Endpoint Detection and Response

for Windows, macOS, and Linux

Kaspersky Endpoint Security includes a built-in agent for the Kaspersky Endpoint Detection and Response Optimum solution (hereinafter also "EDR Optimum"). Kaspersky Endpoint Detection and Response is a range of solutions for protecting the corporate IT infrastructure from advanced cyber threats. The functionality of the solutions combines automatic detection of threats with the ability to react to these threats to counteract advanced attacks including new exploits, ransomware, fileless attacks, as well as methods using legitimate system tools.

Kaspersky Endpoint Detection and Response analyzes potentially dangerous activity on user devices and provides Security officers or the Administrator with information about the possible attack to take timely response actions or automatically applies configured response actions.

You must enable the following components for Endpoint Detection and Response to work:

File Threat Protection.
Web Threat Protection.
Mail Threat Protection.
Exploit Prevention.
Behavior Detection.
Host Intrusion Prevention.
Remediation Engine.

Adaptive Anomaly Control.

Endpoint Detection and Response component settings

Settings	OS	Description
Enable advanced system activity logging	`Windows` `macOS` `Linux`	This setting helps ensure the correctness of the Retrospective IOC Scan task. It is associated with significant computer resource usage.
Network Isolation	`Windows` `macOS` `Linux`	Automatic isolation of the computer from the network in response to detected threats. When network isolation is turned on, the application severs all active connections and blocks all new TCP/IP connections on the computer. The application leaves only the following connections active: Connections listed in Network isolation exclusions. Connections initiated by Kaspersky Endpoint Security services. Connections initiated by the Kaspersky Security Center Network Agent.
Automatically unlock isolated device in (hours)	`Windows` `macOS` `Linux`	Network isolation can be turned off automatically after a specified time or manually. By default, Kaspersky Endpoint Security turns off Network isolation 2 hours after the start of the isolation.
Network isolation exclusions	`Windows` `macOS` `Linux`	List of rules for exclusions from network isolation. Network connections that match the rules are not blocked on computers when Network isolation is turned on. To configure Network isolation exclusions, you can use a list of standard network profiles. By default, exclusions include network profiles containing rules that ensure uninterrupted operation of devices with the DNS/DHCP server and DNS/DHCP client roles. You can also modify the settings of standard network profiles or define exclusions manually. Exclusions specified in policy properties are applied only if Network isolation is turned on automatically in response to a detected threat. Exclusions specified in computer properties are applied only if Network isolation is turned on manually in computer properties in the Kaspersky Security Center console or in alert details.
Execution Prevention	`Windows` `macOS` `Linux`	Control the execution of executable files and scripts and opening of office format files. For example, you can prevent the execution of applications that are considered insecure on the selected computer. Execution prevention supports a set of office file extensions and a set of script interpreters. To use Execution prevention component, you need to add execution prevention rules.
Action on execution or opening of forbidden object	`Windows` `macOS` `Linux`	Block and add to event log. In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Windows event log and Kaspersky Security Center event log. Add to event log. In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center, but does not block the attempt to run or open the object or document. This mode is selected by default.
Execution prevention rules	`Windows` `macOS` `Linux`	Execution prevention rule is a set of criteria that the application takes into account when reacting to an object execution, for example when blocking object execution. The application identifies files by their paths or checksums calculated using MD5 and SHA256 hashing algorithms.
Use case-sensitive path	`Linux`	If this check box is selected, the application will treat rule creation as case-sensitive when creating execution prevention rules.
Cloud Sandbox	`Windows` `macOS` `Linux`	Cloud Sandbox is a technology that lets you detect advanced threats on a computer. Kaspersky Endpoint Security automatically forwards detected files to Cloud Sandbox for analysis. Cloud Sandbox runs these files in an isolated environment to identify malicious activity and decides on their reputation. Data on these files is then sent to Kaspersky Security Network. Therefore, if Cloud Sandbox has detected a malicious file, Kaspersky Endpoint Security will perform the appropriate action to eliminate this threat on all computers where this file is detected. A KSN connection is necessary to get information about the objects being analyzed.

Page top