Searching for indicators of compromise in the Web Console

You can scan for indicators of compromise using the IOC Scan task in Web Console only when integrated with Kaspersky Endpoint Detection and Response Optimum. When integrated with Kaspersky Endpoint Detection and Response (KATA), the IOC scan is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.

You can create and run the IoC Scan task, as well as edit its settings in the Web Console.

For the IOC Scan task, the Wake-on-LAN feature is not available in the schedule settings. For the task to run, make sure the device is powered on.

You can change the main settings of the IOC Scan task in the task properties on the Application settings tab → IOC Scan settings.

IOC Scan task settings

Setting	Description
Redefine IOC files	This button opens the Redefine IOC files panel. Clicking the Add IOC files button located in the Redefine IOC files panel opens a window where you can select and download the IOC files on the device that are necessary to search for indicators of compromise. After uploading the IOC files, you can view a list of indicators from the IOC files.
Export IOC collection	Clicking this button downloads IOC files to the device.
Apply response actions when an IOC is detected	This check box enables or disables the application of response actions when indicators of compromise are detected. If the check box is selected, then when indicators of compromise are detected, the application performs the actions you selected: Start critical areas scan. If this check box is selected, then when indicators of compromise are detected, the application starts the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, boot sectors, and other critical areas. /lib/systemd /lib/udev /lib/dbus-1.0 /usr/local/lib/systemd/user /usr/share/dbus-1 /usr/share/gdm/autostart /usr/share/gnome/autostart /var/spool/at /var/spool/at/spool /var/spool/anacron /var/spool/cron /boot /bin /sbin /lib /lib32 /lib64 /libx32 /usr/lib /usr/lib32 /usr/lib64 /usr/libx32 ~/.config/autostart ~/.config/autostart-scripts ~/.config/plasma-workspace/env ~/.config/plasma-workspace/shutdown ~/.config/lxsession ~/.fluxbox/startup ~/.kde/Autostart /etc Quarantine a copy, delete the object. If the check box is selected, when indicators of compromise are detected, the application quarantines a copy of the object and deletes the original object. Isolate device from the network. If this check box is selected, then when indicators of compromise are detected, the application isolates the device from the network to prevent the spread of the threat. You can configure the isolation duration. If the policy applies to an isolated device, the Automatically disable isolation after a specified period and Network isolation exclusions settings specified in the policy properties are applied. If the policy does not apply to the isolated device, the settings specified in the device properties are applied. If the check box is cleared, the application does not perform any response actions when indicators of compromise are detected. Information about detected indicators of compromise is displayed in the window with alert details and in the task properties.

Setting

Description

Redefine IOC files

This button opens the Redefine IOC files panel.

Clicking the Add IOC files button located in the Redefine IOC files panel opens a window where you can select and download the IOC files on the device that are necessary to search for indicators of compromise. After uploading the IOC files, you can view a list of indicators from the IOC files.

Export IOC collection

Clicking this button downloads IOC files to the device.

Apply response actions when an IOC is detected

This check box enables or disables the application of response actions when indicators of compromise are detected.

If the check box is selected, then when indicators of compromise are detected, the application performs the actions you selected:

Start critical areas scan.
If this check box is selected, then when indicators of compromise are detected, the application starts the Critical Areas Scan task.

By default, Kaspersky Endpoint Security scans the kernel memory, running processes, boot sectors, and other critical areas.
- /lib/systemd
- /lib/udev
- /lib/dbus-1.0
- /usr/local/lib/systemd/user
- /usr/share/dbus-1
- /usr/share/gdm/autostart
- /usr/share/gnome/autostart
- /var/spool/at
- /var/spool/at/spool
- /var/spool/anacron
- /var/spool/cron
- /boot
- /bin
- /sbin
- /lib
- /lib32
- /lib64
- /libx32
- /usr/lib
- /usr/lib32
- /usr/lib64
- /usr/libx32
- ~/.config/autostart
- ~/.config/autostart-scripts
- ~/.config/plasma-workspace/env
- ~/.config/plasma-workspace/shutdown
- ~/.config/lxsession
- ~/.fluxbox/startup
- ~/.kde/Autostart
- /etc
Quarantine a copy, delete the object.
If the check box is selected, when indicators of compromise are detected, the application quarantines a copy of the object and deletes the original object.
Isolate device from the network.
If this check box is selected, then when indicators of compromise are detected, the application isolates the device from the network to prevent the spread of the threat. You can configure the isolation duration.

