- Kaspersky Anti Targeted Attack Platform Help
- Kaspersky Anti Targeted Attack Platform
- What's new
- About Kaspersky Threat Intelligence Portal
- Distribution kit
- Hardware and software requirements
- Requirements for Kaspersky Endpoint Agent for Windows
- Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications
- Compatibility of Kaspersky Endpoint Agent for Windows versions with other applications
- Requirements for Kaspersky Endpoint Agent for Linux
- Compatibility of Kaspersky Endpoint Agent for Linux versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Agent for Linux versions with EPP applications
- Compatibility of Kaspersky Endpoint Agent for Linux versions with other applications
- Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Limitations of the current version of the application
- About data provision
- Service data of the program
- Data of the Central Node and Sensor components
- Sandbox component data
- Data transmitted between program components
- Data contained in trace files of the program
- Data of Kaspersky Endpoint Agent for Windows
- Data received from the Central Node component
- Data in fields of Windows Event Log events of Kaspersky Endpoint Agent
- Data in Kaspersky Endpoint Agent for Windows requests to Kaspersky Anti Targeted Attack Platform
- Service data of Kaspersky Endpoint Agent for Windows
- Data contained in Kaspersky Endpoint Agent for Windows trace files and dumps
- Data sent to Kaspersky if the KSN Statement was accepted
- Data in alerts and events
- Data contained in task completion reports
- Data on files that are blocked from starting
- Data related to the performance of tasks
- Data of Kaspersky Endpoint Agent for Linux
- Program licensing
- About the End User License Agreement
- About the license
- About the license certificate
- About the key
- About the key file
- Viewing information about the license and added keys
- Viewing the text of the End User License Agreement in the web interface of the Central Node
- Viewing the text of the Privacy Policy in the web interface of the Central Node
- Viewing information about the third-party code used in the program
- Viewing the text of the End User License Agreement in the web interface of the Sandbox
- Viewing the text of the End User License Agreement on a computer with Kaspersky Endpoint Agent
- Adding a key
- Replacing a key
- Removing a key
- Program modes based on the license
- Program architecture
- Operation of the program
- Distributed solution and multitenancy
- Distributed solution and multitenancy mode transition scenario
- Modifications of program settings for the distributed solution and multitenancy mode
- Assigning the PCN role to a server
- Assigning the SCN role to a server
- Processing SCN to PCN connection requests
- Viewing information about tenants, PCN and SCN servers
- Adding a tenant to the PCN server
- Deleting a tenant from the PCN server
- Renaming a tenant on the PCN server
- Disconnecting an SCN from PCN
- Modifications of program settings for disconnecting an SCN from PCN
- Decommissioning an SCN server
- Sizing Guide
- Installing and performing initial configuration of the program
- Preparing for installing program components
- Preparing the IT infrastructure for program components installation
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP
- Preparing the virtual machine for installing the Sandbox component
- Procedure for installing and configuring program components
- Installing the Sandbox component
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a disk for installing the Sandbox component
- Step 3. Assigning the host name
- Step 4. Selecting the controlling network interface in the list
- Step 5. Assigning the address and network mask of the controlling interface
- Step 6. Adding DNS server addresses
- Step 7. Configuring a static network route
- Step 8. Configuring the minimum password length for the Sandbox administrator password
- Step 9. Creating the Sandbox administrator account
- Deploying the Central Node and Sensor components as a cluster
- Deploying a storage server
- Step 1. Selecting a server role
- Step 2. Selecting the deployment mode
- Step 3. Selecting a disk for installing the component
- Step 4. Viewing the End User License Agreement and Privacy Policy
- Step 5. Selecting a network mask for cluster server addressing
- Step 6. Selecting a network mask for directing program components
- Step 7. Selecting the cluster network interface
- Step 8. Selecting the external network interface
- Step 9. Selecting the method of obtaining IP addresses for network interfaces
- Step 10. Creating an administrator account and authenticating the server in the cluster
- Step 11. Adding DNS server addresses
- Step 12. Selecting disks for the Ceph storage
- Deploying the processing server
- Step 1. Selecting a server role
- Step 2. Selecting the deployment mode
