Scan for indicators of compromise (stand-alone task)

An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the computer (compromise of data). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task allows finding Indicators of Compromise on the computer and taking threat response measures.

Kaspersky Endpoint Security searches for indicators of compromise using IOC files. An IOC file contains a set of indicators that the application tries to match against objects and activity on the computer; a match counts as a detection. IOC files must conform to the OpenIOC standard. Kaspersky Endpoint Security automatically generates IOC files for Kaspersky Sandbox.
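To make concrete what "a set of indicators the application tries to match" means, here is a small evaluator for the OpenIOC format. It is an added example and is not Kaspersky code; Kaspersky Endpoint Security's own matching engine, the items it collects from the host, and the exact subset of OpenIOC it supports are not described on this page. The IOC document, the hash, the process name and the paths below are all constructed for illustration, and the host "snapshot" is a plain dictionary standing in for data an endpoint agent would collect. The example shows the two things that matter about the format: an indicator is a tree of nested AND/OR groups, and a detection is reported only when the logic of the whole tree is satisfied, not when a single item happens to match.

```python
"""Minimal OpenIOC evaluator (added example; not Kaspersky's code)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample OpenIOC 1.0 document. The MD5 value, process name
# and paths are made up for the example and are not real indicators.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2024-01-01T00:00:00">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
          <Content type="string">C:\Users\Public\svch0st.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# A host snapshot maps an OpenIOC "search" path to every value observed on
# the host for that attribute. Real agents collect this; here it is constructed.
HostSnapshot = Dict[str, List[str]]

CLEAN_HOST: HostSnapshot = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/name": ["svchost.exe"],
    "ProcessItem/path": [r"C:\Windows\System32\svchost.exe"],
}
# Name matches item-2, but path does not match item-3, so the AND group fails.
PARTIAL_HOST: HostSnapshot = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/name": ["svch0st.exe"],
    "ProcessItem/path": [r"C:\Windows\Temp\svch0st.exe"],
}
INFECTED_HOST: HostSnapshot = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/name": ["svch0st.exe"],
    "ProcessItem/path": [r"C:\Users\Public\svch0st.exe"],
}


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.split("}")[-1]


def item_matches(item: ET.Element, host: HostSnapshot) -> bool:
    """Evaluate one IndicatorItem against the host snapshot.

    Supports the OpenIOC 1.0 conditions 'is' and 'contains' plus the 1.1
    regex condition 'matches'. String comparison is case-insensitive, which
    suits Windows paths and hex digests; other conditions are treated as no match.
    """
    ctx = item.find("{*}Context")
    content = item.find("{*}Content")
    if ctx is None or content is None:
        return False
    expected = (content.text or "").strip()
    condition = item.get("condition", "is").lower()
    for value in host.get(ctx.get("search", ""), []):
        if condition == "is" and value.lower() == expected.lower():
            return True
        if condition == "contains" and expected.lower() in value.lower():
            return True
        if condition == "matches" and re.search(expected, value):
            return True
    return False


def evaluate(node: ET.Element, host: HostSnapshot) -> Tuple[bool, List[str]]:
    """Recursively evaluate an <Indicator> group.

    Returns (matched, ids of the items that produced the match). For an AND
    group the item ids are reported only if every child matched, so partial
    matches never surface as a detection.
    """
    op = node.get("operator", "OR").upper()
    results: List[Tuple[bool, List[str]]] = []
    for child in node:
        tag = _local(child.tag)
        if tag == "IndicatorItem":
            hit = item_matches(child, host)
            results.append((hit, [child.get("id", "?")] if hit else []))
        elif tag == "Indicator":
            results.append(evaluate(child, host))
    if not results:
        return False, []
    ok = all(m for m, _ in results) if op == "AND" else any(m for m, _ in results)
    hits = [h for _, hs in results for h in hs] if ok else []
    return ok, hits


def scan_host(ioc_xml: str, host: HostSnapshot) -> Tuple[bool, List[str]]:
    """Match a whole OpenIOC document against a host snapshot."""
    root = ET.fromstring(ioc_xml)
    definition = root.find("{*}definition")
    if definition is None:
        raise ValueError("OpenIOC document has no <definition> element")
    detected, hits = False, []
    for top in definition.findall("{*}Indicator"):
        ok, h = evaluate(top, host)
        detected, hits = detected or ok, hits + h
    return detected, hits


if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("partial", PARTIAL_HOST), ("infected", INFECTED_HOST)):
        print(name, scan_host(SAMPLE_IOC, host))
```

Run as a script, the clean and partial hosts report no detection and the infected host reports a detection by items `item-2` and `item-3`. The partial host is the case worth noticing: a single matching process name inside an AND group is not a detection, which is exactly why an IOC file carries the grouping logic and not just a flat list of values.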

IOC Scan task run mode

The application creates stand-alone IOC scan tasks for Kaspersky Sandbox. A stand-alone IOC scan task is a group task that is created automatically when the application reacts to a threat detected by Kaspersky Sandbox. Kaspersky Endpoint Security generates the IOC file automatically; custom IOC files are not supported. Tasks are deleted automatically 30 days after they are created. For more details about stand-alone IOC scan tasks, refer to the Kaspersky Sandbox Help.

IOC Scan task settings

Kaspersky Sandbox may create and run IOC Scan tasks automatically when reacting to threats.

You can configure the settings only in the Web Console.

You need Kaspersky Security Center 13.2 for stand-alone IOC scan tasks of Kaspersky Sandbox to work.

To change the settings of the IOC Scan task:

  1. In the main window of the Web Console, select Assets (Devices) → Tasks.

    The list of tasks opens.

  2. Click the IOC Scan task of Kaspersky Endpoint Security.

    The task properties window opens.

  3. Select the Application settings tab.
  4. Go to the IOC Scan settings section.
  5. Configure actions on IOC detection:
    • Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
    • Run Critical Areas Scan on threat detection. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task when an indicator of compromise is detected. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
    • Run only when the computer is idle. Postponed start of the task when computer resources are busy. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on. If you have interrupted the execution of the task, for example by unlocking the computer, Kaspersky Endpoint Security automatically runs the task, continuing from the point where it was interrupted. This schedule option lets you conserve computer resources when the computer is being used.
  6. Save your changes.

You can view the results of the task in task properties in the Results section. You can view the information about detected indicators of compromise in the task properties: Application settings → IOC Scan results.

IOC scan results are kept for 30 days. After this period, Kaspersky Endpoint Security automatically deletes the oldest entries.
