Kaspersky Endpoint Security for Windows includes a built-in agent for integration with Kaspersky Sandbox solution. The Sandbox component detects and automatically blocks advanced threats on computers. Sandbox analyzes object behavior to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure of the organization. Sandbox analyzes and scans objects on special servers with deployed virtual images of Microsoft Windows operating systems (the Sandbox servers). For details about the solution, please refer to the Kaspersky Sandbox Help and Kaspersky Anti Targeted Attack Platform Help.
Starting with version 12.7, Kaspersky Endpoint Security for Windows supports the Sandbox component that is part of the Kaspersky Anti Targeted Attack Platform solution. In contrast to the Kaspersky Sandbox solution, the KATA Sandbox component only allows scanning files manually from the file context menu.
KATA Sandbox requires Kaspersky Anti Targeted Attack Platform 7.0 or later to be deployed.
The component can be managed only using the Kaspersky Security Center Web Console. You cannot manage this component using the Administration Console (MMC).
Sandbox component settings
Parameter | Description |
---|---|
Integration mode | |
Server TLS certificate | To configure a trusted connection with the Sandbox server, you must prepare a TLS certificate. You must then add the certificate to the computer using a policy. You also need to add the certificate to the Sandbox server. If you selected the KATA Sandbox (manual file submission for scanning) type, you must add the certificate to the Central Node server. |
Server connection settings | Timeout. Connection timeout for the Sandbox server. After the configured timeout elapses, Kaspersky Endpoint Security sends the request to the next server. You can increase the connection timeout for the server if your connection speed is low or if the connection is unstable. The recommended request timeout is 0.5 seconds or less. Request queue. Size of the request queue folder. When sending multiple objects for scanning in Sandbox, Kaspersky Endpoint Security creates a request queue. By default, the size of the request queue folder is limited to 100 MB. After the maximum size is reached, Sandbox stops adding new requests to the queue and sends the corresponding event to Kaspersky Security Center. You can configure the size of the request queue folder depending on your server configuration. Server TLS certificate. To configure a trusted connection with the Sandbox server, you must prepare a TLS certificate. You must then add the certificate to the computer using a policy. You also need to add the certificate to the Sandbox server. Use two-way authentication (only for KATA Sandbox). Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the Central Node server. To use two-way authentication, you need to enable two-way authentication in the Central Node server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Sandbox server settings, you also need to enable two-way authentication in the Kaspersky Endpoint Security settings and load the password-protected crypto-container. |
Servers | Sandbox server connection settings. The servers use deployed virtual images of Microsoft Windows operating systems to run the objects that need to be scanned. You can enter an IP address (IPv4 or IPv6) or a fully qualified domain name. |
Action on threat detection | Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine. Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors. Create IOC scan task. If this option is selected, Kaspersky Endpoint Security automatically creates the IOC Scan task (an autonomous IOC scan task). For this task, you can configure the run mode, scan scope, and action on IOC detection: delete object, run the Critical Areas Scan task. To modify other settings of the IOC Scan task, go to the task settings. |
IOC scan scope | Critical file areas. If this option is selected, Kaspersky Endpoint Security does an IOC scan only in critical file areas of the computer: kernel memory and boot sectors. File areas on system drives of the computer. If this option is selected, Kaspersky Endpoint Security does an IOC scan on the system drive of the computer. |
Run IOC scan task | Manually. Run mode in which you can start the IOC Scan task manually at a time that is convenient for you. After threat is detected. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task automatically whenever a threat is detected. Run only when the computer is idle. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task if the screensaver is active or the screen is locked. If the user unlocks the computer, Kaspersky Endpoint Security pauses the task. This means that the task can take several days to complete. |
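The table describes two limits that interact when objects are sent for analysis: the per-server connection timeout (after which the request moves to the next configured server) and the request queue folder cap (100 MB by default, after which new requests are refused and an event is sent to Kaspersky Security Center). The following Python model is an added example, not Kaspersky code: it simulates those two documented rules with constructed host names, object sizes and latencies, so an administrator can reason about what a slow first server or an undersized queue does to submissions before tuning the settings.

```python
"""Simulation of the Sandbox request queue and server failover behaviour
described in the settings table above.

Added example, not Kaspersky code. It models the documented rules (a request
queue folder capped at 100 MB by default; a per-server connection timeout
after which the next configured server is tried) with constructed server
names, object sizes and latencies. Nothing here opens a real connection."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_QUEUE_LIMIT_BYTES = 100 * 1024 * 1024  # documented default: 100 MB
RECOMMENDED_TIMEOUT_S = 0.5                    # documented recommendation


@dataclass
class ScanRequest:
    """An object queued for Sandbox analysis (name and on-disk size)."""
    name: str
    size_bytes: int


@dataclass
class RequestQueue:
    """Request queue folder with a size cap.

    When adding a request would exceed the cap, the request is refused and an
    event is recorded, mirroring the event KES sends to Security Center."""
    limit_bytes: int = DEFAULT_QUEUE_LIMIT_BYTES
    items: List[ScanRequest] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    def used_bytes(self) -> int:
        return sum(r.size_bytes for r in self.items)

    def enqueue(self, req: ScanRequest) -> bool:
        if self.used_bytes() + req.size_bytes > self.limit_bytes:
            self.events.append(f"request queue full, not queued: {req.name}")
            return False
        self.items.append(req)
        return True


# A probe reports how long a server took to accept a request, in seconds.
# In this simulation it reads a constructed latency table, not a real socket.
Probe = Callable[[str, ScanRequest], float]


def submit_with_failover(servers: List[str], req: ScanRequest, probe: Probe,
                         timeout_s: float = RECOMMENDED_TIMEOUT_S
                         ) -> Tuple[Optional[str], List[str]]:
    """Offer the request to each server in order.

    A server that answers within the timeout accepts the request; otherwise
    the next server in the list is tried. Returns the accepting server (None
    if every server timed out) and the list of servers that were tried."""
    tried: List[str] = []
    for server in servers:
        tried.append(server)
        if probe(server, req) <= timeout_s:
            return server, tried
    return None, tried


def drain(queue: RequestQueue, servers: List[str], probe: Probe,
          timeout_s: float = RECOMMENDED_TIMEOUT_S) -> Dict[str, Optional[str]]:
    """Submit every queued request and return {request name: accepting server}.

    Requests that no server accepted map to None and remain queued for retry."""
    results: Dict[str, Optional[str]] = {}
    remaining: List[ScanRequest] = []
    for req in queue.items:
        server, _ = submit_with_failover(servers, req, probe, timeout_s)
        results[req.name] = server
        if server is None:
            remaining.append(req)
    queue.items = remaining
    return results


# Constructed sample data: hypothetical host names and latencies.
SAMPLE_SERVERS = ["sandbox-1.example.local", "sandbox-2.example.local"]
SAMPLE_LATENCY_S = {"sandbox-1.example.local": 1.2,  # slow link, exceeds 0.5 s
                    "sandbox-2.example.local": 0.1}


def sample_probe(server: str, req: ScanRequest) -> float:
    return SAMPLE_LATENCY_S[server]


if __name__ == "__main__":
    q = RequestQueue(limit_bytes=1024 * 1024)  # 1 MB cap for the demonstration
    q.enqueue(ScanRequest("installer.exe", 600 * 1024))
    q.enqueue(ScanRequest("archive.zip", 500 * 1024))  # refused: would exceed cap
    print(q.events)
    print(drain(q, SAMPLE_SERVERS, sample_probe))
```

Raising the timeout, as the table suggests for slow or unstable links, changes which server accepts the request in this model (`sandbox-1` would accept at a 1.5 s timeout), while the queue cap is independent of the servers entirely: a refused request is never retried by the queue, which is why the event sent to Security Center is worth alerting on.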