- Step 3. Selecting a disk for installing the component
- Step 4. Viewing the End User License Agreement and Privacy Policy
- Step 5. Selecting a network mask for cluster server addressing
- Step 6. Selecting a network mask for directing program components
- Step 7. Selecting the cluster network interface
- Step 8. Selecting the external network interface
- Step 9. Selecting the method of obtaining IP addresses for network interfaces
- Step 10. Authenticating the server in the cluster
- Step 11. Configuring receipt of mirrored traffic from SPAN ports
- Step 12. Adding DNS server addresses
- Deploying a storage server
- Installing the Central Node and Sensor components on the server
- Step 1. Selecting a server role
- Step 2. Viewing the End User License Agreement and Privacy Policy
- Step 3. Selecting a disk for installing the component
- Step 4. Allocating the disk for the Targeted Attack Analyzer component's database
- Step 5. Selecting a network mask for cluster server addressing
- Step 6. Selecting the external network interface
- Step 7. Selecting the method of obtaining IP addresses for network interfaces
- Step 8. Creating the administrator account
- Step 9. Adding DNS server addresses
- Step 10. Configuring receipt of mirrored traffic from SPAN ports
- Step 11. Configuring time synchronization with an NTP server
- Installing the Sensor component on a standalone server
- Step 1. Selecting a server role
- Step 2. Viewing the End User License Agreement and Privacy Policy
- Step 3. Selecting a disk for installing the component
- Step 4. Selecting the external network interface
- Step 5. Connecting to the server with the Central Node component
- Step 6. Creating the administrator account
- Preparing for installing program components
- Configuring the sizing settings of the program
- Configuring the integration of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Configuring the connection with the Central Node server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Central Node server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Downloading the TLS certificate of the Central Node server
- Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform.
- Uploading a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent
- Enabling the validation of the Kaspersky Endpoint Agent TLS certificate in the web interface of Kaspersky Anti Targeted Attack Platform
- Generating a TLS certificate of Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a cryptographic container
- Uploading an independently prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform.
- Viewing the table of Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Filtering and searching Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Deleting Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Configuring the validation of the Kaspersky Endpoint Agent TLS certificate by the Central Node server and uploading a cryptographic container to Kaspersky Endpoint Agent
- Configuring traffic redirection from Kaspersky Endpoint Agent to the Sensor server
- Generating a TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Uploading an independently prepared TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Downloading the TLS certificate of the Sensor server to your computer
- Configuring the integration and trusted connection with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side
- Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Getting started with the program
- Managing accounts of program administrators and users
- Creating an administrator account for the program web interface
- Creating a user account for the program web interface
- Configuring user account table display
- Viewing the user account table
- Filtering user accounts
- Resetting the account filter
- Changing access rights of a program web interface user account
- Enabling and disabling an administrator account or user account of the program web interface
- Changing the password of a program administrator or user account
- Changing the password of your account
- Authentication using domain accounts
- Participation in Kaspersky Security Network and use of Kaspersky Private Security Network
- Managing the Sandbox component through the web interface
- Updating the Sandbox component databases
- Configuring connection between the Sandbox and Central Node components
- Configuring the Sandbox component network interfaces
- Updating the Sandbox system
- Setting the Sandbox system date and time
- Installing and configuring images of operating systems and software required for the operation of the Sandbox component
- Downloading ISO images of operating systems and software required for the operation of the Sandbox component
- Creating virtual machines with images of operating systems and software required for the operation of the Sandbox component
