Integration of the built-in agent with EDR Optimum

The Endpoint Detection and Response (KSC) and Endpoint Detection and Response Expert (on-premise) components are not compatible with each other.

The following conditions must be met for Kaspersky Industrial CyberSecurity for Nodes to work as part of EDR Optimum solution:

• Kaspersky Security Center version 14.2 or higher with Web Console installed.
• To enable interaction between the EDR Optimum solution and the Administration Server via Kaspersky Security Center Web Console, you must establish a new secure connection, a background connection.

  Establishing a background connection in Web Console

  1. In the main window of the Web Console, select Settings → Integration.
  2. Go to the Integration section.
  3. Turn on the Background connection for integration Enabled toggle.
  4. Save your changes.
• Kaspersky Endpoint Detection and Response management plug-in installed.
• The following components of Kaspersky Industrial CyberSecurity for Nodes that ensure the operation of Endpoint Detection and Response (KSC) are enabled and operational:
  • Real-Time File Protection.
  • Exploit Prevention.
  • Anti-Cryptor.
  • Remediation Engine.

Setting up EDR Optimum integration involves the following steps:

1. Installing the Endpoint Detection and Response (KSC) component

   In installation package settings or in the Setup Wizard, or by changing the set of application components in the Windows Control Panel, at the step when you must select application components for installation, select the following: Full functionality → Endpoint Agent → Endpoint Detection and Response (KSC).

   To finish changing the set of application components, you must restart the computer.

2. Kaspersky Endpoint Detection and Response Optimum activation

   For information about the licensing of the Endpoint Detection and Response (KSC) component, please refer to this article.

   Make sure that the Endpoint Detection and Response (KSC) functionality is included in the license.

3. Enabling and configuring the Endpoint Detection and Response (KSC) component

   How to enable and configure Endpoint Detection and Response (KSC) component in the Kaspersky Security Center Web Console

   1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
   2. Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.

      The policy properties window opens.

   3. Select the Application settings tab.
   4. Select the Telemetry collection servers section.
   5. In the Endpoint Detection and Response (Industrial CyberSecurity) block, click the Settings button.

      The Endpoint Detection and Response (Industrial CyberSecurity) window opens.

   6. Select the Enable Endpoint Detection and Response (Industrial CyberSecurity) check box.
   7. Configure Network isolation settings.
   8. Configure Execution prevention settings.
   9. If necessary, enable the counter for threats detected by Cloud Sandbox using the toggle with the same name.
   10. Save your changes.

   As a result, the Endpoint Detection and Response (KSC) component is enabled. Check the operating status of the component by viewing the Report on status of application components. You can also view the operating status of a component in the Application Console tree in the workspace of the Kaspersky Industrial CyberSecurity for Nodes node.

4. Enabling data transfer to Kaspersky Security Center Administration Server

   For correct operation of all features of EDR Optimum, data transfer must be enabled for the following types of data:

   • Quarantine file data.

     In Kaspersky Security Center Web Console you can download files from quarantine for analysis.

   • Threat development chain data.

     You can view alert details and take response actions in Web Console.

   How to enable data transfer to the Administration Server in Web Console

   1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
   2. Click the policy name you want to configure.
   3. In the <Policy name> window that opens, select the Application settings tab.
   4. Go to the Logs and notifications section.
   5. In the Interaction with Administration Server block, click the Settings button.
   6. In the window that opens, select the following check boxes:
      • About Quarantine files.
      • About a threat development chain.
   7. Save your changes.

Page top