If joint operation with EPP applications is configured in Kaspersky Industrial CyberSecurity for Networks, you can manually trigger the following response actions on devices:
After enabling network isolation of a device, the Endpoint Agent software component terminates all active TCP/IP network connections on the device and blocks all new ones, except for the following connections:
Device network isolation remains active until network isolation is disabled in Kaspersky Industrial CyberSecurity for Networks. If network isolation is not manually disabled, it will be disabled automatically 9,999 hours after it is enabled.
You can configure rules to block the launch of executable files and scripts, as well as the opening of office format files on selected devices. For example, you can block the launch of applications that you consider insecure on a selected device running the Endpoint Agent software component. The application identifies files by their file path or checksum using the MD5 and SHA256 hashing algorithms.
In the event of launch blocking, the user is notified about the triggered launch blocking rule. If the device user does not close the pop-up notification, it will close automatically 60 seconds after it appears.
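To illustrate the difference between a path-based and a checksum-based launch blocking rule described above, here is an added example that is not Kaspersky's code: it models a simplified, hypothetical rule format (`BlockRule`), computes MD5 and SHA256 of a file, and shows that renaming the file defeats a path rule but not a hash rule.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

@dataclass
class BlockRule:
    """Constructed rule model: match by path OR by MD5 / SHA256 hex digest."""
    path: Optional[str] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None

def normalize_path(path: str) -> str:
    # Windows paths are case-insensitive, so compare a canonical form.
    return os.path.normcase(os.path.abspath(path))

def file_digests(path: str) -> dict:
    """MD5 and SHA256 of a file computed in one streaming pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def matching_rule(path: str, rules: list) -> Optional[BlockRule]:
    """First rule that blocks the launch of `path`, or None if it is allowed."""
    digests, norm = file_digests(path), normalize_path(path)
    for rule in rules:
        if (rule.path is not None and normalize_path(rule.path) == norm
                or rule.md5 is not None and rule.md5.lower() == digests["md5"]
                or rule.sha256 is not None and rule.sha256.lower() == digests["sha256"]):
            return rule
    return None

def demo() -> dict:
    """Constructed scenario: one file, a path rule and a hash rule, then a rename."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "untrusted.exe")
        with open(original, "wb") as f:
            f.write(b"MZ constructed sample, not a real executable\n")
        path_rule = BlockRule(path=original)
        hash_rule = BlockRule(sha256=file_digests(original)["sha256"])
        renamed = os.path.join(d, "renamed.exe")
        os.rename(original, renamed)
        # After the rename the path rule no longer matches; the hash rule still does.
        return {"path_rule_blocks": matching_rule(renamed, [path_rule]) is not None,
                "hash_rule_blocks": matching_rule(renamed, [hash_rule]) is not None}
```

The converse also holds: any change to the file's contents produces a new checksum, so a hash rule stops matching while a path rule still does, which is why both rule types are useful together.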
Quarantine is a designated local storage area on a device running the Endpoint Agent software component that holds files that are potentially infected with viruses or that could not be disinfected at the time of detection. Quarantined files are stored in encrypted form and do not pose a threat to device security.
On the computer with Kaspersky Endpoint Agent, the local quarantine storage is located by default in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<version>\Quarantine folder. By default, objects restored from quarantine are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<version>\Restore folder.
Kaspersky Security Center generates a common list of quarantined objects on devices running Endpoint Agent. Device Network Agents transmit information on quarantined files to the Administration Server.
Kaspersky Security Center does not copy quarantined files to the Administration Server. All objects are located on protected devices running Endpoint Agent. Objects are restored from quarantine on protected devices.
Response actions let you prevent or minimize the consequences of threats detected on devices in an industrial network.
The capability to trigger response actions is available for devices with the Endpoint Agent software component. When a response action is triggered, Kaspersky Industrial CyberSecurity for Networks transmits the information about it to Endpoint Agent. The Endpoint Agent software component executes the received command and sends a completion notification to Kaspersky Industrial CyberSecurity for Networks.
Once the triggered response action is completed and the threat from the device is eliminated, you can trigger the corresponding reverse action. For the listed response actions, the following reverse actions are available:
Kaspersky Industrial CyberSecurity for Networks registers triggered response actions and the corresponding reverse actions. The registered actions are displayed in the Events section on the Response actions tab.
You can trigger response actions by selecting the relevant events, devices, or previously registered and completed response actions. The actions available to you depend on the selected object. For example, if you selected a device with the Endpoint Agent software component, you can only manage the network isolation of this device. Other response actions are available under other conditions (for example, the Prevent run and Move to quarantine actions are available when you select an event associated with this device, provided that a threat development chain has been built for the event in Endpoint Agent).
Only users with the Administrator role can trigger response actions and the corresponding reverse actions.