- Installing virtual machines with images of operating systems and software required for the operation of the Sandbox component
- Deleting all pending virtual machines
- Setting the maximum number of simultaneously running virtual machines
- Downloading the Sandbox system log to the hard drive
- Exporting Sandbox settings
- Importing Sandbox settings
- Restarting the Sandbox server
- Powering off the Sandbox server
- Changing the Sandbox administrator account password
- For the administrator: Getting started in the program web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring program operation
- About widgets and layouts
- Selecting a tenant and a server to manage in the Dashboard section
- Adding a widget to the current layout
- Moving a widget in the current layout
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Monitoring the receipt and processing of incoming data
- Monitoring the queues for data processing by program modules and components
- Monitoring the processing of data by the Sandbox component
- Viewing the working condition of modules and components of the program
- Managing Central Node, PCN, or SCN servers using the program web interface
- Configuring the date and time on the server
- Generating or uploading a TLS certificate of the server
- Downloading the TLS certificate of the server
- Assigning a server DNS name
- Configuring DNS settings
- Configuring settings of the network interface
- Configuring the default network route
- Configuring proxy server connection settings
- Configuring the mail server connection
- Selecting operating systems to use when scanning objects in Sandbox
- Managing the Sensor component
- Viewing the table of servers with the Sensor component
- Processing a connection request from the Sensor component
- Configuring the maximum size of a scanned file
- Configuring receipt of mirrored traffic from SPAN ports
- Configuring integration with a mail server via SMTP
- Configuring TLS encryption of connections with a mail server via SMTP
- Enabling integration with a proxy server via ICAP
- Configuring integration with a mail server via POP3
- Managing the cluster
- Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
- Configuring the SNMP protocol connection
- Managing Kaspersky Endpoint Agent host information
- Selecting a tenant to manage in the Endpoint Agents section
- Viewing the Kaspersky Endpoint Agent host table on a standalone Central Node server
- Viewing the Kaspersky Endpoint Agent host table in distributed solution and multitenancy mode
- Viewing information about a host
- Filtering and searching hosts with Kaspersky Endpoint Agent by host name
- Filtering and searching hosts with Kaspersky Endpoint Agent that have been isolated from the network
- Filtering and searching hosts with Kaspersky Endpoint Agent by PCN and SCN server names
- Filtering and searching hosts with Kaspersky Endpoint Agent by computer IP address
- Filtering and searching hosts with Kaspersky Endpoint Agent by operating system version on the computer
- Filtering and searching hosts with Kaspersky Endpoint Agent by Kaspersky Endpoint Agent version
- Filtering and searching hosts with Kaspersky Endpoint Agent based on their activity
- Quickly creating a filter for hosts with Kaspersky Endpoint Agent
- Resetting the hosts with Kaspersky Endpoint Agent filter
- Configuring activity indicators of Kaspersky Endpoint Agent
- Supported interpreters and processes
- Configuring integration with the Sandbox component
- Configuring integration with external systems
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring integration with an SIEM system
- Managing the activity log
- Database Update
- Creating a list of passwords for archives
- For a security officer: Getting started with the program web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Selecting a tenant to manage in the web interface of the program
- Monitoring program operation
- About widgets and layouts
- Adding a widget to the current layout
- Moving a widget in the current layout
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Configuring the widget display scale
- Basics of managing "Alerts" type widgets
- Viewing the working condition of modules and components of the program
- Viewing the alert table
- Configuring the alert table display
- Filtering, sorting, and searching alerts
- Filtering alerts by VIP status
- Filtering and searching alerts by time
- Filtering alerts by level of importance
- Filtering and searching alerts by categories of objects detected
- Filtering and searching alerts by obtained information
- Filtering and searching alerts by source address
- Filtering and searching alerts by destination address
- Filtering and searching alerts by server name
- Filtering and searching alerts by technology name
- Filtering and searching alerts by the status of their processing by the user
