About response actions for commands of Detection and Response solutions

Kaspersky Endpoint Security can perform response actions aimed at providing security functions:

• When interacting with Kaspersky Endpoint Detection and Response (KATA), a component of the Kaspersky Anti Targeted Attack Platform solution.
• When interacting with Kaspersky Endpoint Detection and Response Optimum.

The response action settings of Kaspersky Anti Targeted Attack Platform and Kaspersky Endpoint Detection and Response Optimum are different.

Kaspersky Endpoint Security can perform the following response actions:

• Get files from devices.

  This action is performed using the Get file task. For example, you can configure the application to get an event log file generated by a third-party program.

• Delete files from devices.

  This action is performed using the Delete file task.

• Remotely run processes on devices.

  This action is performed using the Run process task.

  For example, you can remotely run a utility that creates a device configuration file, and then fetch it with Get file.

• Remotely terminate processes on devices.

  The action is performed using the Terminate process task.

  For example, you can remotely terminate an Internet speed test utility that was launched using the "Run process" task.

• Detect Indicators of Compromise on devices and perform threat response actions.

  An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device (compromised data). For example, an indicator of compromise could be a high number of failed login attempts.

  This action is performed using the IOC Scan task.

  The IOC Scan task checks for IOC terms (properties of IOC objects, for example, a file hash) only in the operating system's main namespace. The IOC Scan task does not calculate the hash of files larger than 200 MB.

• Enable or disable network isolation of the device.

  When Kaspersky Endpoint Security interacts with Kaspersky Endpoint Detection and Response Optimum, you can:

  • Enable or disable network isolation in the Web Console.
  • Disable network isolation in the command line.
  • Configure automatic disabling of network isolation in the Web Console.

  When Kaspersky Endpoint Security interacts with Kaspersky Endpoint Detection and Response (KATA), you can:

  • Disable network isolation in the command line.
  • Enable or disable network isolation in the Kaspersky Endpoint Detection and Response (KATA) solution.

    To read more, check out the Kaspersky Anti Targeted Attack Platform Help.

Network isolation limitations

When you use network isolation, we strongly recommended that you familiarize yourself with the limitations described below.

For network isolation to work, Kaspersky Endpoint Security must be running. If Kaspersky Endpoint Security malfunctions (and the application is not running), traffic blocking is not guaranteed when network isolation is enabled by Kaspersky Anti Targeted Attack Platform or Kaspersky Endpoint Detection and Response Optimum.

Transit traffic with network isolation enabled is supported with limitations and may be filtered.

DHCP and DNS are not automatically added to network isolation exclusions, so if the network address of a resource changes during network isolation, Kaspersky Endpoint Security cannot gain access to it. The same applies to the nodes of the fault-tolerant KATA server. We recommend to not change their addresses so that Kaspersky Endpoint Security does not lose contact with them.

The proxy server is also not added automatically to the network isolation exclusions, so you need to add it to the exclusions manually so that Kaspersky Endpoint Security does not lose contact with the KATA server.

Excluding processes from network isolation by name is not supported.

If Kaspersky Endpoint Security is used in standard mode, we recommend doing the following when using network isolation:

• Use a KSN proxy server to interact with Kaspersky Security Network.
• Use Kaspersky Security Center as a proxy server for application activation.

  If it is impossible to use Kaspersky Security Center as a proxy server, you must configure the proxy server that you want to use and add it to exclusions.

• Specify Kaspersky Security Center as the database update source.

These recommendations do not apply if Kaspersky Endpoint Security is used in Light Agent mode.

Page top