About IOC Scan tasks in Kaspersky Endpoint Agent

Support

Support for business applications

Kaspersky Endpoint Agent

IOC Scan

About IOC Scan tasks in Kaspersky Endpoint Agent

November 17, 2023

ID 193613

When executing IOC Scan tasks, Kaspersky Endpoint Agent uses IOC files (indicators of compromise files of the OpenIOC open description standard) to search for these indicators on devices.

Kaspersky Endpoint Agent supports three types of IOC Scan tasks:

Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.
Autonomous IOC Scan tasks are group tasks that are created automatically in response to the threats detected by Kaspersky Sandbox. Kaspersky Endpoint Agent generates an IOC file automatically. Operations with custom IOC files are not supported. Tasks are automatically deleted in seven days after the last start or after creation if tasks were never started. For more information about autonomous IOC Scan tasks, see Kaspersky Sandbox Help.
IOC scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface allows application users to use IOC files to search for signs of targeted attacks, as well as infected and probably infected objects in the event and detection database, and also to scan computers on which Kaspersky Endpoint Agent is installed.

Different tasks are managed in different ways and have different configurable settings and task scopes. A description of each type of IOC Scan task is provided in the table below.

IOC Scan task types

Task type	Task description	Task scope
Standard IOC Scan tasks	These tasks are created and configured manually in Kaspersky Security Center or using the command line interface, without integration with third-party systems. IOC files prepared by the user are used to run the tasks. The task settings do not depend on the policy settings. The Retrospective IOC Scan mode is available for tasks. Retrospective IOC Scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices. The Retrospective IOC Scan mode is available only for Standard IOC Scan tasks. You can specify the following actions as responses to detected IOCs (not available when running the tasks from the command line): Run on-demand scan tasks using EPP on the device. Enable network isolation of the device. Viewing reports is available both in the task execution results as a summary table and in the Detected IOC card. Detected IOC card contains information about objects that match the conditions of the processed IOC file, as well as the text of the matched branches or individual conditions from this IOC file. Viewing the Detected IOC card is not available for IOC files, for which no indicators of compromise were detected during scan.	Local or group
Autonomous IOC Scan tasks	These tasks are created automatically if, in the Kaspersky Endpoint Agent policy, the Run IOC Scan on a managed group of devices action is selected as a response to threats detected by Kaspersky Sandbox. Kaspersky Endpoint Agent generates an IOC file automatically. Operations with custom IOC files are not supported. Limited task management in Kaspersky Security Center is available to the user. In the policy settings, you can specify the task start schedule and the scan area for the task. Tasks are automatically deleted in seven days after the last start or after creation if tasks were never started. You can specify the following actions to respond to detected IOCs: Run on-demand scan tasks using EPP on the device. Quarantine the object and delete it from the device. Viewing reports is available both in the task execution results as a summary table and in the Detected IOC card.	Group
IOC Scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface	IOC files are downloaded manually via Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure the IOC scan schedule for computers with Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform. Task management using Kaspersky Security Center or using the command line is not supported. No actions are automatically performed when an IOC is detected. Task settings do not depend on Kaspersky Endpoint Agent policies.	Not applicable

Task type

Task description

Task scope

Standard IOC Scan tasks

These tasks are created and configured manually in Kaspersky Security Center or using the command line interface, without integration with third-party systems.

IOC files prepared by the user are used to run the tasks.

The task settings do not depend on the policy settings.

The Retrospective IOC Scan mode is available for tasks.

You can specify the following actions as responses to detected IOCs (not available when running the tasks from the command line):

Run on-demand scan tasks using EPP on the device.
Enable network isolation of the device.
Viewing reports is available both in the task execution results as a summary table and in the Detected IOC card.

Detected IOC card contains information about objects that match the conditions of the processed IOC file, as well as the text of the matched branches or individual conditions from this IOC file.

Viewing the Detected IOC card is not available for IOC files, for which no indicators of compromise were detected during scan.

Local or group

Autonomous IOC Scan tasks

These tasks are created automatically if, in the Kaspersky Endpoint Agent policy, the Run IOC Scan on a managed group of devices action is selected as a response to threats detected by Kaspersky Sandbox.

Kaspersky Endpoint Agent generates an IOC file automatically. Operations with custom IOC files are not supported.

Limited task management in Kaspersky Security Center is available to the user.

In the policy settings, you can specify the task start schedule and the scan area for the task.

Tasks are automatically deleted in seven days after the last start or after creation if tasks were never started.

You can specify the following actions to respond to detected IOCs:

Run on-demand scan tasks using EPP on the device.
Quarantine the object and delete it from the device.

Viewing reports is available both in the task execution results as a summary table and in the Detected IOC card.

Group

IOC Scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface

IOC files are downloaded manually via Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure the IOC scan schedule for computers with Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform.

Task management using Kaspersky Security Center or using the command line is not supported.

No actions are automatically performed when an IOC is detected.

Task settings do not depend on Kaspersky Endpoint Agent policies.

Not applicable

The results of group IOC Scan tasks execution can be viewed in Kaspersky Security Center for 7 days after the task is executed, or until the task is removed.

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.