Contents
- Managing tasks
- Viewing the task table
- Viewing information about a task
- Creating a get file task
- Creating a forensic collection task
- Creating a registry key retrieval task
- Creating an NTFS metafile retrieval task
- Creating a process memory dump retrieval task
- Creating a disk image retrieval task
- Creating a RAM dump retrieval task
- Creating a process termination task
- Creating a task to scan hosts using YARA rules
- Creating a service management task
- Creating a program execution task
- Creating a file deletion task
- Creating a file quarantine task
- Creating a quarantined file recovery task
- Creating a copy of a task
- Deleting tasks
- Filtering tasks by creation time
- Filtering tasks by type
- Filtering tasks by name
- Filtering tasks by file name and path
- Filtering tasks by description
- Filtering tasks by server name
- Filtering tasks based on the name of the user that created the task
- Filtering tasks by processing status
- Clearing a task filter
Managing tasks
In the web interface of the program, users with the Senior security officer role can manage files and programs on hosts by creating and removing tasks.
In distributed solution and multitenancy mode, the Kill process, Get forensics, Get registry key, Start YARA scan, Service management, Run program, Delete file, Restore file from quarantine, and Quarantine file tasks can have one of the following types:
- Global—Created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
- Local—Created on the SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
The tasks Get file, Get process memory dump, Get NTFS metafiles, Get disk image, Get memory dump run only on the specified host, regardless of the program operating mode.
The maximum task execution time is 24 hours. If the task did not complete in this time, execution is paused.
Users with the Senior security officer role can manage all tasks for tenants to whose data they have access.
Users with the Security officer role do not have access to tasks.
Users with the Security auditor role can view the task table and information about the selected task.
Viewing the task table
The tasks table contains a list of created tasks and is in the Tasks section of the program web interface window. You can view all tasks or only tasks created by you (current user).
You can show or hide tasks created by you using the Only mine toggle switch in the upper right corner of the window. The display of tasks created by the current user is enabled by default.
The tasks table contains the following information:
- Time—Task creation date and time.
- Type is the type of the task depending on the operating mode of the program and the server on which the task was created.
Tasks may be one of the following types:
- Global—Created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
- Local—Created on the SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
- Name—Task name.
A task can have one of the following names:
- Kill process.
- Get forensics.
- Start YARA scan.
- Service management.
- Get NTFS metafiles.
- Get registry key.
- Get process memory dump.
- Run program.
- Get file.
- Delete file.
- Quarantine file.
- Restore file from quarantine.
- Get disk image.
- Get memory dump.
Clicking the link with the name of the task type opens a list in which you can select one of the following actions:
- Add to filter.
- Exclude from filter.
- Copy value to clipboard.
- Details—full path to the file or data stream for which the task was created, or the path to a shared network resource.
Clicking the link containing information about the path to the file or data stream opens a list in which you can select one of the following actions:
- Add to filter.
- Exclude from filter.
- Copy value to clipboard.
- Servers—Name of the server with the PCN or SCN role on which the task is run.
This field is displayed only if you are using the distributed solution and multitenancy mode.
- Hosts—Name of the host on which the task is run.
This field is displayed only if you are using a standalone Central Node server.
- Created by—Name of the user who created the task.
If only tasks created by the current user are displayed, this column is not displayed.
- State—Task completion status.
A task can have one of the following statuses:
- Pending.
- In process.
- Completed.
Viewing information about a task
To view task details:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Select the task for which you want to view information.
This opens a window containing information about the task.
The window can contain the following information depending on the task type:
- State—Task completion status.
- Description—Task description.
- File path—Path to the file or data stream.
- Information type—Type of the collected data.
- Registry key—Path to the registry key that you want to get.
- Process ID—Process identifier.
- File mask—Mask of files that are included in the data list.
- Metafiles—NTFS metafiles that you want to get.
- Volume—Name of the drive from which you want to receive metafiles, disk image, or memory dump.
- Share path—Path to a shared network resource.
- Stored file—Link to the file received as a result of the task execution.
- Maximum nesting level—Maximum nesting level of folders which the program searches for files.
- Exclusions—Folders in which searching and scanning files is prohibited.
- Scan scope—Folders which are scanned by YARA rules.
- Action—Action that was performed for the service.
The program supports the following operations with services:
- Start.
- Stop.
- Pause.
- Resume.
- Delete.
- Modify startup type.
- Maximum scan duration—Maximum task execution time, after which the scan is stopped.
- SHA256—SHA256 hash of the file that you want to receive.
- Run as—Option to run the program using the name of the local system.
- Created by—Name of the user who created the task.
- Tenant—Name of the tenant. Displayed only when you are using the distributed solution and multitenancy mode.
- Time created—Time when the task was created.
- Time completed—Task completion time.
- Report—Task result on selected hosts.
Creating a get file task
You can download a file from selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create a get file task.
The file to be downloaded must not exceed 100 MB. If the file exceeds 100 MB, the task finishes with an error.
To create a get file task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Add button and select File in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- File path—Path to the file that you want to receive.
If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.
You can also specify the path to an alternate data stream of this file. In this case, you receive only the files of the specified stream.
When creating a task, the program does not check if the specified path to the file that you want to receive is valid.
- MD5/SHA256—MD5 or SHA256 hash of the file that you want to receive. This field is optional.
- If you do not want to scan the file, clear the Send for scanning check box.
The check box is selected by default.
- Description—Task description. This field is optional.
- Host is the name or IP address of the host.
You can specify only one host.
- Click Add.
The get file task will be created. The task runs automatically after it is created.
A file received through this task will be placed in Storage. If the get file task completed successfully, you can download the received file to your local computer.
If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.
You can also download the file from the task report window.
To download the file from the task report window:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Open the get file task that you want to download.
- In the Report section, click the name or IP address of the host.
This opens a window containing information about the file.
- Click Download.
The file will be saved to your local computer in the browser's downloads folder.
Users with the Security auditor role cannot create get file tasks.
Users with the Security officer role do not have access to tasks.
Creating a forensic collection task
You can get lists of files, processes, and autorun points from selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create a forensic collection task.
To create a forensic collection task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Add button and select Forensics in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Information type is the type of collected data. Select the check box next to one, multiple, or all settings:
- Processes list if you want to get a list of processes running on the host at the time of the task execution.
- Autorun points list if you want to get a list of autorun points.
The autorun points list includes information about programs added to the startup folder or registered in the Run keys of the registry, as well as programs that are automatically run at startup of a Kaspersky Endpoint Agent host and when a user logs in to the operating system on the specified hosts.
- File list if you want to get a list of files stored in the selected folder or in all host folders at the time of the task execution.
- If you have selected the File list check box, in the Source type group of settings, select one of the following options:
- All local disks if you want the list of files to include files stored in all folders on local disks at the time of the task execution.
- Directory if you want the file list to include files stored in the specified folder and its subfolders at the time when the task is run.
- If you selected Directory, in the Start directory field, specify the path to the folder from which the file search should start.
You can use the following prefixes:
- System environment variables.
- User-defined environment variables.
When using user-defined environment variables, the list of files includes information about files in folders of all users who have set the specified environment variables. If user-defined environment variables override system environment variables, the list of files includes information about files in folders based on the values of system environment variables.
- In the Hosts field, enter the IP address or name of the host to which you want to assign the task.
You can specify multiple hosts.
The data collection task can only be assigned to hosts with the Kaspersky Endpoint Agent for Windows program version 3.10 or later. Getting a list of autorun points is only supported on hosts with Kaspersky Endpoint Agent for Windows 3.12 or later.
If necessary, you can specify the following search criteria for files in folders:
- File mask is the mask of files to be included in the list of files.
- Alternative data streams is the check box that enables recording information about alternate data streams in the file list.
If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.
The check box is selected by default.
- Maximum nesting level is the maximum nesting level of folders in which the program searches for files.
- Exclusions is the path to the folders in which you want to prohibit the search for information about files.
- Description is the task description.
- Click Add.
The forensic collection task is created. The task runs automatically after it is created.
Upon completion of the task, the program places a ZIP archive containing a file with the selected data in Storage. If the task completed successfully, you can download the archive to your local computer.
Users with the Security auditor role cannot create forensic collection tasks.
Users with the Security officer role do not have access to tasks.
Creating a registry key retrieval task
You can get a registry key from selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create a registry key retrieval task.
To create a registry key retrieval task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Add button and select Registry key in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Registry key is the registry key that you want to get.
You can enter the registry key in one of the following formats:
- Relative to the root key.
For example, \REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.
- Relative with full name of the root key.
For example, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.
- Relative with an abbreviation instead of the full name of the root key.
For example, HKLM\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.
If you want to get data from HKEY_CURRENT_USER, you must specify HKEY_USERS and the SID of the user: HKEY_USERS\<SID of the user>.
- Description—Task description. This field is optional.
- In the Hosts field, enter the name or IP address of the host to which you want to assign the task.
You can specify multiple hosts.
The registry key retrieval task can only be assigned to hosts with the Kaspersky Endpoint Agent for Windows program version 3.13 or later.
- Click Add.
The registry key retrieval task is created. The task runs automatically after it is created.
As a result of the task, the program places a ZIP archive in Storage; the archive contains a .reg file, which contains a list of all registry keys and values under the key that was specified when creating the task. You can download the archive to your local computer.
If the task results in an error, the archive file contains the description of the error.
Users with the Security auditor role cannot create this task.
Users with the Security officer role do not have access to tasks.
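The three accepted spellings of a registry key and the HKEY_CURRENT_USER rule described above can be checked before a batch of keys is entered into tasks. The following Python helper is an added example, not part of the product or its documentation; the function names, the HKU abbreviation, the \REGISTRY\USER native path, and the sample SID are assumptions made for illustration.

```python
import re

# Spellings of a root key mapped to the full root-key name. HKLM and
# HKEY_LOCAL_MACHINE are the forms shown on the page; the HKU abbreviation and
# the \REGISTRY\USER native path are standard Windows names assumed here.
_FULL_NAME = {
    "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKEY_USERS": "HKEY_USERS",
    "HKU": "HKEY_USERS",
}
_NATIVE = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_USERS"}
_CURRENT_USER = {"HKEY_CURRENT_USER", "HKCU"}
# Structural check only: S-1-<authority>-<sub-authority>...
_SID_RE = re.compile(r"S-1-\d+(-\d+)+", re.IGNORECASE)


class RegistryKeyError(ValueError):
    """Raised when a key cannot be written in a form the task accepts."""


def canonical_key(key, user_sid=None):
    """Return the key with the full root-key name (HKEY_LOCAL_MACHINE\\...).

    HKEY_CURRENT_USER is rewritten to HKEY_USERS\\<SID>, as the page requires;
    without a SID the key is rejected instead of being guessed.
    """
    text = key.strip()
    # Key names cannot contain a backslash, so empty components are only
    # leading, trailing or doubled separators and can be dropped.
    parts = [p for p in text.split("\\") if p]
    if not parts:
        raise RegistryKeyError("empty registry key")

    head = parts[0].upper()
    if text.startswith("\\"):
        # Native form: \REGISTRY\MACHINE\... or \REGISTRY\USER\...
        if head != "REGISTRY" or len(parts) < 2 or parts[1].upper() not in _NATIVE:
            raise RegistryKeyError(f"unsupported native path: {key!r}")
        root, rest = _NATIVE[parts[1].upper()], parts[2:]
    elif head in _CURRENT_USER:
        if not user_sid or not _SID_RE.fullmatch(user_sid):
            raise RegistryKeyError("HKEY_CURRENT_USER needs the SID of the user")
        root, rest = "HKEY_USERS", [user_sid.upper()] + parts[1:]
    elif head in _FULL_NAME:
        root, rest = _FULL_NAME[head], parts[1:]
    else:
        raise RegistryKeyError(f"unsupported root key: {parts[0]!r}")
    return "\\".join([root] + rest)


def unique_keys(keys, user_sid=None):
    """Canonicalise a batch and drop keys that differ only in spelling or case."""
    seen, result = set(), []
    for key in keys:
        canon = canonical_key(key, user_sid)
        folded = canon.casefold()  # registry key names are case-insensitive
        if folded not in seen:
            seen.add(folded)
            result.append(canon)
    return result


# Constructed sample input: the page's three example spellings of one key,
# plus a per-user key and a made-up SID.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator",
    r"HKLM\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for entry in unique_keys(SAMPLE_KEYS, SAMPLE_SID):
        print(entry)
```

Run over the sample list, the three spellings of the Orchestrator key collapse into one entry, and the per-user Run key comes out under HKEY_USERS with the SID inserted.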
Creating an NTFS metafile retrieval task
You can get NTFS metafiles from selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create an NTFS metafile retrieval task.
To create an NTFS metafile retrieval task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Add button and select NTFS metafiles in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Metafiles is the list of metafiles that you can get using the task. Select the relevant metafile by selecting the corresponding check box.
You can select multiple metafiles.
- Volume is the name of the disk from which you want to get metafiles.
By default, the system disk is specified. You can enter the path to a different disk in the <drive letter>: format.
- Description—Task description. This field is optional.
- Host is the name or IP address of the host to which you want to assign the task.
You can specify only one host.
The NTFS metafile retrieval task can only be assigned to hosts with the Kaspersky Endpoint Agent for Windows program version 3.13 or later.
- Click Add.
The NTFS metafile retrieval task is created. The task runs automatically after it is created.
When the task finishes, the program places a ZIP archive containing the selected metafiles in Storage. You can download the archive to your local computer.
If the task results in an error, the archive file contains the description of the error.
If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.
If downloading selected metafiles exhausts Storage capacity, objects in Storage will be rotated. If a metafile is larger than total Storage capacity, it is not downloaded.
Users with the Security auditor role cannot create this task. Users with the Security officer role do not have access to tasks.
Creating a process memory dump retrieval task
You can get a process memory dump file from the selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create a process memory dump retrieval task.
To create a process memory dump retrieval task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Add button and select Process memory dump in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Process ID is the ID of the process for which you want to get a memory dump.
- MD5/SHA256 is the MD5 or SHA256 hash of the file of the process of which you want to get a memory dump. This field is optional.
- Description—Task description. This field is optional.
- Host is the name or IP address of the host to which you want to assign the task.
You can specify only one host.
The process memory dump task can only be assigned to hosts with Kaspersky Endpoint Agent for Windows version 3.13 or later.
- Click Add.
The process memory dump retrieval task is created. The task runs automatically after it is created.
The task creates a ZIP archive in Storage, which contains a file with information about the process and a process memory dump file. You can download the archive to your local computer.
If the task results in an error, the archive file contains the description of the error.
If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.
Users with the Security auditor role cannot create this task.
Users with the Security officer role do not have access to tasks.
Creating a disk image retrieval task
You can get an NTFS disk image from a selected Kaspersky Endpoint Agent for Windows host. To do so, you must create an NTFS disk image retrieval task.
The resulting file can be saved only to a shared network resource.
To create a disk image retrieval task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Add button and select Disk image in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Share path—path to a shared network resource.
You need to specify the path in the Universal Naming Convention (UNC) format: \\server\share\path.
If the last folder with the specified name is absent, Kaspersky Endpoint Agent will create one. If creation is unsuccessful, an error will be displayed in the web interface of Kaspersky Anti Targeted Attack Platform.
- User name—user name of the account used to access the shared network resource.
- Password—password of the account used to access the shared network resource.
- Under Disk type, select one of the following options:
- Logical.
- Physical.
- If you selected Logical, enter a %SystemDrive% variable or a drive letter without the colon and slash in the Volume field.
- If you selected Physical, enter the disk number in the Physical drive field.
- Select the Split file into parts check box if you want the file to be divided into multiple parts when saved.
- If you selected the check box, in the Part size, GB field, specify the minimum size of one part of the saved file.
The minimum part size must be more than one gigabyte.
- Description—Task description. This field is optional.
- Host—the IP address or name of the host to which you want to assign the task.
- Click Add.
The disk image retrieval task will be created. The task runs automatically after it is created.
The application places an archive containing a file or files in the EWF format on a shared network resource.
You can assign the task only to hosts with Kaspersky Endpoint Agent for Windows 3.14 or later.
Users with the Security auditor role cannot create tasks.
Users with the Security officer role do not have access to tasks.
Creating a RAM dump retrieval task
You can get a RAM dump file from a selected Kaspersky Endpoint Agent for Windows host. To do so, you must create a memory dump retrieval task.
The resulting file can be saved only to a shared network resource.
To create a memory dump retrieval task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Add button and select Memory dump in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Share path—path to a shared network resource.
You need to specify the path in the Universal Naming Convention (UNC) format: \\server\share\path.
If the last folder with the specified name is absent, Kaspersky Endpoint Agent will create one. If creation is unsuccessful, an error will be displayed in the web interface of Kaspersky Anti Targeted Attack Platform.
- User name—user name of the account used to access the shared network resource.
- Password—password of the account used to access the shared network resource.
- Description—Task description. This field is optional.
- Host—the IP address or name of the host to which you want to assign the task.
- Click Add.
The RAM dump retrieval task is created. The task runs automatically after it is created.
The application places an archive containing a file or files in the EWF format on a shared network resource.
You can assign the task only to hosts with Kaspersky Endpoint Agent for Windows 3.14 or later.
Users with the Security auditor role cannot create tasks.
Users with the Security officer role do not have access to tasks.
Creating a process termination task
If you believe that a process running on the computer could threaten the security of the computer or the corporate LAN, you can terminate the process.
To create a process termination task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click Add and select Kill process.
This opens the task creation window.
- Configure the following settings:
- File path—Path to the file of the process that you want to terminate.
You can also specify the path to an alternate data stream of this file. In this case, only processes of the specified data stream will be terminated. The processes of the other streams of this file will be executed.
- MD5/SHA256—MD5 or SHA256 hash of the file of the process that you want to terminate. This field is optional.
- Description—Task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The process termination task will be created. The task runs automatically after it is created.
Users with the Security auditor role cannot create process termination tasks.
Users with the Security officer role do not have access to tasks.
Creating a task to scan hosts using YARA rules
You can scan Kaspersky Endpoint Agent for Windows hosts using YARA rules. To do so, you must create a Start YARA scan task. You can create the task:
- In the Tasks section.
In this case, when creating the task, you must select YARA rules that you want to use to scan hosts.
- In the Custom rules section, YARA subsection.
In this case, a task is created to scan hosts using selected YARA rules.
To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules in the Tasks section:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click Add and select Start YARA scan.
This opens the task creation window.
- Configure the following settings:
- Select rules is the name of the rule. You can enter the name of the rule or a sequence of characters from the name of the rule, then select the rule in the list.
You can add multiple rules.
- Scan is the scan scope. Select one of the following options:
- RAM if you want to scan processes that are running at the time of the task execution.
The program does not scan processes with a low priority.
- Autorun points if you want to scan autorun points obtained from the Get forensics task.
Only available when integrated with Kaspersky Endpoint Agent 3.13 or later.
To have autorun points scanned, you must specify hosts for which the Get forensics task was previously run.
- Specified directories if you want to scan files that are located in a specified folder and all its nested folders at the time of the task execution.
- All local disks if you want to scan files stored in all folders on local disks at the time of the task execution.
Scanning all local disks can cause high load on the host.
- If you selected RAM, if necessary, do the following:
- In the Processes field, enter short names of processes or a mask of files that you want to scan.
The program scans all processes with identical names that are running on the host.
If the Processes field is left blank, the program scans all processes that were running at the time of the task execution, except processes with PID under 10 and processes listed in the Exclusions field.
- In the Exclusions field, enter short names of processes or a mask of files that you want to exclude from scanning.
If multiple processes with identical names are running on the host, the program excludes all such processes from scanning.
- If you selected Autorun points, in the Scan type field, select the scan type:
- Quick.
In this case, all autorun points are scanned, except COM objects.
- Full.
In this case, all autorun points are scanned, as well as files involved with them.
- If you selected Specified directories:
- In the Specified directories field, enter the full path to folders, name or mask of files that you want to scan (for example, C:\Users\User1\Documents\* or C:\Program files\*.exe).
- In the Exclusions field, enter the full path to folders, name or mask of files that you want to exclude from scanning.
- Maximum scan duration is the maximum scan duration.
When this time elapses, the scan is stopped even if some rules were not applied to scan the hosts. The task report contains results that are up-to-date at the moment when the scan was stopped.
- Description—Task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
The task of scanning Kaspersky Endpoint Agent hosts by YARA rules can only be assigned to hosts with Kaspersky Endpoint Agent for Windows 3.12 or later. If you simultaneously assign a task to hosts with Kaspersky Endpoint Agent 3.12 and earlier versions of the program, the task is executed only on hosts with Kaspersky Endpoint Agent 3.12.
To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules in the Custom rules section, YARA subsection:
- In the window of the program web interface, select the Custom rules section, YARA subsection.
- Select check boxes to the left of rules that you want to use when scanning the hosts.
A control panel appears in the lower part of the window.
- Click Start YARA scan.
- Carry out step 3 of the instruction above.
Task creation is complete. The task runs automatically after it is created.
If the scan detects any threats, Kaspersky Anti Targeted Attack Platform creates corresponding alerts.
Users with the Security auditor role cannot create a task to scan Kaspersky Endpoint Agent for Windows hosts by YARA rules.
Users with the Security officer role do not have access to tasks.
Creating a service management task
You can remotely start, stop, pause, or resume a service, as well as remove a service or change its start type on selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create a service management task.
To create a service management task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click Add and select Service management.
This opens the task creation window.
- Configure the following settings:
- In the Service name field, enter the name of the service.
- In the MD5/SHA256 field, enter the MD5 or SHA256 hash of the service. This field is optional.
If you enter the hash of a service that is loaded from a DLL, Kaspersky Anti Targeted Attack Platform simultaneously compares the specified hash with the hash of the service DLL and the hash of the svchost process.
- In the Action field, select the operation that you want to perform on the service.
The program supports the following operations with services:
- Start.
- Stop.
- Pause.
- Resume.
- Delete.
- Modify startup type.
When you remove a service, processes that the service has started keep running until the system is restarted or the process is terminated.
- If you selected Modify startup type, in the Startup type, select the start type for the service.
- Description is the task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
You can assign the task only to hosts with Kaspersky Endpoint Agent for Windows 3.12 or later. Hosts with earlier versions of Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Agent for Linux hosts are displayed in the list of hosts but cannot be selected.
- Click Add.
The service management task is created. The task runs automatically after it is created.
Stopping, pausing, or deleting services, or changing the start type of services, that affect the functioning of the host is strongly discouraged.
Users with the Security auditor role cannot create service management tasks.
Users with the Security officer role do not have access to tasks.
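To fill in the optional MD5/SHA256 field, you need the hash of the service binary, and for a service loaded from a DLL both the service DLL and the svchost process are compared. The following PowerShell is an added example, not part of the product or its documentation: it is run locally on the Windows host, and the function name Get-ServiceBinaryHash and the sample service name wuauserv are assumptions chosen for illustration.

```powershell
# Added example: list the SHA256 values relevant to the MD5/SHA256 field
# of a service management task. Get-ServiceBinaryHash is a hypothetical helper name.
function Get-ServiceBinaryHash {
    param(
        [Parameter(Mandatory)][string]$ServiceName
    )

    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $ServiceName }
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    if (-not $svc.PathName) { throw "Service '$ServiceName' has no binary path." }

    # PathName is a command line: the executable may be quoted and followed by arguments.
    if ($svc.PathName -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]
    } elseif ($svc.PathName -match '^\s*(.+?\.exe)(\s|$)') {
        $exe = $Matches[1]
    } else {
        $exe = $svc.PathName
    }

    $targets = [ordered]@{
        'Service executable' = [Environment]::ExpandEnvironmentVariables($exe)
    }

    # A service hosted by svchost.exe names its DLL in the ServiceDll registry value.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -LiteralPath $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $targets['Service DLL'] = [Environment]::ExpandEnvironmentVariables($dll)
    }

    foreach ($role in $targets.Keys) {
        $hash = Get-FileHash -LiteralPath $targets[$role] -Algorithm SHA256
        [pscustomobject]@{
            Service = $ServiceName
            Role    = $role
            Path    = $hash.Path
            SHA256  = $hash.Hash
        }
    }
}

# Sample call; wuauserv is used only as a familiar svchost-hosted service.
Get-ServiceBinaryHash -ServiceName 'wuauserv' | Format-List
```

For a DLL-hosted service the output has two rows, one for svchost.exe and one for the service DLL, which are the two files the hash check described above covers.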
Creating a program execution task
You can create a program startup task or command execution task.
If the standard output file or error output file reaches a size of 100 KB when the task is running, some of the data is deleted from the file. The file will not contain all the data.
To create a task for starting a program or executing a command:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click Add and select Run program.
This opens the task creation window.
- Configure the following settings:
- In the File path and Working directory fields, enter values in one of the following ways:
- In the File path field, enter the full path to the executable file (for example, C:\Windows\System32\ipconfig.exe). Leave the Working directory field empty.
When creating a task, the program does not check if the specified path to the executable file is valid.
- In the File path field, enter the name and extension of the executable file (for example, ipconfig.exe). In the Working directory field, enter the working directory (for example, C:\Windows\System32\).
- In the Arguments field, enter additional options for running the file or task (for example, the /all argument).
- In the Description field, enter the task description. This field is optional.
- Configure the Task for setting, that is, the task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The program startup task or command execution task will be created. The task runs automatically after it is created.
Example: To run the
Users with the Security auditor role cannot create program running tasks or command execution tasks.
Users with the Security officer role do not have access to tasks.
Creating a file deletion task
To create a file deletion task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click Add and select Delete file.
This opens the task creation window.
- Configure the following settings:
- File path—Path to the file that you want to delete.
You can also specify the path to an alternate data stream of this file. In this case, only the specified data stream will be deleted. The other data streams of this file will be left unchanged.
- MD5/SHA256—MD5 or SHA256 hash of the file that you want to delete. This field is optional.
- Description—Task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The file deletion task will be created. The task runs automatically after it is created.
If the file has been blocked by another process, the task will be displayed with the Completed status but the file will be deleted only after the host is restarted. It is recommended to check whether the file is successfully deleted after the host is restarted.
Deleting the file from a mapped network drive is not supported.
Users with the Security auditor role cannot create file deletion tasks.
Users with the Security officer role do not have access to tasks.
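Because a blocked file is removed only after restart while the task already shows Completed, the result has to be checked on the host itself. The following PowerShell is an added example, not part of the product or its documentation: the function name Test-FileRemoved, the state labels and the sample paths are assumptions, and it expects drive-letter paths, optionally with an alternate data stream name after the file name.

```powershell
# Added example: confirm on the host that a Delete file task took effect after restart.
# Test-FileRemoved and its State values are hypothetical names chosen for this sketch.
function Test-FileRemoved {
    param(
        [Parameter(Mandatory)][string]$TaskPath,  # value entered in the File path field
        [string]$ExpectedHash                     # optional MD5 or SHA256 entered in the task
    )

    # Split "C:\dir\file.ext:stream" into file and stream name.
    # Index 1 is the drive-letter colon, so only a later colon marks a stream.
    $path = $TaskPath -replace ':\$DATA$', ''
    $file = $path
    $stream = $null
    $i = $path.LastIndexOf(':')
    if ($i -gt 1) {
        $file   = $path.Substring(0, $i)
        $stream = $path.Substring($i + 1)
    }

    $state = 'Removed'
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        if ($stream) {
            # Only the named stream was targeted; the file itself is expected to remain.
            $found = Get-Item -LiteralPath $file -Stream $stream -ErrorAction SilentlyContinue
            if ($found) { $state = 'StreamStillPresent' }
        } elseif ($ExpectedHash) {
            # MD5 is 32 hex characters, SHA256 is 64.
            $alg = if ($ExpectedHash.Length -eq 32) { 'MD5' } else { 'SHA256' }
            $actual = (Get-FileHash -LiteralPath $file -Algorithm $alg).Hash
            $state = if ($actual -eq $ExpectedHash) { 'StillPresent' } else { 'DifferentFileAtPath' }
        } else {
            $state = 'StillPresent'
        }
    }

    [pscustomobject]@{ Path = $TaskPath; State = $state }
}

# Constructed sample paths, for illustration only.
Test-FileRemoved -TaskPath 'C:\Temp\sample.bin'
Test-FileRemoved -TaskPath 'C:\Temp\report.txt:hidden'
```

A State of DifferentFileAtPath means a file exists at the path but does not match the hash given in the task, so it is not the file the task targeted.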
Creating a file quarantine task
If you believe that an infected or probably infected file is on the computer with the Kaspersky Endpoint Agent program, you can isolate it by putting it into quarantine. The file is deleted from its folder on the computer and placed in Kaspersky Endpoint Agent quarantine on the same computer, in the quarantine directory that is configured in Kaspersky Endpoint Agent settings.
To create a file quarantine task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click Add and select Quarantine file.
This opens the task creation window.
- Configure the following settings:
- In the File path field, enter the path to the file that you want to quarantine.
- In the MD5/SHA256 field, enter the MD5 or SHA256 hash of the file that you want to quarantine. This field is optional.
- Description—Task description. This field is optional.
- In the Hosts field, enter the name or IP address of the host to which you want to assign the task.
You can specify multiple hosts.
- Click Add.
The file quarantine task is created. The task runs automatically after it is created.
As a result of the task:
- The file is deleted from its folder on the computer with the Kaspersky Endpoint Agent program and placed in Kaspersky Endpoint Agent quarantine on the same workstation, in the quarantine directory that is configured in Kaspersky Endpoint Agent settings.
- In the task list of the Tasks section of the program web interface, execution information about the task is displayed.
- In the file list in the Storage section, Quarantine subsection, information about the quarantined file is displayed.
If the file has been blocked by another process, the task is displayed with the Completed status but the file is placed in Quarantine only after the host is restarted. It is recommended to check whether the task was successfully completed after the host is restarted.
The file quarantine task can finish with the Access denied error if you are trying to quarantine an executable file and it is currently running.
To solve this problem, create a process termination task for this file, and then try creating the file quarantine task again.
Users with the Security auditor role cannot create file quarantine tasks.
Users with the Security officer role do not have access to tasks.
Creating a quarantined file recovery task
If you believe that a previously isolated file is safe, you can restore it from Quarantine to the host.
To create a task for restoring a file from Quarantine:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click Add and select Restore file from quarantine.
This opens the task creation window.
- Configure the following settings:
- Description—Task description. This field is optional.
- File search—Name of the file in Quarantine.
- Click Add.
The task for restoring a file from Quarantine is created. The task runs automatically after it is created.
After restoring a file from Quarantine to a host, metadata about the file remains in the table of objects placed in Storage.
Users with the Security auditor role cannot create tasks to restore files from Quarantine.
Users with the Security officer role do not have access to tasks.
Creating a copy of a task
To copy a task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Open the task that you want to copy.
- Click Duplicate.
This opens the task creation window. All task settings will be copied.
- If you want to modify task settings, edit one or more settings depending on the type of the task being copied.
- Click Add.
A copy of the selected task will be created.
Users with the Security auditor role cannot copy tasks.
Users with the Security officer role do not have access to tasks.
Deleting tasks
If you delete a task while it is running, the task results might not be saved.
If you delete a successfully completed file download task, the file is also deleted.
To delete a task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Open the task that you want to delete.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The task will be deleted.
To delete all or multiple tasks:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Select check boxes next to the tasks that you want to delete.
You can select all tasks by selecting the check box in the row containing the column headers.
- In the pane that appears in the lower part of the window, click Delete.
This opens the action confirmation window.
- Click Yes.
The selected tasks are deleted.
Users with the Security auditor role cannot delete tasks.
Users with the Security officer role do not have access to tasks.
Filtering tasks by creation time
To filter tasks by creation time:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Time link to open the task filtering menu.
- Select one of the following task display periods:
- All, if you want the program to display all created tasks in the table.
- Last hour, if you want the program to display the tasks that were created during the last hour in the table.
- Last day, if you want the program to display the tasks that were created during the last day in the table.
- Custom range, if you want the program to display tasks that were created during the period you specify in the table.
- If you have selected the Custom range task display period:
- In the calendar that opens, specify the start and end dates of the task display period.
- Click Apply.
The calendar closes.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by type
If you are using distributed solution and multitenancy mode, you can filter tasks by their type.
To filter tasks by type:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Type link to open the task filtering menu.
- Select one of the following task display options:
- All, if you want to display all tasks regardless of their type.
- Global, if you want to display only tasks that were created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
- Local, if you want to display only tasks that were created on a SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by name
To filter tasks by name:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Name link to open the task filtering menu.
- Select one or more check boxes:
- Kill process
- Run program
- Get forensics
- Start YARA scan
- Service management
- Get file
- Delete file
- Quarantine file
- Restore file
- Get disk image
- Get memory dump
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by file name and path
You can filter tasks based on the Details criterion—Name and path to the file or data stream.
To filter tasks by name and path to the file or data stream:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Details link to open the task filter configuration window.
- In the drop-down list on the right, select Details.
- In the drop-down list on the left, select one of the following task filtering operators:
- Contains
- Does not contain
- Equal to
- Not equal to
- In the entry field, specify one or several characters of the file name or path.
- To add a filter condition using a different criterion, click
and specify the filter condition.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by description
You can filter tasks by the Description criterion, which is the task description that was added when the task was created.
To filter tasks by description:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Details link to open the task filter configuration window.
- In the drop-down list on the left, select Description.
- In the drop-down list on the right, select one of the following task filtering operators:
- Contains
- Does not contain
- Equal to
- Not equal to
- In the entry field, specify one or several characters of the file name or path.
- To add a filter condition using a different criterion, click
and specify the filter condition.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by server name
If you are using distributed solution and multitenancy mode, you can filter tasks based on the servers to which the tasks are applied.
To filter tasks by servers to which the tasks are applied:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Servers link to open the task filtering menu.
- Select the check boxes next to the names of the servers whose tasks you want to display.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks based on the name of the user that created the task
To filter tasks based on the user name that created the task, all tasks must be displayed. If only tasks created by the current user are displayed, tasks cannot be filtered by user name.
To filter tasks by the name of the user that created the task:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the Created by link to open the task filtering menu.
- In the drop-down list, select one of the following task filtering operators:
- Contains
- Does not contain
- In the entry field, specify one or several characters of the user name.
- To add a filter condition using a different criterion, click
and specify the filter condition.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by processing status
To filter tasks based on the status of their processing by the user:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click the State link to open the task filtering menu.
- Select one or more check boxes:
- Pending.
- In process.
- Completed.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Clearing a task filter
To clear the task filter for one or more filtering criteria:
- Select the Tasks section in the program web interface window.
This opens the task table.
- Click
to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The tasks table displays only tasks matching the filter criteria you have set.