Kaspersky Sandbox

Starting with version 11.7.0, Kaspersky Endpoint Security for Windows includes a built-in agent for integration with the Kaspersky Sandbox solution. Kaspersky Sandbox detects and automatically blocks advanced threats on computers. It analyzes object behavior to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure of the organization. Objects are analyzed and scanned on dedicated servers with deployed virtual images of Microsoft Windows operating systems (Kaspersky Sandbox servers). For details about the solution, refer to the Kaspersky Sandbox Help.

The component can be managed only using the Kaspersky Security Center Web Console. You cannot manage this component using the Administration Console (MMC).

Kaspersky Sandbox component settings (each parameter is followed by its description)

Server TLS certificate

To configure a trusted connection with Kaspersky Sandbox servers, you must prepare a TLS certificate. Next you must add the certificate to Kaspersky Sandbox servers and the Kaspersky Endpoint Security policy. For details on preparing the certificate and adding the certificate to servers, refer to the Kaspersky Sandbox Help.

Timeout

Connection timeout for a Kaspersky Sandbox server. After the configured timeout elapses, Kaspersky Endpoint Security sends the request to the next server. You can increase the connection timeout if your connection speed is low or the connection is unstable. The recommended request timeout is 0.5 seconds or less.

Kaspersky Sandbox request queue

Size of the request queue folder. When an object is accessed on the computer (for example, an executable is launched or a DOCX or PDF document is opened), Kaspersky Endpoint Security can also send the object to Kaspersky Sandbox for scanning. If there are multiple requests, Kaspersky Endpoint Security creates a request queue. By default, the size of the request queue folder is limited to 100 MB. After the maximum size is reached, Kaspersky Sandbox stops adding new requests to the queue and sends the corresponding event to Kaspersky Security Center. You can configure the size of the request queue folder depending on your server configuration.

Kaspersky Sandbox servers

Kaspersky Sandbox server connection settings. The servers use deployed virtual images of Microsoft Windows operating systems to run objects that need to be scanned. You can enter an IP address (IPv4 or IPv6) or a fully qualified domain name.
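The three connection settings above (timeout with failover to the next server, the size-capped request queue, and the accepted server address forms) behave as modelled in this constructed example. It is not Kaspersky code; the class and function names, the probe hook and the sample values are assumptions made for illustration.

```python
# Constructed model of the behaviour this page describes: timeout with
# failover to the next configured server, a size-capped request queue that
# emits an event when full, and the accepted server address forms.
# Not Kaspersky code; names are hypothetical.
import ipaddress
import re
from dataclasses import dataclass, field

QUEUE_LIMIT_BYTES = 100 * 1024 * 1024   # default request queue folder size (100 MB)
RECOMMENDED_TIMEOUT_S = 0.5             # recommended request timeout from the page

FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def server_address_kind(value: str) -> str:
    """Classify a server entry as 'ipv4', 'ipv6' or 'fqdn'; raise on anything else."""
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        pass
    if FQDN_RE.match(value):
        return "fqdn"
    raise ValueError(f"not an IPv4/IPv6 address or fully qualified domain name: {value!r}")

@dataclass
class RequestQueue:
    limit: int = QUEUE_LIMIT_BYTES
    used: int = 0
    queued: list = field(default_factory=list)
    events: list = field(default_factory=list)  # events that would go to Kaspersky Security Center

    def enqueue(self, name: str, size: int) -> bool:
        """Queue an object for sandbox scanning unless the folder limit would be exceeded."""
        if self.used + size > self.limit:
            self.events.append(f"request queue full ({self.limit} bytes); not queued: {name}")
            return False
        self.used += size
        self.queued.append(name)
        return True

def select_server(servers, probe, timeout=RECOMMENDED_TIMEOUT_S):
    """Contact servers in configured order; when one exceeds the timeout, try the next.
    probe(server) returns the observed response time in seconds (hypothetical hook).
    Returns (server_or_None, attempts) so the failover path is visible."""
    attempts = []
    for server in servers:
        latency = probe(server)
        attempts.append((server, latency))
        if latency <= timeout:
            return server, attempts
    return None, attempts
```

Running the queue model with the sizes of the objects your endpoints typically open shows how quickly the default 100 MB folder saturates, which is the input you need when adjusting this setting.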

Action on threat detection

Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.

Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.

Create IOC scan task. If this option is selected, Kaspersky Endpoint Security automatically creates the IOC Scan task (autonomous IOC scan task). For this task, you can configure the run mode, scan scope, and action on IOC detection: delete object, run the Critical Areas Scan task. To modify other settings of the IOC Scan task, go to the task settings.

IOC scan scope

Critical file areas. If this option is selected, Kaspersky Endpoint Security does an IOC scan only in critical file areas of the computer: kernel memory and boot sectors.

File areas on system drives of the computer. If this option is selected, Kaspersky Endpoint Security does an IOC scan on the system drive of the computer.

Run IOC scan task

Manually. Run mode in which you can start the IOC scan task manually at a time of your choosing.

After threat is detected. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task automatically whenever a threat is detected.

Run only when the computer is idle. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task if the screensaver is active or the screen is locked. If the user unlocks the computer, Kaspersky Endpoint Security pauses the task. This means that the task can take several days to complete.
