Using the application in Endpoint Detection and Response Agent mode

Kaspersky Endpoint Security in Endpoint Detection and Response Agent mode lets you use the functionality of Kaspersky Detection and Response solutions to protect devices on which third-party anti-virus applications are installed.

In Endpoint Detection and Response Agent mode, the standard protection and control components of Kaspersky Endpoint Security are not used to protect the device. A third-party anti-virus application provides the standard device protection. Kaspersky Endpoint Security in Endpoint Detection and Response Agent mode continuously monitors processes running on the device, open network connections, and files being modified, and provides integration with the following Detection and Response solutions:

Kaspersky Endpoint Security 12.4 for Linux can work together with the Dr. Web anti-virus application. You can install Kaspersky Endpoint Security in Endpoint Detection and Response Agent mode on a device with the Dr. Web anti-virus application.

The applications must be installed in the following order: first, the third-party anti-virus application, then Kaspersky Security Center Network Agent, then the Kaspersky Endpoint Security application in the Endpoint Detection and Response Agent mode. This is important because the installer of a third-party application might identify Kaspersky applications as incompatible software and remove them. After updating a third-party application on the device, we recommend confirming that Kaspersky Endpoint Security and Network Agent are operating normally, because the installer of the third-party application re-checks the device for incompatible software and may remove Kaspersky applications.
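The check recommended above after a third-party application update can be scripted. The following is an added example, not part of the Kaspersky documentation: it confirms that the kesl-control utility is still present and answers --app-info, and that the services are running. The systemd unit names kesl and klnagent64 and the variable names are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example: confirm that Kaspersky Endpoint Security and Network Agent
# survived an update of the third-party anti-virus application.
# Assumptions (not from the page): a systemd host and the unit names below.
KESL_CONTROL="${KESL_CONTROL:-kesl-control}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
KESL_UNITS="${KESL_UNITS:-kesl klnagent64}"

# Prints one line per check; returns 0 only if every check passes.
check_edr_agent() {
    failures=0

    # 1. The control utility must still be installed, and
    # 2. it must answer the --app-info query named on this page.
    if ! command -v "$KESL_CONTROL" >/dev/null 2>&1; then
        echo "FAIL: $KESL_CONTROL not found (application removed?)"
        failures=$((failures + 1))
    elif ! app_info=$("$KESL_CONTROL" --app-info 2>&1) || [ -z "$app_info" ]; then
        echo "FAIL: $KESL_CONTROL --app-info returned an error or no data"
        failures=$((failures + 1))
    else
        echo "OK: $KESL_CONTROL --app-info responded"
    fi

    # 3. Each service must be active.
    for unit in $KESL_UNITS; do
        if "$SYSTEMCTL" is-active --quiet "$unit" 2>/dev/null; then
            echo "OK: service $unit is active"
        else
            echo "FAIL: service $unit is not active or cannot be queried"
            failures=$((failures + 1))
        fi
    done

    [ "$failures" -eq 0 ]
}
```

Source the file and call check_edr_agent from the job that updates the third-party application; a non-zero return means at least one component needs attention.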

Configuring the application in Endpoint Detection and Response Agent mode

If you want to use Kaspersky Endpoint Security in Endpoint Detection and Response Agent mode, you need to do the following:

  1. Install Kaspersky Endpoint Security in Endpoint Detection and Response Agent mode on each virtual machine that you want to protect.

    You can query the information about the application mode on the command line by running the kesl-control --app-info command.

  2. Activate the application. You need to add a separate license key to the application, "Kaspersky Endpoint Detection and Response Expert (on-premise) Add-on" (hereinafter also referred to as the "EDR Expert (on-premise) key").

    To activate the application in Endpoint Detection and Response Agent mode, you only need the key for additional functionality. You do not need to add the main license key to the application.

  3. Enable integration with the Detection and Response solutions that you want to use to protect the device:

    You can check the status of the EDR Expert (on-premise) and NDR (KATA) components:

    • In the device properties in the Web Console (Assets (Devices) → Managed devices → <device name> link → Applications → <name of the Kaspersky Endpoint Security application> link → General → Components).
    • On the command line by running the following command: kesl-control --app-info.

Special considerations involved in using the application in Endpoint Detection and Response Agent mode

If Kaspersky Endpoint Security is being used in Endpoint Detection and Response Agent mode, only a limited subset of application components and tasks is available. After installation, the application settings are as follows:

When integrated with Kaspersky Endpoint Detection and Response Expert (on-premise) or with Kaspersky Endpoint Detection and Response (KATA), as part of a threat response action, Kaspersky Endpoint Security can control the launch of executable files and scripts on the device. The functionality of Execution prevention for objects is available with the following limitations:
