Significantly updated user interface of the Application Console and the plug-ins for managing the application using Kaspersky Security Center.
Support for Windows 11 24H2.
Now you can change the port that the Application Console uses to connect to a computer with the application installed.
In the Trusted zone, you can:
Edit exclusion profiles for industrial applications when installing the application and creating an application management policy using Kaspersky Security Center.
Configure trusted processes in a more granular way.
Use the trusted certificate store.
New settings for user and group rights to manage the application.
New Anti-Rootkit component. By default, the component is enabled if Real-Time File Protection is enabled. You can disable the component while installing the application, using the Change application components of Kaspersky Industrial CyberSecurity for Nodes task, or in the properties of the application installation package.
In Exploit Prevention settings, the application can now automatically identify protected processes.
New Remediation Engine component.
The Anti-Cryptor component monitors shared folders as well as local folders.
Reworked Applications Launch Control component:
Significant changes in the structure of component settings.
To specify Applications Launch Control rule triggering conditions and exclusions, you can now use the drive type, KL categories, and KSN groups.
Reworked Device Control component:
By default, the Device Control component is configured to allow connection of all devices.
Wi-Fi Control is no longer a separate component and is now part of Device Control.
You can now control connected devices depending on the connection bus.
Migration of settings for access to removable drives when upgrading from previous versions of the application to version 4.3 has been added.
The Firewall Management component has been reworked into the Firewall component, which, in addition to interfacing with the Windows firewall, now functions as a firewall.
The functionality of the File Integrity Monitor and Registry Access Monitoring components has been merged into the new System Integrity Monitoring component. This improvement lets you efficiently track changes in the file system and Windows registry, increasing the protection against unauthorized modification of data.
Kaspersky Endpoint Agent functionality is now integrated into the application as the built-in Endpoint Agent (Detection and Response).
The configuration of events for sending to SIEM has been expanded. Now Kaspersky Industrial CyberSecurity for Nodes supports sending Windows Event Log events.
The application does not support scheduling individual components. If the components are enabled, they keep running while the application is running.
Kaspersky Security Center Windows 15.1 is now supported.
Group tasks added:
To implement the functionality of Kaspersky Endpoint Agent: Security Audit, Run process, Terminate process, IOC Scan, Get file, Move file to Quarantine, Delete file.
Other tasks:
Administration Server connection protection
Change Kaspersky Industrial CyberSecurity for Nodes components
Baseline System Integrity Monitor instead of Baseline File Integrity Monitor
Update instead of Copying Updates, Application Database Update and Software Modules Update
Update rollback instead of Rollback of Application Database Update
Remove key
Network communication events of level L2 sent to Kaspersky Industrial CyberSecurity for Networks now include the IPv4 address of the network interface through which the traffic passes (the adapter.address field).
Facilitated integration with the Kaspersky Industrial CyberSecurity for Networks solution. Starting with version 4.5 of Kaspersky Industrial CyberSecurity for Nodes, the following types of configurations are supported:
ARP table
routing table
password policy
security audit policy
extended audit policy
Kaspersky Industrial CyberSecurity for Networks integration settings now allow you to configure promiscuous mode for the application and the network interfaces of the host. This mode allows sending extended telemetry to Kaspersky Industrial CyberSecurity for Networks.
Information about file operations (reading, writing, deletion) in shared folders and on devices connected to the local host can now be sent to the Kaspersky Industrial CyberSecurity for Networks server. To get information about file operations, you need a collection of corresponding Sigma rules. Kaspersky Industrial CyberSecurity for Networks can use the received information to detect instances of files being copied between network shares of computers running Kaspersky Industrial CyberSecurity for Nodes, or files being copied from network shares to devices connected to computers running Kaspersky Industrial CyberSecurity for Nodes.
In Kaspersky Security Center Web Console, in the properties of the host on which the application is installed, in the Detection and Response section, you can now view the threat response history of Kaspersky Industrial CyberSecurity for Nodes together with the response history of other solutions that are managing the host.
