Administration Server and locally on each device.

Do not use private data in task settings. For example, avoid specifying the domain administrator password.

[Topic 190340]

Administration Console

The Administration Console (also referred to as the "KSC Console") is a Kaspersky Security Center application component that provides a user interface for the administration services of the Administration Server and the Network Agent.

Multitenancy

A mode in which Kaspersky Sandbox is used to protect the infrastructures of multiple organizations or branches of the same organization at the same time.

[Topic 190326]

Managed device

A managed device is a Windows device (workstation, computer, server) that has the Network Agent installed. You can manage such devices using tasks and policies for Kaspersky applications installed on the devices. You can also generate reports for managed devices.

You can configure a managed device to work as a distribution point and connection gateway.

A device can only be managed by a single Administration Server. One Administration Server can support up to 100,000 devices.

[Topic 190335]

Scope of the task

Scope of the task is the subset of devices on which the task is performed. There are the following types of task scope:

  • Local task. The scope of the task is the device itself.
  • Administration Server task. The scope of the task is the Administration Server.
  • Group task. The scope of the task is the list of devices belonging to the group.
  • Global task. The scope of the task can be configured using various methods, for details see the Kaspersky Security Center Help.

[Topic 190327]

Management plug-in

Kaspersky applications are managed through Administration Console by using management plug-ins. Each Kaspersky application that can be managed through Kaspersky Security Center includes a management plug-in.

Using the application management plug-in, you can perform the following actions in Administration Console:

  • Creating and editing application policies and settings, as well as the settings of application tasks.
  • Obtaining information about application tasks, application events, as well as application operation statistics received from client devices.

[Topic 190328]

Policies

A policy is a collection of application settings that are defined for an administration group. The policy does not define all application settings.

For an application, you can configure several policies with different values. However, at any particular moment, only one policy can be active for an application in the administration group.

You can enable a disabled policy when a certain event occurs. This means, for example, that during a virus epidemic you can enable settings for stronger anti-virus protection.

An application can run under different settings for different administration groups. Each group can have its own policy for an application.

The application settings are defined by the policy settings and the task settings.

Nested groups and secondary Administration Servers inherit the tasks from groups that belong to higher hierarchy levels.

You can find the Inherit settings from parent policy setting in the inherited policy properties window in the Settings inheritance group under the General section. You can disable inheritance from parent policy at any time if this ability is not locked by a higher-level policy.

In the Application settings section, you can lock settings that may not be modified in child policies. Each setting in a policy has a "lock" attribute, displayed as an open or a closed lock icon. The lock icon shows whether you can modify policy settings for nested groups and subordinate Administration Servers.

[Topic 190329]

Policy profile

You may need to create several copies of a policy for different administration groups; you may also need to modify settings of these policies in a centralized way. These copies can differ by one or two settings. For example, all accountants in the organization are governed by the same policy, but senior accountants are allowed to use USB drives, and junior accountants are not allowed to. In this case, applying policies to devices solely through the administration group hierarchy might prove inconvenient.

To avoid creating several copies of the same policy, Kaspersky Security Center lets you create policy profiles. Policy profiles allow devices within a single administration group to run under different policy settings.

A policy profile is a named subset of policy settings. This subset of settings is applied to devices with the policy and supplements the policy if a certain condition is fulfilled; this condition is called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device. When the profile is activated, the settings of the "basic" policy governing the device are amended. Those settings take values that have been specified in the profile.
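The policy inheritance, lock and profile rules from the Policies and Policy profile entries, as an added illustrative model in Python (not Kaspersky Security Center's own implementation); the policy, setting and device tag names are constructed for the accountants scenario above.

```python
# Added illustrative model, not Kaspersky Security Center code: how locked parent-policy
# settings and policy profiles combine into the settings a managed device receives.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Policy:
    settings: dict
    locked: set = field(default_factory=set)   # settings whose "lock" is closed
    parent: Optional["Policy"] = None           # policy of the parent administration group

    def locked_names(self) -> set:
        # A lock set anywhere up the hierarchy stays in force for every nested group.
        inherited = self.parent.locked_names() if self.parent else set()
        return inherited | self.locked

    def effective(self) -> dict:
        # Child values override parent values, except where the parent locked the setting.
        if self.parent is None:
            return dict(self.settings)
        parent_eff = self.parent.effective()
        merged = {**parent_eff, **self.settings}
        for name in self.parent.locked_names():
            if name in parent_eff:
                merged[name] = parent_eff[name]
        return merged

@dataclass
class PolicyProfile:
    name: str
    overrides: dict                        # only the settings that differ from the basic policy
    activation: Callable[[dict], bool]     # profile activation condition on device attributes

def device_settings(policy: Policy, profiles: list, device: dict) -> dict:
    # Basic policy settings, amended by each profile whose activation condition holds.
    eff = policy.effective()
    for profile in profiles:
        if profile.activation(device):
            eff.update(profile.overrides)
    return eff

# Constructed data mirroring the accountants scenario: setting and tag names are assumed.
ROOT = Policy({"file_threat_protection": True, "usb_drives_allowed": False},
              locked={"file_threat_protection"})
ACCOUNTANTS = Policy({"file_threat_protection": False,   # has no effect: locked above
                      "usb_drives_allowed": False}, parent=ROOT)
SENIOR = PolicyProfile("Senior accountants", {"usb_drives_allowed": True},
                       activation=lambda d: "senior" in d.get("tags", ()))

def resolve(device: dict) -> dict:
    return device_settings(ACCOUNTANTS, [SENIOR], device)
```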

[Topic 190323]

Administration Server

The component of Kaspersky Security Center that is responsible for centralized storage of information about Kaspersky applications installed on the company network. These applications can also be managed by Administration Server.

Tenant

An individual organization or branch of an organization to which Kaspersky Sandbox is being provided.

[Topic 223740]

Information about third-party code

Information about third-party code is listed in the legal_notices.txt file that you can find on the drive with the installed Kaspersky Sandbox application in the opt\kaspersky\apt-core\share folder.

[Topic 189501]

Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Adobe is either a registered trademark or a trademark of Adobe in the United States and/or other countries.

AMD is a trademark or registered trademark of Advanced Micro Devices, Inc.

Android is a trademark of Google LLC.

Microsoft, Windows, and Windows Server are trademarks of the Microsoft group of companies.

CentOS is a trademark of Red Hat, Inc.

VMware ESXi is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.