Kaspersky Security for Virtualization 6.3 Light Agent has the following new features and improvements:
SVM images of version 6.3 do not include Kaspersky Security Center Network Agent. Network Agent is installed on SVMs during SVM deployment using a distribution package prepared by the user.
Some limitations apply to installing and operating the solution in virtual infrastructures on the Yandex Cloud Platform, the Gorizont-VS virtualization management platform, and the HOSTVM Virtualization platform. Please refer to the Knowledge Base for details.
The possibilities of activating the Kaspersky Managed Detection and Response functionality available in Light Agents have been expanded:
You can activate the functionality of Light Agent for Linux integration with Kaspersky Managed Detection and Response under a license by adding a license key to the SVM using a key file or an activation code. Previously, activation under a license was not possible; for activation, you had to upload an MDR BLOB file to the device.
To activate the functionality of Light Agent for Windows integration with Kaspersky Managed Detection and Response, you can use a key file. Previously, activation was only possible with an activation code or by uploading an MDR BLOB file to the device.
The role of the Light Agent for Windows in the solution is fulfilled by Kaspersky Endpoint Security 12.10 for Windows or Kaspersky Endpoint Security 12.11 for Windows.
Kaspersky Endpoint Security 12.10 for Windows introduces the following features and improvements:
For the BadUSB Attack Protection component, you can authorize barcode scanners by reading a barcode from the screen. You no longer need to enter a code using the on-screen keyboard to authorize barcode scanners.
When Kaspersky Endpoint Security for Windows is integrated with Kaspersky Detection and Response solutions, the following new features are available:
User account management in alert details. Now you can block a user account in the Kaspersky Security Center console, make a user change the account password, add users to an Active Directory group, or remove users from a group. You can also make a user take a Kaspersky information security course.
Management of device network isolation in alert details. In the alert details, you can also configure the duration of network isolation for a device or add exclusions.
Populating alert details with new information. Alert details now contain more information about the threat, including what the application does when responding to the threat.
The new features are available in Kaspersky Security Center 15.4 and later.
Improved interaction with IOC files. Now you can view and edit the contents of IOC files in Kaspersky Security Center Web Console. After uploading an IOC file, the application displays a report on how the IOC terms were applied.
Improved threat response to detected IOCs. You can now quarantine files detected by the IOC Scan task directly in the IOC detection results in the task properties. You can also isolate devices from the network in the task properties.
You can create IOC files directly in the properties of the IOC Scan task. To create an IOC file, you need to prepare a TXT file with a list of indicators of compromise. You can add file hashes, IP addresses, or DNS names as indicators of compromise.
The scan scope for the IOC Scan task has been expanded. Now you can configure the IOC Scan scope in the registry (Windows Registry - RegistryItem). In previous versions of the application, you could only use the predefined IOC Scan scope for the registry.
Added new Password protection permission, Export settings. By default, only the KLAdmin user can create a configuration file with Kaspersky Endpoint Security for Windows settings in the application interface. If you want other users to have access, you need to grant the corresponding permission.
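The IOC Scan task item above says an IOC file can be created from a prepared TXT file containing file hashes, IP addresses, or DNS names. The following is an added example (not Kaspersky's code, and not a description of the product's actual TXT parser) of a pre-upload checker that classifies each indicator line as an MD5/SHA-1/SHA-256 hash, an IPv4/IPv6 address, or a DNS name, normalizes hash case, drops duplicates, and reports lines that match none of the three supported indicator types. The assumptions that each line holds one indicator and that blank lines and lines starting with `#` are comments are this example's own; the sample indicators are constructed and not real IoCs.

```python
import ipaddress
import re
from collections import Counter

# Hex digest lengths for the hash types commonly used as file indicators.
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_indicator(value):
    """Return the indicator type for one line ('md5', 'sha1', 'sha256',
    'ipv4', 'ipv6', 'dns') or None if it matches none of them."""
    v = value.strip()
    if _HEX_RE.match(v) and len(v) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(v)]
    try:
        addr = ipaddress.ip_address(v)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    # DNS name: at least two labels, total length within the 253-char limit,
    # and the last label must not be all digits (otherwise "999.1.1.1" would pass).
    labels = v.rstrip(".").split(".")
    if (len(v) <= 253 and len(labels) >= 2
            and all(_LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "dns"
    return None


def validate_ioc_list(text):
    """Parse a TXT indicator list, one indicator per line. Blank lines and
    lines starting with '#' are treated as comments (an assumption made for
    this example, not a documented feature of the product).

    Returns (indicators, errors): indicators is a list of (type, value) with
    hashes lowercased and exact duplicates dropped; errors is a list of
    (line_number, raw_line) for lines that are not a valid hash, IP, or DNS name."""
    indicators, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify_indicator(line)
        if kind is None:
            errors.append((lineno, raw))
            continue
        value = line.lower() if kind in ("md5", "sha1", "sha256") else line
        if (kind, value) in seen:
            continue
        seen.add((kind, value))
        indicators.append((kind, value))
    return indicators, errors


def summarize(indicators):
    """Count indicators per type; a quick sanity check before uploading the file."""
    return dict(Counter(kind for kind, _ in indicators))


# Constructed sample list (not real IoCs): valid entries of each type, a duplicate
# hash differing only in case, and malformed lines that should be reported.
SAMPLE_TXT = """\
# example indicator list
d41d8cd98f00b204e9800998ecf8427e
D41D8CD98F00B204E9800998ECF8427E
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
192.0.2.10
2001:db8::1
malicious.example.net
not a valid indicator
999.1.1.1
deadbeef
"""

if __name__ == "__main__":
    found, bad = validate_ioc_list(SAMPLE_TXT)
    for kind, value in found:
        print(f"{kind:7} {value}")
    for lineno, raw in bad:
        print(f"line {lineno}: rejected: {raw!r}")
    print(summarize(found))
```

Running a check like this before uploading catches the usual mistakes in hand-assembled indicator lists (truncated hashes, stray text, typoed IP addresses) while the file is still easy to fix; the actual format the IOC Scan task accepts should be confirmed against the product documentation.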
Kaspersky Endpoint Security 12.11 for Windows introduces the following features and improvements:
Settings of control components are now checked before saving. The check covers the Application Control, Device Control, and System Integrity Monitoring components. The application now displays a warning if the current settings of a control component could cause increased load on the device or a system malfunction. For example, if you configure blocking of all applications other than allowed ones and do not add any allow rules, the application displays a warning because such a configuration may cause the system to malfunction.
Files can be automatically sent for scanning to KATA Sandbox. KATA Sandbox is a component of the Kaspersky Anti Targeted Attack Platform that runs files in virtual images of operating systems. Sandbox analyzes the behavior of objects to identify malicious activity and indicators of targeted attack on the corporate IT infrastructure. Sandbox analyzes and scans objects on dedicated servers with deployed virtual images of Microsoft Windows operating systems (the Sandbox servers). To use KATA Sandbox in automatic mode, the Kaspersky Anti Targeted Attack Platform solution version 8.0 or later must be deployed.
The EDR telemetry has been optimized. Now you can set a maximum packet length.
Improved Kaspersky Security Network connection troubleshooting. Kaspersky Security Network connection errors are more detailed to help you identify any problems.
Now you can configure lists of events for sending to Kaspersky Unified Monitoring and Analysis Platform (KUMA). Now, in addition to predefined event lists in KUMA, you can manually add events to telemetry or exclude events by ID in the Windows event log.
Restyled policy interface in the Web Console. The design is now modern and stylish. The new structure of sections in the policy makes it quicker to find the functions you need.
The solution uses Kaspersky Endpoint Security for Linux 12.3 as the Light Agent for Linux. The new version of the application has the following new features and improvements:
The Device Control component has been improved:
Now you can configure the list of users or user groups for which the added devices will be trusted.
Now you can grant read-only access to storage devices.
Improved user notification through events: new events have been added, and event texts have been clarified and made more uniform in the plug-ins and on the command line.
More functionality when integrating with Kaspersky Managed Detection and Response:
Network isolation of devices is now possible.
You can quarantine files and restore files from quarantine.
A process can be started or stopped.
The Behavior Detection component has been improved. Now you can exclude a process from scanning by the MDR and EDR (KATA) components.
Now you can configure proxy server exclusions: you can specify the Kaspersky Endpoint Security for Linux components that must bypass the proxy server, and create a list of addresses for which the proxy server is bypassed.
Now you can configure traffic interception exclusions: you can use the application management plug-ins and the command line to specify connections that the application must exclude from traffic interception.
Now you can temporarily exclude database log files from File Threat Protection scanning to reduce the overhead of scanning them. If a database log file is reused by the same process within 10 minutes of the last scan, the application does not scan that log file again.
Now you can enable the merging of exclusion list items in parent and child policies when inheriting the settings of the parent policy.
You can now use the application management plug-in to export and import exclusion lists in the policy and tasks.
Now you can configure initial configuration settings of Kaspersky Endpoint Security for Linux in the Administration Console of Kaspersky Security Center when creating an installation package or in the properties of the installation package.
Now you can configure the cancellation of scheduled tasks on a device running on battery power.
On the command line, you can use a new command to display a list of application functions, information about their statuses (used or not used), and Linux technologies that are used to implement these application functions.
Now you can output information about the policy applied on the device and policy profiles to the command line.
You can install the application using the command line on a device that does not have a Perl interpreter.
Traffic interception has been improved. Now local traffic (traffic between processes on the same device) is not intercepted.
You can transfer telemetry settings when integrating with Kaspersky Managed Detection and Response without using the KPSN configuration file. If you are using the Kaspersky Security Network infrastructure solution or you only have a root tenant, you do not need to use a KPSN configuration file to integrate Kaspersky Endpoint Security for Linux with Kaspersky Managed Detection and Response.
Optimized storage of a large number of events in the application event log. The communication with the event database is faster when opening and closing the database or receiving events.
Actions applied to infected objects in the File Threat Protection settings and scan tasks have been renamed.
An alternative mechanism for obtaining system telemetry has been added to the Behavior Detection component on 64-bit operating systems (kernel 5.3 and later with eBPF support), which frees up the resources of the audit.d kernel audit subsystem. The application uses eBPF automatically if the operating system satisfies the requirements.