- Sorting alerts in the table
- Quickly creating an alert filter
- Clearing an alert filter
- Viewing alerts
- Viewing alert details
- General information about an alert of any type
- Information in the Object information section
- Information in the Alert information section
- Information in the Scan results section
- Information in the IDS rule section
- Information in the Network event section
- Scan results in Sandbox
- IOC scan results
- Information in the Hosts section
- Information in the Change log section
- Sending alert data
- Recommendations for processing alerts
- User actions performed on alerts
- Events database threat hunting
- Searching events in source code mode
- Searching events in design mode
- Sorting events in the table
- Changing the event search conditions
- Searching events by processing results in EPP programs
- Uploading an IOC file and searching for events based on conditions defined in the IOC file
- Creating a TAA (IOA) rule based on event search conditions
- Event information
- Viewing the table of events
- Configuring the event table display
- Viewing information about an event
- Information about events in the tree of events
- Recommendations for processing events
- Information about the "Process started" event
- Information about the "Process terminated" event
- Information about the "Module loaded" event
- Information about the "Remote connection" event
- Information about the "Prevention rule" event
- Information about the "Document blocked" event
- Information about the "File modified" event
- Information about the "System event log" event
- Information about the "Changes in the registry" event
- Information about the "Port listened" event
- Information about the "Driver loaded" event
- Information about the "Alert" event
- Information about the "Alert processing result" event
- Information about the "Interpreted file run" event
- Information about the "AMSI scan" event
- Information about the "Interactive command input at the console" event
- Managing Kaspersky Endpoint Agent host information
- Viewing the Kaspersky Endpoint Agent host table on a standalone Central Node server
- Configuring the Kaspersky Endpoint Agent host table display
- Viewing information about a host
- Filtering and searching hosts with Kaspersky Endpoint Agent by host name
- Filtering and searching hosts with Kaspersky Endpoint Agent that have been isolated from the network
- Filtering and searching hosts with Kaspersky Endpoint Agent by PCN and SCN server names
- Filtering and searching hosts with Kaspersky Endpoint Agent by computer IP address
- Filtering and searching hosts with Kaspersky Endpoint Agent by operating system version on the computer
- Filtering and searching hosts with Kaspersky Endpoint Agent by Kaspersky Endpoint Agent version
- Filtering and searching hosts with Kaspersky Endpoint Agent based on their activity
- Quickly creating a filter for hosts with Kaspersky Endpoint Agent
- Resetting the hosts with Kaspersky Endpoint Agent filter
- Configuring activity indicators of Kaspersky Endpoint Agent
- Supported interpreters and processes
- Network isolation of Kaspersky Endpoint Agent hosts
- Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
- Managing tasks
- Viewing the task table
- Viewing information about a task
- Creating a get file task
- Creating a forensic collection task
- Creating a registry key retrieval task
- Creating an NTFS metafile retrieval task
- Creating a process memory dump retrieval task
- Creating a disk image retrieval task
- Creating a RAM dump retrieval task
- Creating a process termination task
- Creating a task to scan hosts using YARA rules
- Creating a service management task
- Creating a program execution task
- Creating a file deletion task
- Creating a file quarantine task
- Creating a quarantined file recovery task
- Creating a copy of a task
- Deleting tasks
- Filtering tasks by creation time
- Filtering tasks by type
- Filtering tasks by name
- Filtering tasks by file name and path
- Filtering tasks by description
- Filtering tasks by server name
- Filtering tasks based on the name of the user that created the task
- Filtering tasks by processing status
- Clearing a task filter
- Managing policies (prevention rules)
- Viewing the prevention rule table
- Configuring prevention rule table display
- Viewing a prevention rule
- Creating a prevention rule
- Importing prevention rules
- Enabling and disabling a prevention rule
- Enabling and disabling presets
- Deleting prevention rules
- Filtering prevention rules by name
- Filtering prevention rules by type
- Filtering prevention rules by file hash
- Filtering prevention rules by server name
- Clearing a prevention rule filter
- Managing user-defined rules
- Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
- Managing user-defined IOC rules
- Viewing the table of IOC files
- Viewing information about an IOC file
- Uploading an IOC file
- Downloading an IOC file to a computer
- Enabling and disabling the automatic use of an IOC file when scanning hosts
- Deleting an IOC file
- Searching for alerts in IOC scan results
- Searching for events using an IOC file
- Filtering and searching IOC files
- Clearing an IOC file filter
- Configuring an IOC scan schedule
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Creating a TAA (IOA) rule based on event search conditions
- Importing a TAA (IOA) rule
- Viewing custom TAA (IOA) rule details
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Enabling and disabling TAA (IOA) rules
- Modifying a TAA (IOA) rule
- Deleting TAA (IOA) rules
- Managing user-defined IDS rules
- Importing a user-defined IDS rule
- Viewing the information of a user-defined IDS rule
- Enabling and disabling the use of an IDS rule when scanning events
- Configuring the importance of alerts generated by the user-defined IDS rule
- Replacing a user-defined IDS rule
- Downloading a user-defined IDS rule file to the computer
- Deleting a user-defined IDS rule
- Managing user-defined YARA rules
- Managing objects in Storage and Quarantine
- Viewing the table of objects that were placed in Storage
- Viewing information about an object manually placed in Storage using the web interface
- Viewing information about an object placed in Storage by a get file task
- Viewing information about an object placed in Storage by a get data task
- Downloading objects from Storage
- Uploading objects to Storage
- Sending objects in Storage for scanning
- Deleting objects from Storage
- Filtering objects in Storage by object type
- Filtering objects in Storage by object description
- Filtering objects in Storage based on scan results
- Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
- Filtering objects in Storage by object source
- Filtering objects based on the time they were placed in Storage
- Clearing a Storage objects filter
- Viewing the table of objects quarantined on computers with Kaspersky Endpoint Agent
- Viewing information about a quarantined object
- Restoring an object from Quarantine
- Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
- Removing information about the quarantined object from the table
- Filtering information about quarantined objects by object type
- Filtering information about quarantined objects by object description
- Filtering information about quarantined objects by host name
- Filtering information about quarantined objects by time
- Resetting the filter for information about quarantined objects
- Managing reports
- Viewing the table of templates and reports
- Creating a template
- Creating a report based on a template
- Viewing a report
- Downloading a report to a local computer
- Editing a template
- Filtering templates by name
- Filtering templates based on the name of the user that created the template
- Filtering templates by creation time
- Clearing a template filter
- Deleting a template
- Filtering reports by creation time
- Filtering reports by name
- Filtering reports by the name of the server with the Central Node component
- Filtering reports based on the name of the user that created the report
- Clearing a report filter
- Deleting a report
- Managing rules for assigning the VIP status to alerts
- Viewing the table of VIP status assignment rules
- Creating a VIP status assignment rule
- Deleting a VIP status assignment rule
- Modifying a VIP status assignment rule
- Importing a list of VIP status assignment rules
- Exporting a list of VIP status assignment rules
- Filtering and searching by type of VIP status assignment rule
- Filtering and searching by value of VIP status assignment rule
- Filtering and searching by description of VIP status assignment rule
- Clearing a VIP status assignment rule filter
- Managing the list of scan exclusions
- Viewing the table of data excluded from the scan
- Adding a scan exclusion rule
- Deleting a scan exclusion rule
- Editing a rule added to scan exclusions
- Exporting the list of data excluded from the scan
- Filtering rules in the scan exclusion list by criterion
- Searching rules in the scan exclusion list by value
- Resetting the rule filter in the scan exclusion list
- Managing IDS exclusions
- Managing TAA exclusions
- Creating a list of passwords for archives
- Viewing server settings
- Viewing the table of servers with the Sandbox component
- Viewing the table of servers with the Sensor component
- Viewing the table of external systems
- Sending notifications
- Viewing the table of rules for sending notifications
- Creating a rule for sending notifications about alerts
- Creating a rule for sending notifications about the operation of program components
- Enabling and disabling a rule for sending notifications
- Modifying a rule for sending notifications
- Deleting a rule for sending notifications
- Filtering and searching notification forwarding rules by rule type
- Filtering and searching notification forwarding rules based on the notification subject
- Filtering and searching notification forwarding rules by email address
- Filtering and searching notification forwarding rules based on their status
- Clearing a notification forwarding rule filter
- Managing Kaspersky Endpoint Agent for Windows
- Installing and uninstalling Kaspersky Endpoint Agent
- Preparing for Kaspersky Endpoint Agent installation
- Installing Kaspersky Endpoint Agent
- Installing and uninstalling Kaspersky Endpoint Agent locally
- Installing Kaspersky Endpoint Agent using Kaspersky Security Center
- Installing Kaspersky Endpoint Agent administration tools
- Updating Kaspersky Endpoint Agent from the previous version
- Repairing Kaspersky Endpoint Agent
- Changes in the system after Kaspersky Endpoint Agent installation
- Kaspersky Endpoint Agent activation
- Managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console
- Managing Kaspersky Endpoint Agent policies
- Configuring Kaspersky Endpoint Agent settings
- Opening Kaspersky Endpoint Agent settings window
- Configuring Kaspersky Endpoint Agent security settings
- Configuring Kaspersky Endpoint Agent connection settings to a proxy server
- Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation
- Configuring KSN usage in Kaspersky Endpoint Agent
- Configuring integration between Kaspersky Endpoint Agent and KATA Central Node
- Configuring EDR telemetry settings
- Configuring storage settings in Kaspersky Endpoint Agent
- Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response
- Configuring failure diagnosis
- Managing Kaspersky Endpoint Agent tasks
- Creating a local task
- Creating a group task
- Viewing the table of tasks
- Deleting a task from the list
- Starting tasks manually
- Starting tasks by schedule
- Viewing task execution results
- Configuring the storage time for the task execution results on the Administration Server
- Creating Kaspersky Endpoint Agent activation task
- Managing Kaspersky Endpoint Agent database and module update tasks
- Managing IOC Scan tasks in Kaspersky Endpoint Agent
- Managing Kaspersky Endpoint Agent using Kaspersky Security Center Web Console
- Managing Kaspersky Endpoint Agent policies
- Configuring Kaspersky Endpoint Agent settings
- Opening Kaspersky Endpoint Agent settings window
- Configuring Kaspersky Endpoint Agent security settings
- Configuring Kaspersky Endpoint Agent connection settings to a proxy server
- Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation
- Configuring Kaspersky Endpoint Agent policy type
- Configuring KSN usage in Kaspersky Endpoint Agent
- Configuring integration between Kaspersky Endpoint Agent and KATA Central Node
- Configuring EDR telemetry settings
- Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response
- Configuring storage settings in Kaspersky Endpoint Agent
- Configuring failure diagnosis
- Managing Kaspersky Endpoint Agent tasks
- Creating tasks
- Viewing the table of tasks
- Deleting a task from the list
- Configuring task schedule settings
- Starting tasks manually
- Creating Kaspersky Endpoint Agent activation tasks
- Configuring Database and application module update task
- Managing Standard IOC Scan tasks
- Configuring the Quarantine file task
- Configuring the Delete file task
- Configuring the Run process task
- Configuring the Terminate process task
- Managing Kaspersky Endpoint Agent using the command line interface
- Managing Kaspersky Endpoint Agent activation
- Managing Kaspersky Endpoint Agent authentication
- Configuring tracing
- Configuring creating a dump of Kaspersky Endpoint Agent processes
- Viewing information about quarantine settings and quarantined objects
- Actions on quarantined objects
- Managing integration settings with KATA Central Node component
- Running Kaspersky Endpoint Agent database and module update
- Starting, stopping and viewing the current application status
- Protecting the application with password
- Protecting application services with PPL technology
- Managing self-defense settings
- Managing event filtering
- Managing Standard IOC Scan tasks
- Managing scanning of files and processes according to YARA rules
- Managing scanning of autorun point objects according to YARA rules
- Creating a memory dump
- Creating a disk dump
- Installing and uninstalling Kaspersky Endpoint Agent
- Managing Kaspersky Endpoint Agent for Linux
- Installing and removing Kaspersky Endpoint Agent for Linux
- Preparing to install Kaspersky Endpoint Agent for Linux
- Installing Kaspersky Endpoint Agent for Linux using Kaspersky Security Center Administration Console
- Installing Kaspersky Endpoint Agent for Linux using Kaspersky Security Center Web Console
- Local installation of Kaspersky Endpoint Agent for Linux
- Updating and restoring Kaspersky Endpoint Agent for Linux
- Removing Kaspersky Endpoint Agent for Linux
- Managing Kaspersky Endpoint Agent for Linux policies using Kaspersky Security Center Administration Console
- Managing Kaspersky Endpoint Agent for Linux using Kaspersky Security Center Web Console
- Managing Kaspersky Endpoint Agent for Linux using the command line
- Verifying the integrity of Kaspersky Endpoint Agent for Linux components
- Installing and removing Kaspersky Endpoint Agent for Linux
- Creating a backup copy and restoring the program from backup
- Creating a backup copy of Central Node server settings from the program administrator menu
- Downloading a file containing a backup copy of server settings from the Central Node or PCN server to the hard drive of the computer
- Uploading a file containing a backup copy of server settings from your computer to the Central Node server
- Restoring server settings from a backup copy using the program administrator menu
- Creating a backup copy of the program in Technical Support Mode
- Restoring the program from a backup copy in Technical Support Mode
- Updating Kaspersky Anti Targeted Attack Platform
- Interaction with external systems via API
- Integrating an external system with Kaspersky Anti Targeted Attack Platform
- API for scanning objects of external systems
- API for sending alert information to external systems
- API for managing Threat Response actions
- Sources of information about the program
- Contacting the Technical Support Service
- Glossary
- Advanced persistent threat (APT)
- Alternate data stream
- Anti-Malware Engine
- Backdoor program
- Central Node
- Communication channel bandwidth
- CSRF attack
- Distributed solution
- Dump
- End User License Agreement
- ICAP data
- Intrusion Detection System
- IOA
- IOC
- IOC file
- Kaspersky Anti Targeted Attack Platform
- Kaspersky Endpoint Agent
- Kaspersky Private Security Network
- Kaspersky Secure Mail Gateway
- Kaspersky Security Network (KSN)
- Kaspersky Threat Intelligence Portal
- KATA
- KEDR
- Kerberos authentication
- Keytab file
- Local reputation database of KPSN
- Malicious web addresses
- MIB (Management Information Base)
- Mirrored traffic
- MITM attack
- MITRE technique
- Multitenancy
- New generation threats
- NTP server
- OpenIOC
- Phishing URL addresses
- Sandbox
- Sensor
- Service principal name (SPN)
- SIEM system
- Signature
- SPAN
- Syslog
- TAA (IOA) rule
- Targeted attack
- Targeted Attack Analyzer
- Tenant
- TLS encryption
- Tracing
- VIP status
- YARA
- YARA rules
- Zero-day attack
- Zero-day vulnerability
- Information about third-party code
- Trademark notices
Kaspersky Anti Targeted Attack Platform
Kaspersky Anti Targeted Attack Platform
Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the program") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The program is developed for corporate users.
Kaspersky Anti Targeted Attack Platform includes two functional blocks:
- Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
- Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"), which provides protection for the local area network of the organization.
The program can receive and process data in the following ways:
- Integrate into the local area network, receive and process mirrored SPAN, ERSPAN and RSPAN traffic, and extract objects and metadata from the HTTP, FTP, SMTP, and DNS protocols.
A copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.
- Connect to the proxy server via the ICAP protocol, receive and process data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
- Connect to the mail server via the POP3 (S) and SMTP protocols, receive and process copies of e-mail messages.
- Integrate with Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, receive, and process copies of email messages.
For detailed information on Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, please refer to the documentation on these programs.
- Integrate with Kaspersky Endpoint Agent and receive data from individual computers running Microsoft Windows and Linux operating systems in the corporate IT infrastructure. Kaspersky Endpoint Agent continuously monitors processes running, active network connections, and files that are being modified on those computers.
- Integrate with external systems with the use of the REST API interface and scan files on these systems.
The program uses the following means of Threat Intelligence:
- Infrastructure of Kaspersky Security Network (also referred to as "KSN") cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky programs to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
- Integration with Kaspersky Private Security Network (KPSN) to access the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
- Integration with the Kaspersky information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
- The Kaspersky Threats database.
The program can provide the user with the results of its performance and Threat Intelligence in the following ways:
- Display the results of work done in the web interface of the Central Node, Primary Central Node (hereinafter also PCN) or Secondary Central Node (hereinafter also SCN) servers.
- Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
- Integrate with external systems via the REST API and send information on detects to external systems on demand.
- Publish information on Sandbox component alerts in the local reputation database of Kaspersky Private Security Network.
Database of the reputations of objects (files or URLs) that is stored on the Kaspersky Private Security Network server but not on Kaspersky Security Network servers. Local reputation databases are managed by the KPSN administrator.
Users with the Senior security officer or Security officer role can perform the following actions in the program:
- Monitor program performance.
- View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, view and manage each alert, and follow recommendations for evaluating and investigating incidents.
- Look through the table of events occurring on computers and servers of the corporate IT infrastructure, search for threats, filter, view and manage each event, follow recommendations for evaluating and investigating incidents.
- Run tasks on hosts with Kaspersky Endpoint Agent: run programs and stop processes, download and delete files, quarantine objects on Kaspersky Endpoint Agent workstations, place copies of files in Storage, and restore files from quarantine.
- Set up policies for preventing the running of files that they consider to be unsafe on selected hosts with Kaspersky Endpoint Agent.
- Isolate separate hosts with Kaspersky Endpoint Agent from the network.
- Work with TAA (IOA) rules to classify and analyze events.
- Manage user-defined Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA rules — upload rules to be used for scanning events and creating alerts.
- Work with OpenIOC compliant files (IOC files) to search for signs of targeted attacks, infected and probably infected objects on hosts with the Endpoint Agent component and in the Alerts database.
- Exclude TAA (IOA) rules and IDS rules defined by Kaspersky from scanning.
- Manage objects in quarantine and copies of objects in Storage.
- Manage reports on the program performance and on detects.
- Configure forwarding of notifications about alerts and about program operation problems to one or multiple email addresses.
- Manage the list of VIP alerts and the list of data excluded from the scan, and populate the local reputation database of KPSN.
Users with the Security auditor role can perform the following actions in the program:
- Monitor program performance.
- View the table of detected signs of targeted attacks and intrusions into the enterprise IT infrastructure, filter and search alerts, and view the data of each alert.
- Look through the table of events occurring on the computers and servers of the enterprise IT infrastructure, search for threats, filter and view each event.
- View the list of hosts with the Endpoint Agent component and information about selected hosts.
- View the custom rules for Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA.
- View the scan-excluded TAA (IOA) rules and IDS rules defined by Kaspersky experts.
- View reports on program performance and reports on alerts.
- View the list of VIP alerts and the list of data excluded from the scan.
- Monitor program performance.
- View all settings made in the program web interface.
Users with the Local administrator or Administrator role can perform the following actions in the program:
- Configure program operation settings.
- Configure servers for the distributed solution and multitenancy mode.
- Administer integration of the program with other programs and systems.
- Manage TLS certificates and set up trusted connections between Central Node and Sandbox servers and between Kaspersky Anti Targeted Attack Platform servers and Kaspersky Endpoint Agent as well as external systems.
- Manage accounts of program users.
- Monitor program performance.
The program detects the following events occurring within the corporate IT infrastructure and notifies the user accordingly:
- A file has been downloaded or an attempt was made to download a file to a corporate LAN computer.
- A file has been sent to the email address of a user on the corporate LAN.
- A website link was opened on a corporate LAN computer.
- Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected.
- Processes have been started on a corporate LAN computer.
Kaspersky Anti Targeted Attack Platform evaluates events and advises the user to direct attention to each detected event (alert) according to the impact that this alert may have on computer or corporate LAN security based on Kaspersky experience.
The Kaspersky Anti Targeted Attack Platform user independently makes a decision about further actions in response to alerts.
Article ID: 194459, Last review: Mar 6, 2023