The following features and improvements are available to users of Endpoint Detection and Response (EDR) solutions by Kaspersky:
Alert details are filled with new information. The alert details now contain more information about the threat, including how the application behaves when responding to EDR threats.
Now you can manage Network Isolation in alert details. Additionally, in the alert details you can specify the computer Network Isolation time period and add exclusions.
Improved management of IOC files. Now you can view and edit the contents of IOC files in the interface of Kaspersky Security Center Web Console. After loading an IOC file, the application displays a report on how the IOC terms are applied.
Improved response to detected IOCs. Now you can quarantine files detected by the IOC Scan task directly in IOC detection results in task properties. You can also isolate computers from the network in the task properties.
You can create IOC files directly in the properties of the IOC Scan task based on a TXT file with lists of file hashes, IP addresses, or DNS names.
The scan scope for the IOC Scan has been expanded. Now you can define the IOC scan scope in the Registry (Windows Registry – RegistryItem). In earlier versions of the application you could only use the predefined IOC Scan scope in the registry.
The Network Threat Protection component can monitor network traffic to detect port scanning and high-intensity network requests.
In the Application Console, in the Telemetry collection servers section, you can now configure the following integrations:
Integration with Kaspersky Endpoint Detection and Response Expert (on-premise)
Integration with KICS for Networks
SIEM Integration
As part of the integration with KICS for Networks, you can send telemetry to an MQTT broker server built into a software data diode.
Support for Allen-Bradley ControlLogix PLCs has been added to the PLC Project Integrity Check task.
Introducing the Performance Analyzer. Performance Analyzer is a task that collects and analyzes information about access to files and applications on the device. This information can help you define a trusted zone to minimize the impact of the application on the performance of industrial software.
For the Anomaly Detection using Sigma rules component, the following new collections are now available:
Collection of user activity monitoring rules using Windows logs. This collection registers events such as new users being added, user privileges being elevated, users logging in to the system, and others.
Collection of rules for the detection of suspicious activity when using SIMATIC PCS7, Siemens STEP7, Siemens TIA Portal, and Siemens WinCC software.
Collection of rules for the detection of suspicious activity when using Yokogawa CENTUM VP and ProSafe-RS systems.
The application checks the configuration of control components before saving the settings. The check was added for the Applications Launch Control, Device Control, and System Integrity Monitoring components. The application now displays a warning if the current settings of the control component may increase the load on the computer or cause system failures. For example, in the case of Applications Launch Control, if you selected the mode that blocks all applications except allowed ones, and you did not add any allow rule, the application displays a warning because such a configuration may cause system failures.
Added new components:
Managed Detection and Response for ICS. This component facilitates interaction with the solution known as Kaspersky Managed Detection and Response for Industrial Control Systems. The Kaspersky Managed Detection and Response (MDR) solution automatically detects and analyzes security incidents in the industrial infrastructure. To do so, MDR uses telemetry data received from endpoints and machine learning. MDR sends incident data to Kaspersky experts. The experts can then process the incident and, for example, add a new entry to Anti-Virus databases.
BadUSB Attack Prevention. The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting to the computer. When a USB device that the operating system identifies as a keyboard is connected to the computer, the application prompts the user to type a code on this keyboard to authorize the keyboard.
BitLocker Full Disk Encryption. BitLocker is an encryption technology built into Windows operating systems. Kaspersky Industrial CyberSecurity for Nodes allows you to control and manage BitLocker using Kaspersky Security Center.
Support of the OPC UA protocol for sending data to a SCADA system through the Kaspersky Security Gateway. In addition to the IEC 60870-5-104 and OPC DA protocols, the application now supports the OPC UA protocol, providing cross-platform compatibility.
Windows XP and Windows XP SP1 support for the Portable Scanner. The Portable Scanner can scan isolated devices for viruses and other threats.
The PLC Project Investigation task now supports authentication on Siemens SIMATIC S7-1200 / 1500 controllers. Now you can enter a password for the connections to these PLC models in the task properties.