If the policy applies to an isolated device, the Automatically disable isolation after a specified period and Network isolation exclusions settings specified in the policy properties are applied. If the policy does not apply to the isolated device, the settings specified in the device properties are applied.

If the check box is cleared, the application does not perform any response actions when indicators of compromise are detected. Information about detected indicators of compromise is displayed in the window with alert details and in the task properties.

You can change the additional settings of the IOC Scan task in the task properties on the Application settings tab → Additional.

The Additional section can be edited if you have loaded an IOC file in the Redefine IOC files panel.

Additional settings of the IOC Scan task

Setting	Description
Data types (IOC documents) to analyze during IOC Scan	The check boxes in the Additional section include the following data types (IOC documents) in the analysis during an IOC scan: Processes - ProcessItem. Files - FileItem. IOC documents. The IOC documents link is available if you have loaded an IOC file in the Redefine IOC files panel. This link takes you to the File Scan settings – FileItem window, where you can add scan scopes. ARP tables - ArpEntryItem. Network ports - PortItem. User accounts - UserItem. System objects - SystemItem.
Search for IOCs in the following areas	This check box enables or disables the scanning of the following scopes. Files on all drives of the device. Files on system drives of the device. Critical areas on the device. This option is selected by default. Do not scan predefined areas.
Scan custom areas	The check box adds the scopes listed in the table under the check box to the list of scan scopes. You can add a path to the scope you want to scan by clicking the Add button. In the window that opens, enter the path to the scope in the Scope field and save the changes. You can remove a scope from the table by select the check box next to the scope you want to remove and then clicking the Remove button. You cannot clear this check box if in the Search for IOCs in the following areas list, the Do not scan predefined areas option is selected.

Setting

Description

Data types (IOC documents) to analyze during IOC Scan

The check boxes in the Additional section include the following data types (IOC documents) in the analysis during an IOC scan:

Processes - ProcessItem.
Files - FileItem.
- IOC documents.
The IOC documents link is available if you have loaded an IOC file in the Redefine IOC files panel. This link takes you to the File Scan settings – FileItem window, where you can add scan scopes.
ARP tables - ArpEntryItem.
Network ports - PortItem.
User accounts - UserItem.
System objects - SystemItem.

Search for IOCs in the following areas

This check box enables or disables the scanning of the following scopes.

Files on all drives of the device.
Files on system drives of the device.
Critical areas on the device. This option is selected by default.
Do not scan predefined areas.

Scan custom areas

The check box adds the scopes listed in the table under the check box to the list of scan scopes.

You can add a path to the scope you want to scan by clicking the Add button. In the window that opens, enter the path to the scope in the Scope field and save the changes.

You can remove a scope from the table by select the check box next to the scope you want to remove and then clicking the Remove button.

You cannot clear this check box if in the Search for IOCs in the following areas list, the Do not scan predefined areas option is selected.

We do not recommend adding or deleting IOC files after starting this task. This may result in incorrect display of IOC scan results for previous runs of the task. We recommend creating a new task to run an IOC scan based on new IOC files.

You can view the result of the IOC Scan task in the task properties in the Web Console under Application settings → IOC Scan results. The table displays a list of devices on which the IOC Scan task has been run, as well as the results of the task. In the Device drop-down list, you can choose to display task results for all managed devices on which the task has run, or for a specific device.

The table contains the following information:

Status – Status of indicator of compromise detection, displayed as an icon.
Device – Name of the device on which the task was started
Time – Date and time when the task was performed
Results – Information about the result of the IOC Scan task. One of the following statuses may be displayed:
- IOCs detected –– This status is displayed as a link; clicking the link opens a window with the alert details.
- No IOCs detected.

IOC Scan results are stored for 30 days. After this time expires, Kaspersky Endpoint Security automatically deletes old entries.

Page top