If joint operation with EPP applications is configured in Kaspersky Industrial CyberSecurity for Networks, you can trigger response actions on devices. Response actions allow you to prevent or minimize the consequences of threats detected on devices in an industrial network. Each response action is triggered manually when working with the corresponding object in the application.
The capability to trigger response actions is available for devices with the Endpoint Agent software component. When a response action is triggered, Kaspersky Industrial CyberSecurity for Networks transmits the information about it to Endpoint Agent. The Endpoint Agent software component executes the received command and sends a completion notification to Kaspersky Industrial CyberSecurity for Networks.
Depending on the nature of the threats detected on devices, you can trigger the following response actions:
After enabling network isolation of a device, the Endpoint Agent software component terminates all active TCP/IP network connections on the device and blocks all new ones, except for the following connections:
Device network isolation remains active until network isolation is disabled in Kaspersky Industrial CyberSecurity for Networks. If network isolation is not manually disabled, it will be disabled automatically 9,999 hours after it is enabled.
You can configure rules to block the launch of executable files and scripts, as well as the opening of office format files on selected devices. For example, you can block the launch of applications that you consider insecure on a selected device running the Endpoint Agent software component. The application identifies files by their file path or checksum using the MD5 and SHA256 hashing algorithms.
In the event of launch blocking, the user is notified about the triggered launch blocking rule. If the device user does not close the pop-up notification, it will close automatically 60 seconds after it appears.
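The following is an added illustrative model of how launch-blocking rules identify a file by path or by checksum, as described above. It is example code written for this page, not the rule format or API of Kaspersky Industrial CyberSecurity for Networks or Endpoint Agent; the rule structure, the file contents and the paths are constructed for the example. It also shows the practical difference between the two identification methods: a rule keyed on the file path does not match a renamed copy of the same file, whereas a checksum rule does.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Illustrative rule model (constructed for this example, not the product's own format).
# A rule identifies a file either by its full path or by an MD5 or SHA256 checksum.
@dataclass(frozen=True)
class BlockRule:
    kind: str    # "path", "md5" or "sha256"
    value: str   # full file path, or lowercase hex digest
    name: str    # label reported when the rule is triggered


def file_digests(content: bytes) -> Dict[str, str]:
    """Compute both checksums that a rule may reference."""
    return {
        "md5": hashlib.md5(content).hexdigest(),
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def matching_rule(path: str, content: bytes, rules: List[BlockRule]) -> Optional[BlockRule]:
    """Return the first rule that would block launching this file, or None if it is allowed."""
    digests = file_digests(content)
    for rule in rules:
        if rule.kind == "path" and rule.value == path:
            return rule
        if rule.kind in digests and rule.value.lower() == digests[rule.kind]:
            return rule
    return None


def evaluate(files: Dict[str, bytes], rules: List[BlockRule]) -> Dict[str, Optional[str]]:
    """Map each file path to the name of the rule that blocks it, or None if launch is allowed."""
    verdicts = {}
    for path, content in files.items():
        rule = matching_rule(path, content, rules)
        verdicts[path] = rule.name if rule else None
    return verdicts


# Constructed sample data: a tool considered insecure on this device, and a renamed copy of it.
INSECURE_TOOL = b"MZ... constructed fake executable content ..."
RULES = [
    BlockRule("path", "C:\\Tools\\remote_admin.exe", "Block remote_admin by path"),
    BlockRule("sha256", hashlib.sha256(INSECURE_TOOL).hexdigest(), "Block remote_admin by SHA256"),
]
SAMPLE_FILES = {
    "C:\\Tools\\remote_admin.exe": INSECURE_TOOL,                # both rules match
    "C:\\Users\\op\\Desktop\\ra_copy.exe": INSECURE_TOOL,        # renamed copy: only the checksum rule matches
    "C:\\Windows\\System32\\notepad.exe": b"different content",  # no rule matches: allowed
}

if __name__ == "__main__":
    for file_path, verdict in evaluate(SAMPLE_FILES, RULES).items():
        print(f"{file_path}: {verdict or 'allowed'}")
```

Running the block shows that `ra_copy.exe` is blocked only because a checksum rule exists; with the path rule alone, the renamed copy would be allowed to start. When you want a rule to hold regardless of where a file is placed, identify the file by its checksum; a path rule is the right choice when the goal is to block whatever is installed at a fixed location.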
Quarantine is a designated local storage on a device running the Endpoint Agent software component that stores files that are potentially infected with viruses or that could not be disinfected at the time of detection. Quarantined files are stored in encrypted form and do not pose a threat to the security of the device.
Kaspersky Security Center generates a common list of quarantined objects on devices running Endpoint Agent. Device Network Agents transmit information on quarantined files to the Administration Server.
Kaspersky Security Center Network Agent does not copy quarantined files to the Administration Server. All objects are located on protected devices running Endpoint Agent. Objects are restored from quarantine on protected devices.
System-critical objects (SCOs) cannot be deleted. SCOs are files that are required for proper operation of the operating system and the EPP application.
Deletion of a file from the device file system may be postponed until the device is restarted (for example, if the file is being used by other processes). If file deletion is postponed until the device is restarted, the EPP application notifies Kaspersky Industrial CyberSecurity for Networks about this. In this case, after the response action is triggered, Kaspersky Industrial CyberSecurity for Networks displays a warning about the postponed file deletion. It is recommended to check whether the file was successfully deleted after the device is restarted.
You can remotely terminate processes running on the device. The EPP application terminates the process that is started from the file at the file path specified for the response action. The characters in the process name are case sensitive (the process name must fully match the file name in the response action).
System-critical objects (SCOs) cannot be terminated.
The device may have multiple processes running at the file path specified for the response action. In this case, the EPP application tries to terminate all such processes, taking into account the limit on the number of processes that can be terminated (if such a limit is specified in the application). Therefore, if there is a large number of processes running from a single executable file, the EPP application may not be able to terminate some of these processes.
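The following is an added example, written for this page and not taken from the EPP application, that models the three rules stated for the Terminate process action: the file path must match exactly and case sensitively, system-critical objects are never terminated, and when a limit on the number of terminated processes is configured, processes beyond that limit are left running. The process table, PIDs, paths and the limit value are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    exe_path: str
    system_critical: bool = False   # SCO flag (constructed attribute for the model)


@dataclass
class TerminateResult:
    terminated: List[int] = field(default_factory=list)     # PIDs that were terminated
    skipped_limit: List[int] = field(default_factory=list)  # matching PIDs left running because of the limit
    protected: List[int] = field(default_factory=list)      # matching PIDs that are SCOs


def terminate_by_path(processes: List[Proc], target_path: str,
                      max_terminations: Optional[int] = None) -> TerminateResult:
    """Model of the Terminate process action (illustrative, not the product's implementation).

    - the path comparison is exact and case sensitive
    - system-critical objects are never terminated
    - if max_terminations is set, no more than that many processes are terminated
    """
    result = TerminateResult()
    for proc in processes:
        if proc.exe_path != target_path:
            continue
        if proc.system_critical:
            result.protected.append(proc.pid)
            continue
        if max_terminations is not None and len(result.terminated) >= max_terminations:
            result.skipped_limit.append(proc.pid)
            continue
        result.terminated.append(proc.pid)
    return result


def remaining_after(processes: List[Proc], result: TerminateResult) -> List[Proc]:
    """Process table after the action: everything that was not terminated is still running."""
    return [p for p in processes if p.pid not in result.terminated]


# Constructed sample process table: five instances of one script, one instance whose path
# differs only in case, one unrelated SCO, and a hypothetical SCO at the targeted path.
PROCESSES = [
    Proc(101, "/opt/tools/agent.sh"),
    Proc(102, "/opt/tools/agent.sh"),
    Proc(103, "/opt/tools/agent.sh"),
    Proc(104, "/opt/tools/agent.sh"),
    Proc(105, "/opt/tools/agent.sh"),
    Proc(106, "/OPT/TOOLS/AGENT.SH"),
    Proc(1, "/sbin/init", system_critical=True),
    Proc(107, "/opt/tools/agent.sh", system_critical=True),
]

if __name__ == "__main__":
    outcome = terminate_by_path(PROCESSES, "/opt/tools/agent.sh", max_terminations=3)
    print("terminated:", outcome.terminated)
    print("left running because of the limit:", outcome.skipped_limit)
    print("protected SCOs:", outcome.protected)
    print("still running:", [p.pid for p in remaining_after(PROCESSES, outcome)])
```

With a limit of 3 and five matching processes, two instances remain running after the action, which is the situation the text warns about: check the process list after the action completes and, if instances remain, trigger the action again.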
On the device, you can remotely run processes of executable files (including processes that were terminated via the Terminate process response action), scripts, utilities, and applications. To start a process, you must specify the start command. You can also specify command-line arguments and the path to the working directory. Note that to start a process using the Kaspersky Industrial CyberSecurity for Linux Nodes EPP application on the device, you may need to configure SELinux.
After the command is executed, the Endpoint Agent software component sends Kaspersky Industrial CyberSecurity for Networks text files containing the data that the started process wrote to its standard output and standard error streams (no more than 100 KB of data in each file).
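The following is an added example that reproduces, for a local command, the behaviour described above: a start command is run with optional arguments and a working directory, and the standard output and standard error streams are captured separately, each limited to 100 KB. It is example code written for this page, not Endpoint Agent's implementation; in particular, the interpretation of 100 KB as 100 x 1024 bytes and the timeout value are assumptions, and the command run in the demonstration is constructed.

```python
import subprocess
import sys
from typing import Dict, Optional, Sequence

# Assumed interpretation of the 100 KB limit per stream (1 KB = 1024 bytes).
STREAM_LIMIT = 100 * 1024


def run_process(command: str, args: Sequence[str] = (),
                working_dir: Optional[str] = None, timeout: int = 60) -> Dict[str, object]:
    """Run a command with arguments and an optional working directory.

    Returns the exit code and the first STREAM_LIMIT bytes of stdout and stderr,
    plus flags that tell the operator whether either stream was cut off.
    """
    completed = subprocess.run(
        [command, *args],
        cwd=working_dir,
        capture_output=True,
        timeout=timeout,
    )
    return {
        "returncode": completed.returncode,
        "stdout": completed.stdout[:STREAM_LIMIT],
        "stdout_truncated": len(completed.stdout) > STREAM_LIMIT,
        "stderr": completed.stderr[:STREAM_LIMIT],
        "stderr_truncated": len(completed.stderr) > STREAM_LIMIT,
    }


def demo() -> Dict[str, object]:
    """Constructed demonstration: a child process that writes 150 KB to stdout and one line to stderr."""
    script = "import sys; sys.stdout.write('A' * 150 * 1024); sys.stderr.write('warn\\n')"
    return run_process(sys.executable, ["-c", script])


if __name__ == "__main__":
    result = demo()
    print("exit code:", result["returncode"])
    print("stdout bytes kept:", len(result["stdout"]), "truncated:", result["stdout_truncated"])
    print("stderr:", result["stderr"], "truncated:", result["stderr_truncated"])
```

The truncation flags are the part worth keeping in any tooling of your own: when the saved output file is exactly at the limit, the end of the process output was not captured, and the process should be started again with output redirected to a file on the device if the full output is needed.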
For the Isolate device from the network, Prevent run and Move to quarantine response actions, you can trigger the corresponding reverse actions in Kaspersky Industrial CyberSecurity for Networks. This capability allows you to restore normal device functionality after a triggered response action has been completed and the threat has been eliminated from the device. The following reverse actions are available:
Kaspersky Industrial CyberSecurity for Networks registers triggered response actions and the corresponding reverse actions. The registered actions are displayed in the Events section on the Response actions tab.
You can trigger response actions by selecting the relevant events, executable files or devices. You can also trigger new response actions from registered, completed actions, provided that the selected action allows a reverse action to be triggered.
The actions available to you depend on the selected object. For example, if you selected a device with the Endpoint Agent software component, you can only manage network isolation of this device and start processes on it. All other response actions are available under other conditions.
Only users with the Administrator or Security Officer role can trigger response actions and corresponding reverse actions.