About response actions for commands of Detection and Response solutions

When integrated with the Kaspersky Endpoint Detection and Response (KATA) component and the Kaspersky Endpoint Detection and Response Optimum solution, Kaspersky Endpoint Security can perform response actions aimed at providing security functions.

The settings of Kaspersky Endpoint Detection and Response (KATA) component response actions and Kaspersky Endpoint Detection and Response Optimum solution response actions are not the same.

Kaspersky Endpoint Security can perform the following response actions:

• Quarantine files.

  The action is performed using the Quarantine file task.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), this task is configured in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, you can configure the Quarantine file task in the settings of the EDR Optimum component of the Kaspersky Endpoint Security application or on a device with Kaspersky Endpoint Security using quarantine management commands.

• Delete files from Quarantine.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the action is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, the action is performed in Kaspersky Security Center or on a device with Kaspersky Endpoint Security using quarantine management commands.

• Restore files from Quarantine.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the action is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, the action is performed in Kaspersky Security Center or on a device with Kaspersky Endpoint Security using quarantine management commands.

• Get files from Quarantine.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the action is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, the action is performed in Kaspersky Security Center.

• Get files from devices.

  This action is performed using the Get file task. For example, you can configure the application to get an event log file generated by a third-party program.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the action is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, you can configure the Receive file from device task in the settings of the EDR Optimum component of the Kaspersky Endpoint Security application.

• Delete files from devices.

  This action is performed using the Delete file task.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the action is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, you can configure the Delete file from device task in the settings of the EDR Optimum component of the Kaspersky Endpoint Security application.

• Remotely run processes on devices.

  This action is performed using the Run process task. For example, you can remotely run a utility that creates a device configuration file, and then retrieve the created file using the Get file task.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the action is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, you can configure the Start process task in the settings of the EDR Optimum component of the Kaspersky Endpoint Security application.

• Remotely terminate processes on devices.

  The action is performed using the Terminate process task. For example, you can remotely terminate an Internet speed test utility that was launched using the "Run process" task.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the action is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, you can configure the Terminate process task in the settings of the EDR Optimum component of the Kaspersky Endpoint Security application.

• Detect Indicators of Compromise on devices and perform threat response actions.

  An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device (compromised data). For example, an indicator of compromise could be a high number of failed login attempts.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), the IOC scan is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, an IOC Scan is performed using the IOC Scan task. You can configure the IOC Scan task in the settings of the EDR Optimum component of Kaspersky Endpoint Security or on the device running Kaspersky Endpoint Security using the IOC Scan management commands.

• Enable or disable network isolation of the device.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), you can:

  • Disable network isolation on the command line.
  • Enable or disable network isolation in the Kaspersky Endpoint Detection and Response (KATA) solution.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, you can:

  • Enable or disable network isolation in the Web Console.
  • Disable network isolation on the command line.
  • Configure automatic disabling of network isolation in the Web Console.
• Configure execution prevention rules for objects.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response (KATA), you can:

  • Start and stop the application of object execution prevention rules from the command line.
  • From the command line, view the list of object execution prevention rules received from the Kaspersky Endpoint Detection and Response (KATA) component.

  When Kaspersky Endpoint Security is integrated with Kaspersky Endpoint Detection and Response Optimum, you can:

  • Create and configure execution prevention rules for objects in the Web Console.
  • Start and stop the application of object execution prevention rules in the Web Console or from the command line.
  • From the command line, view the list of execution prevention rules received from Kaspersky Endpoint Detection and Response Optimum.

Page top