Kaspersky Security for Virtualization 6.4 Light Agent has the following new features and improvements:
The Linux-based Integration Server can now interact with Kaspersky Security Center. The Linux-based Integration Server can transmit its events and status information to the Kaspersky Security Center Administration Server. You can configure the export of events from Kaspersky Security Center to external SIEM systems (for details, see the Kaspersky Security Center Help). If you are using the solution under an Enterprise license, the Integration Server can log a greater variety of events.
The solution uses Kaspersky Endpoint Security 12.12 for Windows as the Light Agent for Windows. The new version of the application has the following new features and improvements:
Protection of shared folders from external encryption, which used to be part of the Behavior Detection component, has been split off into a separate component called Anti-Cryptor.
The Kerberos protocol is now supported for authenticating the application through a proxy server for internet access.
Now you can specify a file hash for a trusted application, and not just a full path.
For users of Endpoint Detection and Response solutions, the functionality of the IOC Scan task has been expanded. A retrospective IOC Scan function is now available. Retrospective IOC Scan is a mode of the IOC Scan task in which Kaspersky Endpoint Security for Windows looks for indicators of compromise (IOC) in data received over a certain time interval. The mode is designed for finding indicators of compromise in network activity data of a device. Kaspersky Endpoint Security for Windows analyzes data in the logs of the operating system and browsers on the device.
Users of Endpoint Detection and Response solutions can now remove the quarantine size limit. This may be necessary for YARA scanning because the application may need to save a large memory dump. Now the entirety of free disk space can be used for the quarantine.
HTTPS compression is now supported for optimization of event export to Kaspersky Unified Monitoring and Analysis Platform (KUMA). This helps reduce outbound traffic.
The solution uses Kaspersky Endpoint Security for Linux 12.4 as the Light Agent for Linux. The new version of the application has the following new features and improvements:
The functionality of the application in Light Agent mode has been expanded:
A system event interception mechanism based on an updatable kernel module is now available. Using the updatable kernel module allows Kaspersky Endpoint Security for Linux to optimize the interception of file operations and process starts.
The Exploit Prevention component is now available.
The level of threat detection has been improved.
Introducing a new component, Mail Threat Protection. This component scans the attachments of incoming and outgoing email messages for viruses and other applications that may pose a threat.
Introducing a new component, BadUSB Attack Prevention. This component prevents malicious USB devices that imitate a keyboard from connecting to the protected device.
The Device Control component has been improved. Now you can grant temporary access to blocked devices upon user request.
The Exploit Prevention component has been improved. Now you can configure objects to be excluded from scanning by the component.
The updatable kernel module has been improved:
The updatable kernel module now allows optimizing the interception of file operations. Application performance is improved by using a cache of files and processes that do not need to be scanned.
Now, when using the updatable kernel module, you can fine-tune global exclusions. If using the interception mechanism based on the fanotify technology, specified mount points are excluded from the file operation interception in their entirety. Using the updatable kernel module allows excluding specific local or remote directories mounted on the device.
Now you can set up integration with Kaspersky Endpoint Detection and Response Expert (on-premise), an enterprise cybersecurity solution that allows defending against most cyber risks and covering the main threat propagation scenarios.
Now you can create application trace files when starting the application for the first time after installation. Now you can enable the generation of trace files when starting the application for the first time in the Web Console, the Administration Console, or in the settings of the initial configuration file.
The policy interface in the Web Console has been updated. The new structure of sections in the policy allows finding the necessary functions quicker.
Now you can select the traffic interception mode that the application uses: the eBPF technology or the iptables tool.
Now you can select the telemetry source (only eBPF or eBPF and auditd). For auditd, you can also select a mode (exclusive or multicast).
You can select how you want files and directories to be sent for scanning in Sandbox: manually, only automatically, or automatically and manually.
The alternative mechanism for getting system telemetry has been improved in the Behavior Detection component on 64-bit operating systems (kernel 4.18 and later with eBPF support), which allows freeing up the resources of the auditd kernel audit subsystem.
Now you can include the following information in telemetry data when integrated with Kaspersky Managed Detection and Response: