Contents
- Managing the Sensor component
- Viewing the table of servers with the Sensor component
- Processing a connection request from the Sensor component
- Configuring the maximum size of a scanned file
- Configuring receipt of mirrored traffic from SPAN ports
- Configuring integration with a mail server via SMTP
- Configuring TLS encryption of connections with a mail server via SMTP
- Enabling integration with a proxy server via ICAP
- Configuring integration with a mail server via POP3
Managing the Sensor component
The Sensor component receives data from network traffic and mail traffic.
You can install the Sensor and Central Node components on the same server or on separate servers. If the Sensor component is installed on a standalone server, you must connect it to the server with the Central Node component.
If you are using the distributed solution and multitenancy mode, perform the necessary actions to connect to PCN or SCN servers.
Viewing the table of servers with the Sensor component
The table of servers with the Sensor component is located in the Sensor servers section of the program web interface window. The table contains the following information:
- IP/name—IP address or domain name of the server with the Sensor component.
- Type—Type of Sensor component. Possible values:
  - Central Node—The Sensor component is installed on the same server as the Central Node component.
  - Remote—The Sensor component is installed on a different server or a mail sensor is used as the Sensor component.
- Certificate fingerprint—Fingerprint of the TLS certificate used to establish an encrypted connection between servers with the Sensor and Central Node components.
- KSN/KPSN—Status of the connection to the KSN/KPSN reputation databases.
- SPAN—Status of SPAN traffic processing.
- SMTP—Status of integration with a mail server via SMTP.
- ICAP—Status of integration with a proxy server via ICAP.
- POP3—Status of integration with a mail server via POP3.
- State—Status of the connection request.
Processing a connection request from the Sensor component
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
You can accept, decline, or revoke a previously accepted connection request from the Sensor component.
To process a connection request from the Sensor component:
- Select the Sensor servers section in the window of the program web interface.
The Server list table displays the Sensor components that are already connected, as well as pending connection requests.
- In the line containing the connection request of the Sensor component, perform one of the following actions:
  - If you want to connect the Sensor component, click the Accept button.
  - If you do not want to connect the Sensor component, click the Reject button.
- In the confirmation window, click Yes.
The connection request from the Sensor component will be processed.
Configuring the maximum size of a scanned file
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the maximum size of a scanned file:
- Select the Sensor servers section in the window of the program web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure the maximum size of a scanned file.
This opens the Sensor component settings page.
- Select the General settings section.
- If you want the program to scan files of any size, select the Unlimited check box.
- If you want to set a maximum size for files that the program will scan:
  - Clear the Unlimited check box.
  - In the field under the check box, enter the maximum allowed size of a file.
  - In the drop-down list to the right of the field, select the unit of measurement.
- Click Apply.
The maximum size of a scanned file will be configured.
Configuring receipt of mirrored traffic from SPAN ports
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure receipt of mirrored traffic from SPAN ports:
- Select the Sensor servers section in the window of the program web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure the receipt of mirrored traffic from SPAN ports.
This opens the Sensor component settings page.
- Select the SPAN traffic processing section.
The Network interfaces table is displayed.
- In the row of the network interface from which you want to configure the receipt of mirrored traffic, set the toggle switch in the SPAN traffic scanning column to Enabled.
- In the Capture thread drop-down list, select the thread that will process traffic from this network interface.
- In the Select CPU drop-down list, select the processor that will process the network traffic.
- Click Apply.
The receipt of mirrored traffic from SPAN ports will be configured.
Configuring integration with a mail server via SMTP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over SMTP:
- Select the Sensor servers section in the window of the program web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure integration with the mail server via SMTP.
This opens the Sensor component settings page.
- Select the SMTP integration section.
- In the State field, set the toggle switch to Enabled.
- In the Destination domains field, specify the name of the mail domain or subdomain. The program will scan email messages sent to mailboxes of the specified domains.
To disable a domain or subdomain, specify it in the form !domain.tld.
If you leave the mail domain name blank, the program will receive messages sent to any email address.
- In the Clients field, specify the IP addresses of hosts and/or masks of subnets (in CIDR notation) with which the program is allowed to interact over the SMTP protocol.
To disable a host or subnet, specify its address in the form !host.
If you leave this field blank, the program will receive the following messages:
  - From any email addresses if you specified email domains in the Destination domains field.
  - From a mail server in the same subnet as the server with the Sensor component if no domain is indicated in the Destination domains field.
- If you want the program to receive messages of any size, in the Message size limit settings group, select the Unlimited check box.
- If you want to set a maximum allowed size of incoming messages:
  - Clear the Unlimited check box.
  - In the field under the check box, enter the maximum allowed size of a message.
  - In the drop-down list to the right of the field, select the unit of measurement.
- Click Apply.
Integration with a mail server via SMTP will be configured. The program will scan email messages received over the SMTP protocol according to the defined settings.
If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with the mail server.
To configure fault-tolerant integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.
Configuring TLS encryption of connections with a mail server via SMTP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure TLS encryption of connections with the mail server over SMTP:
- Select the Sensor servers section in the window of the program web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure TLS encryption of connections with the mail server over the SMTP protocol.
This opens the Sensor component settings page.
- Select the SMTP integration section.
- In the State field, set the toggle switch to Enabled if it is disabled.
- In the Client TLS security level settings group, select one of the following options:
  - No TLS encryption.
    The program will not employ TLS encryption of connections with a mail server.
  - Attempt TLS encryption for incoming messages.
    The program will support TLS encryption of the connection, but encryption will not be mandatory.
  - Require TLS encryption for incoming messages.
    The program will receive messages only over encrypted channels.
- Click the Download TLS certificate button to save the TLS certificate of the server with the Sensor component on the computer in the browser's downloads folder.
This certificate is required for authentication on the mail server.
- In the Requesting Client TLS certificate settings group, select one of the following options:
  - Do not request.
    The program will not verify the TLS certificate of the mail server.
  - Request.
    The program will request a TLS certificate from the mail server, if one is available.
  - Require.
    The program will receive messages only from those mail servers that have a TLS certificate.
- Click Apply.
TLS encryption of connections with the mail server over the SMTP protocol will be configured.
Enabling integration with a proxy server via ICAP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
When a standalone proxy server is used, Kaspersky Anti Targeted Attack Platform does not provide encryption of ICAP traffic or authentication of ICAP clients by default. The program administrator must independently ensure a secure network connection between your proxy server and Kaspersky Anti Targeted Attack Platform by using traffic tunneling or iptables.
To enable integration with a proxy server over ICAP:
- Select the Sensor servers section in the window of the program web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure integration with a proxy server over the ICAP protocol.
This opens the Sensor component settings page.
- Select the ICAP integration with proxy server section.
- In the State field, set the toggle switch to Enabled.
The Host field displays the URL of the Response Modification (RESPMOD) service that processes inbound traffic.
Use this URL to configure integration with Kaspersky Anti Targeted Attack Platform via ICAP on a proxy server that is used in your organization.
- Click Apply.
Integration with a proxy server over the ICAP protocol will be enabled.
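The iptables approach mentioned at the start of this section could look like the following. This is an added example, not part of the original documentation or the product: it prints rules that accept ICAP connections only from listed proxy addresses and drop all others. The port 1344 (the ICAP default from RFC 3507), the chain name ICAP_IN, the function names and the addresses are assumptions; take the real port from the URL shown in the Host field.

```shell
#!/bin/sh
# Added example: print iptables rules that limit the ICAP listener to known proxies.
# Assumption: ICAP listens on TCP 1344 (RFC 3507 default); use the port from the
# URL shown in the Host field. All addresses here are constructed samples.
ICAP_PORT="${ICAP_PORT:-1344}"

# is_ipv4_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/nn with valid ranges.
is_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# icap_rules PROXY...: validate every source first, then print the rule set.
# Nothing is printed on bad input, so a typo cannot yield a partial rule set.
icap_rules() {
    [ $# -gt 0 ] || { echo "no proxy addresses given" >&2; return 1; }
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "invalid address: $src" >&2; return 1; }
    done
    echo "iptables -N ICAP_IN"
    echo "iptables -I INPUT 1 -p tcp --dport $ICAP_PORT -j ICAP_IN"
    for src in "$@"; do
        echo "iptables -A ICAP_IN -s $src -j ACCEPT"
    done
    echo "iptables -A ICAP_IN -j DROP"   # everything else is dropped
}

# Dry run for review: one proxy host and one proxy subnet (sample values).
icap_rules 10.0.5.10 10.0.6.0/28
```

The script only prints the commands so that they can be reviewed before being applied as root; making the rules persistent across reboots depends on the distribution.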
If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with a proxy server.
To configure the fault-tolerant integration with the proxy server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the proxy server settings.
Integration with the proxy server will be configured based on the domain name. The proxy server will communicate with a random server in the cluster. If this server fails, the proxy server will communicate with another healthy server in the cluster.
Configuring integration with a mail server via POP3
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over POP3:
- Select the Sensor servers section in the window of the program web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure integration with the mail server via POP3.
This opens the Sensor component settings page.
- Select the POP3 integration section.
- Set the toggle switch next to the State parameter to Enabled.
- In the Mail server field, specify the IP address of the mail server with which you want to configure integration.
- In the Port field, specify the port for connecting to the mail server.
- In the Receive every field, specify the mail server connection frequency (in seconds).
- If you want to use TLS encryption of connections with the mail server via POP3, select the Use TLS encryption check box.
- In the User name field, specify the account name used for accessing the mail server.
- In the Password field, specify the password for accessing the mail server.
The mail server must support Basic Authentication.
- In the TLS certificate drop-down list, select one of the following options:
  - Accept any.
  - Accept untrusted self-signed.
  - Accept only trusted.
When establishing a connection with an external mail server, it is recommended to configure the acceptance of only trusted TLS certificates. If you accept untrusted TLS certificates, protection of the connection against MITM attacks cannot be guaranteed. Even though the acceptance of trusted TLS certificates also cannot guarantee protection of the connection against MITM attacks, it is the most secure of the supported methods for integration with a mail server over the POP3 protocol.
- If necessary, in the Cipher suite field, modify the OpenSSL settings used when establishing a connection with the mail server via POP3.
You can view reference information on OpenSSL by clicking the Help link.
- Click Apply.
Integration with the mail server via POP3 will be configured.
If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with the mail server.
To configure fault-tolerant integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.