Configuring Threat Response actions

If Sandbox detects malicious activity, Kaspersky Endpoint Security performs a Threat Response action automatically (for example, it deletes the object and initiates a Critical Areas Scan).

To configure Threat Response actions:

  1. In the main window of the Web Console, select DevicesPolicies & profiles.
  2. Click the name of the Kaspersky Endpoint Security policy.

    The policy properties window opens.

  3. Select the Application settings tab.
  4. Go to Detection and ResponseSandbox.
  5. Select the relevant action in the Action on threat detection block:
    • Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
    • Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
    • Create IOC scan task. If this option is selected, Kaspersky Endpoint Security automatically creates the IOC Scan (autonomous IOC scan task). For this task, you can configure the run mode, scan scope, and action on IOC detection: delete object, run the Critical Areas Scan task. To modify other settings of the IOC Scan task, go to the task settings.
  6. If necessary, configure the IOC Scan task settings in the IOC scan scope block.
    • Critical file areas. If this option is selected, Kaspersky Endpoint Security does an IOC scan only in critical file areas of the computer: kernel memory and boot sectors.
    • File areas on system drives of the computer. IF this option is selected, Kaspersky Endpoint Security does an IOC scan on the system drive of the computer.
  7. If necessary, configure the IOC Scan task settings in the Run IOC scan task block.
    • Manually. Run mode in which you can start the IOC Scan task manually at a time when it is convenient for you.
    • After threat is detected. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task automatically whenever a threat is detected.
    • Run only when the computer is idle. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task if the screensaver is active or the screen is locked. If the user unlocks the computer, Kaspersky Endpoint Security pauses the task. This means that the task can take several days to complete.
  8. Configure advanced task settings for IOC Scan.
  9. Save your changes.
Page top