Kaspersky Anti Targeted Attack Platform

Managing Kaspersky Endpoint Agent for Windows

Kaspersky Endpoint Agent is an application that is installed on individual devices within an organization's IT infrastructure. The application constantly monitors the processes running on these devices, as well as open network connections and file modifications. Kaspersky Endpoint Agent interacts with other Kaspersky solutions to detect complex threats (such as targeted attacks).

The application interacts with Kaspersky Anti Targeted Attack Platform using the KATA Central Node component. When integration of Kaspersky Endpoint Agent with KATA Central Node is configured, the application executes the tasks and applies the settings received from the KATA Central Node component, and sends telemetry data from the protected device to the server with the KATA Central Node component.

In this Help section

Installing and uninstalling Kaspersky Endpoint Agent

Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console

Managing Kaspersky Endpoint Agent using Kaspersky Security Center Web Console

Managing Kaspersky Endpoint Agent using the command line interface


Preparing for Kaspersky Endpoint Agent installation

Before installing Kaspersky Endpoint Agent on a device or updating the application from a previous version, make sure that the following conditions are met:

  • The device complies with the hardware and software requirements.
  • You have the permissions required to install the application.

If any of these conditions is not met, the corresponding notification will be displayed.

See also

Installing Kaspersky Endpoint Agent

Installing and uninstalling Kaspersky Endpoint Agent locally

Installing Kaspersky Endpoint Agent using Kaspersky Security Center

Installing Kaspersky Endpoint Agent administration tools

Updating Kaspersky Endpoint Agent from the previous version

Repairing Kaspersky Endpoint Agent

Changes in the system after Kaspersky Endpoint Agent installation


Installing Kaspersky Endpoint Agent

Kaspersky Endpoint Agent installation can be performed:

For remote installation, the settings can be passed using the configuration file. Before you do so, first place the install_props.json file in the same folder as the endpointagent.msi file.

See also

Preparing for Kaspersky Endpoint Agent installation

Installing and uninstalling Kaspersky Endpoint Agent locally

Installing Kaspersky Endpoint Agent using Kaspersky Security Center

Installing Kaspersky Endpoint Agent administration tools

Updating Kaspersky Endpoint Agent from the previous version

Repairing Kaspersky Endpoint Agent

Changes in the system after Kaspersky Endpoint Agent installation


Installing and uninstalling Kaspersky Endpoint Agent locally

This section contains information on how to install Kaspersky Endpoint Agent locally on a device.

In this Help section

Installing Kaspersky Endpoint Agent using the Installation Wizard

Removing Kaspersky Endpoint Agent using the Installation and Uninstallation Wizard

Installing, restoring and uninstalling the application using the command line


Installing Kaspersky Endpoint Agent using the Installation Wizard

The interface of the Installation Wizard application consists of a sequence of windows corresponding to the application installation steps.

To install the application or update it from a previous version using the application Installation Wizard,

copy the endpointagent.msi file that is included in the distribution kit to the user device and run it.

The application Installation Wizard starts.

After Kaspersky Endpoint Agent is installed on the device, the Installation Wizard can be launched on this device in one of the following modes:

  • Restore damaged application modules.
  • Uninstall the application from the device.

See also

Removing Kaspersky Endpoint Agent using the Installation and Uninstallation Wizard

Installing, restoring and uninstalling the application using the command line


Removing Kaspersky Endpoint Agent using the Installation and Uninstallation Wizard

You can uninstall Kaspersky Endpoint Agent using standard Microsoft Windows installation and uninstallation tools. Uninstalling the application launches the wizard, which removes all application components from the device.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.

See also

Installing Kaspersky Endpoint Agent using the Installation Wizard

Installing, restoring and uninstalling the application using the command line


Installing, restoring and uninstalling the application using the command line

Kaspersky Endpoint Agent can be installed and uninstalled from the MSI package by setting the values of MSI properties in the standard way. For more information on standard Windows Installer commands and command-line options, refer to the documentation provided by Microsoft.

Installing Kaspersky Endpoint Agent

An example of installing the application in quiet mode with default settings is shown below. After starting the application installation in quiet mode, your participation in the installation process is not required.

Installing Kaspersky Endpoint Agent in quiet mode requires acceptance of the terms and conditions of the End User License Agreement and Privacy Policy. Use the EULA=1 and PRIVACYPOLICY=1 parameters only if you have fully read, understood, and accept the terms of the End User License Agreement and Privacy Policy.

Example:

msiexec /i endpointagent.msi EULA=1 PRIVACYPOLICY=1 USE_AZURE_SUPPORT=1 /qn

Command parameters for installing Kaspersky Endpoint Agent

Parameter

Description

EULA

Required parameter. This parameter indicates whether the user consents to or declines the terms of the End User License Agreement.

Values:

  • 0 – decline;
  • 1 – consent.

    If the value 0 is passed, the application is not installed.

PRIVACYPOLICY

Required parameter. This parameter indicates whether the user consents to or declines the terms of the Privacy Policy.

Values:

  • 0 – decline;
  • 1 – consent.

    If the value 0 is passed, the application is not installed.

USE_AZURE_SUPPORT

This parameter sets the flag for using the hardware identifier. The flag is stored as the EnableAzureSupport value under HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment on x86 operating systems, or under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\SOYUZ\4.0\Environment on x64 operating systems.

Values:

  • 0 – When sending events to the telemetry collection server, Kaspersky Endpoint Agent passes the host's OS identifier from the registry as the sensor_id value in requests to the server. This is the default value.
  • 1 – When sending events to the telemetry collection server, Kaspersky Endpoint Agent passes the host's BIOS identifier as the sensor_id value in requests to the server.

Repairing Kaspersky Endpoint Agent

An example of restoring the application in quiet mode is shown below. After starting application restoration in quiet mode, your participation in the restoration process is not required.

Example:

msiexec /i endpointagent.msi REINSTALL=ALL /qn

Uninstalling Kaspersky Endpoint Agent

An example of uninstalling the application in quiet mode is shown below. After starting application uninstallation in quiet mode, your participation in the uninstallation process is not required.

Example:

msiexec /i {BB66A7B5-A5C0-45E6-92B9-D0B848B6F394} REMOVE=ALL /qn

If the application is password protected:

msiexec /i {BB66A7B5-A5C0-45E6-92B9-D0B848B6F394} REMOVE=ALL UNLOCK_PASSWORD=<password> /qn

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.
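An added example, not from the Kaspersky documentation, that runs the quiet installation shown above from PowerShell and then checks the results this Help describes (the installation folder and the EnableAzureSupport registry value). It assumes an elevated session on 64-bit Windows with endpointagent.msi next to the script; the parameter names and log path are the example's own.

```powershell
# Added example (not Kaspersky's code): unattended local installation of
# Kaspersky Endpoint Agent with the documented MSI properties, followed by
# the post-install checks a deployment engineer would run.
# Assumptions: elevated PowerShell, 64-bit Windows, endpointagent.msi beside
# this script. Only pass EULA=1 / PRIVACYPOLICY=1 once the agreements have
# actually been accepted.

param(
    [string]$MsiPath = (Join-Path $PSScriptRoot 'endpointagent.msi'),
    [ValidateSet(0, 1)]
    [int]$UseAzureSupport = 0,   # 0 = OS identifier as sensor_id (default), 1 = BIOS identifier
    [string]$LogPath = (Join-Path $env:TEMP 'kea_install.log')   # example's own log location
)

if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }

$msiArgs = @(
    '/i', "`"$MsiPath`"",
    'EULA=1', 'PRIVACYPOLICY=1',
    "USE_AZURE_SUPPORT=$UseAzureSupport",
    '/qn',
    '/l*v', "`"$LogPath`""          # verbose Windows Installer log for troubleshooting
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success but a restart is required.
switch ($proc.ExitCode) {
    0       { Write-Host 'Installation completed.' }
    3010    { Write-Warning 'Installation completed; a restart is required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}

# Check 1: the default installation folder documented for 64-bit Windows.
$installDir = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\Endpoint Agent'
if (-not (Test-Path $installDir)) { throw "Installation folder missing: $installDir" }

# Check 2: USE_AZURE_SUPPORT is persisted as EnableAzureSupport under the
# SOYUZ key (WOW6432Node path on x64). The value's presence when the flag is 0
# is not documented here, so a missing value is reported rather than failed.
$envKey = 'HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\SOYUZ\4.0\Environment'
$flag = (Get-ItemProperty -Path $envKey -Name 'EnableAzureSupport' -ErrorAction SilentlyContinue).EnableAzureSupport
if ($null -eq $flag) {
    Write-Warning "EnableAzureSupport not present under $envKey"
} elseif ([int]$flag -ne $UseAzureSupport) {
    throw "EnableAzureSupport is $flag, expected $UseAzureSupport"
} else {
    $source = if ([int]$flag -eq 1) { 'BIOS identifier' } else { 'OS identifier' }
    Write-Host "EnableAzureSupport = $flag (sensor_id source: $source)"
}
```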

See also

Installing Kaspersky Endpoint Agent using the Installation Wizard

Removing Kaspersky Endpoint Agent using the Installation and Uninstallation Wizard


Installing Kaspersky Endpoint Agent using Kaspersky Security Center

Kaspersky Endpoint Agent can be installed using a remote installation task in Kaspersky Security Center. Installation consists of the following steps:

  1. Creating an installation package.
  2. Creating a remote installation task.

Kaspersky Security Center also supports other methods of installing applications on groups of managed devices. For more information about installation using a remote installation task and other installation methods, refer to the Kaspersky Security Center Help.

When creating an installation package using Kaspersky Security Center 12 and later in order to install Kaspersky Endpoint Agent on devices running Windows XP, use the installation startup file (setup.exe) from the installation package created using Kaspersky Security Center 10.5.

In this Help section

Creating Kaspersky Endpoint Agent installation package

Creating Kaspersky Endpoint Agent remote installation task


Creating Kaspersky Endpoint Agent installation package


An installation package is a set of files generated for the remote installation of a Kaspersky application using Kaspersky Security Center. The installation package contains the required settings to install the application and ensure its operation immediately after installation. The installation package is created on the basis of the file with the KUD extension included in the application distribution package.

Creating an installation package in the Administration Console.

To create an installation package:

  1. In the Administration Console, select Administration Server → Advanced → Remote installation → Installation packages.
  2. Click the Additional actions button and select View current versions of Kaspersky applications from the drop-down list.

    The list of current versions of Kaspersky applications will be displayed.

  3. Select Kaspersky Endpoint Agent installation package.
  4. Click the Download application and create an installation package button.

    The installation package will be displayed in the list of installation packages.

  5. To change the installation package properties, in the context menu of the installation package, select Properties.

    The properties window of Kaspersky Endpoint Agent installation package opens. You can specify:

    • Application installation folder
    • Value of the repair mode flag
    • Value of the flag indicating compatibility with Azure WVD
    • The settings of the key file for activating the application

The new installation package is available in the list of installation packages. You can use this installation package for a remote installation task.

Creating an installation package in the Web Console and in the Cloud Console.

To create an installation package:

  1. In the main Web Console window, select Discovery and Deployment → Deployment and Assignment → Installation packages.

    The list of installation packages downloaded to Kaspersky Security Center will open.

  2. Click the Add button.

    The New Package Wizard will start.

  3. On the first screen of the wizard, select Create installation package for Kaspersky application.

    A list of installation packages available on Kaspersky web servers will be displayed. The list only contains installation packages for applications that are compatible with the current version of Kaspersky Security Center.

  4. Select Kaspersky Endpoint Agent installation package.

    This opens a window containing information about the installation package.

  5. Read the information and click Download and create installation package.

    If the distribution package cannot be converted to an installation package, the Download distribution package button will be displayed instead of the Download and create installation package button. In that case, do the following:

    1. Click the Download distribution package button to download the distribution package to your computer.

      Wait for the download to finish.

    2. Close the installation package creation wizard window and restart the wizard.
    3. On the first page of the wizard, select Create installation package from file.
    4. On the second page of the wizard, specify the path to the distribution package file on your computer.
    5. Follow the wizard's instructions.
  6. When you create the installation package, accept the terms and conditions of the License Agreement and the Privacy Policy.
  7. After download is complete, click Close.

    The selected installation package has been downloaded to the Administration Server shared folder, into the Packages subfolder. The downloaded installation package will be displayed in the list of installation packages.

  8. To change the installation package's properties, click on the installation package name.

    The properties window of Kaspersky Endpoint Agent installation package opens. You can specify:

    • Application installation folder
    • Value of the repair mode flag
    • Value of the flag indicating compatibility with Azure WVD
    • The settings of the key file for activating the application

The new installation package is available in the list of installation packages. You can use this installation package for a remote installation task.

When creating an installation package using Kaspersky Security Center 12 and later in order to install Kaspersky Endpoint Agent on devices running Windows XP, use the installation startup file (setup.exe) from the installation package created using Kaspersky Security Center 10.5.


Creating Kaspersky Endpoint Agent remote installation task


The Remote application installation task is intended for the remote installation of Kaspersky Endpoint Agent using Kaspersky Security Center. To install the application, the task uses the application installation package.

Creating a remote installation task in the Administration Console.

To create a remote installation task:

  1. In the Administration Console, open the Administration Server → Tasks folder.

    A list of tasks appears.

  2. Click Create a task.

    The task creation wizard will start. Follow its steps.

Step 1. Selecting the task type

Select Kaspersky Security Center Administration Server → Remote application installation.

Step 2. Selecting the installation package

In the list of installation packages, select Kaspersky Endpoint Agent installation package.

You can change the properties of the Kaspersky Security Center installation package.

Step 3. Optional

The Network Agent can be installed together with Kaspersky Endpoint Agent. The Network Agent provides interaction between the Administration Server and the client computer. If the Network Agent is already installed on the computer, it is not re-installed.

If you want to install the Network Agent together with Kaspersky Endpoint Agent, select the Network Agent installation package.

Step 4. Settings

Configure the following additional application settings:

  • Force installation package download. Select the application installation method:
    • Using Network Agent. If the Network Agent is not installed on the computer, first the Network Agent is installed using the operating system tools. Then Kaspersky Endpoint Agent is installed using the Network Agent tools.
    • Using operating system resources through distribution points. The installation package will be disseminated to client computers through distribution points using operating system resources. You can select this option if there is at least one distribution point in your network. For details on distribution point operation, refer to Kaspersky Security Center Help.
    • Using operating system resources through Administration Server. The Administration Server disseminates files to client computers by means of the operating system. This option can be selected if the Network Agent is not installed on the client computer, but the client computer is in the same network as the Administration Server.
  • Behavior of devices managed by other Servers. Select how to install Kaspersky Endpoint Agent. If more than one Administration Server is installed in the network, these Administration Servers can detect the same client computers. It can result in remote installation of the same application on one client computer from several Administration Servers and in other conflicts.
  • Do not install application if it is already installed. Clear this check box if you want, for example, to install an earlier version of the application.

Step 5. Selecting how to restart the operating system

Select the action to be performed if the computer must be restarted.

Step 6. Selecting devices to receive the task assignment

Select the devices on which Kaspersky Endpoint Agent will be installed.

Step 7. Selecting an account to run the task

Select an account to install the Network Agent using the operating system. In this case, administrator permissions are required to access the computer. You can add multiple accounts. If an account does not have the required permissions, the installation wizard uses the next account in the list. You do not need to select an account to install Kaspersky Endpoint Agent using the Network Agent.

Step 8. Configuring task schedule settings

Configure the task start schedule. For example, manually or when the computer is idle.

Step 9. Defining the task name

Enter the task name, for example, Installing Kaspersky Endpoint Agent.

Step 10. Finishing task creation

Complete the wizard operation. If required, select the Run task after wizard finishes check box. You can monitor the task's progress in the task properties. The application will be installed in quiet mode.

Creating a remote installation task in the Web Console and in the Cloud Console.

To create a remote installation task:

  1. In the main Web Console window, select Devices → Tasks.

    A list of tasks appears.

  2. Click the Add button.

    The task creation wizard will start. Follow its steps.

Step 1. Configuring the general task settings

In order to configure the general task settings:

  1. In the Application drop-down list, select Kaspersky Security Center.
  2. In the Task type drop-down list, select Remote application installation.
  3. In the Task name field, enter a short description, for example, Installing Kaspersky Endpoint Agent.
  4. In the Devices to which the task will be assigned section, select the task scope.

Step 2. Selecting computers for installation

At this step, select the computers on which Kaspersky Endpoint Agent will be installed in accordance with the selected task scope.

Step 3. Configuring the installation package settings

At this step, configure the installation package settings:

  1. Select Kaspersky Endpoint Agent installation package.
  2. Select the Network Agent installation package.

    The selected version of the Network Agent will be installed together with Kaspersky Endpoint Agent. The Network Agent provides interaction between the Administration Server and the client computer. If the Network Agent is already installed on the computer, it is not re-installed.

  3. In the Force installation package download section, select the application installation method:
    • Using Network Agent. If the Network Agent is not installed on the computer, first the Network Agent is installed using the operating system tools. Then Kaspersky Endpoint Agent is installed using the Network Agent tools.
    • Using operating system resources through distribution points. The installation package will be disseminated to managed devices through distribution points using operating system resources. You can select this option if there is at least one distribution point in your network. For details on distribution point operation, refer to Kaspersky Security Center Help.
    • Using operating system resources through Administration Server. The Administration Server will deliver files to managed devices by means of the operating system. This option can be selected if the Network Agent is not installed on the managed device, but the managed device is in the same network as the Administration Server.
  4. In the Maximum number of concurrent downloads field, specify the limit on the number of installation package download requests to the Administration Server. A limit on the number of requests helps prevent network overload.
  5. In the Number of installation attempts field, specify the limit on the number of application installation attempts. After successfully installing Kaspersky Endpoint Agent, the task will automatically start the next installation.
  6. If required, clear the Do not install application if it is already installed check box. This will allow, for example, installing an earlier version of the application.
  7. If required, clear the Verify operating system type before downloading check box. This will prevent the superfluous download of the application distribution package in the event that the computer's operating system does not meet the software requirements. If you are sure that the computer's operating system meets the software requirements, you can skip this check.
  8. If required, select the Assign package installation in Active Directory group policies check box. Kaspersky Endpoint Agent can be installed manually using the Network Agent or Active Directory. To install using the Network Agent, the remote installation task must be started with the domain administrator permissions.
  9. If required, select the Prompt the user to close running applications check box. Installing Kaspersky Endpoint Agent requires computer resources. For the user's convenience, the application installation wizard prompts the user to close running applications before starting the installation. This will prevent slowdowns in the operation of other applications, as well as possible computer malfunctions.
  10. In the Behavior of devices managed by other Servers section, select the installation method for Kaspersky Endpoint Agent. If more than one Administration Server is installed in the network, these Administration Servers can detect the same client computers. It can result in remote installation of the same application on one client computer from several Administration Servers and in other conflicts.

Step 4. Selecting how to restart the operating system

Select the action to be performed if the computer must be restarted.

Step 5. Selecting an account to run the task

Select an account to install the Network Agent using the operating system. In this case, administrator permissions are required to access the computer. You can add multiple accounts. If an account does not have the required permissions, the installation wizard uses the next account in the list. You do not need to select an account to install Kaspersky Endpoint Agent using the Network Agent.

Step 6. Finishing task creation

Complete the wizard's operation by clicking the Finish button. The new task will appear in the task list. To run the task, select the check box next to the task and click Run. The application will be installed in quiet mode.


Installing Kaspersky Endpoint Agent administration tools

This section contains information on how to install Kaspersky Endpoint Agent Management plug-in for managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console or Kaspersky Endpoint Agent Management web plug-in for managing Kaspersky Endpoint Agent using Kaspersky Security Center Web Console.

In this Help section

Installing and updating Kaspersky Endpoint Agent Management plug-in

Installing and updating Kaspersky Endpoint Agent Management web plug-in


Installing and updating Kaspersky Endpoint Agent Management plug-in

The Kaspersky Endpoint Agent Management plug-in must be installed in order to manage Kaspersky Endpoint Agent using the Kaspersky Security Center Administration Console.

To install the Kaspersky Endpoint Agent Management plug-in,

copy the klcfginst.msi file from the distribution kit to the device on which Kaspersky Security Center Administration Console is installed and run the file.

The application Installation Wizard starts.

Updating a previously installed version of the Kaspersky Endpoint Agent Management plug-in

This update is only available for the Kaspersky Endpoint Agent Management plug-in versions 3.7 and later.

When installing a plug-in on a device with a previous plug-in version:

  • All the setting values, including policies, group and local tasks, are migrated to the new plug-in version, and the previously installed plug-in version is automatically removed.
  • The Kaspersky Endpoint Agent settings that were not available in the previous plug-in version are set to default values and can be configured.

    To apply previously unavailable settings, after updating the plug-in, change the desired policy or task and save your changes.

  • Policy templates created in the previous plug-in version are available in the new plug-in version.

You can use the new plug-in to manage previous Kaspersky Endpoint Agent versions. However, previous versions of Kaspersky Endpoint Agent do not support and do not apply the settings that have appeared in the new plug-in version.


Installing and updating Kaspersky Endpoint Agent Management web plug-in

Kaspersky Endpoint Agent Management web plug-in must be installed to manage Kaspersky Endpoint Agent using Kaspersky Security Center Web Console.

You can install the web plug-in in one of the following ways:

  • Using the Initial Setup Wizard of the Kaspersky Security Center Web Console.
  • From the list of available distribution packages in the Kaspersky Security Center Web Console.

    For detailed information on installing management web plug-ins, refer to the Kaspersky Security Center Help.

  • By downloading the distribution package to the Kaspersky Security Center Web Console from a third-party source.

    To install the web plug-in, add a ZIP archive with the distribution package of the Kaspersky Endpoint Agent web plug-in to the Web Console interface (Console settings → Web plug-ins). You can download the web plug-in distribution kit, for example, from Kaspersky's website.

Updating a previously installed version of the Kaspersky Endpoint Agent Management web plug-in

When installing a plug-in on a device with a previous plug-in version:

  • All the setting values, including policies, group and local tasks, are migrated to the new plug-in version, and the previously installed plug-in version is automatically removed.
  • The Kaspersky Endpoint Agent settings that were not available in the previous plug-in version are set to default values and can be configured.

    To apply previously unavailable settings, after updating the plug-in, change the desired policy or task and save your changes.

  • Policy templates created in the previous plug-in version are available in the new plug-in version.

You can use the new plug-in to manage previous Kaspersky Endpoint Agent versions. However, previous versions of Kaspersky Endpoint Agent do not support and do not apply the settings that have appeared in the new plug-in version.


Updating Kaspersky Endpoint Agent from the previous version

Only Kaspersky Endpoint Agent version 3.8 and later can be updated. The update is possible for application versions installed both as part of the

application and independently. The update can be performed by installing the new version.

When you update Kaspersky Endpoint Agent, the current license is automatically applied to Kaspersky Endpoint Agent. The license term will remain unchanged. When updating the application with an expired license, the new application version works in limited functionality mode after installation.

If the license for the updated version has expired, you can add the license key during the update. The key file can be passed using one of the specified methods.

When Kaspersky Endpoint Agent is installed on a device with a previous version of Kaspersky Endpoint Agent, first all

is saved and used, then the previous version of the application is automatically uninstalled.

If Kaspersky Endpoint Agent is installed on a device with a previous version of Kaspersky Endpoint Agent, you will need to create an account to connect to Kaspersky Security Center and migrate data from the previous version. The account uses the default name AutoIOC_Admin and a password specified by the user.

When updating a previous version of Kaspersky Endpoint Agent that is password protected, you must pass this password to the installer in one of the following ways:

When updating Kaspersky Endpoint Agent as part of EPP, you can pass the password as the value of the UNLOCK_PASSWORD key in the install_props.json configuration file.

The application password passed through the install_props.json configuration file is stored in the file in non-encrypted form. To reduce the probability of unauthorized access to this data, it is recommended to restrict access to the install_props.json file and delete it from the device after installing or updating the application.
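An added example, not from the Kaspersky documentation, of handling install_props.json the way the note above recommends: the file is created with a restricted ACL immediately before the update and overwritten and deleted immediately afterwards, whatever the outcome. It assumes a flat JSON object carrying the UNLOCK_PASSWORD key (the rest of the file's schema is not given on this page), that the installer reads install_props.json from the folder containing endpointagent.msi, and an elevated session; $PackageDir and $UnlockPassword are the example's own parameters.

```powershell
# Added example (not Kaspersky's code): minimise the exposure of the plaintext
# UNLOCK_PASSWORD stored in install_props.json during an update of a
# password-protected Kaspersky Endpoint Agent.
# Assumptions: flat JSON object {"UNLOCK_PASSWORD": "..."} (only that key is
# documented here), the new endpointagent.msi is in $PackageDir, the installer
# picks install_props.json up from that folder, elevated PowerShell session.

param(
    [Parameter(Mandatory)] [string]$PackageDir,
    [Parameter(Mandatory)] [securestring]$UnlockPassword
)

$msi   = Join-Path $PackageDir 'endpointagent.msi'
$props = Join-Path $PackageDir 'install_props.json'   # must sit next to the MSI
if (-not (Test-Path $msi)) { throw "MSI not found: $msi" }

try {
    # Create the file empty and lock its ACL down before any secret is written,
    # so there is no window in which inherited permissions expose the content.
    New-Item -Path $props -ItemType File -Force | Out-Null
    $acl = Get-Acl -Path $props
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $props -AclObject $acl

    # Convert the SecureString only now; the installer needs the plaintext in the file.
    $plain = [System.Net.NetworkCredential]::new('', $UnlockPassword).Password
    $json  = @{ UNLOCK_PASSWORD = $plain } | ConvertTo-Json
    # Write UTF-8 without BOM so the JSON is not prefixed with stray bytes.
    [System.IO.File]::WriteAllText($props, $json, [System.Text.UTF8Encoding]::new($false))

    $msiArgs = @('/i', "`"$msi`"", 'EULA=1', 'PRIVACYPOLICY=1', '/qn')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec exited with $($proc.ExitCode)" }
    if ($proc.ExitCode -eq 3010) { Write-Warning 'Update completed; a restart is required.' }
}
finally {
    # Remove the plaintext password whether the update succeeded or not.
    # Overwrite the content first so the file is not merely unlinked.
    if (Test-Path $props) {
        [System.IO.File]::WriteAllText($props, ('0' * 256))
        Remove-Item -Path $props -Force
    }
    $plain = $null
    $json  = $null
}
```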

Starting from version 3.10,

(also referred to as KMP) usage cannot be configured by means of Kaspersky Endpoint Agent. If usage of the KMP service was enabled in the previous Kaspersky Endpoint Agent version, the KMP service continues functioning after the application is updated to version 3.10 and later. After the application update, you can disable the KMP service only using Kaspersky Endpoint Agent Administration Plug-in or Kaspersky Endpoint Agent Web Plug-in of versions earlier than 3.10.

When installing a plug-in on a device with a previous plug-in version:

  • All the setting values, including policies, group and local tasks, are migrated to the new plug-in version, and the previously installed plug-in version is automatically removed.
  • The Kaspersky Endpoint Agent settings that were not available in the previous plug-in version are set to default values and can be configured.

    To apply previously unavailable settings, after updating the plug-in, change the desired policy or task and save your changes.

  • Policy templates created in the previous plug-in version are available in the new plug-in version.

You can use the new plug-in to manage previous Kaspersky Endpoint Agent versions. However, previous versions of Kaspersky Endpoint Agent do not support and do not apply the settings that have appeared in the new plug-in version.

See also

Preparing for Kaspersky Endpoint Agent installation

Installing Kaspersky Endpoint Agent

Installing and uninstalling Kaspersky Endpoint Agent locally

Installing Kaspersky Endpoint Agent using Kaspersky Security Center

Installing Kaspersky Endpoint Agent administration tools

Repairing Kaspersky Endpoint Agent

Changes in the system after Kaspersky Endpoint Agent installation


Repairing Kaspersky Endpoint Agent

If you launch Kaspersky Endpoint Agent installer in Repair mode, it will check and restore the integrity of all damaged application modules and system registry keys created during the application's installation.

You can run the installer in Repair mode in one of the following ways:

  • Locally using Kaspersky Endpoint Agent Installation Wizard.
  • Locally using the command line.
  • Remotely using Kaspersky Security Center by performing one of the following actions (for details, refer to Kaspersky Security Center Help):
    • By selecting the Repair application if it is already installed check box when creating the installation package.
    • By specifying the REINSTALL=ALL parameter when creating a custom installation package.

If Kaspersky Endpoint Agent installer is launched in Repair mode and the application does not need to be repaired, the installer will not perform any changes on the device.

If Kaspersky Endpoint Agent installer is launched in Repair mode and the application is not installed on the device, the application installation will start.

If Kaspersky Endpoint Agent installer is launched in Repair mode locally using the command line or remotely using Kaspersky Security Center, and the settings of the installed application differ from the settings specified in the installer, the installer will be launched in the mode for changing the settings of the installed application.


Changes in the system after Kaspersky Endpoint Agent installation

The Windows Installer service performs the following changes on the protected device during the installation of Kaspersky Endpoint Agent:

  • Creates Kaspersky Endpoint Agent folders.
  • Registers Kaspersky Endpoint Agent keys in the system registry.
  • Registers Kaspersky Endpoint Agent services and drivers.

Kaspersky Endpoint Agent folders on the protected device

When Kaspersky Endpoint Agent is installed, the following folders are created on the device:

  • The default Kaspersky Endpoint Agent installation folder that contains Kaspersky Endpoint Agent executable files:
    • On a 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\
    • On a 64-bit version of Microsoft Windows: %ProgramFiles (x86)%\Kaspersky Lab\Endpoint Agent\
  • Folder containing Kaspersky Endpoint Agent (x86) drivers:
    • On a 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\drivers\<OS version>\<driver name>
    • On a 64-bit version of Microsoft Windows: %ProgramFiles (x86)%\Kaspersky Lab\Endpoint Agent\drivers\x64\<OS version>\<driver name>
  • Folders containing IOC files:
    • In 32-bit version of Microsoft Windows:
      • %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc
      • %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.0
      • %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.1
    • In 64-bit version of Microsoft Windows:
      • %ProgramFiles (x86)%\Kaspersky Lab\Endpoint Agent\openioc
      • %ProgramFiles (x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.0
      • %ProgramFiles (x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.1
  • Folders containing Kaspersky Endpoint Agent system files:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Images
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kata
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kmp
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Syslog
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Hunts
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Settings
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Tasks
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\DSKM
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp\Tasks
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Bases
  • Folder containing system files for Kaspersky Security Network's operation:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Ksn
  • Folder containing quarantined files:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Quarantine
  • Folder containing files restored from quarantine:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Restored
  • Folder containing Kaspersky Security Center policy configuration files:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Policy
  • Folders containing system files for Kaspersky Sandbox's operation:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox\Queue
  • Folder containing files of updatable components:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Update
  • Folder containing shortcut files for the Start menu:
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Kaspersky Endpoint Agent

Kaspersky Endpoint Agent services and drivers

The following Kaspersky Endpoint Agent services are registered and started under the system account (SYSTEM):

  • SOYUZ.exe is the main Kaspersky Endpoint Agent service that manages its tasks and operation processes.
  • VOSTOK.dll (executed in proton.exe) is a service that facilitates the interaction between Kaspersky Endpoint Agent and the Central Node component.
  • ANGARA.dll (executed in proton.exe) is a service that facilitates the interaction between Kaspersky Endpoint Agent and EPP in scenarios of Kaspersky Sandbox integration.

The following Kaspersky Endpoint Agent drivers are registered on the device:

  • klsnsr.sys is the Event Tracing for Windows (ETW) driver.
  • klncap.sys is the ETW network packet analyzer driver.

    When installed on a device running Microsoft Windows XP, the klncapxp.sys driver is registered instead of klncap.sys.

System registry keys

As a result of Kaspersky Endpoint Agent's installation, the following registry keys are created:

Registry keys are listed in the 32-bit application view.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdDisplayName]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdVersion]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorVersion]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorFlags]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\NagentMinVer]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorPath]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3KPD]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\ProductCode]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\NoPPL]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\BFESDDL]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable(Example)]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder(Example)]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EnableKillChain]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\SvmUpdateMode]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\MsiPath]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\AgentPath]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EventsExpirationTimeout]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallID]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallTime]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLCID]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLocalization]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallPlatformType]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\Version]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration(Example)]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\StartMenu]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\UninstallShortcut2]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\RelNotes]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\License]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Ksn]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Kmp]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\ProductUrl]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\angara]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klncap]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klncapxp]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klsnsr]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vostok]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soyuz]
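The footprint listed in this section (services running as SYSTEM, the two drivers, the registry keys) is what an administrator would verify when checking that an installation is intact or has not been tampered with. The following PowerShell audit is an added example and is not code from the Kaspersky Help page or from the product; it assumes the service names equal the Services registry keys above (soyuz, vostok, angara), treats Version as a value under the Install key, and, because the keys are listed in the 32-bit view, also looks under WOW6432Node on 64-bit hosts.

```powershell
# Added example (not Kaspersky code): audits a device for the Kaspersky Endpoint
# Agent footprint described above and reports every deviation it finds.
# Assumptions: service names soyuz/vostok/angara (from the Services keys above),
# drivers klsnsr and klncap (klncapxp replaces klncap on Windows XP), and
# 'Version' stored as a value under SOYUZ\4.0\Install. Run elevated.

$Expected = @{
    Services = @('soyuz', 'vostok', 'angara')   # run as LocalSystem per the page
    Drivers  = @('klsnsr', 'klncap')            # klncapxp replaces klncap on XP
    # Keys from the 32-bit view; on x64 hosts they are redirected to WOW6432Node
    RegistryKeys = @(
        'SOFTWARE\KasperskyLab\SOYUZ\4.0\Install',
        'SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment',
        'SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer'
    )
}

function Get-KeaRegistryPath {
    param([string]$RelativeKey)
    # The page lists keys in the 32-bit application view; from a 64-bit host
    # that view lives under WOW6432Node, so try the native path first, then it.
    $candidates = @("HKLM:\$RelativeKey")
    if ([Environment]::Is64BitOperatingSystem) {
        $candidates += "HKLM:\" + ($RelativeKey -replace '^SOFTWARE\\', 'SOFTWARE\WOW6432Node\')
    }
    foreach ($c in $candidates) { if (Test-Path -LiteralPath $c) { return $c } }
    return $null
}

function Test-KeaFootprint {
    $findings = New-Object System.Collections.Generic.List[string]

    # Services must exist, be running, and run under the SYSTEM account.
    foreach ($name in $Expected.Services) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) { $findings.Add("service '$name' is not registered"); continue }
        if ($svc.State -ne 'Running') {
            $findings.Add("service '$name' is $($svc.State), expected Running")
        }
        if ($svc.StartName -ne 'LocalSystem') {
            $findings.Add("service '$name' runs as '$($svc.StartName)', expected LocalSystem")
        }
    }

    # Drivers must be registered; klncapxp is the accepted substitute for klncap.
    foreach ($name in $Expected.Drivers) {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        if (-not $drv) {
            if ($name -eq 'klncap' -and
                (Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='klncapxp'")) { continue }
            $findings.Add("driver '$name' is not registered")
        } elseif ($drv.State -ne 'Running') {
            $findings.Add("driver '$name' is $($drv.State), expected Running")
        }
    }

    # Registry keys must be present in either the 32-bit or the 64-bit view.
    foreach ($key in $Expected.RegistryKeys) {
        if (-not (Get-KeaRegistryPath $key)) {
            $findings.Add("registry key '$key' is missing in both registry views")
        }
    }

    # Surface the installed version for the report (assumed to be a value).
    $installKey = Get-KeaRegistryPath 'SOFTWARE\KasperskyLab\SOYUZ\4.0\Install'
    $version = $null
    if ($installKey) {
        $version = (Get-ItemProperty -LiteralPath $installKey -ErrorAction SilentlyContinue).Version
    }

    [pscustomobject]@{
        InstalledVersion = $version
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

$result = Test-KeaFootprint
$result | Format-List
if (-not $result.Healthy) { exit 1 }
```

A non-zero exit code makes the script usable as a scheduled compliance check; each finding names the service, driver or key that deviates from the documented state.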


Kaspersky Endpoint Agent activation

This section contains information about Kaspersky Endpoint Agent activation.

In this Help section

Managing Kaspersky Endpoint Agent activation

Functional limitations after the license expiration

Viewing information about the current license


Managing Kaspersky Endpoint Agent activation

You can activate Kaspersky Endpoint Agent in one of the following ways:

You can use Kaspersky Security Center as a proxy server to activate Kaspersky Endpoint Agent.

You can view information about the current Kaspersky Security Center license in the Kaspersky licenses section, in the device properties, or using the command line.

For detailed information on managing keys using Kaspersky Security Center, refer to Kaspersky Security Center Help.

After the license expires, the application will continue to work but with limited functionality.

See also

Functional limitations after the license expiration

Viewing information about the current license


Functional limitations after the license expiration

When the license expires, the following limitations will arise in the operation of Kaspersky Endpoint Agent functional components:

  • Telemetry data is not collected.
  • Network isolation cannot be enabled.

    If network isolation was enabled when the license expired, the application will disable network isolation in accordance with the specified settings for automatic disabling of network isolation.

  • Execution prevention cannot be enabled.

    If Execution prevention was enabled when the license expired, the application will stop blocking objects that fall under the specified Execution prevention rules.

  • The following tasks stop and cannot be started: Run process, Terminate process, Delete file.
  • The Standard IOC Scan tasks will stop and cannot be started.
  • KSN/KPSN usage terminates.

When you try to use the listed application functional components after the license expires, the application creates the critical LicenseViolation event in the Windows event log and in the Kaspersky Security Center Administration Server log. When working from the command line, the application returns the code 8 (AccessDenied).

See also

Managing Kaspersky Endpoint Agent activation

Viewing information about the current license


Viewing information about the current license

You can view information about the current license in Kaspersky Security Center in the Kaspersky licenses section or in the device properties in the Keys section. For detailed information on managing keys using Kaspersky Security Center, refer to Kaspersky Security Center Help.

To view information about an active license in the Kaspersky Security Center Administration Console:

  1. In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group that includes the required device.
  2. In the workspace, select the Devices tab.
  3. Select the device for which you want to configure Kaspersky Endpoint Agent settings.
  4. Select Properties in the device context menu.

    The device properties window opens.

  5. Select the Applications section.

    A list of Kaspersky applications installed on the device is displayed in the window.

  6. Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
    • Double-click the application name.
    • In the application context menu, select Properties.
    • Click the Properties button under the list of Kaspersky applications.
  7. Select the Keys section.

Information about the current license will be displayed in the window.

To view information about an active license in the Kaspersky Security Center Web Console:

  1. On the Devices tab, select Managed devices.
  2. Click the name of the device you want.
  3. In the device properties window that opens, select the Applications tab.
  4. In the list of applications, select Kaspersky Endpoint Agent.
  5. In the application properties window that opens, select the General tab and open the License section.

The general information about active and backup license keys will be displayed.

See also

Managing Kaspersky Endpoint Agent activation

Functional limitations after the license expiration


Managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console

Kaspersky Security Center provides a centralized solution for the main tasks of managing and maintaining an organization's network protection system. The application provides the administrator with access to detailed information about the security level of the organization's network and allows the administrator to configure all the components of protection built based on Kaspersky applications.

Kaspersky Security Center enables the remote installation, uninstallation, starting and stopping of Kaspersky Endpoint Agent, the configuration of the application settings, and the starting and stopping of application tasks. Kaspersky Security Center offers differentiation of access permissions to Kaspersky Endpoint Agent using the Role Based Access Control (RBAC) technology.

For detailed information on Kaspersky Security Center, refer to Kaspersky Security Center Help.

Kaspersky Security Center Administration Console (hereinafter also referred to as Administration Console) provides the user interface for working with Kaspersky Security Center. Administration Console is implemented as an extension component to the Microsoft Management Console (MMC).

Kaspersky Endpoint Agent can be managed in Kaspersky Security Center Administration Console using the Kaspersky Endpoint Agent Management plug-in.

This section contains the basic information about managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console.

See also

Installing and uninstalling Kaspersky Endpoint Agent

Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent using Kaspersky Security Center Web Console

Managing Kaspersky Endpoint Agent using the command line interface

In this Help section

Managing Kaspersky Endpoint Agent policies

Configuring Kaspersky Endpoint Agent settings

Managing Kaspersky Endpoint Agent tasks


Managing Kaspersky Endpoint Agent policies

This section describes how to create Kaspersky Endpoint Agent policies and enable policy settings.

In this section

Creating Kaspersky Endpoint Agent policy

Enabling settings in Kaspersky Endpoint Agent policy

See also

Configuring Kaspersky Endpoint Agent settings

Managing Kaspersky Endpoint Agent tasks


Creating Kaspersky Endpoint Agent policy

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To create a Kaspersky Endpoint Agent policy in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Click Create a policy.

    The policy creation wizard starts.

  4. In the Selecting an application for creating a group policy window, select Kaspersky Endpoint Agent.
  5. Click Next.
  6. In the Enter group policy name window, perform the following actions:
    1. Enter the name that will be used for the new policy in the policy list.
    2. If you want to import the settings of an existing Kaspersky Endpoint Agent policy to a new policy:
      1. Select the Use the policy settings for previous application version check box.
      2. Click Select and in the window that opens, select the policy whose settings you want to import.
      3. Click OK.
    3. Click Next.
  7. In the New policy window, select one of the following options:
    • Create a new policy and configure its settings.
    • Create a new policy with default settings.

    If you enabled the Use the policy settings for previous application version setting at the previous step, the Create a new policy and configure its settings option is selected by default, and the settings specified in the imported policy are displayed during the policy creation. In this case, the switch in the upper right corner of each section with the policy settings, which shows if the policy is applied, depends on the position of the switches.

  8. Click Next.
  9. In the Select policy type window, select the required Kaspersky Endpoint Agent deployment method:
    • Integration with Kaspersky Sandbox
    • Endpoint Detection and Response Expert (KATA EDR), Kaspersky Industrial CyberSecurity for Networks
  10. Click Next.
  11. If you select the Create a new policy and configure its settings option, perform one of the following actions in all sequentially displayed settings windows:
    • To configure the application settings in the displayed sections during policy creation:
      1. Click Configure next to the name of the required section.
      2. In the window that opens, configure the required settings and click OK.
      3. Click Next.
    • To configure the application settings in the displayed section later, click Next.

    Configuration of the application settings consists of the following steps:

    The composition of the steps depends on the type of policy selected during the previous step and may differ from the one described.

    • Configuring integration between Kaspersky Endpoint Agent and Kaspersky Sandbox.
    • Configuring integration of Kaspersky Endpoint Agent with Endpoint Detection and Response Expert (KATA EDR) and Kaspersky Industrial CyberSecurity for Networks (KICS for Networks) components.
    • Configuring threat response settings.
    • Configuring application repositories.
    • Configuring application security settings.
    • Configuring general application settings.
  12. In the Target group window, select the Kaspersky Security Center administration group to which the created policy will be applied by performing the following steps:
    1. Click Browse.

      The administration group selection window will open.

    2. Select the administration group from the list.

      For example, you can select the Managed devices group.

    3. If you want to create a subgroup in the Managed devices group:
      1. Click New group.
      2. In the window that opens, enter the name of the device subgroup.
      3. Click OK.
    4. Click Next.
  13. In the Creating a group policy for the application window, select one of the following policy statuses:
    • Active policy to activate the policy as soon as it is created.
    • Inactive policy to activate the policy later.
    • Out-of-office. The policy becomes active when the computer leaves the corporate network.
  14. Select the Open policy properties after creation check box if you want to perform additional configuration of the policy immediately after creating it.
  15. Click Finish.

The created policy will now appear in the policy list.

See also

Enabling settings in Kaspersky Endpoint Agent policy


Enabling settings in Kaspersky Endpoint Agent policy

When you configure Kaspersky Endpoint Agent policy settings, by default these settings are saved, but are not applied until you enable them. The settings in the policy sections are divided into groups. You can enable either individual groups or all groups within one policy.

To enable the group of settings in Kaspersky Endpoint Agent policy:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. Select the policy for which you want to enable the settings.
  5. In the window that opens, select the section and group of settings to which the required setting belongs.
  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.

All the settings of the group will be applied in the policy after the changes are saved.

See also

Creating Kaspersky Endpoint Agent policy


Opening Kaspersky Endpoint Agent settings window

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To open the Kaspersky Endpoint Agent settings window:

  1. Open Kaspersky Security Center Administration Console.
  2. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
  3. Select the administration group for which you want to configure application settings.
  4. Perform one of the following actions in the details pane of the selected administration group:
    • To configure the application settings for a group of devices, select the Policies tab and open the Properties: <Policy name> window by double-clicking the policy name or by selecting Properties in the context menu.
    • To configure the application settings for a single device, select the Devices tab and perform the following actions:
      1. Open the Properties: <Device name> window by double-clicking the device name or by selecting Properties in the context menu.
      2. Select the Applications section.
      3. Open the Application settings window by double-clicking the application name or by clicking the Properties button under the list of applications.

    If an active Kaspersky Security Center policy is applied to a device and blocks changes to the application settings, these settings cannot be edited in the Application settings window, except for the network isolation settings.

    The settings of automatic network isolation can be configured in the policy properties, and the settings of network isolation on demand (manually enabled settings) can be configured in the properties of an individual device.


Configuring Kaspersky Endpoint Agent security settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To ensure maximum security of the IT infrastructure in your organization, you can configure access of users and third-party processes to Kaspersky Endpoint Agent.

See also

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Configuring KSN usage in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring storage settings in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring failure diagnosis

In this Help section

Configuring user permissions

Enabling Password protection

Enabling and disabling Self-Defense


Configuring user permissions

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can grant access to Kaspersky Endpoint Agent to individual users or groups of users. As a result, only specified users will be able to manage settings or services of the application.

To configure user permissions:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section, select the Security settings subsection.
  5. In the User permissions group of settings, click the Configure button next to the name of the required setting.

    The permissions window for Kaspersky Endpoint Agent group will open.

  6. In the upper block of settings for groups or users, select the group or user to which you want to grant permissions.
  7. In the lower block of permission settings for groups or users, select the check boxes for the items with the desired permissions.
  8. Click OK.
  9. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  10. In the policy properties window, click OK.

The user permissions for managing the application settings and services have now been configured and applied.

See also

Enabling Password protection

Enabling and disabling Self-Defense


Enabling Password protection

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Unrestricted user access to the application and its settings can reduce the security level of the device. Password protection is a means to limit user access to the application.

To enable password protection:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section, select the Security settings subsection.
  5. In the Password protection group of settings, select the Apply password protection check box.
  6. Enter a password and confirm it.

    It is recommended to select a password that satisfies the following requirements:

    • It is at least 8 characters long.
    • It does not contain the user account name.
    • It does not match the name of the device on which Kaspersky Endpoint Agent is installed.
    • It contains characters from at least three of the following groups:
      • uppercase characters (A-Z);
      • lowercase characters (a-z);
      • numbers (0-9);
      • special characters (!$#%).
  7. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  8. Click OK.

Password protection is now enabled. If a user attempts to perform a password protected action, the application will prompt the user to enter the password.

The application does not check the strength of the specified password. We recommend that you use third-party tools to verify the strength of the password. The password is considered strong enough if verification results confirm that the password cannot be guessed for at least 6 months.

The application does not block further login attempts after repeated entries of an incorrect password.
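Because the application itself does not validate the password, the recommended requirements listed in step 6 can be checked on the administrator's workstation before the password is entered into the policy. The following PowerShell function is an added example, not code from the Kaspersky Help page or the product; it implements exactly those requirements and assumes that "special characters" means any printable non-alphanumeric character (the page only gives !$#% as examples).

```powershell
# Added example (not Kaspersky code): checks a candidate password against the
# requirements recommended on this page. The user name and device name default
# to the current session but should be passed explicitly for the target device.

function Test-KeaPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName   = $env:USERNAME,      # account name that must not appear
        [string]$DeviceName = $env:COMPUTERNAME   # protected device's name
    )
    $failures = @()

    # Requirement: at least 8 characters.
    if ($Password.Length -lt 8) { $failures += 'shorter than 8 characters' }

    # Requirement: does not contain the user account name (case-insensitive).
    if ($UserName -and
        $Password.IndexOf($UserName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $failures += 'contains the user account name'
    }

    # Requirement: does not match the device name (case-insensitive).
    if ($DeviceName -and
        [string]::Equals($Password, $DeviceName, [StringComparison]::OrdinalIgnoreCase)) {
        $failures += 'matches the device name'
    }

    # Requirement: characters from at least three of the four groups.
    # -cmatch is case-sensitive; the default -match would let [A-Z] match
    # lowercase letters and silently satisfy two groups with one character.
    # Assumption: "special" = any printable non-alphanumeric, non-space character.
    $groups = [ordered]@{
        uppercase = '[A-Z]'
        lowercase = '[a-z]'
        digit     = '[0-9]'
        special   = '[^A-Za-z0-9\s]'
    }
    $present = @($groups.GetEnumerator() |
        Where-Object { $Password -cmatch $_.Value } |
        ForEach-Object { $_.Key })
    if ($present.Count -lt 3) {
        $failures += "uses only $($present.Count) of 4 character groups ($($present -join ', ')); at least 3 required"
    }

    [pscustomobject]@{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed sample inputs (not from the page) for user 'jdoe' on device 'WS-0042':
# the first violates two requirements, the second satisfies all of them.
Test-KeaPasswordPolicy -Password 'jdoe1234'   -UserName 'jdoe' -DeviceName 'WS-0042'
Test-KeaPasswordPolicy -Password 'Tr#v9qLm2!' -UserName 'jdoe' -DeviceName 'WS-0042'
```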

See also

Configuring user permissions

Enabling and disabling Self-Defense


Enabling and disabling Self-Defense

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The Self-Defense mechanism of Kaspersky Endpoint Agent provides protection from malware that tries to lock or delete the application. The Self-Defense mechanism prevents the alteration or deletion of application files on the hard drive, application processes in memory, and application entries in the system registry.

To enable or disable Self-Defense:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section, select the Security settings subsection.
  5. In the Self-defense group of settings, enable or disable the Enable self-defense for application modules in memory setting.

    The setting is enabled by default.

  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click OK.

The Self-Defense mechanism is now enabled or disabled.

See also

Configuring user permissions

Enabling Password protection


Configuring Kaspersky Endpoint Agent connection settings to a proxy server

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Proxy server connection settings are used for updating databases, activating the application, and connecting to external services.

If you want to use a specified proxy server when connecting to KATA server, Kaspersky Sandbox server or Kaspersky Industrial CyberSecurity for Networks server, make sure that the Connect using the proxy server if specified in the general settings option is selected when configuring integration with KATA, Kaspersky Industrial CyberSecurity for Networks or Kaspersky Sandbox. This option is not selected by default.

To configure proxy server connection settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section select the General settings subsection.
  5. Select one of the following proxy service usage options:
    • Do not use proxy server.
    • Automatically detect proxy server address.
    • Use proxy server with specified settings.
  6. If you select the Automatically detect proxy server address option, the proxy server for further telemetry transmission will be detected automatically.
  7. If you select the Use proxy server with specified settings option, specify the address and port of the proxy server you want to connect to in the Server name or IP address and Port fields.

    The default port number is 8080.

  8. If you want to use NTLM authentication (NT LAN Manager Network Authentication Protocol) to connect to the proxy server:
    1. Select the Use NTLM authentication by user name and password check box.
    2. In the User name field, enter the name of the user whose account will be used for proxy server authentication.
    3. In the Password field, enter the password for connecting to the proxy server.

      You can make password characters visible by clicking Show to the right of the Password field.

  9. If you do not want to use the proxy server for internal addresses of your organization, select the Bypass proxy server for local addresses check box.
  10. Click the Apply button.

    As a result, you will return to the policy properties window.

  11. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  12. Click OK.

Proxy server connection settings are now configured.

See also

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent security settings

Configuring KSN usage in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring storage settings in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring failure diagnosis

Page top
[Topic 193093]

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To enable usage of Kaspersky Security Center as a proxy server for the application activation:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Application settings section select the General settings subsection.
  5. In the Licensing group of settings, select the Use Kaspersky Security Center as a proxy server when activating the application check box.
  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click OK.

Kaspersky Security Center usage as a proxy server for Kaspersky Endpoint Agent activation is now enabled.

Page top
[Topic 199090]

Configuring KSN usage in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To protect your computer more effectively, Kaspersky Endpoint Security uses data received from users around the globe. Kaspersky Security Network is designed to receive this data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services that provide access to the online Kaspersky Knowledge Base that contains information about the reputations of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by the EPP application to objects that are not yet listed in anti-virus application databases, improves performance of some protection components, and reduces the likelihood of false positives.

Participation in Kaspersky Security Network allows Kaspersky to quickly acquire information about the types and sources of objects that are not yet listed in anti-virus application databases, develop methods for neutralizing such objects, and reduce the number of false positives.

When you use Kaspersky Security Network, certain statistical data collected while Kaspersky Endpoint Agent is running is automatically sent to Kaspersky. Files, or parts of files, that may be exploited by intruders to harm the computer or data can be also sent to Kaspersky to be further examined.

No personal data is collected, processed, or stored. The types of data that Kaspersky Endpoint Agent sends to Kaspersky Security Network are described in the KSN Statement.

Participation in Kaspersky Security Network is voluntary. KSN usage is disabled by default. After enabling KSN usage, you can disable this option at any time.

Starting from version 3.10, Kaspersky Managed Protection (also referred to as KMP) usage cannot be configured by means of Kaspersky Endpoint Agent. If usage of the KMP service was enabled in the previous Kaspersky Endpoint Agent version, the KMP service continues functioning after the application is updated to version 3.10 and later. After the application update, you can disable the KMP service only using Kaspersky Endpoint Agent Administration Plug-in or Kaspersky Endpoint Agent Web Plug-in of versions earlier than 3.10.

To enable KSN usage:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. Select the Kaspersky Security Network section.
  5. Review the KSN Statement.
  6. If you agree with terms and conditions of the Statement, select the I confirm that I have fully read, understood, and accept the terms and conditions of this Kaspersky Security Network Statement check box.
  7. Select the Enable Kaspersky Security Network usage check box.
  8. If you want to use Kaspersky Security Center for telemetry transmission, select the check box.
  9. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  10. Click OK.

KSN usage is enabled.

See also

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent security settings

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring storage settings in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring failure diagnosis

Page top
[Topic 196676]

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section contains information on how to configure integration between Kaspersky Endpoint Agent and the KATA Central Node component using the Kaspersky Security Center Administration Console.

In this Help section

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

Page top
[Topic 193263]

Configuring data submission settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure data submission settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Telemetry collection servers section, select the General settings subsection.
  5. In the Data submission settings group, do the following:
    • Specify the value in the Events transmission period (sec.) field.

      The default value is 30 seconds.

    • Specify the value in the Maximum number of events in a package field.

      The default value is 1024 events in a package.

  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click OK.

See also

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

Page top
[Topic 198522]

Configuring request throttling settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The request throttling feature allows restricting the flow of events with low importance from Kaspersky Endpoint Agent to the Central Node component. Event importance is evaluated by the application.

To configure the request throttling settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Telemetry collection servers section, select the General settings subsection.
  5. In the Request throttling group of settings, you can perform the following actions:
    • Enable or disable the Enable request throttling setting.

      The setting is enabled by default.

    • Specify the number of events in the Maximum number of events per hour field.

      The application analyzes telemetry data flow and restricts transmission of events with low importance if the number of transmitted events tends to exceed the value specified in this field. The default value is 3000 events per hour.

    • Specify the threshold for the flow of events of the same type with low importance in the Percentage of event limit excess field.

      If the flow of events of the same type with low importance exceeds the threshold value specified in this field as a percentage of the total number of events, transmission of events of this type is restricted. You can specify a value from 5% to 100%. The default value is 15%.

  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.

    The default switch position is Under policy.

  7. Click OK.
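
The throttling rules above are described only in outline, so the following Python model, an added example rather than the agent's own code, makes one reading of them concrete and lets you estimate how much low-importance telemetry a given limit would hold back. It assumes that the per-type threshold is the stated percentage of the hourly limit, that counters reset every hour, and that events the agent rates as important are never restricted; the event stream is constructed.

```python
"""Model of Kaspersky Endpoint Agent request throttling (added example, not the agent's code).

Assumed rules, derived from the settings described in the procedure:
  * "Maximum number of events per hour": once that many events have been sent in the
    current hour, further low-importance events are held back.
  * "Percentage of event limit excess": a single low-importance event type may use at
    most that percentage of the hourly limit (15% of 3000 = 450 events by default).
  * Events the agent rates as important are always transmitted.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int                 # seconds since epoch; constructed sample values below
    kind: str               # event type, e.g. "ProcessStart"
    low_importance: bool    # importance as evaluated by the agent (given here as input)


class RequestThrottler:
    """Decides, event by event, whether it is transmitted or restricted."""

    def __init__(self, enabled=True, max_per_hour=3000, excess_percent=15):
        if not 5 <= excess_percent <= 100:
            raise ValueError("Percentage of event limit excess must be between 5 and 100")
        self.enabled = enabled
        self.max_per_hour = max_per_hour
        # Assumption: the per-type threshold is this percentage of the hourly limit.
        self.per_type_budget = max_per_hour * excess_percent // 100
        self._hour = None
        self.sent = Counter()        # events sent in the current hour, per type
        self.restricted = Counter()  # events held back in the current hour, per type

    def _roll_hour(self, ts):
        hour = ts // 3600
        if hour != self._hour:       # a new hour starts: counters begin again
            self._hour = hour
            self.sent.clear()
            self.restricted.clear()

    def submit(self, ev):
        """Return True if the event is transmitted, False if it is restricted."""
        self._roll_hour(ev.ts)
        if self.enabled and ev.low_importance:
            if sum(self.sent.values()) >= self.max_per_hour:
                self.restricted[ev.kind] += 1
                return False
            if self.sent[ev.kind] >= self.per_type_budget:
                self.restricted[ev.kind] += 1
                return False
        self.sent[ev.kind] += 1
        return True


def simulate(events, throttler):
    """Run a stream through the throttler; return (sent, restricted) totals per type."""
    sent, restricted = Counter(), Counter()
    for ev in sorted(events, key=lambda e: e.ts):
        (sent if throttler.submit(ev) else restricted)[ev.kind] += 1
    return dict(sent), dict(restricted)


def sample_stream():
    """Constructed sample: two noisy low-importance types, a little noise of a third
    type, three important events, then one event in the next hour."""
    events, t = [], 0
    for kind, count, low in (("ProcessStart", 15, True), ("RegistryChange", 15, True),
                             ("FileModification", 5, True), ("Detect", 3, False)):
        for _ in range(count):
            events.append(Event(t, kind, low))
            t += 1
    events.append(Event(3600, "ProcessStart", True))   # next hour: budgets start over
    return events


if __name__ == "__main__":
    # Small limits so the effect is visible: 20 events per hour, 50% per type (= 10).
    print(simulate(sample_stream(), RequestThrottler(max_per_hour=20, excess_percent=50)))
```

Comparing the output with `RequestThrottler(enabled=False)` shows exactly which event types a SOC would stop seeing under a given limit.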

Page top
[Topic 199235]

Enabling and disabling integration with KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

If you use Nginx as a proxy server between a device with Kaspersky Endpoint Agent installed and KATA server, configure the client_max_body_size setting. The value of the client_max_body_size setting must be equal to the maximum size of the object sent by Kaspersky Endpoint Agent to KATA for processing. Otherwise, Nginx will not send objects whose size exceeds the specified value. The default value is 1 MB.

To enable or disable integration with the KATA Central Node component:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Telemetry collection servers section, select the Integration with KATA subsection.
  5. In the Connection settings group, do one of the following:
    • To enable integration with KATA Central Node:
      1. Select the Enable KATA integration check box.
      2. In the List of KATA servers settings group, for one or more KATA servers, specify the IP address or full domain name of the KATA server, as well as the port for connecting to the server.

        Kaspersky Endpoint Agent connects to the first server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second server and so on down the list.

    • To disable integration with KATA Central Node, clear the Enable KATA integration check box.
  6. In the Connection settings group, enable or disable the Connect using the proxy server if specified in the general settings option.

    This option is disabled by default. The application connects to the KATA server only directly and does not use the general proxy server connection settings. You can enable this option if you want the application to use the general proxy server connection settings when connecting to the KATA server.

  7. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  8. Click OK.

Integration with KATA Central Node is enabled or disabled.

See also

Configuring data submission settings

Configuring request throttling settings

Configuring trusted connection with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

Page top
[Topic 196928]

Configuring trusted connection with KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure trusted connection between Kaspersky Endpoint Agent and KATA Central Node, perform the following actions on Kaspersky Endpoint Agent side:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Telemetry collection servers section, select the Integration with KATA subsection.
  5. In the Connection settings group, select the Use pinned certificate to protect connection check box.
  6. Click the Add new TLS certificate button.

    The Adding new TLS certificate window opens.

  7. Perform one of the following actions to add a TLS certificate:
    • Add a certificate file. Click Browse, and in the window that opens, select the certificate file and click Open.
    • Copy and paste the contents of the certificate file to the Paste TLS certificate data field.

    Kaspersky Endpoint Agent may have only one KATA server TLS certificate. If you have added a TLS certificate before and then add a TLS certificate once again, only the last added certificate is valid.

  8. Click the Add button.

    Information about the added TLS certificate is shown in the TLS certificate data group of settings.

  9. If you want to configure additional connection protection by a user certificate, click the Add client certificate button.
  10. In the Add client certificate window that opens, do the following:
    1. Select the Secure connection with the client certificate check box.
    2. Click the Upload button and in the window that opens select the PFX archive and click Open.
    3. Enter the password for the PFX archive.
    4. Click OK.
  11. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  12. Click OK.

The trusted connection to KATA server is now configured.

See also

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

Page top
[Topic 196935]

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure synchronization settings between Kaspersky Endpoint Agent and KATA Central Node:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Telemetry collection servers section, select the Integration with KATA subsection.
  5. In the Connection settings group, configure the following settings:
    • Timeout (sec.). Specify the maximum KATA server response timeout. The default value is 10 seconds.
    • Send synchronization request to KATA server every (min.). Specify the time interval for sending requests to synchronize Kaspersky Endpoint Agent settings and tasks with KATA Central Node. You can specify a value from 1 to 60 minutes. The default value is 5 minutes.
    • Select or clear the Use TTL period when sending events check box. The check box is cleared by default.

      If the check box is selected, Kaspersky Endpoint Agent does not send information about the processes that are started again to the KATA server. Kaspersky Endpoint Agent does not consider the launch of the process as repeated if the process is started after the end of the TTL period.

    • If you select the Use TTL period when sending events check box, specify the time in the TTL period (min.) field. The default value is 1440 minutes.
  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click OK.

See also

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node

Page top
[Topic 196931]

Configuring EDR telemetry settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section contains information on how to configure:

  • Exclusions for EDR telemetry about application processes, which Kaspersky Endpoint Agent processes and sends to a server with the KATA Central Node or Kaspersky Industrial CyberSecurity for Networks component.
  • Optimization of the volume of EDR telemetry that Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.
  • Exclusions for EDR telemetry about network communications, which Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.

In this Help section

Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes

Enabling and configuring exclusions for sent EDR telemetry about network communications

Page top
[Topic 206052]

Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can configure exclusions for and optimization of the volume of EDR telemetry about application processes using Kaspersky Security Center Administration Console, in the properties of an individual device or in the policy settings for a group of devices.

Exclusions for EDR telemetry about application processes are available when Kaspersky Endpoint Agent is integrated with servers where KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.

Kaspersky Endpoint Agent does not analyze or send data on excluded application processes to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.

Optimization of the volume of EDR telemetry about application processes can be managed (enabled / disabled) when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.

If optimization of the volume of EDR telemetry is enabled, Kaspersky Endpoint Agent does not send events with 102 (basic communications) and 8 (network activity of a process) codes for the Microsoft SMB protocol and the Network Agent process klnagent.exe regarding processes of applications on a server where Kaspersky Industrial CyberSecurity for Networks is installed.

To enable and configure exclusions for and optimization of the volume of EDR telemetry on application processes:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group that includes the required device.
      2. In the workspace, select the Devices tab.
      3. Select the device for which you want to configure Kaspersky Endpoint Agent settings.
      4. Select Properties in the device context menu.

        The device properties window opens.

      5. Select the Applications section.

        A list of Kaspersky applications installed on the device is displayed in the window.

      6. Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
        • Double-click the application name.
        • In the application context menu, select Properties.
        • Click the Properties button under the list of Kaspersky applications.

    • Open the policy properties window.
      1. Open Kaspersky Security Center Administration Console.
      2. In the console tree, open the Policies folder.
      3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
        • Double-click the policy name.
        • Select Properties in the policy context menu.
        • Select the Configure policy settings item in the right part of the window.

  2. In the EDR telemetry section, select the Excluded processes subsection.
  3. In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
  4. Configure optimization of the volume of EDR telemetry:

    When Kaspersky Endpoint Agent is integrated with servers where KATA Central Node is installed, optimization of the volume of EDR telemetry should always be enabled.

    • Disable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol, WinRM service, and the Network Agent process klnagent.exe.
    • Enable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe.

    If the Use exclusions setting is disabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe, regardless of the value of the Optimize the amount of telemetry setting.

  5. Create a list of exclusions:
    1. Click the Add button.
    2. In the Rule properties window that opens, configure the exclusion settings:

      Exclusion settings are applied using a logical AND.

      To create an exclusion, specify the value in the Full path field and select at least one event type in the Use this exclusion for the following event types list.

      If the Network events value is selected for the Use this exclusion for the following event types criterion, specify the full path to the file in the Full path field.

      The object for which you create an exclusion must be available on the protected device at the time the exclusion settings are applied. For example, if you first configure exclusion for a specific application, and then install that application on the protected device, this exclusion will not be applied.

      1. In the Process information section, specify the values in the following fields:
        • Full path. Full path to the file, including its name and extension. You can use file masks (using the ? and * characters), as well as system environment variables.
        • Command line text. Command line to run the object.
        • Parent folder path. The path to the folder where the file is located.
      2. In the File properties section, specify the values in the following fields:
        • File description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
        • Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
        • File version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
      3. In the File checksums section, specify the values in the following fields:
        • MD5. MD5 hash of the file.
        • SHA256. SHA256 hash of the file.
      4. In the Use this exclusion for the following event types list, select at least one value:
        • File modification.
        • Network events.
        • Interactive input in the console.

          This event type is selected by default.

        • Loading the process module.
        • Changes in the Registry.
    3. Click OK to save the changes and close the Rule properties window.

      The new exclusion is created and displayed in the list of exclusions.

    4. If you need to export the exclusion list to an XML file, click the Export button.
    5. If you need to import the exclusion list from an XML file, click the Import button.
    6. If you need to modify an exclusion, click the Modify button.
    7. If you need to delete an exclusion from the list, select the exclusion and click the Delete button.
  6. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
  7. Click OK to save the changes.
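
The rule fields listed in step 5 combine with a logical AND, and a Full path that is too broad silently removes whole classes of telemetry. The Python model below is an added example, not the agent's code or its exclusion format: it evaluates a rule against an observed process the way the page describes (required Full path with ? and * masks and environment variables, optional file-property and checksum criteria, selected event types) and adds a check for wildcard-only paths. The %VAR% expansion syntax, the environment mapping, the sample process and the digest are constructed assumptions.

```python
"""Model of an EDR telemetry exclusion rule for application processes (added example,
not Kaspersky Endpoint Agent code). Assumptions: all filled-in criteria must match
(logical AND); masks use ? and * only; %NAME% expands from the supplied environment;
paths and digests compare case-insensitively as on Windows."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional, Set

# Event types offered in the "Use this exclusion for the following event types" list.
EVENT_TYPES = {
    "File modification", "Network events", "Interactive input in the console",
    "Loading the process module", "Changes in the Registry",
}


def _expand_env(value, env):
    """Expand %NAME% references from the given mapping; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), value)


def _norm_path(p):
    """Windows paths compare case-insensitively; unify separators and case."""
    return p.replace("/", "\\").rstrip("\\").lower()


def _mask_match(mask, value):
    """? and * are the only wildcards; escape [ so fnmatch does not treat it as a class."""
    return fnmatch.fnmatchcase(_norm_path(value), _norm_path(mask).replace("[", "[[]"))


@dataclass
class ProcessInfo:
    """What the agent observes about a running process (constructed for the example)."""
    full_path: str
    command_line: str = ""
    parent_folder: str = ""
    file_description: str = ""      # FileDescription from the VersionInfo resource
    original_file_name: str = ""    # OriginalFilename from the VersionInfo resource
    file_version: str = ""          # FileVersion from the VersionInfo resource
    md5: str = ""
    sha256: str = ""


@dataclass
class ExclusionRule:
    full_path: str                  # required; masks and environment variables allowed
    event_types: Set[str]           # at least one of EVENT_TYPES
    command_line: Optional[str] = None
    parent_folder: Optional[str] = None
    file_description: Optional[str] = None
    original_file_name: Optional[str] = None
    file_version: Optional[str] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None

    def __post_init__(self):
        if not self.full_path:
            raise ValueError("Full path is required for every exclusion")
        if not self.event_types or not self.event_types <= EVENT_TYPES:
            raise ValueError("select at least one of: %s" % sorted(EVENT_TYPES))

    def matches(self, proc, event_type, env):
        """True when the event type is selected and every filled-in criterion matches."""
        if event_type not in self.event_types:
            return False
        checks = [
            _mask_match(_expand_env(self.full_path, env), proc.full_path),
            self.command_line is None or self.command_line == proc.command_line,
            self.parent_folder is None
            or _norm_path(_expand_env(self.parent_folder, env)) == _norm_path(proc.parent_folder),
            self.file_description is None or self.file_description == proc.file_description,
            self.original_file_name is None
            or self.original_file_name.lower() == proc.original_file_name.lower(),
            self.file_version is None or self.file_version == proc.file_version,
            self.md5 is None or self.md5.lower() == proc.md5.lower(),
            self.sha256 is None or self.sha256.lower() == proc.sha256.lower(),
        ]
        return all(checks)   # logical AND over the criteria, as the page states


def is_overly_broad(rule):
    """Review check: a Full path made only of wildcards matches every process, so the
    selected event types would be dropped for the whole device."""
    return set(rule.full_path.strip()) <= set("*?\\")


SAMPLE_ENV = {"ProgramFiles": "C:\\Program Files"}     # constructed environment


def sample_rule():
    """Constructed rule: a vendor backup tool, pinned to a placeholder SHA256 digest."""
    return ExclusionRule(
        full_path="%ProgramFiles%\\Vendor\\backup*.exe",
        event_types={"File modification", "Changes in the Registry"},
        sha256="0123456789abcdef" * 4,   # placeholder, not a real file hash
    )


def sample_process():
    """Constructed observation of the process the rule is meant to cover."""
    return ProcessInfo(
        full_path="C:\\Program Files\\Vendor\\backup-agent.exe",
        command_line='"C:\\Program Files\\Vendor\\backup-agent.exe" --nightly',
        parent_folder="C:\\Program Files\\Vendor",
        sha256="0123456789ABCDEF" * 4,   # same placeholder digest, different case
    )
```

Pinning a rule to a checksum in addition to the path keeps a renamed or replaced binary in the same location from inheriting the exclusion.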

Page top
[Topic 207257]

Enabling and configuring exclusions for sent EDR telemetry about network communications

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can configure exclusions for EDR telemetry using Kaspersky Security Center Administration Console, in the properties of an individual device or in the policy settings for a group of devices.

Exclusions for EDR telemetry about network communications are applied when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.

Kaspersky Endpoint Agent does not analyze or send data matching exclusion settings to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.

To enable and configure exclusions for EDR telemetry about network communications:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group that includes the required device.
      2. In the workspace, select the Devices tab.
      3. Select the device for which you want to configure Kaspersky Endpoint Agent settings.
      4. Select Properties in the device context menu.

        The device properties window opens.

      5. Select the Applications section.

        A list of Kaspersky applications installed on the device is displayed in the window.

      6. Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
        • Double-click the application name.
        • In the application context menu, select Properties.
        • Click the Properties button under the list of Kaspersky applications.

    • Open the policy properties window.
      1. Open Kaspersky Security Center Administration Console.
      2. In the console tree, open the Policies folder.
      3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
        • Double-click the policy name.
        • Select Properties in the policy context menu.
        • Select the Configure policy settings item in the right part of the window.

  2. Select the EDR telemetry → Excluded network communications section.
  3. In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
  4. Create a list of exclusions:
    1. Click the Add button.
    2. In the Rule properties window that opens, configure the exclusion settings.

      Exclusion settings are applied using a logical AND.

      1. In the Name field, enter the name of the exclusion.
      2. In the Direction drop-down list, select the direction of network traffic.
      3. In the Protocol drop-down list, select the network protocol.
      4. If you select a custom protocol, in the Number field, enter the network protocol number.
      5. Select the Local port OR range check box and enter the port number or number range.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the local device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the remote device.

        The values 1–65535 are available for port numbers.

        The values 1–10, 20–30000 and 1–65535 are available for a range of ports.

        Limitations:

        • For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
        • For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
      6. Select the Remote port OR range check box and enter the port number or number range.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the remote device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the local device.

        The values 1–65535 are available for port numbers.

        The values 1–10, 20–30000 and 1–65535 are available for a range of ports.

        Limitations:

        • For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
        • For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
      7. Select the Local address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the local device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address of the remote device.

        For IP addresses, only addresses in IPv4 format are supported.

      8. Select the Remote address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the remote device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address for the local device.

        For IP addresses, only addresses in IPv4 format are supported.

      9. Create the list of applications for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
        1. Select the Applications check box.
        2. In the field below, specify the path to the executable file of the application you want to add to the list. You can enter the path manually or with the help of the Browse button.
        3. Click the Add button.
        4. For each application you want to add to the list, repeat steps 2 and 3 of the guide.
        5. If necessary, remove an application from the list:
          1. Select the application in the list.
          2. Click the Delete button.
      10. Click OK to save the changes and close the Rule properties window.

        The new exclusion is created and displayed in the list of exclusions.

    3. If you need to modify an exclusion, click the Modify button.
    4. If you need to delete an exclusion, select the exclusion and click the Delete button.
  5. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
  6. Click OK to save the changes.
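The rule fields above combine with logical AND, and the meaning of the Local/Remote port and address fields flips with the selected Direction, which makes it easy to write an exclusion that hides more (or less) traffic from KATA Central Node than intended. The following added example (not Kaspersky Endpoint Agent code; the field names, the Connection record and the protocol table are assumptions) models one rule and lets you check which constructed connections a rule set would suppress, including the documented Windows XP first-port-only behaviour.

```python
"""Model of one EDR network-telemetry exclusion rule as configured in the
Rule properties window (Direction, Protocol, Local/Remote port or range,
Local/Remote address, Applications).  Added illustration, not Kaspersky code:
field names, the Connection record and the protocol table are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, AddressValueError
from typing import List, Optional, Tuple

PORT_MIN, PORT_MAX = 1, 65535            # range the page documents for ports
PROTOCOLS = {"TCP": 6, "UDP": 17}        # assumed numbers for the predefined choices


def parse_port_range(text: str) -> Tuple[int, int]:
    """Accept '443' or '20-30000'; both ends must lie within 1-65535."""
    parts = [int(p) for p in text.split("-")]
    if len(parts) == 1:
        lo = hi = parts[0]
    elif len(parts) == 2:
        lo, hi = parts
    else:
        raise ValueError(f"bad port range: {text!r}")
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError(f"port range out of bounds: {text!r}")
    return lo, hi


def parse_ipv4(text: str) -> IPv4Address:
    """Only IPv4 is supported for the address conditions; reject anything else."""
    try:
        return IPv4Address(text)
    except AddressValueError as exc:
        raise ValueError(f"not an IPv4 address: {text!r}") from exc


@dataclass
class ExclusionRule:
    name: str
    direction: str                                  # "Incoming" or "Outgoing"
    protocol: int                                   # protocol number (custom or from PROTOCOLS)
    local_port: Optional[Tuple[int, int]] = None    # "Local port OR range" check box
    remote_port: Optional[Tuple[int, int]] = None   # "Remote port OR range" check box
    local_address: Optional[IPv4Address] = None     # "Local address" check box
    remote_address: Optional[IPv4Address] = None    # "Remote address" check box
    applications: List[str] = field(default_factory=list)  # "Applications" check box


@dataclass
class Connection:
    """Constructed sample of what the agent observes for one network event."""
    direction: str
    protocol: int
    local_port: int
    remote_port: int
    local_address: IPv4Address
    remote_address: IPv4Address
    image_path: str


def _first_port_only(rng: Tuple[int, int]) -> Tuple[int, int]:
    # Windows XP limitation from the page: only the first port of a range is applied.
    return rng[0], rng[0]


def matches(rule: ExclusionRule, conn: Connection, windows_xp: bool = False) -> bool:
    """Every enabled condition must hold (the page: settings are combined with logical AND)."""
    if conn.direction != rule.direction or conn.protocol != rule.protocol:
        return False
    # Per the page, the "Local ..." fields describe the local device for Incoming
    # rules but the remote device for Outgoing rules, and "Remote ..." the reverse.
    if rule.direction == "Incoming":
        local_port, remote_port = conn.local_port, conn.remote_port
        local_addr, remote_addr = conn.local_address, conn.remote_address
    else:
        local_port, remote_port = conn.remote_port, conn.local_port
        local_addr, remote_addr = conn.remote_address, conn.local_address
    for rng, port in ((rule.local_port, local_port), (rule.remote_port, remote_port)):
        if rng is not None:
            lo, hi = _first_port_only(rng) if windows_xp else rng
            if not lo <= port <= hi:
                return False
    if rule.local_address is not None and local_addr != rule.local_address:
        return False
    if rule.remote_address is not None and remote_addr != rule.remote_address:
        return False
    if rule.applications and conn.image_path.lower() not in (a.lower() for a in rule.applications):
        return False
    return True


def suppressed_by(rules: List[ExclusionRule], conn: Connection, windows_xp: bool = False) -> List[str]:
    """Names of the rules under which this connection would not be analyzed or sent."""
    return [r.name for r in rules if matches(r, conn, windows_xp)]
```

Run `suppressed_by` over a sample of real connection records before deploying a rule to confirm it hides only the intended traffic; an empty list for everything except the expected flows is the result you want.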

Configuring storage settings in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section describes how to configure the quarantine settings and data synchronization settings with the Administration Server by means of Kaspersky Endpoint Agent Management plug-in.

See also

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent security settings

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Configuring KSN usage in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring failure diagnosis

In this section

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server


About Kaspersky Endpoint Agent quarantine

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Quarantine is a special local repository on the device. The user can put files considered dangerous to the computer into quarantine. Quarantined files are stored in an encrypted form and therefore do not compromise your device's security.

By default, the local quarantine is located in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Quarantine folder. By default, the objects restored from quarantine are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Restored folder.

Kaspersky Security Center generates a common list of quarantined objects on devices with Kaspersky Endpoint Agent installed. Network Agents on the devices submit information about quarantined files to the Administration Server.

Kaspersky Security Center Network Agent does not copy files from quarantine to the Administration Server. All objects are stored on protected devices with Kaspersky Endpoint Agent installed. Objects are restored from the quarantine also on the protected devices.

See also

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server


About quarantine management in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can use Kaspersky Security Center to configure quarantine settings, view the properties of the quarantined objects on the protected devices, delete quarantined objects, and restore objects from Quarantine. For detailed information on managing the quarantined objects using Kaspersky Security Center, refer to Kaspersky Security Center documentation.

In order for Kaspersky Endpoint Agent to send data about quarantined objects to Kaspersky Security Center Administration Server, the corresponding option must be enabled in the quarantine settings in Kaspersky Endpoint Agent policy. This option is enabled by default.

Using the command line interface on the device, you can view information about quarantine settings and properties of the quarantined objects.

Kaspersky Endpoint Agent quarantines objects under the system account (SYSTEM).

Quarantined objects can be removed using the command line interface only with the permissions of the local account of the protected device user.

See also

About Kaspersky Endpoint Agent quarantine

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server


Configuring quarantine settings and restoration of objects from quarantine

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure quarantine settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Repositories section select the Quarantine subsection.
  5. In the Quarantine settings section configure the quarantine settings:
    1. In the Quarantine folder field, enter the path to where you want to create the Quarantine folder on the devices or click Browse and select the path.

      The default path is %SOYUZAPPDATA%\Quarantine\. The Quarantine folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

      The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed. For example, if Kaspersky Endpoint Agent is installed on drive C, the path to the Quarantine folder will be C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Quarantine.

    2. To configure the maximum quarantine size, select the Maximum Quarantine size (MB) check box and type the maximum size of quarantine in MB or select it from the list.

      For example, you can set the maximum quarantine size to 200 MB.

      When the maximum quarantine size is reached, Kaspersky Endpoint Agent will publish the corresponding event on Kaspersky Security Center server and in the Windows Event Log, but will not stop quarantining new objects.

    3. To specify the quarantine threshold (the space in quarantine remaining until the maximum quarantine size is reached), select the Threshold value for space available (MB) check box.

      For example, you can set the quarantine threshold value to 50 MB.

      When the quarantine threshold is reached, Kaspersky Endpoint Agent will publish the corresponding event on Kaspersky Security Center server and in the Windows Event Log, but will not stop quarantining new objects.

  6. In the Restoring objects from Quarantine section, in the Target folder for restored objects field, specify the path to create the folder for objects restored from quarantine.

    The default path is %SOYUZAPPDATA%\Restored\. The Restored folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

    The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed. For example, if Kaspersky Endpoint Agent is installed on drive C, the path to the folder with the objects restored from quarantine will be C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Restored.

  7. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  8. Click the Apply button and then click OK.

The quarantine settings and the folder for restoring objects from quarantine have been configured.

See also

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring data synchronization with the Administration Server


Configuring data synchronization with the Administration Server

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can configure synchronization of data on quarantined objects on managed devices with Kaspersky Security Center Administration Server. Data synchronization is required to manage quarantine using Kaspersky Security Center.

To configure data synchronization with the Administration Server:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. In the Repositories section select the Synchronization with Administration Server subsection.
  5. In the Settings section in the Send the following data to the Administration Server subsection, select the Data about objects, quarantined on managed devices check box.
  6. In the upper right corner of the settings group, change the switch from Unaffected by policy to Under policy.
  7. Click the Apply button and then click OK.

Data synchronization with the Administration Server is configured.

See also

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine


Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Before performing the following steps, get the MDR configuration file. It contains a configuration file (BLOB) required for integration.

If you want Kaspersky Endpoint Agent to process data about events generated by Kaspersky Industrial CyberSecurity for Networks and send this data to Kaspersky Managed Detection and Response, configure interaction with Kaspersky Security Center in the settings of Kaspersky Industrial CyberSecurity for Networks. For detailed information on configuring interaction between the applications, refer to the Kaspersky Industrial CyberSecurity for Networks Help.

Integration with Kaspersky Managed Detection and Response is only available for Kaspersky Endpoint Agent Management plug-in versions 3.9.2 and later.

In order to configure integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response using the Kaspersky Security Center Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the console tree, open the Policies folder.
  3. Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
    • Double-click the policy name.
    • Select Properties in the policy context menu.
    • Select the Configure policy settings item in the right part of the window.
  4. Select the Managed Detection and Response section.
  5. In the Managed Detection and Response settings group, do the following:
    1. Select the Enable Managed Detection and Response check box.
    2. Click the Upload configuration file (BLOB) button and select the BLOB configuration file to load.

      By downloading the Managed Detection and Response configuration file, you agree to automatically send the specified data from the device with Kaspersky Endpoint Agent installed to Kaspersky for processing. Do not download the configuration file if you do not want the specified information to be processed.

    3. In the User identifier field, enter an arbitrary value.
  6. In the policy properties window, click OK.

Integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response is configured.

MDR operation when using Kaspersky Endpoint Agent simultaneously with Kaspersky Endpoint Security

Kaspersky Endpoint Security 11 or later with the current database version supports interaction with MDR. In Kaspersky Endpoint Security 11.6.0 or later, interaction with MDR is available immediately after installation.

If you use Kaspersky Endpoint Agent to work with MDR and then either install a version of Kaspersky Endpoint Security that supports interaction with MDR or update the databases of Kaspersky Endpoint Security 11 or later to the current version, MDR stops working with Kaspersky Endpoint Agent and becomes available to Kaspersky Endpoint Security. In this case:

  • Switching between Kaspersky Endpoint Agent and Kaspersky Endpoint Security is performed in quiet mode.
  • Kaspersky Endpoint Agent allows for configuring settings for interaction with MDR, but these settings are not applied on the device.
  • If Kaspersky Endpoint Security is not available (for example, you uninstalled the application), MDR can start working with Kaspersky Endpoint Agent if you restart the Kaspersky Endpoint Agent service.
  • The Managed Detection and Response component remains in the Running status in Kaspersky Endpoint Agent settings on the device, since Kaspersky Endpoint Agent continues to communicate with MDR (for example, to resume working with the solution if necessary).

Configuring failure diagnosis

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Kaspersky Endpoint Agent does not automatically create a folder for storing trace or dump files on the device. Specify a folder that is already available on the device.

To configure failure diagnosis:

  1. Open the application properties window for an individual device.
    1. In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required device.
    2. In the workspace, select the Devices tab.
    3. Select the device for which you want to configure Kaspersky Endpoint Agent settings.
    4. Select Properties in the device context menu.

      The device properties window opens.

    5. Select the Applications section.

      A list of Kaspersky applications installed on the device is displayed in the window.

    6. Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
      • Double-click the application name.
      • In the application context menu, select Properties.
      • Click the Properties button under the list of Kaspersky applications.

  2. In the Application settings section select the Failure diagnosis subsection.
  3. To enable logging of debug information to the trace files:
    1. Enable the Write debug information to trace files option.
    2. In the Trace files folder field, specify the path to the folder on the device where the application saves the trace files.

      Make sure that the specified folder is available on the managed device. Otherwise, the debug information will not be saved.

    3. In the Maximum trace file size (MB) field, specify the file size in megabytes.

      The default value is 50 MB. When the specified file size is reached, the application continues writing to a new file.

  4. If you want the application to overwrite old trace files:
    1. Enable the Overwrite old trace files option.
    2. Enter the desired value in the Maximum number of files per trace log field.

      The default value is 1 file. When the specified number of files is reached, the application overwrites old files, starting with the oldest one. The specified limit is applied separately for each Kaspersky Endpoint Agent process being debugged, so the total number of files for all processes may exceed the specified value.

  5. To enable logging of dump files:
    1. Enable the Create dump files option.
    2. In the Dump files folder field, specify the folder to save the dump files.

      Make sure that the specified folder is available on the managed device. Otherwise, the debug information will not be saved.

  6. Click OK.

Failure diagnostics is configured and enabled for all Kaspersky Endpoint Agent processes that are currently running. Failure diagnostics files will be generated in the folders you specified.

Creating a local task

Local tasks are run on a specific device. For more information on tasks, refer to Kaspersky Security Center documentation.

To create a local task:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Kaspersky Security Center Administration Console tree, open the Managed devices folder.
  3. In the Managed devices folder, select the folder with the name of the administration group that includes the desired device.
  4. In the workspace, select the Devices tab.
  5. Select the device for which you want to create a local task.
  6. Do one of the following:
    • In the context menu of the device, select All tasks → Create a task.
    • In the context menu of the device, select Properties and in the Properties: <Device name> window that opens on the Tasks tab, click Add.
    • In the Perform action drop-down list, select the Create a task item.

    The task creation wizard will start.

  7. Select the required task and click Next.
  8. Follow the instructions of the task creation wizard.

See also

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent


Creating a group task

Group tasks are performed on the devices of the selected administration group. For more information on tasks, refer to Kaspersky Security Center documentation.

To create a group task:

  1. Open Kaspersky Security Center Administration Console.
  2. Do one of the following:
    • In the Administration Console tree, select the Managed devices folder to create a group task for all devices managed using Kaspersky Security Center.
    • In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required devices.
  3. In the workspace, select the Tasks tab.
  4. Click Create a task.

    The task creation wizard will start.

  5. Select the required task and click Next.
  6. Follow the instructions of the task creation wizard.

See also

Creating a local task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent


Deleting a task from the list

To remove tasks from the list of tasks on Kaspersky Security Center server:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.
  3. In the task list, select the tasks that you want to delete and right-click them to open the context menu.

    A list of the actions you can perform on the tasks will be displayed.

  4. Select the Delete action.

    The action confirmation window opens.

  5. Click Yes.

The selected tasks will be deleted from the list.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent


Starting tasks manually

You can start the created tasks manually. For example, you can manually start the tasks for which scheduled start is not configured.

To start a task manually:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. In the context menu of the desired task, select the Run action.

The task will run.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent


Starting tasks by schedule

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure the scheduled task start:

  1. In the Task schedule section, select the Run by schedule check box.
  2. In the Frequency list, select one of the following options for running the task: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
  3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
  4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
    1. In the Every list, select the task run frequency. For example, once a day, or twice a week on Tuesdays and Thursdays.
    2. In the Time and Date lists, select the date and time from which the schedule applies.
  5. To configure advanced schedule settings, click the Advanced button and configure the following settings in the Advanced window:
    • Quit tasks, running longer than

      Enable this setting if you want to set a task execution time limit. After the specified time, the task will automatically terminate.

    • Cancel schedule from

      Enable this setting if you want to specify a schedule expiration date. After the specified date, the schedule will expire.

    • Run missed tasks

      Enable this option if you want the application to start tasks that were not completed on time as soon as possible.

    • Randomize the task run to every

      Enable this option if you want to avoid a scenario where a large number of workstations simultaneously access the Administration Server by running the task on each workstation at a random moment within the specified time interval.

  6. Click OK.

Scheduled task start has now been configured and applied on devices.


Viewing task execution results

You can view the task execution results during their storage period. You can also change the storage period for the task execution results.

It is not recommended to shorten the storage period for IOC Scan task execution results.

To view the task execution result:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. Select the task in the list and right-click it to open the task actions menu.
  4. Select the Results menu item.

The Task execution results window will open.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent

Page top
[Topic 193071]

Configuring the storage time for the task execution results on the Administration Server

By default, task execution results are stored on the Administration Server for seven days.

To change the storage time for the task execution results on the Administration Server:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. Select the task in the list and right-click it to open the task actions menu.
  4. Select the Properties menu item.

    The task properties window opens.

  5. In the left part of the window, select the Notification section.
  6. Make sure that the On the Administration Server for (days) check box is selected in the Save information about results section and specify for how many days you want the task execution results to be stored.
  7. Click the Apply button and then click OK.

It is not recommended to shorten the storage period for IOC Scan task execution results.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent

Page top
[Topic 193070]

Creating Kaspersky Endpoint Agent activation task

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can activate Kaspersky Endpoint Agent using a key or activation code.

When activating the application using an activation code, data is sent to the activation server to verify the entered code.

To activate the application using the activation code, the protected device must be connected to the Internet.

To create Kaspersky Endpoint Agent activation task:

  1. Run the Application activation task creation wizard for the desired scope in one of the following ways:
    • Start the local task creation wizard.
    • Start the group task creation wizard.

      Group tasks are performed on the devices of the selected administration group. For more information on tasks, refer to Kaspersky Security Center documentation.

      To create a group task:

      1. Open Kaspersky Security Center Administration Console.
      2. Do one of the following:
        • In the Administration Console tree, select the Managed devices folder to create a group task for all devices managed using Kaspersky Security Center.
        • In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required devices.
      3. In the workspace, select the Tasks tab.
      4. Click Create a task.

        The task creation wizard will start.

      5. Select the required task and click Next.
      6. Follow the instructions of the task creation wizard.
  2. If you want to activate the application using an activation code, perform the following actions in the Activation settings window:
    1. Select the Activate with an activation code option and click Select.
    2. In the window that opens, enter the activation code and click OK.
  3. If you want to activate the application using a key file or a key from Kaspersky Security Center key storage, perform the following actions in the Activation settings window:
    1. Select the Activate with a key file or key option and click Select.
    2. In the drop-down list, select the key distribution method.
    3. If you select the Key file from folder option, in the window that opens, specify the location of the key file and click Open.
    4. If you select the Key from Kaspersky Security Center storage option, in the window that opens, select the key and click OK.

      For detailed information on Kaspersky Security Center key storage, refer to Kaspersky Security Center documentation.

  4. If you want to add this key as an additional (reserve) key that is applied automatically when the current license expires, select the Use as additional key check box.
  5. Click Next.
  6. In the Schedule window, configure the task schedule settings and click Next.

    For detailed information on configuring the settings in this window, refer to Kaspersky Security Center documentation.

  7. In the Selecting an account to run a task window, specify the account to be used to run the task, and click Next.

    For detailed information on configuring the settings in this window, refer to Kaspersky Security Center documentation.

  8. In the Define the task name window, enter the name of the task and click Next.
  9. If you want to run the task immediately after creation, select the Run task after wizard finishes check box.
  10. Click Finish.

The application activation task for the selected device or device group has been created.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent

Page top
[Topic 197539]

Managing Kaspersky Endpoint Agent database and module update tasks

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section provides instructions on how to create and configure the Database and application module update task.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing IOC Scan tasks in Kaspersky Endpoint Agent

In this section

Creating Database and application module update task

Configuring Database and application module update task

Page top
[Topic 193069]

Creating Database and application module update task

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To create the Database and application module update task for Kaspersky Endpoint Agent in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.
  3. Click Create a task.

    The task creation wizard will start.

  4. Select the Kaspersky Endpoint Agent application to create the task, and the Database and application module update task type.
  5. Click Next.

    The Database Update task creation wizard will start.

The Database Update task creation wizard consists of the following steps:

  1. Selecting a database update source

    Do the following:

    1. In the Database update source section, select one of the following database update sources:
      • Kaspersky Security Center Administration Server.
      • Kaspersky update servers.
      • Custom HTTP or FTP servers or network folders.
    2. If required, select the Use Kaspersky update servers if specified servers are not available check box.
    3. If you select Kaspersky update servers as the database update source and want to connect to them through a proxy server, select the Use proxy server settings to connect to Kaspersky update servers check box in the Update source connection settings section.
    4. If you select Custom HTTP or FTP servers or network folders as database update source, do the following:
      1. Click the Custom HTTP or FTP servers or network folders link.
      2. Add update servers to the list:
        1. Click the Update servers button.
        2. In the new line, enter the address of the update server (HTTP or FTP), or the path to the network or local folder containing the update files.
        3. If you want to use this server to update databases, select the check box next to its address. You can also add servers to the list and clear the check boxes next to the addresses of the servers that you do not want to use now, but plan to use later.

          Perform the same steps to add each server.

        4. Click OK.

          The Update servers window closes.
      3. To use a proxy server to connect to update servers, select the Use proxy server settings to connect to other servers check box in the Update source connection settings section.

  2. Configuring the application modules update settings

    Do the following:

    1. In the Update settings section, select the conditions for the application to check for the availability of application module updates:
      • Do not check for updates. Kaspersky Endpoint Agent will not check the availability of application module updates.
      • Only check for availability of critical software modules updates. Kaspersky Endpoint Agent will only check whether critical application module updates are available; it will not download or install them.
      • Download and install critical application module updates. Kaspersky Endpoint Agent will check the availability of application module updates and download and install critical application module updates.
    2. If you want the application to display a notification about all scheduled application modules updates available in the update source, select the Receive information about available scheduled application module updates check box.
  3. Configuring the database update schedule

    Do the following:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list, select one of the following options for running the task: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set a maximum execution time for the task, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task is terminated automatically.
      2. If you want the task schedule to be valid only until a certain date, select the Cancel schedule from check box and specify the date from which the schedule no longer applies.
      3. If you want the application to start Database Update tasks that were not run on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid a large number of workstations accessing the Administration Server at the same time, select the Randomize the task run to every check box and specify the interval in minutes. Each workstation then starts the task at a random moment within that interval instead of exactly at the scheduled time.
      5. Click OK.

  4. Selecting the devices on which the task will be performed

    In the device selection window that opens, select the devices for which you want to assign the task and click Next.

    For example, you can select the Assign task for an administration group option and select an administration group from the list.

  5. Selecting the Kaspersky Security Center user account to run the task

    In the Selecting an account to run the task window, do one of the following:

    • Select the default account and click Next.
    • Enter the user name and password to be used to start the task and click Next.

  6. Defining the task name

    In the Define the task name window, enter the task name in the Name field, and click Next.

  7. Running the task immediately after it is created

    If you want the task to start immediately after creation, select the Run task after wizard finishes check box and click Finish.

See also

Configuring Database and application module update task

Page top
[Topic 193068]

Configuring Database and application module update task

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

After creating the Database and application module update task, you can configure the settings for this task.

To modify the task settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. In the Database and application module update section, select the task in the list and right-click it to open the task action menu.
  4. Select the Properties menu item.

    The task properties window opens.

  5. In the left part of the window, select the group of settings that you want to configure.
  6. In the right part of the window, make the necessary modifications and click Apply and OK.

You can configure the following task settings:

  • Task name

    Do the following:

    1. Select the General section.
    2. Change the task name in the top line.

  • Devices on which the task will be performed

    The right part of the window displays current devices to which the task is assigned. Perform the following actions to add devices:

    1. Click the Add button.

      A window will open with a list of managed devices.

    2. Select the check boxes next to devices you want to add.
    3. If you want to add devices that are not in the list, click Add in the right part of the window and follow the steps to add devices.

      For example, you can specify device addresses manually or import them from the list.

      You can specify the NetBIOS names, DNS names, IP addresses and IP address ranges of the devices to which you want to assign a task.

    For details on working with managed devices, refer to the Kaspersky Security Center Help.

  • Database update source

    Do the following:

    1. In the Database update source section, select one of the following database update sources:
      • Kaspersky Security Center Administration Server.
      • Kaspersky update servers.
      • Custom HTTP or FTP servers or network folders.
    2. If required, select the Use Kaspersky update servers if specified servers are not available check box.
    3. If you select Kaspersky update servers as the database update source and want to connect to them through a proxy server, select the Use proxy server settings to connect to Kaspersky update servers check box in the Update source connection settings section.
    4. If you select Custom HTTP or FTP servers or network folders as database update source, do the following:
      1. Click the Custom HTTP or FTP servers or network folders link.
      2. Add update servers to the list:
        1. Click the Update servers button.
        2. In the new line, enter the address of the update server (HTTP or FTP), or the path to the network or local folder containing the update files.
        3. If you want to use this server to update databases, select the check box next to its address. You can also add servers to the list and clear the check boxes next to the addresses of the servers that you do not want to use now, but plan to use later.

          Perform the same steps to add each server.

        4. Click OK.

          The Update servers window closes.
      3. To use a proxy server to connect to update servers, select the Use proxy server settings to connect to other servers check box in the Update source connection settings section.

  • Configuring additional database update settings

    Do the following:

    1. In the Update settings section, select the conditions for the application to check for the availability of application module updates:
      • Do not check for updates. Kaspersky Endpoint Agent will not check the availability of application module updates.
      • Only check for availability of critical software modules updates. Kaspersky Endpoint Agent will only check whether critical application module updates are available; it will not download or install them.
      • Download and install critical application module updates. Kaspersky Endpoint Agent will check the availability of application module updates and download and install critical application module updates.
    2. If you want the application to display a notification about all scheduled application modules updates available in the update source, select the Receive information about available scheduled application module updates check box.
  • Database update schedule

    Do the following:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list, select one of the following options for running the task: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set a maximum execution time for the task, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task is terminated automatically.
      2. If you want the task schedule to be valid only until a certain date, select the Cancel schedule from check box and specify the date from which the schedule no longer applies.
      3. If you want the application to start Database Update tasks that were not run on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid a large number of workstations accessing the Administration Server at the same time, select the Randomize the task run to every check box and specify the interval in minutes. Each workstation then starts the task at a random moment within that interval instead of exactly at the scheduled time.
      5. Click OK.

  • Kaspersky Security Center user account used to run the task

    In the Account section of the task properties window, do one of the following:

    • Select the default account.
    • Enter the user name and password of the account to be used to start the task.

  • Storage time for the task execution results on the Administration Server

    Do the following:

    1. Select the Notification section.
    2. Make sure that the On the Administration Server for (days) check box is selected in the Save information about results section, and specify for how many days you want to store the task execution results.

      By default, task execution results are stored on the Administration Server for 7 days.

See also

Creating Database and application module update task

Page top
[Topic 193067]

Managing IOC Scan tasks in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section describes how to manage IOC Scan tasks in Kaspersky Endpoint Agent using Kaspersky Endpoint Agent Management plugin.

In this Help section

About IOC Scan tasks in Kaspersky Endpoint Agent

Managing IOC Scan tasks in Kaspersky Endpoint Agent

Managing Standard IOC Scan tasks

Page top
[Topic 198723]

About IOC Scan tasks in Kaspersky Endpoint Agent

When executing IOC Scan tasks, Kaspersky Endpoint Agent uses IOC files (files in the OpenIOC open standard for describing indicators of compromise) to search for these indicators on devices.

Kaspersky Endpoint Agent supports the following types of IOC Scan tasks:

  • Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.
  • IOC scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface allows application users to use IOC files to search for signs of targeted attacks, as well as infected and probably infected objects in the event and detection database, and also to scan computers on which Kaspersky Endpoint Agent is installed.

Different tasks are managed in different ways and have different configurable settings and task scopes. A description of each type of IOC Scan task is provided in the table below.

IOC Scan task types

  • Standard IOC Scan tasks

    Task description: These tasks are created and configured manually in Kaspersky Security Center or using the command line interface, without integration with third-party systems. IOC files prepared by the user are used to run the tasks. The task settings do not depend on the policy settings.

    The

    mode is available for tasks.

    You can specify the following actions as responses to detected IOCs (not available when running the tasks from the command line):

      • Run on-demand scan tasks using EPP on the device.
      • Enable network isolation of the device.

    Viewing reports is available both in the task execution results as a summary table and in the

    .

    Task scope: Local or group.

  • IOC Scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface

    Task description: IOC files are downloaded manually via the Kaspersky Anti Targeted Attack Platform web interface. The IOC scan schedule for computers with Kaspersky Endpoint Agent can also be configured in the Kaspersky Anti Targeted Attack Platform web interface. Task management using Kaspersky Security Center or the command line is not supported. No actions are performed automatically when an IOC is detected. Task settings do not depend on Kaspersky Endpoint Agent policies.

    Task scope: Not applicable.

The execution results of group IOC Scan tasks can be viewed in Kaspersky Security Center for 7 days after the task is executed, or until the task is removed.

Page top
[Topic 235158]

Managing IOC Scan tasks in Kaspersky Endpoint Agent

You can manage IOC Scan tasks using Kaspersky Security Center or using the Kaspersky Endpoint Agent command line interface, and you can also download IOC files and configure the IOC scan schedule in the Kaspersky Anti Targeted Attack Platform web interface. The description of each IOC Scan task type and information on the available management capabilities for IOC Scan tasks are shown in the table below.

Managing IOC Scan tasks

  • Standard IOC Scan task

    Using Kaspersky Security Center: task management is supported (see Managing Standard IOC Scan tasks).

    Using the Central Node component: task management is not applicable.

    Using the command line interface: task management is supported (see Managing Standard IOC Scan tasks).

  • IOC Scan task created by Central Node

    Using Kaspersky Security Center: task management is not applicable.

    Using the Central Node component: downloading IOC files, configuring the IOC scan schedule.

    Using the command line interface: task management is not applicable.

Page top

[Topic 235159]

Managing Standard IOC Scan tasks

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

This section provides instructions on how to manage Standard IOC Scan tasks.

See also

About IOC Scan tasks in Kaspersky Endpoint Agent

Managing IOC Scan tasks in Kaspersky Endpoint Agent

In this Help section

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export

Viewing IOC Scan task execution results

Page top
[Topic 194312]

Requirements for IOC files

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

When creating IOC Scan tasks, consider the following requirements and limitations related to IOC files:

  • Kaspersky Endpoint Agent supports IOC files with the ioc and xml extensions. These files use the OpenIOC open standard for IOC description, versions 1.0 and 1.1.
  • Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
  • If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent, then when the task starts the application uses only the supported IOC files.
  • If, when creating the IOC Scan task, none of the uploaded IOC files is supported by Kaspersky Endpoint Agent, the task can still be started, but its execution will detect no indicators of compromise.
  • Semantic errors, as well as IOC terms and tags that are not supported by the application, do not cause task execution errors. The application simply detects no matches in such sections of the IOC files.
  • IOC file identifiers used in the same IOC Scan task must be unique. IOC files with the same identifier can affect the correctness of the task execution results.
  • The size of a single IOC file must not exceed 3 MB. Using larger files causes IOC Scan tasks to fail. The total size of all files added to the IOC collection may, however, exceed 3 MB.
  • It is recommended to create one IOC file per threat. This makes the results of the IOC Scan task easier to read.

The table below shows the features and limitations of the OpenIOC standard supported by the application.

Features and limitations of the OpenIOC standard versions 1.0 and 1.1

  • Supported conditions

    OpenIOC 1.0: is, isnot (as an exclusion from the set), contains, containsnot (as an exclusion from the set)

    OpenIOC 1.1: is, contains, starts-with, ends-with, matches, greater-than, less-than

  • Supported condition attributes

    OpenIOC 1.1: preserve-case, negate

  • Supported operators

    AND, OR

  • Supported data types

    date: date (applicable conditions: is, greater-than, less-than)

    int: integer number (applicable conditions: is, greater-than, less-than)

    string: string (applicable conditions: is, contains, matches, starts-with, ends-with)

    duration: duration in seconds (applicable conditions: is, greater-than, less-than)

  • Data type interpretation details

    The following data types are interpreted as string: Boolean string, restricted string, md5, IP, sha256, base64Binary.

    The application supports a Content parameter specified as an interval for the int and date data types:

    OpenIOC 1.0: using the TO operator in the Content field, for example:

      <Content type="int">49600 TO 50700</Content>

      <Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>

      <Content type="int">[154192 TO 154192]</Content>

    OpenIOC 1.1: using the greater-than and less-than conditions, or the TO operator in the Content field.

    The application interprets the date and duration data types only if the indicators are specified in ISO 8601 format in UTC (Zulu time zone, Z designator).

  • Supported IOC terms

    The full list of supported IOC terms is provided in a separate table.
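The limits above and in the Requirements for IOC files list are easy to violate silently: an unsupported condition or a non-UTC date does not fail the task, it just never matches, so a scan can report "clean" while searching for nothing. The following Python script is an added example, not part of this Help and not Kaspersky code. It checks an IOC collection before the files are attached to a Standard IOC Scan task: file extension, the 3 MB per-file limit, uniqueness of IOC identifiers across the collection, conditions per OpenIOC version and data type, TO intervals, and ISO 8601 UTC dates. The sample IOC file and collection are constructed for the example; treating the OpenIOC 1.0 exclusions isnot/containsnot as applicable wherever is/contains are is an assumption; IOC terms are not validated, since their list lives in the separate table.

```python
# Added example, not Kaspersky code: lint an IOC collection against the limits stated on this page.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

MAX_IOC_FILE_BYTES = 3 * 1024 * 1024                   # per file; the collection may be larger
ROOT_VERSION = {"ioc": "1.0", "OpenIOC": "1.1"}        # root element names of the two schemas
CONDITIONS = {"1.0": {"is", "isnot", "contains", "containsnot"},
              "1.1": {"is", "contains", "starts-with", "ends-with", "matches",
                      "greater-than", "less-than"}}
ORDERED = {"is", "greater-than", "less-than"}          # applicable to date, int and duration
CONDITIONS_BY_TYPE = {"date": ORDERED, "int": ORDERED, "duration": ORDERED,
                      "string": {"is", "contains", "matches", "starts-with", "ends-with"}}
INTERVAL = re.compile(r"\[?\s*([^\s\[\]]+)\s+TO\s+([^\s\[\]]+)\s*\]?")

def local(tag):
    return tag.rsplit("}", 1)[-1]                      # drop the namespace: 1.0 and 1.1 differ

def parse_interval(content):
    """'49600 TO 50700' or '[a TO b]' -> (lo, hi); None when Content holds a single value."""
    m = INTERVAL.fullmatch(content.strip())
    return (m.group(1), m.group(2)) if m else None

def is_utc_iso8601(value):
    """True only for an ISO 8601 date-time carrying the Z (Zulu/UTC) designator."""
    try:
        return bool(datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False

def allowed_conditions(version, data_type):
    """Conditions usable with a data type in one OpenIOC version (assumption: the 1.0
    exclusions isnot/containsnot are accepted wherever is/contains are)."""
    base = CONDITIONS_BY_TYPE.get(data_type, CONDITIONS_BY_TYPE["string"])
    if version == "1.0":
        return (base & CONDITIONS["1.0"]) | {"isnot"} | ({"containsnot"} if "contains" in base else set())
    return base & CONDITIONS["1.1"]

def lint_ioc(name, data):
    """Lint one IOC file given as bytes; returns (ioc_id, findings)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return None, [f"{name}: not well-formed XML ({exc})"]
    version = ROOT_VERSION.get(local(root.tag))
    if version is None:
        return None, [f"{name}: root element is not OpenIOC 1.0 or 1.1"]
    findings = []
    for item in (e for e in root.iter() if local(e.tag) == "IndicatorItem"):
        item_id, cond = item.get("id", "?"), item.get("condition", "")
        content = next((c for c in item if local(c.tag) == "Content"), None)
        if content is None:
            continue
        dtype = (content.get("type") or "").lower()
        dtype = dtype if dtype in CONDITIONS_BY_TYPE else "string"   # md5, sha256, IP, ... are strings
        if cond not in CONDITIONS[version]:
            findings.append(f"{name}/{item_id}: condition '{cond}' unsupported in OpenIOC {version}")
        elif cond not in allowed_conditions(version, dtype):
            findings.append(f"{name}/{item_id}: condition '{cond}' not applicable to type {dtype}")
        value = (content.text or "").strip()
        bounds = parse_interval(value) if dtype in ("int", "date") else None
        for v in bounds or (value,):                   # check each interval bound, or the value
            if dtype == "date" and not is_utc_iso8601(v):
                findings.append(f"{name}/{item_id}: date '{v}' is not ISO 8601 UTC (Zulu)")
    return root.get("id"), findings

def lint_collection(files):
    """files: [(filename, bytes)]. Returns the findings for the whole collection."""
    findings, first_seen = [], {}
    for name, data in files:
        if not name.lower().endswith((".ioc", ".xml")):
            findings.append(f"{name}: extension is not .ioc/.xml; the file would be ignored")
        elif len(data) > MAX_IOC_FILE_BYTES:
            findings.append(f"{name}: {len(data)} bytes exceeds 3 MB; the task would fail")
        else:
            ioc_id, file_findings = lint_ioc(name, data)
            findings.extend(file_findings)
            if ioc_id in first_seen:
                findings.append(f"{name}: IOC id '{ioc_id}' duplicates {first_seen[ioc_id]}")
            elif ioc_id:
                first_seen[ioc_id] = name
    return findings

# Constructed sample: an OpenIOC 1.1 file with two deliberate defects (items ii-3 and ii-4).
SAMPLE_IOC = b"""<?xml version="1.0" encoding="utf-8"?>
<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="example-0001">
  <criteria><Indicator operator="OR" id="ind-1">
    <IndicatorItem id="ii-1" condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
      <Content type="md5">00000000000000000000000000000000</Content></IndicatorItem>
    <IndicatorItem id="ii-2" condition="is"><Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">[49600 TO 50700]</Content></IndicatorItem>
    <IndicatorItem id="ii-3" condition="is"><Context document="FileItem" search="FileItem/Created" type="mir"/>
      <Content type="date">2009-04-28T10:00:00+03:00</Content></IndicatorItem>
    <IndicatorItem id="ii-4" condition="starts-with"><Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">1234</Content></IndicatorItem>
  </Indicator></criteria>
</OpenIOC>"""
SAMPLE_COLLECTION = [("sample.ioc", SAMPLE_IOC), ("copy.xml", SAMPLE_IOC),   # duplicate IOC id
                     ("notes.txt", b"not an IOC file"),                      # unsupported extension
                     ("big.ioc", b"<ioc/>" + b" " * MAX_IOC_FILE_BYTES)]      # over the per-file limit
```

Pass `lint_collection()` the `(filename, bytes)` pairs you are about to add with Browse and fix every finding before creating the task; for the constructed collection it reports the offset date in ii-3, the starts-with condition on an int in ii-4 (twice, once per copy), the duplicated IOC id, the unsupported extension and the oversized file. The linter parses namespace-agnostically because OpenIOC 1.0 and 1.1 use different root elements and namespaces, and it checks interval bounds individually so that a single non-UTC timestamp inside a TO range is caught as well.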

See also

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export

Viewing IOC Scan task execution results

Page top
[Topic 194662]

Supported IOC terms

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The downloadable file IOC_TERMS.XLSX contains a table with the full list of supported IOC terms of the OpenIOC standard.

Page top

[Topic 199237]

Creating and configuring Standard IOC Scan task

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To create and configure a Standard IOC Scan task, depending on the required task scope, perform one of the following actions:

  • Start the local task creation wizard.
  • Start the group task creation wizard.

    Group tasks are performed on the devices of the selected administration group. For more information on tasks, refer to Kaspersky Security Center documentation.

    To create a group task:

    1. Open Kaspersky Security Center Administration Console.
    2. Do one of the following:
      • In the Administration Console tree, select the Managed devices folder to create a group task for all devices managed using Kaspersky Security Center.
      • In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required devices.
    3. In the workspace, select the Tasks tab.
    4. Click Create a task.

      The task creation wizard will start.

    5. Select the required task and click Next.
    6. Follow the instructions of the task creation wizard.

The task creation wizard allows you to configure the following settings:

  • IOC collection

    To configure IOC collection:

    1. In the IOC collection group of settings click Browse.
    2. In the context menu, do one of the following:
      • Select the Select folder item to add a group of IOC files to the IOC collection.
      • Select the Select file item to add one IOC file to the IOC collection.
    3. Depending on your choice, do one of the following in the window that opens:
      • Specify the path to the folder with IOC files and click OK.
      • Specify the path to IOC file and click Open.

      If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to get information about each IOC file, click View.

      The Select folder window opens. In this window, you can exclude any file from the database by clearing the check box next to the name of the IOC file.

    5. Click OK to save the changes and close the Select folder window.
    6. To export the created IOC collection, click Export.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    7. Click the Save button.

      The application creates a ZIP file in the specified folder.

  • Data types (IOC documents) to be analyzed during IOC scan

    To select data types (IOC documents) that you want to analyze during IOC scan and configure the additional scan settings:

    1. Click the Configure IOC terms and documents button.

      The IOC terms and documents window opens.

    2. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance with the contents of the loaded IOC files. It is not recommended to clear the selected data types manually.

    3. To configure additional settings for the selected ProcessItem IOC document:
      1. Click the Advanced (ProcessItem) button.

        The ProcessItem document scan settings window opens.

      2. In the Indicators group of settings, select data that you want to analyze during the task execution.
      3. Click OK to save the changes and close the ProcessItem document scan settings window.
    4. To configure additional settings for the selected FileItem IOC document:
      1. Click the Advanced (FileItem) button.

        The FileItem document scan settings window opens.

      2. On the Scan areas tab, select data that you want to analyze during the task execution.
      3. On the Scan areas tab, select the areas on protected device drives where to look for indicators of compromise.

        You can select one of the predefined areas, or specify the paths to the desired areas manually.

      4. On the Exclusions tab, select the Apply exclusions check box and specify the paths to the areas on the protected device drives that do not need to be scanned during the task execution.
      5. Click OK to save the changes and close the FileItem document scan settings window.
    5. To configure additional settings for the selected RegistryItem IOC document:
      1. Click the Advanced (RegistryItem) button.

        The RegistryItem document scan settings window opens.

      2. Specify the Windows registry keys to be scanned during the task execution.

        You can select to scan predefined registry keys or specify the list of required registry keys manually.

      3. Click OK to save the changes and close the RegistryItem document scan settings window.
    6. To configure additional settings for the selected EventLogItem IOC document:
      1. Click the Advanced (EventLogItem) button.

        The EventLogItem document scan settings window opens.

      2. To ignore events that were logged before a specified moment, select the Scan only events logged during the specified period check box and specify the date and time.
      3. If necessary, at the bottom of the window, edit the predefined list of channels that are analyzed during the task execution.
      4. Click OK to save the changes and close the EventLogItem document scan settings window.
    7. Click OK to save the changes and close the window.

    The saved settings will be applied when the task is executed.

  • Retrospective IOC scan

    Retrospective IOC scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices.

    The Retrospective IOC scan mode is available only for Standard IOC Scan tasks.

    To enable the Retrospective IOC scan mode:

    1. In the Retrospective IOC Scan group of settings enable the Perform Retrospective IOC Scan within the interval option.
    2. Specify the time interval.

      During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.

    If, during execution of an IOC Scan task with the Perform Retrospective IOC Scan within the interval option enabled, the application finds no data for the specified time interval, it does not report this. In this case, the application shows no indicators of compromise in the task completion report.

  • Application actions on IOC detection

    To configure Kaspersky Endpoint Agent actions on IOC detection:

    1. In the Actions section, select the Take response actions when indicator of compromise is found check box.
    2. Select the Isolate device from the network check box to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    3. Select the Run critical areas scan on the device check box so that Kaspersky Endpoint Agent sends a command to the EPP application to scan critical areas on all devices of the administration group on which indicators of compromise are detected.

    When configuring the task settings in Kaspersky Security Center Administration Console, the Do not perform actions on critical system files check box is available only if the Quarantine and delete response action is selected for the task (this setting can be configured only in Kaspersky Security Center Web Console).

  • Task start schedule

    To configure the schedule settings for IOC Scan task:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list, select one of the following options for running IOC Scan tasks: At specified time, Every hour, Every day, Every week or On application launch.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set a maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start IOC Scan tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid a large number of workstations accessing the Administration Server simultaneously, and to run the task on workstations not exactly on schedule but at a random moment within a certain interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.
  • Running the task from a Kaspersky Security Center user account

    To select the Kaspersky Security Center user account under which you want to run the task, perform one of the following actions in the group of settings for selecting an account to start the task:

    • Select the default account and click Next.
    • Enter the name and password of the user whose account permissions will be used to start the task.
  • Task name

    The task name cannot be longer than 100 characters and cannot contain special characters ("* <>? \: |).

Identifiers of all IOC files that are used in the same IOC Scan task must be unique. The presence of IOC files with the same identifier can affect the correctness of the task execution results.

If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

Semantic errors, as well as IOC terms and tags in IOC files that are not supported by the application, do not cause task execution errors. The application simply does not detect matches in such sections of IOC files.
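As an added example (not Kaspersky's code), the following Python script checks an IOC collection against three of the rules stated on this page before it is uploaded: every file needs a unique identifier, date indicators must be ISO 8601 in the Zulu (UTC) time zone, and the IOC documents a file references tell you which data types the task must have enabled. It assumes the OpenIOC 1.0/1.1 XML layout (an `id` attribute on the root, `IndicatorItem` elements with `Context` and `Content` children); the file names, identifiers and indicator values are constructed for the example.

```python
"""Pre-upload checks for an OpenIOC collection (added example, not vendor code).

Whether a given term is supported is only listed in the vendor's IOC_TERMS.XLSX;
this script reports what the files use, it does not judge support itself.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# ISO 8601 in Zulu (UTC) form: a date, or a date-time that ends in "Z".
ZULU_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d+)?Z)?$")


def _local(tag):
    """Drop the XML namespace: '{http://...}IndicatorItem' -> 'IndicatorItem'."""
    return tag.rsplit("}", 1)[-1]


def inspect_ioc(xml_text):
    """Parse one OpenIOC file.

    Returns (ioc_id, documents, problems): the root id attribute, a Counter of
    IOC documents (FileItem, ProcessItem, ...) referenced by the file's
    IndicatorItems, and a list of date values that are not ISO 8601 Zulu.
    """
    root = ET.fromstring(xml_text)
    ioc_id = root.get("id")
    documents = Counter()
    problems = []
    for item in root.iter():
        if _local(item.tag) != "IndicatorItem":
            continue
        context = content = None
        for child in item:
            if _local(child.tag) == "Context":
                context = child
            elif _local(child.tag) == "Content":
                content = child
        if context is None:
            continue
        documents[context.get("document", "?")] += 1
        if content is None:
            continue
        search = context.get("search", "")
        value = (content.text or "").strip()
        # Treat as a date indicator if typed "date" or the term name ends in time/date.
        is_date = (content.get("type", "").lower() == "date"
                   or search.lower().endswith(("time", "date")))
        if is_date and not ZULU_RE.match(value):
            problems.append(f"{search}: {value!r} is not ISO 8601 Zulu/UTC")
    return ioc_id, documents, problems


def check_collection(files):
    """Check a whole collection given as {file name: xml text}.

    Returns duplicate ids (each with the files sharing it), the union of IOC
    documents the task will need enabled, and per-file date-format problems.
    """
    ids = {}
    needed = set()
    problems = {}
    for name, xml_text in files.items():
        ioc_id, documents, file_problems = inspect_ioc(xml_text)
        ids.setdefault(ioc_id, []).append(name)
        needed.update(documents)
        if file_problems:
            problems[name] = file_problems
    duplicates = {i: names for i, names in ids.items() if len(names) > 1}
    return {"duplicate_ids": duplicates, "documents_needed": needed,
            "problems": problems}


# Constructed sample collection: ids, names and values are made up for this example.
SAMPLE_FILES = {
    "persistence.ioc": """<?xml version="1.0" encoding="utf-8"?>
<ioc id="0f1a3e2b-0000-4000-8000-000000000001" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>example persistence indicators</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">updater.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="ii2" condition="is">
        <Context document="ProcessItem" search="ProcessItem/startTime" type="mir"/>
        <Content type="date">2024-03-01T12:30:00Z</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>""",
    "eventlog.ioc": """<?xml version="1.0" encoding="utf-8"?>
<ioc id="0f1a3e2b-0000-4000-8000-000000000001" xmlns="http://schemas.mandiant.com/2010/ioc">
  <definition>
    <Indicator operator="AND" id="i2">
      <IndicatorItem id="ii3" condition="is">
        <Context document="EventLogItem" search="EventLogItem/genTime" type="mir"/>
        <Content type="date">2024-03-01 12:30:00 +03:00</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>""",
}

if __name__ == "__main__":
    for key, value in check_collection(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

The sample collection deliberately reuses one identifier and carries a local-time-zone date, so the report flags both before the task would silently ignore or misread them.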

See also

Requirements for IOC files

Supported IOC terms

Configuring Standard IOC Scan task

IOC collection export

Viewing IOC Scan task execution results


Configuring Standard IOC Scan task


This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To configure the Standard IOC Scan task settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    The list of tasks is displayed in the workspace.

  3. Open the settings of the required task in one of the following ways:
    • Double-click the task name.
    • Open the policy context menu and select Properties.
    • Select a task and click Configure task in the right part of the window.

    The Properties: <Task name> window will open.

  4. In the left part of the window, select the group of settings that you want to configure.
  5. In the right part of the window, make the necessary changes and click Apply, and then click OK.

    Configuration of the Standard IOC Scan task settings is now finished.

You can configure the following task settings:

  • Task name

    Do the following:

    1. Select the General section.
    2. Change the task name in the top line.

  • Storage time for the task execution results on the Administration Server

    Do the following:

    1. Select the Notification section.
    2. Make sure that the On the Administration Server for (days) check box is selected in the Save information about results section, and specify for how many days you want to store the task execution results.

      By default, task execution results are stored on the Administration Server for 7 days.

  • IOC collection

    To configure IOC collection:

    1. In the IOC collection group of settings click Browse.
    2. In the context menu, do one of the following:
      • Select the Select folder item to add a group of IOC files to the IOC collection.
      • Select the Select file item to add one IOC file to the IOC collection.
    3. Depending on your choice, do one of the following in the window that opens:
      • Specify the path to the folder with IOC files and click OK.
      • Specify the path to IOC file and click Open.

      If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to get information about each IOC file, click View.

      The Select folder window opens. In this window, you can exclude any file from the database by clearing the check box next to the name of the IOC file.

    5. Click OK to save the changes and close the Select folder window.
    6. To export the created IOC collection, click Export.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    7. Click the Save button.

      The application creates a ZIP file in the specified folder.

  • Retrospective IOC scan

    Retrospective IOC scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices.

    The Retrospective IOC scan mode is available only for Standard IOC Scan tasks.

    To enable the Retrospective IOC scan mode:

    1. In the Retrospective IOC Scan group of settings enable the Perform Retrospective IOC Scan within the interval option.
    2. Specify the time interval.

      During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.

    If, during execution of an IOC Scan task with the Perform Retrospective IOC Scan within the interval option enabled, the application finds no data for the specified time interval, it does not report this. In this case, the application shows no indicators of compromise in the task completion report.

  • Application actions on IOC detection

    To configure Kaspersky Endpoint Agent actions on IOC detection:

    1. In the Actions section, select the Take response actions when indicator of compromise is found check box.
    2. Select the Isolate device from the network check box to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    3. Select the Run critical areas scan on the device check box so that Kaspersky Endpoint Agent sends a command to the EPP application to scan critical areas on all devices of the administration group on which indicators of compromise are detected.

    When configuring the task settings in Kaspersky Security Center Administration Console, the Do not perform actions on critical system files check box is available only if the Quarantine and delete response action is selected for the task (this setting can be configured only in Kaspersky Security Center Web Console).

  • Data types (IOC documents) to be analyzed during IOC scan

    To select data types (IOC documents) that you want to analyze during IOC scan and configure the additional scan settings:

    1. Open the Advanced section.
    2. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance with the contents of the loaded IOC files. It is not recommended to clear the selected data types manually.

    3. To configure additional settings for the selected ProcessItem IOC document:
      1. Click the Advanced (ProcessItem) button.

        The ProcessItem document scan settings window opens.

      2. In the Indicators group of settings, select data that you want to analyze during the task execution.
      3. Click OK to save the changes and close the ProcessItem document scan settings window.
    4. To configure additional settings for the selected FileItem IOC document:
      1. Click the Advanced (FileItem) button.

        The FileItem document scan settings window opens.

      2. On the Scan areas tab, select data that you want to analyze during the task execution.
      3. On the Scan areas tab, select the areas on protected device drives where to look for indicators of compromise.

        You can select one of the predefined areas, or specify the paths to the desired areas manually.

      4. On the Exclusions tab, select the Apply exclusions check box and specify the paths to the areas on the protected device drives that do not need to be scanned during the task execution.
      5. Click OK to save the changes and close the FileItem document scan settings window.
    5. To configure additional settings for the selected RegistryItem IOC document:
      1. Click the Advanced (RegistryItem) button.

        The RegistryItem document scan settings window opens.

      2. Specify the Windows registry keys to be scanned during the task execution.

        You can select to scan predefined registry keys or specify the list of required registry keys manually.

      3. Click OK to save the changes and close the RegistryItem document scan settings window.
    6. To configure additional settings for the selected EventLogItem IOC document:
      1. Click the Advanced (EventLogItem) button.

        The EventLogItem document scan settings window opens.

      2. To ignore events that were logged before a specified moment, select the Scan only events logged during the specified period check box and specify the date and time.
      3. If necessary, at the bottom of the window, edit the predefined list of channels that are analyzed during the task execution.
      4. Click OK to save the changes and close the EventLogItem document scan settings window.
    7. Click OK to save the changes and close the window.

    The saved settings will be applied when the task is executed.

  • IOC Scan task schedule

    To configure the schedule settings for IOC Scan task:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list, select one of the following options for running IOC Scan tasks: At specified time, Every hour, Every day, Every week or On application launch.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set a maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start IOC Scan tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid a large number of workstations accessing the Administration Server simultaneously, and to run the task on workstations not exactly on schedule but at a random moment within a certain interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.
  • Kaspersky Security Center user account to run the task

    To select the Kaspersky Security Center user account under which you want to run the task, perform one of the following actions in the group of settings for selecting an account to start the task:

    • Select the default account and click Next.
    • Enter the name and password of the user whose account permissions will be used to start the task.
  • Excluding groups of devices from the task scope

    To exclude groups of devices from the task scope, in the Exclusions from task scope section, select the groups of devices to which the task will not be applied.

    Only the subgroups of the administration group to which the task applies can be excluded.


IOC collection export

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To export an IOC collection:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. In the Run IOC Scan section, select the task in the list and right-click it to open the task action menu.
  4. Select the Properties menu item.

    The task properties window opens.

  5. Select the IOC Scan settings section.
  6. In the IOC collection section click Export.
  7. In the window that opens, specify the name of the file and select the folder where you want to save it.
  8. Click the Save button.

    The application creates a ZIP file in the folder you specified.

See also

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

Viewing IOC Scan task execution results


Viewing IOC Scan task execution results

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To view the IOC Scan task execution results:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    The list of tasks is displayed in the workspace.

  3. Open the settings of the required task in one of the following ways:
    • Double-click the task name.
    • Open the policy context menu and select Properties.
    • Select a task and click Configure task in the right part of the window.

    The Properties: <Task name> window opens.

  4. Select the Results section.
  5. In the Show task results for the device list, select the devices for which you want to view the results of IOC Scan tasks.
  6. To view detailed information about a particular task, double-click it.
  7. To view detailed information about the detected indicator of compromise, click the Show card button.

    The Detected IOC card contains information about the objects that match the conditions of the processed IOC file, as well as the text of the matched branches or individual conditions from this IOC file.

    The Detected IOC card is not available for IOC files for which no indicators of compromise were detected during the scan.

See also

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export


Managing Kaspersky Endpoint Agent using Kaspersky Security Center Web Console

You can centrally manage several protected devices with Kaspersky Endpoint Agent installed that are included in an administration group by means of the Kaspersky Endpoint Agent Management web plug-in. Kaspersky Security Center Web Console also lets you separately configure the operation settings of each protected device in the administration group.

An administration group is created manually in Kaspersky Security Center Web Console and includes several devices with Kaspersky Endpoint Agent installed, for which the same control and protection settings can be configured. For details on using administration groups, see Kaspersky Security Center Help.

Application settings for an individual protected device cannot be configured if Kaspersky Endpoint Agent operation on this protected device is controlled by an active Kaspersky Security Center policy.

Kaspersky Endpoint Agent can be managed from Kaspersky Security Center Web Console in the following ways:

  • Using Kaspersky Security Center policies. Kaspersky Security Center policies can be used to remotely configure the same protection settings for a group of devices. Task settings specified in the active policy have priority over task settings configured locally in the Application Console or remotely in the device properties window of Kaspersky Security Center Web Console.

    You can use policies to configure general application settings, Real-Time Protection task settings, Local Activity Control task settings, and scheduled system task start settings.

  • Using Kaspersky Security Center group tasks. Kaspersky Security Center group tasks allow remote configuration of common settings of tasks with a limited execution period for a group of devices.

    You can use group tasks to activate the application, configure On-Demand Scan task settings, update task settings, and Rule Generator for Applications Launch Control task settings.

  • Using tasks for a set of devices. Tasks for a set of devices allow remote configuration of common settings of tasks with a limited execution period for protected devices that do not belong to any administration group.
  • Using the properties window of a single device. In the device properties window, you can remotely configure the task settings for a single protected device included in the administration group. You can configure both general application settings and the settings of all Kaspersky Endpoint Agent tasks if the selected protected device is not controlled by an active Kaspersky Security Center policy.

Kaspersky Security Center Web Console makes it possible to configure application settings and advanced features, and lets you work with logs and notifications. You can configure these settings for a group of protected devices as well as for an individual protected device.

Google Chrome for Windows is required to manage Kaspersky Endpoint Agent using Kaspersky Security Center Web Console.

See also

Installing and uninstalling Kaspersky Endpoint Agent

Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console

Managing Kaspersky Endpoint Agent using the command line interface

In this Help section

Managing Kaspersky Endpoint Agent policies

Configuring Kaspersky Endpoint Agent settings

Managing Kaspersky Endpoint Agent tasks


Managing Kaspersky Endpoint Agent policies

This section describes how to create Kaspersky Endpoint Agent policies and enable policy settings.

In this section

Creating Kaspersky Endpoint Agent policy

Enabling settings in Kaspersky Endpoint Agent policy

See also

Configuring Kaspersky Endpoint Agent settings

Managing Kaspersky Endpoint Agent tasks


Creating Kaspersky Endpoint Agent policy

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To create a Kaspersky Endpoint Agent policy in the Kaspersky Security Center Web Console:

  1. In the main window, select Devices → Policies and profiles.
  2. Click the Add button.

    The policy creation wizard starts.

  3. Select the Kaspersky Endpoint Agent application and click Next.
  4. Select the required Kaspersky Endpoint Agent deployment method by selecting the appropriate check boxes:
    • Integration with Kaspersky Sandbox
    • Endpoint Detection and Response Optimum
    • Endpoint Detection and Response Expert (KATA EDR), Kaspersky Industrial CyberSecurity for Networks.

    Policy type and integration with Kaspersky Sandbox and KATA EDR cannot be selected in Kaspersky Security Center Cloud Console.

  5. Click Next.
  6. On the General tab, you can perform the following actions:
    • Change the policy name.
    • Select policy status:
      • Active. After the next synchronization, the policy will be active on the computer.
      • Inactive. Backup policy. An inactive policy can be made active, if required.
      • Out-of-office. The policy will become active when the computer leaves the corporate network.
    • Configure the policy settings inheritance:
      • Inherit settings from parent policy. If this option is enabled, the policy settings will be inherited from the upper-level policy. The policy settings cannot be modified if the Force inheritance of settings in child policies option is enabled in the parent policy.
      • Force inheritance of settings in child policies. If this option is enabled, the parent policy settings will be applied to child policies. In the properties window of the child policy, the Inherit settings from parent policy option is automatically enabled and cannot be disabled.
  7. On the Application settings tab, you can configure Kaspersky Endpoint Agent policy settings.
  8. Click the Save button.

Enabling settings in Kaspersky Endpoint Agent policy

When you configure Kaspersky Endpoint Agent policy settings, by default these settings are saved but not applied until you enable them.

Settings are enabled per group of settings. You can enable individual groups of settings or all groups of settings within one policy.

To enable the group of settings in Kaspersky Endpoint Agent policy:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. Select the section and group of settings to which the required setting belongs.
  3. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

All the settings of the group will be applied in the policy.

See also

Creating Kaspersky Endpoint Agent policy

Page top
[Topic 193098][Topic 194326_1]

Opening Kaspersky Endpoint Agent settings window

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To open the Kaspersky Endpoint Agent policy settings window:

  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Select the policy you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.

To open the Kaspersky Endpoint Agent settings window for an individual device:

  1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
  2. Select the device.
  3. In the <Device name> window that opens, select the Applications tab.
  4. Select Kaspersky Endpoint Agent.
  5. In the window that opens, select the Application settings tab.

    If an active Kaspersky Security Center policy is applied to a device and blocks changes to the application settings, these settings cannot be edited in the Application settings window, except for the network isolation settings.

    The settings of automatic network isolation can be configured in the policy properties, and the settings of network isolation on demand (manually enabled settings) can be configured in the properties of an individual device.

Page top

[Topic 206439]

Configuring Kaspersky Endpoint Agent security settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To ensure maximum security of the IT infrastructure in your organization, you can restrict access of users and third-party processes to Kaspersky Endpoint Agent. To do so, configure user permissions, enable password protection, and enable Self-Defense, as described in the topics of this section.

See also

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Configuring Kaspersky Endpoint Agent policy type

Configuring KSN usage in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring storage settings in Kaspersky Endpoint Agent

Configuring failure diagnosis

In this Help section

Configuring user permissions

Enabling Password protection

Enabling and disabling Self-Defense

Page top
[Topic 199459]

Configuring user permissions

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can grant access to Kaspersky Endpoint Agent to individual users or groups of users. As a result, only specified users will be able to manage settings or services of the application.

To configure user permissions:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the User permissions for application service management group of settings, click the Configure button next to the name of the required setting (User permissions for application management or Configure user permissions for application management).

    To add users and user groups, specify the security descriptor strings in SDDL (Security Descriptor Definition Language) syntax.

  4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  5. Click OK.
  6. Click the Save button.
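
The following PowerShell snippet is an added example, not code from Kaspersky Endpoint Agent or its documentation. It builds a security descriptor string for the setting above from account names, resolving them to SIDs so the descriptor does not depend on display names, and then parses the result with the .NET RawSecurityDescriptor class, which rejects malformed SDDL. Assumptions: the setting accepts a standard Windows SDDL string, and because the access mask bits that Kaspersky Endpoint Agent interprets are not stated on this page, the generic GA right is used for illustration only.

```powershell
# Added example (not Kaspersky's code): build and validate an SDDL string for the
# user permissions setting. Assumptions: the setting accepts a standard Windows
# security descriptor string; the access mask bits the agent interprets are not
# stated on the page, so GA (generic all) is used here purely for illustration.
function New-KeaPermissionSddl {
    param(
        # Accounts or groups that may manage the application, e.g. 'BUILTIN\Administrators'
        [Parameter(Mandatory)][string[]] $Principal
    )
    $aces = foreach ($p in $Principal) {
        # Resolve the name to a SID so the descriptor survives renames and locale changes
        $sid = ([System.Security.Principal.NTAccount] $p).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;GA;;;$sid)"   # A = access-allowed ACE, GA = generic all, no inheritance flags
    }
    # Owner and primary group set to SYSTEM; D:P marks the DACL as protected (no inherited ACEs)
    return "O:SYG:SYD:P" + ($aces -join '')
}

function Test-KeaPermissionSddl {
    param([Parameter(Mandatory)][string] $Sddl)
    # The RawSecurityDescriptor constructor throws on malformed SDDL, which is the check we want
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Translate back to a name for review; unresolvable SIDs are reported, not hidden
        $name = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                  catch { '<unresolved>' })
        [pscustomobject]@{
            Type       = $ace.AceType
            Principal  = $name
            Sid        = $ace.SecurityIdentifier.Value
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

$sddl = New-KeaPermissionSddl -Principal 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
$sddl                                     # e.g. O:SYG:SYD:P(A;;GA;;;S-1-5-32-544)(A;;GA;;;S-1-5-18)
Test-KeaPermissionSddl -Sddl $sddl | Format-Table
```

Run it under an account that can resolve the principals (domain groups need domain connectivity) and review the printed table before pasting the string into the Configure dialog; an ACE whose principal shows as unresolved usually means a mistyped name or a SID from another forest.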

See also

Enabling Password protection

Enabling and disabling Self-Defense

Page top
[Topic 199460]

Enabling Password protection

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Unrestricted user access to the application and its settings can reduce the security level of the device. Password protection is a means to limit user access to the application.

To enable password protection:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the Password protection group of settings select the Apply password protection check box.
  4. Enter a password and confirm it.

    It is recommended to select a password that meets the following requirements:

    • The password must be at least 8 characters long.
    • The password must not contain the user's account name.
    • The password must not match the name of the device on which Kaspersky Endpoint Agent is installed.
    • The password must contain characters from at least three of the following groups:
      • uppercase characters (A-Z);
      • lowercase characters (a-z);
      • numbers (0-9);
      • special characters (!$#%).
  5. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  6. Click OK.
  7. Click the Save button.

Password protection is now enabled. If a user attempts to perform a password protected action, the application will prompt the user to enter the password.

The application does not check the strength of the specified password. We recommend that you use third-party tools to verify the strength of the password. The password is considered strong enough if verification results confirm that the password cannot be guessed for at least 6 months.

The application does not lock out or slow down password entry after repeated incorrect attempts, so the length and unpredictability of the password are its only defense against guessing.
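
Because the application does not enforce the recommended requirements itself, the following PowerShell function is an added example (not Kaspersky's code) that checks a candidate password against the rules listed above before it is entered in the policy. The account name, device name and sample passwords are constructed for the demonstration.

```powershell
# Added example (not Kaspersky's code): check a candidate password against the
# requirements recommended in the documentation. The agent does not enforce them.
function Test-KeaPasswordRequirements {
    param(
        [Parameter(Mandatory)][string] $Password,
        [string] $AccountName = $env:USERNAME,      # defaults are assumptions for a local run
        [string] $DeviceName  = $env:COMPUTERNAME
    )
    $failed = [System.Collections.Generic.List[string]]::new()

    if ($Password.Length -lt 8) { $failed.Add('shorter than 8 characters') }
    # -like and -ieq are case-insensitive, which is what we want for names
    if ($AccountName -and $Password -like "*$AccountName*") { $failed.Add('contains the account name') }
    if ($DeviceName  -and $Password -ieq $DeviceName)       { $failed.Add('matches the device name') }

    # Count the character classes present; at least three of the four are required
    $classes = @(
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[a-z]'),
        ($Password -match  '[0-9]'),
        ($Password -match  '[^A-Za-z0-9]')
    ) | Where-Object { $_ } | Measure-Object | Select-Object -ExpandProperty Count
    if ($classes -lt 3) { $failed.Add("only $classes of 4 character classes") }

    [pscustomobject]@{
        Password = ('*' * $Password.Length)   # never echo the secret itself
        Passes   = ($failed.Count -eq 0)
        Failed   = ($failed -join '; ')
    }
}

# Constructed inputs: two that pass the letter of the rules, two that fail them
'Summer2024', 'kx9#Tq2vLp!', 'WS-0137', 'jsmith-Pa55' | ForEach-Object {
    Test-KeaPasswordRequirements -Password $_ -AccountName 'jsmith' -DeviceName 'WS-0137'
} | Format-Table
```

Note that a dictionary word with a year, such as the first sample, satisfies every listed rule and still falls quickly to guessing; treat the rules as a floor and keep the separate strength check the text recommends.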

See also

Configuring user permissions

Enabling and disabling Self-Defense

Page top
[Topic 199461]

Enabling and disabling Self-Defense

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The Self-Defense mechanism of Kaspersky Endpoint Agent protects the application from malware that tries to disable or remove it. Self-Defense prevents modification or deletion of the application files on disk, of its processes in memory, and of its entries in the system registry.

To enable or disable Self-Defense:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the Self-defense group of settings, enable or disable the Enable self-defense for application modules in memory setting.
  4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  5. Click OK.
  6. Click the Save button.

The Self-Defense mechanism is now enabled or disabled.

See also

Configuring user permissions

Enabling Password protection

Page top
[Topic 199462]

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Proxy server connection settings are used for updating databases, activating the application, and connecting to external services.

If you select Use proxy server with specified settings and also want the proxy to be used for connections to the KATA, Kaspersky Industrial CyberSecurity for Networks or Kaspersky Sandbox server, make sure that the Connect using the proxy server if specified in the general settings option is selected when you configure the integration with KATA, Kaspersky Industrial CyberSecurity for Networks or Kaspersky Sandbox. This option is not selected by default, so the general proxy settings alone do not affect those connections.

To configure proxy server connection settings:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. Select one of the following proxy service usage options:
    • Do not use proxy server.
    • Automatically detect proxy server address.
    • Use proxy server with specified settings.
  4. If you select the Automatically detect proxy server address option, the proxy server for further telemetry transmission will be detected automatically.
  5. If you select the Use proxy server with specified settings option, specify the address and port of the proxy server you want to connect to in the Server name or IP address and Port fields.

    The default port number is 8080.

  6. If you want to use NTLM authentication to connect to the proxy server:
    1. Select the Use NTLM authentication by user name and password check box.
    2. In the User name field, enter the name of the user whose account will be used for proxy server authentication.
    3. In the Password field, enter the password for connecting to the proxy server.

      You can make password characters visible by clicking Show to the right of the Password field.

  7. If you do not want to use the proxy server for internal addresses of your organization, select the Bypass proxy server for local addresses check box.
  8. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  9. Click OK.
  10. In the policy properties window, click Save.

Proxy server connection settings are now configured.

See also

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent security settings

Configuring Kaspersky Endpoint Agent policy type

Configuring KSN usage in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring storage settings in Kaspersky Endpoint Agent

Configuring failure diagnosis

Page top
[Topic 199759]

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To enable usage of Kaspersky Security Center as a proxy server for the application activation:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the Licensing group of settings, select the Use Kaspersky Security Center as a proxy server when activating the application check box.
  4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  5. Click OK.
  6. In the policy properties window, click Save.

Kaspersky Security Center usage as a proxy server for Kaspersky Endpoint Agent activation is now enabled.

Page top

[Topic 199760]

Configuring Kaspersky Endpoint Agent policy type

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Selecting Kaspersky Endpoint Agent's policy type is necessary in order for the list of settings displayed in the policy to correspond to the selected Kaspersky Endpoint Agent deployment method.

To configure the policy type:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Management and interface subsection.
  3. In the window that opens, select the required Kaspersky Endpoint Agent deployment method by selecting the appropriate check boxes:
    • Integration with Kaspersky Sandbox
    • Endpoint Detection and Response Optimum
    • Endpoint Detection and Response Expert (KATA EDR), Kaspersky Industrial CyberSecurity for Networks

    Policy type and integration with Kaspersky Sandbox and KATA EDR cannot be selected in Kaspersky Security Center Cloud Console.

  4. Click OK.

The policy type has been changed. The policy contains the settings for the selected Kaspersky Endpoint Agent deployment method.

Page top
[Topic 200211]

Configuring KSN usage in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To protect your computer more effectively, Kaspersky Endpoint Agent uses data received from users around the globe. Kaspersky Security Network is designed to receive this data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services that provide access to the online Kaspersky Knowledge Base that contains information about the reputations of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by the EPP application to objects that are not yet listed in anti-virus application databases, improves performance of some protection components, and reduces the likelihood of false positives.

Participation in Kaspersky Security Network allows Kaspersky to quickly acquire information about the types and sources of objects that are not yet listed in anti-virus application databases, develop methods for neutralizing such objects, and reduce the number of false positives.

When you use Kaspersky Security Network, certain statistical data collected while Kaspersky Endpoint Agent is running is automatically sent to Kaspersky. Files, or parts of files, that may be exploited by intruders to harm the computer or data can be also sent to Kaspersky to be further examined.

No personal data is collected, processed, or stored. The types of data that Kaspersky Endpoint Agent sends to Kaspersky Security Network are described in the KSN Statement.

Participation in Kaspersky Security Network is voluntary. KSN usage is disabled by default. After enabling KSN usage, you can disable this option at any time.

Starting from version 3.10, Kaspersky Managed Protection (also referred to as KMP) usage cannot be configured by means of Kaspersky Endpoint Agent. If usage of the KMP service was enabled in the previous Kaspersky Endpoint Agent version, the KMP service continues functioning after the application is updated to version 3.10 or later. After the application update, you can disable the KMP service only by using the Kaspersky Endpoint Agent Administration Plug-in or Kaspersky Endpoint Agent Web Plug-in of a version earlier than 3.10.

To enable KSN usage:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Kaspersky Security Network section, click the Read terms and conditions of the KSN Statement link and perform the following actions:
    1. In the right part of the window, review the terms and conditions of the KSN Statement.
    2. If you agree with terms and conditions of the Statement, select the I confirm that I have fully read, understood, and accept the terms and conditions of this Kaspersky Security Network Statement check box.
    3. Click OK.
  3. Select the Enable Kaspersky Security Network usage check box.
  4. If you want to use Kaspersky Security Center for telemetry transmission, select the Use Kaspersky Security Center as a KSN proxy server check box.
  5. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  6. Click OK.
  7. In the policy properties window, click Save.

KSN usage is enabled.

See also

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent security settings

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Configuring Kaspersky Endpoint Agent policy type

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring storage settings in Kaspersky Endpoint Agent

Configuring failure diagnosis

Page top
[Topic 199776]

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section contains information on how to configure integration between Kaspersky Endpoint Agent and the KATA Central Node component using the Kaspersky Security Center Web Console.

In this Help section

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

Page top
[Topic 206114]

Configuring data submission settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure data submission settings:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the General settings subsection.

    The General settings window opens.

  3. In the Data submission settings group, do the following:
    • Specify the value in the Events transmission period (sec.) field.
    • Specify the value in the Maximum number of events in a package field.
  4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  5. Click OK.

See also

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

Page top
[Topic 206806]

Configuring request throttling settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The request throttling feature allows restricting the flow of events with low importance from Kaspersky Endpoint Agent to the Central Node component.

To configure the request throttling settings:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the General settings subsection.

    The General settings window opens.

  3. In the Request throttling group of settings, you can perform the following actions:
    • Select or clear the Enable request throttling check box to enable or disable the feature.

      This feature is enabled by default.

    • Specify the value in the Maximum number of events per hour field.

      The application analyzes the telemetry data flow and restricts transmission of low-importance events if the number of transmitted events is on track to exceed the value specified in this field. The default value is 3000 events per hour.

    • Specify the value in the Percentage of event limit excess field.

      If the flow of events of the same type with low importance exceeds the threshold value specified in this field as a percentage of the total number of events, transmission of events of this type is restricted. You can specify a value from 5% to 100%. The default value is 15%.

  4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  5. Click OK.
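
To make the interaction of the two throttling parameters concrete, the following PowerShell script is an added example, not Kaspersky's code and not the agent's actual algorithm, which this page does not publish. It is a simplified model in which a low-importance event type is held back once the projected hourly volume exceeds the limit and that type's share of the events already sent exceeds the percentage threshold. The event stream, type names and importance labels are constructed for the demonstration.

```powershell
# Added example (not Kaspersky's code): simplified model of request throttling.
# A low-importance type is suppressed while BOTH conditions hold:
#   projected events per hour > MaxEventsPerHour, and
#   share of that type among events already sent > ExcessPercent.
function Invoke-KeaThrottleModel {
    param(
        [Parameter(Mandatory)][object[]] $Events,   # objects with Offset (sec), Type, Importance
        [int] $MaxEventsPerHour = 3000,             # policy default
        [int] $ExcessPercent    = 15                # policy default, allowed range 5..100
    )
    $seen = @{}; $sent = @{}; $total = 0
    foreach ($e in ($Events | Sort-Object Offset)) {
        $total++
        $seen[$e.Type] = 1 + [int]$seen[$e.Type]
        # Project the rate observed so far onto a full hour
        $elapsed   = [math]::Max($e.Offset, 1)
        $projected = $total * 3600 / $elapsed
        # Share is measured on what was actually sent, so a suppressed type
        # keeps being sent up to the threshold rather than being cut off entirely
        $share = 100 * [int]$sent[$e.Type] / $total
        $drop  = ($e.Importance -eq 'Low') -and
                 ($projected -gt $MaxEventsPerHour) -and
                 ($share -gt $ExcessPercent)
        if (-not $drop) { $sent[$e.Type] = 1 + [int]$sent[$e.Type] }
    }
    foreach ($t in ($seen.Keys | Sort-Object)) {
        [pscustomobject]@{
            Type      = $t
            Generated = $seen[$t]
            Sent      = [int]$sent[$t]
            Dropped   = $seen[$t] - [int]$sent[$t]
        }
    }
}

# Constructed stream: one hour dominated by low-importance file events,
# a smaller low-importance type, and a handful of high-importance detections
$mix = @(
    @{ Type = 'FileModified'; Importance = 'Low';  N = 5000 }
    @{ Type = 'ProcessStart'; Importance = 'Low';  N = 400 }
    @{ Type = 'Detection';    Importance = 'High'; N = 20 }
)
$events = foreach ($m in $mix) {
    1..$m.N | ForEach-Object {
        [pscustomobject]@{ Offset = [int](3600 * $_ / $m.N); Type = $m.Type; Importance = $m.Importance }
    }
}
Invoke-KeaThrottleModel -Events $events | Format-Table
```

In this run only FileModified is throttled: the stream projects to well over 3000 events per hour, FileModified exceeds the 15% share, while ProcessStart stays below it and Detection is never low importance. Raising the limit or lowering the percentage changes which types are affected, which is the trade-off to keep in mind when tuning these fields for a noisy fleet.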
Page top
[Topic 206807]

Enabling and disabling integration with KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

If you use Nginx as a proxy server between a device with Kaspersky Endpoint Agent installed and the KATA server, configure the client_max_body_size setting. Its value must be at least the maximum size of an object that Kaspersky Endpoint Agent sends to KATA for processing. Otherwise Nginx rejects requests whose body exceeds the specified value (HTTP status 413), and those objects never reach the Central Node. The Nginx default value is 1 MB.
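
An added configuration example (not from the Kaspersky documentation) showing where client_max_body_size belongs in an Nginx reverse-proxy configuration in front of the Central Node. The host names, certificate paths and the 100m limit are assumptions; derive the limit from the largest object the agent is allowed to send.

```nginx
# Added example (not from the Kaspersky documentation). Host names, paths and the
# 100m limit are assumptions for illustration.
server {
    listen 443 ssl;
    server_name kata-proxy.example.internal;
    ssl_certificate     /etc/nginx/tls/kata-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/kata-proxy.key;

    # Nginx default is 1m; larger request bodies are rejected with 413 and never reach KATA.
    # Must be at least the largest object Kaspersky Endpoint Agent may submit.
    client_max_body_size 100m;

    location / {
        proxy_pass https://central-node.example.internal:443;
        # Stream the upload to the Central Node instead of buffering it to disk first
        proxy_request_buffering off;
    }
}
```

If the proxy terminates TLS, the agent's pinned certificate must be the one Nginx presents, because the pinning check applies to whichever endpoint the agent actually connects to.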

To enable or disable integration with the KATA Central Node component:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the Integration with KATA subsection.

    The KATA integration window opens.

  3. In the Connection settings group, do one of the following:
    • To enable integration with KATA Central Node:
      1. Select the Enable KATA integration check box.
      2. In the List of KATA servers settings group, for one or more KATA servers, specify the IP address or fully qualified domain name of the KATA server, as well as the port for connecting to the server.

        Kaspersky Endpoint Agent connects to the first server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second server and so on down the list.

    • To disable integration with KATA Central Node, clear the Enable KATA integration check box.
  4. Enable or disable the Connect using the proxy server if specified in the general settings option.

    This option is disabled by default. The application connects to the KATA server only directly and does not use the general proxy server connection settings. You can enable this option if you want the application to use the general proxy server connection settings when connecting to the KATA server.

  5. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  6. Click OK.

Integration with KATA Central Node is enabled or disabled.

See also

Configuring data submission settings

Configuring request throttling settings

Configuring trusted connection with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

Page top
[Topic 206808]

Configuring trusted connection with KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure trusted connection between Kaspersky Endpoint Agent and KATA Central Node, perform the following actions on Kaspersky Endpoint Agent side:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the Integration with KATA subsection.

    The KATA integration window opens.

  3. In the Connection settings group, select the Use pinned certificate to protect connection check box.
  4. Click the Add new TLS certificate button.

    The window for adding a new TLS certificate opens.

  5. Perform one of the following actions to add a TLS certificate:
    • Add a certificate file. Click Upload, and in the window that opens, select the certificate file and click Open.
    • Copy and paste the contents of the certificate file to the TLS certificate data field.

    Kaspersky Endpoint Agent may have only one KATA server TLS certificate. If you have added a TLS certificate before and then add a TLS certificate once again, only the last added certificate is valid.

  6. Click OK.

    Information about the added TLS certificate is shown in the TLS certificate data group of settings.

  7. If you want to configure additional connection protection by a user certificate, do the following:
    1. Select the Secure connection with the client certificate check box.
    2. Click the Load Crypto-container button.
    3. In the window that opens select the PFX archive and click Open.
    4. In the Crypto-container password field, enter the password for the PFX archive.
    5. Click OK.
  8. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  9. Click OK.

A trusted connection to the KATA server is now configured.

The TLS certificate file must satisfy the following requirements:

  • The file must contain the certificate itself and a private encryption key for the connection.
  • The file must be in PEM or DER format.
  • The private key length must be 2048 bits or longer.

For more details about preparing TLS certificates for import, refer to OpenSSL documentation.
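As an added example (not part of this Help page and not Kaspersky's code), the following Python script applies the three requirements above to a PEM bundle before it is pasted into the TLS certificate data field: it confirms that the file carries both a CERTIFICATE block and a private key block, and reads the RSA modulus length directly out of the DER structure so that the 2048-bit minimum is checked without external tools. Assumptions: the file is in PEM form (a single DER object is out of scope here) and the key is RSA in PKCS#1 or PKCS#8 encoding. The make_fake_bundle helper fabricates a non-functional placeholder bundle purely to exercise the checker; it is not a key pair that can be deployed.

```python
import base64
import re

MIN_KEY_BITS = 2048  # requirement stated on the page
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]


def _der_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _der_tlv(value, pos)
        out.append((tag, v))
    return out


def rsa_modulus_bits(key_der):
    """Bit length of the RSA modulus in a PKCS#1 (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY) blob."""
    _, body, _ = _der_tlv(key_der, 0)
    fields = _der_children(body)
    # PKCS#8: SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING pkcs1_key }
    if len(fields) >= 3 and fields[1][0] == 0x30 and fields[2][0] == 0x04:
        return rsa_modulus_bits(fields[2][1])
    # PKCS#1: SEQUENCE { INTEGER version, INTEGER modulus, INTEGER publicExponent, ... }
    return int.from_bytes(fields[1][1], "big").bit_length()


def check_pinned_cert_file(pem_text):
    """Apply the page's requirements to a PEM bundle meant for the pinned-certificate field.
    Returns (ok, reasons). Assumption: RSA keys only; DER files are out of scope here."""
    blocks = pem_blocks(pem_text)
    labels = [label for label, _ in blocks]
    reasons = []
    if "CERTIFICATE" not in labels:
        reasons.append("file contains no CERTIFICATE block")
    keys = [der for label, der in blocks if label in ("RSA PRIVATE KEY", "PRIVATE KEY")]
    if not keys:
        reasons.append("file contains no private key block")
    else:
        bits = rsa_modulus_bits(keys[0])
        if bits < MIN_KEY_BITS:
            reasons.append(f"private key is {bits} bits, the minimum is {MIN_KEY_BITS}")
    return not reasons, reasons


# --- constructed test data: a minimal DER encoder and a FAKE, non-functional key bundle ---

def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(i):
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))  # extra byte keeps sign bit clear


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def make_fake_bundle(modulus_bits, pkcs8=False):
    """Constructed sample: placeholder certificate plus an RSA key structure whose modulus
    has the requested bit length. It exercises the checker only; it is not a usable key pair."""
    modulus = (1 << (modulus_bits - 1)) | 1
    pkcs1 = _der(0x30, _der_int(0) + _der_int(modulus) + _der_int(65537))
    cert = _der(0x30, _der(0x04, b"placeholder certificate body"))
    if not pkcs8:
        return _pem("CERTIFICATE", cert) + _pem("RSA PRIVATE KEY", pkcs1)
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00"  # rsaEncryption, NULL
    pkcs8_key = _der(0x30, _der_int(0) + _der(0x30, rsa_oid) + _der(0x04, pkcs1))
    return _pem("CERTIFICATE", cert) + _pem("PRIVATE KEY", pkcs8_key)
```

A certificate exported on its own, which is what a browser or CA portal usually produces, fails the first check before any pinning is attempted; running the checker on the file before the policy is pushed to a group of devices catches that early.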

See also

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node


Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure synchronization settings between Kaspersky Endpoint Agent and KATA Central Node:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the Integration with KATA subsection.

    The KATA integration window opens.

  3. In the Additional settings group, configure the following settings:
    • Timeout (sec.). Specify the maximum KATA server response timeout. The default value is 10 seconds.
    • Send synchronization request to KATA server every (min.). Specify the interval between requests to synchronize Kaspersky Endpoint Agent settings and tasks with KATA Central Node. You can specify a value from 1 to 60 minutes. The default value is 5 minutes.
    • Select or clear the Use TTL period when sending events check box. The check box is cleared by default.

      If the check box is selected, Kaspersky Endpoint Agent does not send information about the processes that are started again to the KATA server. Kaspersky Endpoint Agent does not consider the launch of the process as repeated if the process is started after the end of the TTL period.

    • If you select the Use TTL period when sending events check box, specify the time in the TTL period (min.) field. The default value is 1440 minutes.
  4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  5. Click OK.
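To make the TTL behaviour described in step 3 concrete, here is an added Python example (not from this Help page or the product) that models which process-start events reach the KATA server under the two settings. It assumes that a "repeated" start is a start of the same executable path, compared case-insensitively, and that the TTL period is counted from the last start that was actually sent; the sample events are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    timestamp: int   # seconds since an arbitrary epoch (constructed sample values below)
    path: str        # executable path of the started process


class TtlStartFilter:
    """Decides which process-start events are sent to the KATA server.

    With use_ttl=False every start is sent. With use_ttl=True a start of the same process
    within ttl_minutes of the last start that was sent is treated as repeated and dropped;
    once the TTL period has ended, the next start is sent again. Assumption: "same process"
    means the same executable path (case-insensitive), and the TTL is counted from the last
    start that was actually sent.
    """

    def __init__(self, use_ttl=False, ttl_minutes=1440):   # page defaults: cleared, 1440 min
        self.use_ttl = use_ttl
        self.ttl_seconds = ttl_minutes * 60
        self._last_sent = {}   # path -> timestamp of the last start that was sent

    def should_send(self, event):
        if not self.use_ttl:
            return True
        key = event.path.lower()
        last = self._last_sent.get(key)
        if last is not None and event.timestamp - last < self.ttl_seconds:
            return False                      # repeated launch inside the TTL period
        self._last_sent[key] = event.timestamp
        return True


def select_starts_to_send(events, use_ttl=False, ttl_minutes=1440):
    """Return the subset of events that would reach the server, in order."""
    f = TtlStartFilter(use_ttl, ttl_minutes)
    return [e for e in events if f.should_send(e)]


# Constructed sample: one day of launches of two executables.
SAMPLE_STARTS = [
    ProcessStart(0, r"C:\Windows\System32\cmd.exe"),
    ProcessStart(300, r"C:\Windows\System32\cmd.exe"),          # repeated 5 min later
    ProcessStart(600, r"C:\Program Files\App\app.exe"),
    ProcessStart(3600, r"c:\windows\system32\CMD.EXE"),         # same path, different case
    ProcessStart(1440 * 60, r"C:\Windows\System32\cmd.exe"),    # TTL period has ended
]
```

With the check box selected and the default 1440-minute TTL, a binary that is launched many times a day is reported once; an analyst who correlates on launch counts should keep that in mind, and a shorter TTL trades more events for finer visibility.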

See also

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node


Configuring EDR telemetry settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section contains information on how to configure:

  • Exclusions for EDR telemetry about application processes, which Kaspersky Endpoint Agent processes and sends to a server with the KATA Central Node or Kaspersky Industrial CyberSecurity for Networks component.
  • Optimization of the volume of EDR telemetry that Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.
  • Exclusions for EDR telemetry about network communications, which Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.

In this Help section

Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes

Enabling and configuring exclusions for sent EDR telemetry about network communications


Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes


This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can enable and configure exclusions for and optimization of EDR telemetry about application processes using Kaspersky Security Center Web Console, in the properties of an individual device or in the policy settings for a group of devices.

Exclusions for EDR telemetry about application processes are available when Kaspersky Endpoint Agent is integrated with servers where KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.

Kaspersky Endpoint Agent does not analyze or send data on excluded application processes to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.

Optimization of the volume of EDR telemetry about application processes can be managed (enabled / disabled) when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.

If optimization of the volume of EDR telemetry is enabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (network activity of a process) for the Microsoft SMB protocol and the Network Agent process klnagent.exe regarding application processes to a server where KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.

To enable and configure exclusions for and optimization of the volume of EDR telemetry on application processes:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the EDR telemetry section, select Excluded processes.

    The Excluded processes window opens.

  3. In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
  4. Configure optimization of the volume of EDR telemetry:

    When Kaspersky Endpoint Agent is integrated with servers where KATA Central Node is installed, optimization of the volume of EDR telemetry should always be enabled.

    • Disable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol, WinRM service, and the Network Agent process klnagent.exe.
    • Enable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to not send events with codes 102 (basic communications) and 8 (the process’s network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe.

    If the Use exclusions setting is disabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe, regardless of the value of the Optimize the amount of telemetry setting.

  5. Create a list of exclusions:
    1. Click the Add button.
    2. In the Rule properties window that opens, configure the exclusion settings:

      Exclusion settings are applied using a logical AND.

      To create an exclusion, specify the value in the Full path field and select at least one event type in the Use this exclusion for the following event types list.

      If the Network events value is selected for the Use this exclusion for the following event types criterion, specify the full path to the file in the Full path field.

      The object for which you create an exclusion must be available on the protected device at the time the exclusion settings are applied. For example, if you first configure an exclusion for a specific application and only then install that application on the protected device, the exclusion will not be applied.

      1. In the Process information section, specify the values in the following fields:
        • Full path. Full path to the file, including its name and extension. You can use file masks (using the ? and * characters), as well as system environment variables.
        • Command line text. Command line to run the object.
        • Parent folder path. The path to the folder where the file is located.
      2. In the File properties section, specify the values in the following fields:
        • File description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
        • Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
        • File version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
      3. In the File checksums section, specify the values in the following fields:
        • MD5. MD5 hash of the file.
        • SHA256. SHA256 hash of the file.
      4. In the Use this exclusion for the following event types list, select at least one value:
        • File modification.
        • Network events.
        • Interactive input in the console.

          This event type is selected by default.

        • Loading the process module.
        • Changes in the Registry.
    3. Click OK to save the changes and close the Rule properties window.

      The new exclusion is created and displayed in the list of exclusions.

    4. If you need to export the exclusion list to an XML file, click the Export button.
    5. If you need to import the exclusion list from an XML file, click the Import button.
    6. If you need to modify an exclusion, click the Modify button.
    7. If you need to delete an exclusion from the list, select the exclusion and click the Delete button.
  6. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. This is the default position of the switch.
  7. Click OK to save the changes.
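The following Python example is added here (it is not the product's code and not part of this Help page) to show how the exclusion criteria in step 5 combine: the event type must be one the rule selects and every criterion the rule sets must match (logical AND), with ? and * masks and %ENV% variables expanded in the Full path field. Details assumed because the page does not state them: string criteria other than Full path are compared exactly and case-insensitively, and the Full path mask must match the whole path. The sample rules, events and environment are constructed.

```python
import re
from dataclasses import dataclass

# Event types from the "Use this exclusion for the following event types" list.
EVENT_TYPES = frozenset({"file_modification", "network", "console_input", "module_load", "registry"})


@dataclass(frozen=True)
class ProcessExclusion:
    full_path: str                                          # required; masks ? and * plus %ENV% variables
    event_types: frozenset = frozenset({"console_input"})   # page default: console input only
    command_line: str = ""                                  # "" means the criterion is not used
    parent_folder: str = ""
    file_description: str = ""
    original_filename: str = ""
    file_version: str = ""
    md5: str = ""
    sha256: str = ""


def validate(rule):
    """The page's minimum: a Full path and at least one known event type."""
    if not rule.full_path:
        raise ValueError("Full path is required")
    if not rule.event_types or not rule.event_types <= EVENT_TYPES:
        raise ValueError(f"event types must be a non-empty subset of {sorted(EVENT_TYPES)}")


def mask_to_regex(mask, env):
    """Expand %VAR% from env, then turn a file mask (? = one char, * = any run) into a regex."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), mask)
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in expanded)
    return re.compile(pattern, re.IGNORECASE)   # assumption: Windows paths compare case-insensitively


def matches(rule, event, env):
    """True when the event type is covered AND every criterion the rule sets matches (logical AND)."""
    validate(rule)
    if event["event_type"] not in rule.event_types:
        return False
    if not mask_to_regex(rule.full_path, env).fullmatch(event["path"]):
        return False
    exact = [  # (rule value, event value); assumption: exact, case-insensitive comparison
        (rule.command_line, event.get("command_line", "")),
        (rule.parent_folder, event.get("parent_folder", "")),
        (rule.file_description, event.get("file_description", "")),
        (rule.original_filename, event.get("original_filename", "")),
        (rule.file_version, event.get("file_version", "")),
        (rule.md5, event.get("md5", "")),
        (rule.sha256, event.get("sha256", "")),
    ]
    return all(not wanted or wanted.lower() == actual.lower() for wanted, actual in exact)


def telemetry_to_send(rules, events, env):
    """Events not covered by any exclusion, i.e. what the agent would still send."""
    return [e for e in events if not any(matches(r, e, env) for r in rules)]


# Constructed sample data (not real telemetry; the MD5 value is a placeholder).
SAMPLE_ENV = {"SystemRoot": r"C:\Windows"}
SAMPLE_RULES = [
    ProcessExclusion(r"%SystemRoot%\System32\svchost.exe", frozenset({"network", "module_load"})),
    ProcessExclusion(r"C:\Tools\*.exe", frozenset({"file_modification"}),
                     md5="0123456789abcdef0123456789abcdef"),
]
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "network", "path": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "event_type": "registry", "path": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "event_type": "network", "path": r"C:\Users\alice\svchost.exe"},
    {"id": 4, "event_type": "file_modification", "path": r"C:\Tools\build.exe",
     "md5": "0123456789abcdef0123456789abcdef"},
    {"id": 5, "event_type": "file_modification", "path": r"C:\Tools\build.exe",
     "md5": "ffffffffffffffffffffffffffffffff"},
]
```

Because the criteria are ANDed, adding a hash or file-properties criterion to a mask-based rule such as C:\Tools\*.exe keeps the exclusion from silencing every binary that later appears in that folder; the page's note that the object must already exist when the settings are applied is the other half of that trade-off.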

Enabling and configuring exclusions for sent EDR telemetry about network communications

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can configure exclusions for EDR telemetry about network communications using Kaspersky Security Center Web Console, in the properties of an individual device or in the policy settings for a group of devices.

Exclusions for EDR telemetry about network communications are applied when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.

Kaspersky Endpoint Agent does not analyze or send data matching exclusion settings to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.

To enable and configure exclusions for EDR telemetry about network communications:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the EDR telemetry section, select Excluded network communications.

    The Excluded network communications of the process window opens.

  3. In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
  4. Create a list of exclusions:
    1. Click the Add button.
    2. In the Rule properties window that opens, configure the exclusion settings.

      Exclusion settings are applied using a logical AND.

      1. In the Name field, enter the name of the exclusion.
      2. In the Direction drop-down list, select the direction of network traffic.
      3. In the Protocol drop-down list, select the network protocol.
      4. If you select a custom protocol, in the Number field, enter the network protocol number.
      5. Select the Local port OR range check box and enter the port number or number range.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the local device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the remote device.

        Port numbers can be any value from 1 to 65535.

        A range of ports is specified as two port numbers from that interval, for example 1–10, 20–30000 or 1–65535.

        Limitations:

        • For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
        • For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
      6. Select the Remote port OR range check box and enter the port number or number range.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the remote device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the local device.

        Port numbers can be any value from 1 to 65535.

        A range of ports is specified as two port numbers from that interval, for example 1–10, 20–30000 or 1–65535.

        Limitations:

        • For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
        • For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
      7. Select the Local address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.

        For incoming exclusions (in the Direction drop-down list, Incoming is selected), enter the network address for the local device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address of the remote device.

        For IP addresses, only addresses in IPv4 format are supported.

      8. Select the Remote address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the remote device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address for the local device.

        For IP addresses, only addresses in IPv4 format are supported.

      9. Create the list of applications for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
        1. Select the Applications check box.
        2. In the field below, specify the path to the executable file of the application you want to add to the list. You can enter the path manually or with the help of the Browse button.
        3. Click the Add button.
        4. For each application you want to add to the list, repeat steps 2 and 3 of the guide.
        5. If necessary, remove an application from the list:
          1. Select the application in the list.
          2. Click the Delete button.
      10. Click OK to save the changes and close the Rule properties window.

        The new exclusion is created and displayed in the list of exclusions.

    3. If you need to modify an exclusion, click the Modify button.
    4. If you need to delete an exclusion, select the exclusion and click the Delete button.
  5. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. This is the default position of the switch.
  6. Click OK to save the changes.
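As an added example (not from this Help page or the product), the following Python snippet validates the port and address fields as the page specifies them (ports 1 to 65535, a range's lower bound not above its upper bound, IPv4 only) and evaluates a rule against a connection record, mapping the Local and Remote fields onto the connection's endpoints exactly as steps 5 through 8 describe for each direction. Assumptions: the protocol is given as an IP protocol number (6 for TCP, 17 for UDP, or a custom number), application paths are compared case-insensitively, and the rules and connection records are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

PORT_SPEC_RE = re.compile(r"^\s*(\d+)\s*(?:[-\u2013]\s*(\d+))?\s*$")   # "445", "20-30000" or "20–30000"
PROTOCOLS = {"TCP": 6, "UDP": 17}   # IP protocol numbers; a custom protocol is given by its number


def parse_port_spec(spec):
    """Parse the 'port OR range' field into (low, high); both must lie in 1..65535."""
    m = PORT_SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"invalid port specification: {spec!r}")
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"ports must satisfy 1 <= low <= high <= 65535: {spec!r}")
    return low, high


def parse_ipv4(text):
    """The page supports IPv4 only, so IPv6 input is rejected."""
    addr = ipaddress.ip_address(text)
    if addr.version != 4:
        raise ValueError(f"only IPv4 addresses are supported: {text!r}")
    return addr


@dataclass(frozen=True)
class NetworkExclusion:
    name: str
    direction: str            # "Incoming" or "Outgoing"
    protocol: int             # IP protocol number, e.g. PROTOCOLS["TCP"]
    local_port: str = ""      # "" means the criterion is not used
    remote_port: str = ""
    local_address: str = ""
    remote_address: str = ""
    applications: tuple = ()  # executable paths; () means the criterion is not used


def _endpoint_pairs(rule, conn):
    """Pair rule fields with connection endpoints the way the page describes them: for Incoming
    the Local fields describe the local device and the Remote fields the remote device; for
    Outgoing the Local fields describe the remote device and the Remote fields the local device."""
    if rule.direction == "Incoming":
        ports = [(rule.local_port, conn["local_port"]), (rule.remote_port, conn["remote_port"])]
        addrs = [(rule.local_address, conn["local_ip"]), (rule.remote_address, conn["remote_ip"])]
    else:
        ports = [(rule.local_port, conn["remote_port"]), (rule.remote_port, conn["local_port"])]
        addrs = [(rule.local_address, conn["remote_ip"]), (rule.remote_address, conn["local_ip"])]
    return ports, addrs


def matches(rule, conn):
    """Logical AND over every criterion the rule sets, once direction and protocol agree."""
    if conn["direction"] != rule.direction or conn["protocol"] != rule.protocol:
        return False
    ports, addrs = _endpoint_pairs(rule, conn)
    for spec, port in ports:
        if spec:
            low, high = parse_port_spec(spec)
            if not low <= port <= high:
                return False
    for spec, ip in addrs:
        if spec and parse_ipv4(spec) != parse_ipv4(ip):
            return False
    if rule.applications:
        allowed = {p.lower() for p in rule.applications}   # assumption: case-insensitive path match
        if conn["process_path"].lower() not in allowed:
            return False
    return True


def connections_to_send(rules, conns):
    """Connections not covered by any exclusion, i.e. what the agent would still report."""
    return [c for c in conns if not any(matches(r, c) for r in rules)]


# Constructed sample data (not real telemetry).
SAMPLE_RULES = [
    NetworkExclusion("SMB to file server", "Outgoing", PROTOCOLS["TCP"],
                     local_port="445",             # for Outgoing this is the remote device's port
                     local_address="10.0.0.5",     # and this the remote device's address
                     applications=(r"C:\Windows\System32\svchost.exe",)),
    NetworkExclusion("Inbound RDP from jump host", "Incoming", PROTOCOLS["TCP"],
                     local_port="3389", remote_address="10.0.0.9"),
]
SAMPLE_CONNS = [
    {"id": 1, "direction": "Outgoing", "protocol": 6, "local_ip": "10.0.0.20", "local_port": 51000,
     "remote_ip": "10.0.0.5", "remote_port": 445, "process_path": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "direction": "Outgoing", "protocol": 6, "local_ip": "10.0.0.20", "local_port": 51001,
     "remote_ip": "10.0.0.6", "remote_port": 445, "process_path": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "direction": "Outgoing", "protocol": 6, "local_ip": "10.0.0.20", "local_port": 51002,
     "remote_ip": "10.0.0.5", "remote_port": 445, "process_path": r"C:\Users\alice\tool.exe"},
    {"id": 4, "direction": "Incoming", "protocol": 6, "local_ip": "10.0.0.20", "local_port": 3389,
     "remote_ip": "10.0.0.9", "remote_port": 50000, "process_path": r"C:\Windows\System32\svchost.exe"},
    {"id": 5, "direction": "Incoming", "protocol": 17, "local_ip": "10.0.0.20", "local_port": 3389,
     "remote_ip": "10.0.0.9", "remote_port": 50000, "process_path": r"C:\Windows\System32\svchost.exe"},
]
```

The direction-dependent mapping is the part most easily got wrong in the console: an outgoing rule that names port 445 in the Local port field is describing the far end of the connection, so the sample's second connection (same service, different server address) is still reported.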

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Before performing the following steps, obtain the MDR configuration archive. It contains the configuration file (BLOB) required for integration.

By downloading the Kaspersky Managed Detection and Response configuration file, you agree to automatically send the data from the device with Kaspersky Endpoint Security installed to Kaspersky for processing. Do not download the configuration file if you do not want the transmitted data to be processed.

If you want Kaspersky Endpoint Agent to process data about events generated by Kaspersky Industrial CyberSecurity for Networks and send this data to Kaspersky Managed Detection and Response, configure interaction with Kaspersky Security Center in the settings of Kaspersky Industrial CyberSecurity for Networks. For detailed information on configuring interaction between the applications, refer to the Kaspersky Industrial CyberSecurity for Networks documentation.

To configure integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response using the Kaspersky Security Center Web Console:

  1. Open the Kaspersky Security Center Web Console.
  2. Open the Devices → Policies and profiles tab.
  3. In the list of policies, select the name of Kaspersky Endpoint Agent policy that you want to configure.

    This opens the policy settings window.

  4. Enable KSN Usage.

    Open the main window of the Kaspersky Security Center Web Console.

  5. In the Administration Console tree, configure the Private KSN settings (for information on configuring Kaspersky Security Network proxy server settings, refer to Kaspersky Security Center Help).

    Download the Kaspersky Managed Detection and Response configuration file with the pkcs7 extension that is included in the mdr_config.zip archive.

  6. To continue configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response, open the main window of the Kaspersky Security Center Web Console.
  7. Open the Devices → Policies and profiles tab.
  8. In the list of policies, select the name of Kaspersky Endpoint Agent policy that you want to configure.

    This opens the policy settings window.

  9. On the Application settings tab, select Managed Detection and Response.
  10. In the Managed Detection and Response settings group, do the following:
    1. Switch the toggle button to Managed Detection and Response enabled.
    2. Click the Upload configuration file (BLOB) button and select the BLOB configuration file to load.
    3. In the User identifier field, enter an arbitrary value.
    4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.
  11. Click Save to save the changes.

Integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response is configured.

MDR operation when using Kaspersky Endpoint Agent simultaneously with Kaspersky Endpoint Security

Kaspersky Endpoint Security 11 or later with the current database version supports interaction with MDR. In Kaspersky Endpoint Security 11.6.0 or later, interaction with MDR is available immediately after installation.

If you use Kaspersky Endpoint Agent to work with MDR and then install a version of Kaspersky Endpoint Security that supports interaction with MDR, or update the databases of Kaspersky Endpoint Security 11 or later to the current version, MDR stops working with Kaspersky Endpoint Agent and becomes available for work with Kaspersky Endpoint Security. In this case:

  • Switching between Kaspersky Endpoint Agent and Kaspersky Endpoint Security is performed in quiet mode.
  • Kaspersky Endpoint Agent allows for configuring settings for interaction with MDR, but these settings are not applied on the device.
  • If Kaspersky Endpoint Security is not available (for example, you uninstalled the application), MDR can start working with Kaspersky Endpoint Agent if you restart the Kaspersky Endpoint Agent service.
  • The Managed Detection and Response component remains in the Running status in Kaspersky Endpoint Agent settings on the device, since Kaspersky Endpoint Agent continues to communicate with MDR (for example, to resume working with the solution if necessary).


Configuring storage settings in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section describes how to configure the quarantine settings and data synchronization settings with the Administration Server by means of Kaspersky Endpoint Agent Management plug-in.

See also

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent security settings

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Configuring Kaspersky Endpoint Agent policy type

Configuring KSN usage in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring failure diagnosis

In this section

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server


About Kaspersky Endpoint Agent quarantine

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Quarantine is a special local repository on the device. The user can put files considered dangerous to the computer into quarantine. Quarantined files are stored in an encrypted form and therefore do not compromise your device's security.

By default, the local quarantine is located in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Quarantine folder. By default, the objects restored from quarantine are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Restored folder.

Kaspersky Security Center generates a common list of quarantined objects on devices with Kaspersky Endpoint Agent installed. Network Agents on the devices submit information about quarantined files to the Administration Server.

Kaspersky Security Center Network Agent does not copy files from quarantine to the Administration Server. All objects are stored on protected devices with Kaspersky Endpoint Agent installed. Objects are restored from the quarantine also on the protected devices.

See also

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server


About quarantine management in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can use Kaspersky Security Center to configure quarantine settings, view the properties of the quarantined objects on the protected devices, delete quarantined objects, and restore objects from Quarantine. For detailed information on managing the quarantined objects using Kaspersky Security Center, refer to Kaspersky Security Center documentation.

In order for Kaspersky Endpoint Agent to send data about quarantined objects to Kaspersky Security Center Administration Server, the corresponding option must be enabled in the quarantine settings in Kaspersky Endpoint Agent policy. This option is enabled by default.

Using the command line interface on the device, you can view information about quarantine settings and properties of the quarantined objects.

Kaspersky Endpoint Agent quarantines objects under the system account (SYSTEM).

Quarantined objects can be removed using the command line interface only with the permissions of the local account of the protected device user.

See also

About Kaspersky Endpoint Agent quarantine

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server


Configuring quarantine settings and restoration of objects from quarantine

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure quarantine settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Select the policy you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.
  4. In the Repositories section select the Quarantine subsection.
  5. In the Quarantine settings section configure the quarantine settings:
    1. In the Quarantine folder field, enter the path to where you want to create the Quarantine folder on the devices or click Browse and select the path.

      The default path is %SOYUZAPPDATA%\Quarantine\. The Quarantine folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

      The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed.

      Example:

      If the device has the Windows 7 operating system installed and Kaspersky Endpoint Agent is installed on drive C, the path to the Quarantine folder will be:

      C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Quarantine

    2. To configure the maximum quarantine size, select the Maximum Quarantine size (MB) check box and specify the maximum size of quarantine in megabytes or select it from the list.

      For example, you can set the maximum quarantine size to 200 MB.

      When the maximum quarantine size is reached, Kaspersky Endpoint Agent will publish the corresponding event on Kaspersky Security Center server and in the Windows Event Log, but will not stop quarantining new objects.

    3. To specify the quarantine threshold (the space in quarantine remaining until the maximum quarantine size is reached), select the Threshold value for space available (MB) check box.

      For example, you can set the quarantine threshold value to 50 MB.

      When the quarantine threshold is reached, Kaspersky Endpoint Agent will publish the corresponding event on the Kaspersky Security Center server and in the Windows Event Log, but will not stop quarantining new objects.

  6. In the Restoring objects from Quarantine section, in the Target folder for restored objects field, specify the path to create the folder for objects restored from quarantine.

    The default path is %SOYUZAPPDATA%\Restored\. The Restored folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

    The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed.

    Example:

    If the device has the Windows 7 operating system installed and Kaspersky Endpoint Agent is installed on drive C, the path to the folder with the objects restored from quarantine will be:

    C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Restored

  7. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  8. Click Apply and OK.

The quarantine settings and the folder for restoring objects from quarantine have been configured.

See also

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring data synchronization with the Administration Server


Configuring data synchronization with the Administration Server

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can configure synchronization of data on quarantined objects on managed devices with Kaspersky Security Center Administration Server.

To configure data synchronization with the Administration Server:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Repositories section select the Synchronization with Administration Server subsection.
  3. Select the Data about quarantined objects on managed devices option.
  4. Click OK.
  5. Click the Save button.

Data synchronization with the Administration Server is configured.

See also

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine


Configuring failure diagnosis

Kaspersky Endpoint Agent does not automatically create a folder for storing trace or dump files on the device. Specify a folder that is already available on the device.

To configure failure diagnosis:

  1. Open the application properties window for an individual device.
    1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
    2. Select the device.
    3. In the <Device name> window that opens, select the Applications tab.
    4. Select Kaspersky Endpoint Agent.
    5. In the window that opens, select the Application settings tab.
  2. In the Application settings section select the Failure diagnosis subsection.
  3. To enable logging of debug information to the trace files:
    1. Enable the Write debug information to trace files option.
    2. In the Trace files folder field, specify the path to the folder on the device where the application saves the trace files.

      Make sure that the specified folder is available on the managed device. Otherwise, the debug information will not be saved.

    3. In the Maximum trace file size (MB) field, specify the file size in megabytes.

      The default value is 50 MB. When the specified file size is reached, the application continues writing to a new file.

  4. If you want the application to overwrite old trace files:
    1. Enable the Overwrite old trace files option.
    2. Enter the desired value in the Maximum number of files per trace log field.

      The default value is 1 file. When the specified number of files is reached, the application overwrites old files, starting with the oldest one. The specified limit is applied separately for each Kaspersky Endpoint Agent process being debugged, so the total number of files for all processes may exceed the specified value.

  5. To enable logging of dump files:
    1. Enable the Create dump files option.
    2. In the Dump files folder field, specify the folder to save the dump files.

      Make sure that the specified folder is available on the managed device. Otherwise, the debug information will not be saved.

  6. Click OK.

Failure diagnostics is configured and enabled for all Kaspersky Endpoint Agent processes that are currently running. Failure diagnostics files will be generated in the folders you specified.


Creating tasks

To create a task:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. Click the Add button.

    The task creation wizard will start.

  3. In the Application drop-down list, select Kaspersky Endpoint Agent.
  4. In the Task type drop-down list, select the required task type and follow the wizard instructions.
  5. To change the default values of the task settings immediately after its creation, select the Open task details when creation is complete check box on the Finish task creation page.

    If you do not select this check box, the task will be created with the default settings. You can subsequently change these settings at any time for the following task types:

  6. Click Finish.

The task will be created and displayed in the list of tasks.

You can start the created task manually or configure a scheduled task start.


Viewing the table of tasks

To view the list of tasks,

select Devices → Tasks in the main Web Console window.

A list of tasks appears. The tasks are grouped by the names of the applications for which they are created.


Deleting a task from the list

To remove tasks from the list of tasks on Kaspersky Security Center server:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.

    A list of tasks appears.

  2. In the list of tasks, select the check boxes next to the tasks that you want to delete.
  3. Click the Delete button.

    The action confirmation window opens.

  4. Click Yes.

The selected tasks will be deleted from the list.


Configuring task schedule settings

To configure the scheduled task start:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. On the Schedule tab in the General section, change the toggle button from Schedule disabled to Run by schedule.
  4. In the Frequency drop-down list select one of the following options: At specified time, Every hour, Every day, Every week or On application launch.
  5. If you select the At specified time option, specify the day and time to start the task.
  6. If you select one of the following options: Every hour, Every day or Every week, configure the following settings:
    1. In the Every field, specify the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
    2. In the Start time and Start date fields, select the date and time from which the schedule applies.
  7. To configure advanced schedule settings, select the Advanced section and perform the following steps:
    1. If you want to set a maximum duration for task execution, select the Quit task, running longer than check box and specify the number of hours and minutes after which the task is terminated automatically.
    2. If you want the task schedule to be valid only until a certain date, select the Cancel schedule from check box and specify the expiration date of the schedule.
    3. If you want the application to start, as soon as possible, any tasks that were not run on time, select the Run missed tasks check box.
    4. If you want to avoid a large number of devices accessing the Administration Server at the same time, so that the task starts on workstations not exactly on schedule but at a random moment within a certain interval, select the Randomize the task start time within the interval check box and specify the interval in minutes.
  8. Click the Save button.


Starting tasks manually

The application starts tasks according to the schedule specified in the properties of each task. You can start the task manually at any time.

To start a task manually:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. In the list of tasks, select the check box next to the task that you want to start.
  3. Click Start.

The task will be started. You can check the task status in the Status column or by clicking the Result button.


Creating Kaspersky Endpoint Agent activation tasks

You can activate Kaspersky Endpoint Agent using a license key from the Kaspersky Security Center key store. For detailed information on managing license keys using Kaspersky Security Center, refer to the Kaspersky Security Center Help.

To create Kaspersky Endpoint Agent activation task:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. Click the Add button.

    The task creation wizard will start.

  3. In the Application drop-down list, select Kaspersky Endpoint Agent.
  4. In the Task type drop-down list, select Application activation.
  5. In the Task name field, specify the display name of the task.
  6. To create a task for devices of a specific Administration Server group, perform the following actions:
    1. In the Selecting devices to which the task is assigned group of settings, select the Group of devices option and click Next.
    2. Select the desired Administration Server group and click Next.
  7. To create a task for specific devices using a range of IP addresses, NetBIOS names, DNS names, or to select devices from the list of devices detected in the network by the Administration Server, perform the following actions:
    1. In the Selecting devices to which the task is assigned group of settings, select the Selected or imported from the list option and click Next.
    2. Add devices to the list by the required criteria and click Next.
  8. To create a task for devices of a specific selection, perform the following actions:
    1. In the Selecting devices to which the task is assigned group of settings, select the Selection option and click Next.
    2. Select the desired selection from the list and click Next.
  9. In the Select a license key window, select the required license key from the list of Kaspersky Security Center keys available in the key storage.
  10. If you want to add this license key as an additional one to automatically renew the license, select the Use as additional key check box.
  11. Click Next.
  12. In the Selecting an account to run a task window, select the desired account and click Next.
  13. To change the default values of the task settings immediately after its creation, select the Open task details when creation is complete check box on the Finish task creation page.
  14. Click Finish.

The task will be created and displayed in the list of tasks.

You can start the created task manually or configure a scheduled task start.


Configuring Database and application module update task

The task is created beforehand, as a separate step.

If you selected the Open task details when creation is complete check box on the Finish task creation page during the task creation, proceed to step 4 of the following instruction.

To configure the Database and application module update task settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. Select the Connection settings section.
  5. If you use Kaspersky Security Center, in the Update source group of settings, select one of the following options:
    • Kaspersky Security Center Administration Server.
    • Kaspersky update servers.
    • Custom HTTP or FTP servers or network folders.
  6. If you use Kaspersky Security Center Cloud Console, in the Update source group of settings, select one of the following options:
    • Distribution points. Devices with Network Agent installed are used as the update source.

      Detailed information on using the distribution points is available in the Kaspersky Security Center Cloud Console Help.

    • Kaspersky update servers. Kaspersky update servers are used as the update source.
  7. If required, select the Use Kaspersky update servers if specified servers are not available check box.

    Not available in Kaspersky Security Center Cloud Console.

  8. If you select Custom HTTP or FTP servers or network folders as database update source, do the following:

    Not available in Kaspersky Security Center Cloud Console.

    1. Click the Settings link to open the Custom update sources window.
    2. Add the update sources to the list by following these steps:
      1. Click the Add button.
      2. In the dialog box that opens, in the Web address field, enter the address of the update server (HTTP or FTP), or the path to the network folder or local folder containing the update files, and click OK.
      3. If you want to use the database update source, switch the toggle button next to its address to Enable.

        Follow the same steps to add each update source.

      4. Click OK.

        The Custom update sources window closes.

  9. Select the Update settings section.
  10. In the Update settings section, select the conditions for the application to check for the availability of application module updates:
    • Do not check for updates. Kaspersky Endpoint Agent will not check the availability of application module updates.
    • Only check for availability of critical software modules updates. Kaspersky Endpoint Agent will check the availability only for important application module updates.
    • Download and install critical software modules updates. Kaspersky Endpoint Agent will check the availability of application module updates and download and install critical application module updates.
  11. If you want the application to display a notification about all scheduled application modules updates available in the update source, select the Receive information about available scheduled application module updates check box.
  12. Click the Save button.

You can start the created task manually or configure a scheduled task start.

See also

Creating tasks

Viewing the table of tasks

Deleting a task from the list

Configuring task schedule settings

Starting tasks manually

Creating Kaspersky Endpoint Agent activation tasks

Managing Standard IOC Scan tasks

Configuring the Quarantine file task

Configuring the Delete file task

Configuring the Run process task

Configuring the Terminate process task


Managing Standard IOC Scan tasks

Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

This section provides instructions on how to manage Standard IOC Scan tasks.

See also

Creating tasks

Viewing the table of tasks

Deleting a task from the list

Configuring task schedule settings

Starting tasks manually

Creating Kaspersky Endpoint Agent activation tasks

Configuring Database and application module update task

Configuring the Quarantine file task

Configuring the Delete file task

Configuring the Run process task

Configuring the Terminate process task

In this Help section

Requirements for IOC files

Supported IOC terms

Configuring Standard IOC Scan task

Viewing IOC Scan task execution results


Requirements for IOC files

When creating IOC Scan tasks, consider the following requirements and limitations related to IOC files:

  • Kaspersky Endpoint Agent supports IOC files with the ioc and xml extensions. These files use the open OpenIOC standard for describing indicators of compromise, versions 1.0 and 1.1.
  • Only files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
  • If some of the IOC files you upload when creating the IOC Scan task are not supported by Kaspersky Endpoint Agent, the application uses only the supported IOC files when the task starts.
  • If none of the IOC files uploaded when creating the IOC Scan task is supported by Kaspersky Endpoint Agent, the task can still be started, but its execution detects no indicators of compromise.
  • Semantic errors, and IOC terms and tags that the application does not support, do not cause task execution errors; the application simply detects no matches in such sections of the IOC files.
  • The identifiers of all IOC files used in the same IOC Scan task must be unique. IOC files with the same identifier can make the task execution results incorrect.
  • The size of a single IOC file must not exceed 3 MB; larger files cause the IOC Scan task to fail. The total size of all files added to the IOC collection may, however, exceed 3 MB.
  • It is recommended to create one IOC file per threat, which makes the IOC Scan task results easier to read.

The table below shows the features and limitations of the OpenIOC standard supported by the application.

Features and limitations of the OpenIOC standard versions 1.0 and 1.1

Supported conditions
  • OpenIOC 1.0: is, isnot (as an exclusion from the set), contains, containsnot (as an exclusion from the set)
  • OpenIOC 1.1: is, contains, starts-with, ends-with, matches, greater-than, less-than

Supported condition attributes
  • OpenIOC 1.1: preserve-case, negate

Supported operators
  • AND, OR

Supported data types
  • date: date (applicable conditions: is, greater-than, less-than)
  • int: integer number (applicable conditions: is, greater-than, less-than)
  • string: string (applicable conditions: is, contains, matches, starts-with, ends-with)
  • duration: duration in seconds (applicable conditions: is, greater-than, less-than)

Data types interpretation details
  • The following data types are interpreted as string: Boolean string, restricted string, md5, IP, sha256, base64Binary.
  • The application supports interpretation of the Content parameter specified as an interval for the int and date data types:
    • OpenIOC 1.0: using the TO operator in the Content field, for example:

      <Content type="int">49600 TO 50700</Content>

      <Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>

      <Content type="int">[154192 TO 154192]</Content>

    • OpenIOC 1.1: using the greater-than and less-than conditions, or using the TO operator in the Content field.
  • The application supports interpretation of the date and duration data types if the indicators are specified in the ISO 8601 format, Zulu time zone (UTC).

Supported IOC terms
  • The full list of supported IOC terms is provided in a separate table.
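As an added example (not Kaspersky's code and not part of this Help), the following Python script applies the requirements listed above to a set of IOC files before they are added to an IOC Scan task: the ioc/xml extension and the 3 MB per-file limit, unique file identifiers across the collection, the supported conditions per OpenIOC version, the condition-to-data-type mapping, and the TO interval syntax for int and date Content. The two namespace URIs used to tell OpenIOC 1.0 from 1.1 are an assumption (they are the standard OpenIOC namespaces, not something the page states), and the sample files, including the hypothetical rules.yar entry, are constructed. Findings are graded the way the Help describes them: unsupported files are errors (the task would fail or ignore them), while unsupported conditions or terms are only warnings, because such branches simply never match.

```python
"""Pre-flight checks for an IOC collection, encoding the limits stated in the Help (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MAX_IOC_FILE_BYTES = 3 * 1024 * 1024
SUPPORTED_EXTENSIONS = {".ioc", ".xml"}
# Assumption: the standard OpenIOC namespace URIs identify the version (they are not on the page).
VERSION_BY_NS = {"http://schemas.mandiant.com/2010/ioc": "1.0",
                 "http://openioc.org/schemas/OpenIOC_1.1": "1.1"}
SUPPORTED_CONDITIONS = {"1.0": {"is", "isnot", "contains", "containsnot"},
                        "1.1": {"is", "contains", "starts-with", "ends-with", "matches",
                                "greater-than", "less-than"}}
ORDERED = {"is", "greater-than", "less-than"}  # conditions applicable to date, int, duration
CONDITIONS_BY_TYPE = {"date": ORDERED, "int": ORDERED, "duration": ORDERED,
                      "string": {"is", "contains", "matches", "starts-with", "ends-with"}}
STRING_LIKE = {"string", "Boolean string", "restricted string", "md5", "IP", "sha256", "base64Binary"}
INTERVAL_RE = re.compile(r"^\[?\s*([^\s\[\]]+)\s+TO\s+([^\s\[\]]+)\s*\]?$")

def _scalar(value, ctype):
    """Parse one int/duration or one ISO 8601 Zulu date; ValueError for anything else."""
    if ctype in ("int", "duration"):
        return int(value)
    if ctype == "date":
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"type {ctype!r} has no ordered interpretation")

def parse_interval(text, ctype):
    """Parse '<lo> TO <hi>' (optionally bracketed) for int/date Content; None if invalid."""
    m = INTERVAL_RE.match(text.strip())
    if not m or ctype not in ("int", "date"):
        return None
    try:
        lo, hi = _scalar(m.group(1), ctype), _scalar(m.group(2), ctype)
    except ValueError:
        return None
    return (lo, hi) if lo <= hi else None

def check_ioc_file(name, data):
    """Findings for one file: errors make it unusable, warnings mark branches that never match."""
    f = {"name": name, "id": None, "version": None, "documents": set(), "items": 0,
         "errors": [], "warnings": []}
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in SUPPORTED_EXTENSIONS:
        f["errors"].append(f"extension {ext!r} is not .ioc or .xml")
    if len(data) > MAX_IOC_FILE_BYTES:
        f["errors"].append("file exceeds 3 MB; the IOC Scan task would fail")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        f["errors"].append(f"not well-formed XML: {exc}")
        return f
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    f["version"], f["id"] = VERSION_BY_NS.get(ns), root.get("id")
    if f["version"] is None or not f["id"]:
        f["errors"].append(f"unknown OpenIOC namespace {ns!r} or missing root id")
        return f
    for item in root.iter(f"{{{ns}}}IndicatorItem"):
        f["items"] += 1
        ctx, content = item.find(f"{{{ns}}}Context"), item.find(f"{{{ns}}}Content")
        if ctx is not None and ctx.get("document"):
            f["documents"].add(ctx.get("document"))  # drives the "IOC documents" selection
        cond, iid = item.get("condition", ""), item.get("id")
        if cond not in SUPPORTED_CONDITIONS[f["version"]]:
            f["warnings"].append(f"item {iid}: condition {cond!r} unsupported in OpenIOC {f['version']}")
            continue
        ctype = content.get("type", "string") if content is not None else "string"
        text = (content.text or "").strip() if content is not None else ""
        base = {"isnot": "is", "containsnot": "contains"}.get(cond, cond)  # 1.0 exclusions
        norm = "string" if ctype in STRING_LIKE else ctype
        if norm not in CONDITIONS_BY_TYPE:
            f["warnings"].append(f"item {iid}: data type {ctype!r} is not interpreted")
        elif base not in CONDITIONS_BY_TYPE[norm]:
            f["warnings"].append(f"item {iid}: {cond!r} is not applicable to type {ctype!r}")
        elif INTERVAL_RE.match(text) and parse_interval(text, norm) is None:
            f["warnings"].append(f"item {iid}: interval {text!r} is not valid for {ctype!r}")
    return f

def check_collection(files):
    """files: iterable of (name, bytes). Returns (all findings, findings of usable files)."""
    results = [check_ioc_file(n, d) for n, d in files]
    first_seen = {}
    for r in results:
        if r["id"] in first_seen:
            r["warnings"].append(f"id {r['id']} also used by {first_seen[r['id']]}; results may be wrong")
        elif r["id"]:
            first_seen[r["id"]] = r["name"]
    return results, [r for r in results if not r["errors"]]

# Constructed sample collection: a 1.1 file, a 1.0 file that reuses its id, and a non-IOC rule file.
SAMPLE_1_1 = b"""<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="00000000-0000-0000-0000-000000000001">
<criteria><Indicator operator="OR" id="i1">
<IndicatorItem id="a" condition="is"><Context document="FileItem" search="FileItem/SizeInBytes"/><Content type="int">[49600 TO 50700]</Content></IndicatorItem>
<IndicatorItem id="b" condition="begins-with"><Context document="EventLogItem" search="EventLogItem/Message"/><Content type="string">constructed</Content></IndicatorItem>
</Indicator></criteria></OpenIOC>"""
SAMPLE_1_0 = b"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
<definition><Indicator operator="AND" id="i2">
<IndicatorItem id="c" condition="is"><Context document="FileItem" search="FileItem/Created"/><Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content></IndicatorItem>
<IndicatorItem id="d" condition="containsnot"><Context document="FileItem" search="FileItem/FilePath"/><Content type="string">Temp</Content></IndicatorItem>
</Indicator></definition></ioc>"""
SAMPLE_FILES = [("sample-1.1.ioc", SAMPLE_1_1), ("sample-1.0.xml", SAMPLE_1_0),
                ("rules.yar", b"rule constructed { condition: true }")]
```

Run check_collection over the files you intend to upload and review both lists: a collection with no usable files can still be started as a task but reports no indicators, which is exactly the silent outcome the requirements list above warns about, and the documents set tells you which data types (IOC documents) the task will need to analyze.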

See also

Supported IOC terms

Configuring Standard IOC Scan task

Viewing IOC Scan task execution results


Supported IOC terms

The file available at the following link contains a table with the full list of OpenIOC terms supported by the application.

DOWNLOAD IOC_TERMS.XLSX FILE


Configuring Standard IOC Scan task

The task is created beforehand, as a separate step.

If you selected the Open task details when creation is complete check box on the Finish task creation page during the task creation, proceed to step 4 of the following instruction.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To configure the Standard IOC Scan task settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. In the IOC scan settings section, configure the IOC collection by following these steps:
    1. In the IOC collection group of settings click the Redefine IOC files button.
    2. In the dialog that opens, click the Add IOC files button and specify the IOC files that you want to use for the task.

      You can select multiple IOC files for a single IOC Scan task.

    3. Click OK to close the dialog box.

      If some of the IOC files you upload when creating the IOC Scan task are not supported by Kaspersky Endpoint Agent, the application uses only the supported IOC files when the task starts.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to obtain information about each IOC file, do the following:
      1. Click the link with the names of all downloaded IOC files in the IOC files group of settings.

        The IOC contents window opens.

      2. To view detailed information about an individual IOC file, click the name of the required IOC file in the list of files on the IOC collection tab.

        In the window that opens, information about the selected IOC file will be displayed.

      3. To close the window with information about the selected IOC file, click OK or Cancel.
      4. To view information about all downloaded IOC files at once, open the IOC data tab.

        Information about each downloaded IOC file will be displayed in the workspace of the window.

      5. If you do not want to use a specific IOC file when the IOC Scan task is executed, on the IOC collection tab, switch the toggle button next to the IOC file name from Include to Exclude.
      6. Click OK to save the changes and close the IOC contents window.
    5. To export the created IOC collection, click the Export IOC collection button.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    6. Click the Save button.

      The application creates a ZIP file in the specified folder.

    7. In the Retrospective IOC scan group of settings configure the settings for Retrospective IOC scan mode:
      1. In the Retrospective IOC Scan group of settings enable the Perform Retrospective IOC Scan within the interval option.
      2. Specify the time interval.

        During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.

        If, while the IOC Scan task runs with the Perform Retrospective IOC Scan within the interval option enabled, the application finds no data to analyze for the specified time interval, it does not report this. In this case, the task completion report shows no indicators of compromise.

    8. In the Actions group of settings, configure the response actions on detecting the indicator of compromise:
      1. Select the Take response actions after an indicator of compromise is found check box.
      2. Select the Isolate device from the network check box to enable network isolation of the device on which Kaspersky Endpoint Agent detects an indicator of compromise.
      3. Select the Quarantine and delete check box to quarantine the detected object and remove it from the device.
      4. Select the Run critical areas scan on the device check box so that Kaspersky Endpoint Agent sends a command to the EPP application to scan critical areas on all devices of the administration group on which indicators of compromise are detected.

      If the Quarantine and delete or Run critical areas scan option is enabled, Kaspersky Endpoint Agent may recognize the detected files as infected and delete them from the device in response.

    9. In the Protection of critical system files group of settings, select the Do not perform actions on critical system files check box if you want to protect critical system files from being quarantined or deleted when an indicator of compromise is detected.

      The option is available only if the Quarantine and delete option is selected in the Actions group of settings.

      If this option is selected and an object is a critical system file, the application does not perform any actions on this object. This information is logged in the task execution report.

  5. In the Advanced section, select data types (IOC documents) that you want to analyze during the task execution and configure the additional scan settings:
    1. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance with the contents of the loaded IOC files. Clearing data types manually is not recommended.

    2. If the Analyze file data (FileItem) check box is selected, click the Advanced (FileItem) link and in the FileItem document scan settings window that opens, select the scan areas on the protected device drives where to look for indicators of compromise.

      You can select one of the predefined areas, or specify the paths to the desired areas manually.

    3. Click OK to save the changes and close the FileItem document scan settings window.
    4. If the Analyze WEL data (EventLogItem) check box is selected, click the Advanced (EventLogItem) link and in the EventLogItem document scan settings window that opens, configure additional event analysis settings:
      • Scan only events that are logged within the specified period.

        If the check box is selected, only the events that were logged during the specified period will be taken into account during the task's execution.

      • Scan events that belong to the following channels.

        List of channels to be analyzed during the task's execution.

    5. Click OK to save the changes and close the EventLogItem document scan settings window.
  6. Click the Save button.

You can start the created task manually or configure a scheduled task start.


Viewing IOC Scan task execution results

To view the IOC Scan task execution results:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. Select the IOC Scan results section.
  5. In the Device drop-down list, select the devices for which you want to view the IOC Scan task results.

    A summary table with the task execution results on the selected devices will be displayed.

    If compromise indicators are detected on devices, the Results column displays the compromise indicators detected link.

  6. If you want to view detailed information on the detected compromise indicators on a specific device, do the following:
    1. Click the compromise indicators detected link in the row with the name of the desired device.

      The IOC Scan results window opens that contains a list of all IOC files used in the task. If there is an object on the selected device that matches a certain compromise indicator, the Status column displays the Match value.

    2. Click the Match link in the row with the name of the desired IOC file.

      The IOC incident card window opens.

      The IOC incident card contains information about objects on the device that match the conditions of the processed IOC file, as well as the text of the matched branches or individual conditions from this IOC file.

      Viewing the IOC incident card is not available for IOC files for which no matches were detected on the device during scanning.

See also

Requirements for IOC files

Supported IOC terms

Configuring Standard IOC Scan task


Configuring the Quarantine file task

If you suspect that an infected or probably infected file is on the computer, you can isolate it by moving it to quarantine.

Creating the task is a separate step that you perform beforehand.

If you selected the Open task details when creation is complete check box on the Finish task creation page during the task creation, proceed to step 4 of the following instruction.

To configure the Quarantine file task settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. In the Specify the file to be Quarantined drop-down list, select one of the following values: Specify the file by its full path or Specify the file by folder path and checksum.
  5. If you selected Specify the file by its full path, specify the value in the File full path field.
  6. If you selected Specify the file by folder path and checksum, configure the following settings:
    • In the Checksum type drop-down list, select one of the following values: MD5 or SHA256.
    • Specify the value in the File checksum field.
    • Specify the value in the File folder path field.
  7. In the Actions after quarantining file group of settings, select whether the file must be deleted from the protected device after quarantining.

    If the file is locked by another process, the file will only be deleted after the device has been rebooted.

  8. In the Protection of critical system files group of settings, select the Do not perform actions on critical system files check box if you want to exclude critical system files from the task scope.

    If this option is selected and an object is a critical system file, the application does not perform any actions on this object. This information is logged in the task execution report.

  9. Click the Save button.

You can start the created task manually or configure a scheduled task start.

If the file is locked by another process, the task will be displayed with the Completed status, but the file itself will only be quarantined after the device has been restarted. It is recommended to check whether the task was completed successfully after the device has been restarted.

The Quarantine file task may fail with the Access denied error if you try to quarantine an executable file that is currently running. To solve this problem, create the Terminate process task for this file and try to create a Quarantine file task again.
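The following PowerShell function is an added example; it is not part of the Kaspersky documentation or product. It prepares the values for the Specify the file by folder path and checksum option of the Quarantine file task (the Delete file task takes the same fields) and reports whether any running process was started from that file, since the task fails with Access denied for a running executable and a Terminate process task must be run first. The function name and the sample path in the usage line are the example's own; the comparison of process image paths is case-insensitive, unlike a Terminate process task with the Path is case sensitive check box selected.

```powershell
# Added example (not Kaspersky's code). Run from an elevated PowerShell session on the protected device.
function Get-QuarantineTaskInput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,                             # file you suspect
        [ValidateSet('MD5', 'SHA256')] [string] $ChecksumType = 'SHA256'   # the two checksum types the task accepts
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Get-FileHash returns the checksum as an upper-case hex string.
    $checksum = (Get-FileHash -LiteralPath $file.FullName -Algorithm $ChecksumType).Hash

    # A Quarantine file task fails with "Access denied" if the file is the image of a running
    # process, so find such processes: they are the targets for a preceding Terminate process task.
    # Win32_Process.ExecutablePath is used instead of Get-Process.Path because it does not require
    # opening a handle to every process.
    $running = Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $file.FullName) } |
        Select-Object -ExpandProperty ProcessId

    [pscustomobject]@{
        FileFullPath   = $file.FullName            # "Specify the file by its full path" option
        FileFolderPath = $file.DirectoryName       # "File folder path" field
        ChecksumType   = $ChecksumType             # "Checksum type" drop-down list
        FileChecksum   = $checksum                 # "File checksum" field
        RunningPids    = @($running)               # non-empty: run a Terminate process task first
        NeedsTerminate = (@($running).Count -gt 0)
    }
}

# Usage (assumed path; replace with the file you want to quarantine):
# Get-QuarantineTaskInput -Path 'C:\Users\Public\suspicious.exe' -ChecksumType SHA256
```

If NeedsTerminate is true, create the Terminate process task with the FileFullPath and FileChecksum values shown, wait for it to complete, and only then run the Quarantine file task.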


Configuring the Delete file task

Creating the task is a separate step that you perform beforehand.

If you selected the Open task details when creation is complete check box on the Finish task creation page during the task creation, proceed to step 4 of the following instruction.

To configure the Delete file task settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. In the File to delete list, click the Add button.

    The File to delete dialog box opens.

  5. In the Specify the file to delete drop-down list, select one of the following values: Specify the file by its full path or Specify the file by its folder path and checksum.
  6. If you selected Specify the file by its full path, specify the value in the File full path field.
  7. If you selected Specify the file by its folder path and checksum, configure the following settings:
    • In the Checksum type drop-down list, select one of the following values: MD5 or SHA256.
    • Specify the value in the File checksum field.
    • Specify the value in the File folder path field.
    • Select the Including subfolders check box for the application to delete all occurrences of the object not only in the specified folder, but also in all its subfolders.
  8. Click OK to add the specified object to the File to delete list.

    You can specify several objects for deletion in one Delete file task.

  9. In the Protection of critical system files group of settings, select the Do not perform actions on critical system files check box if you want to exclude critical system files from the task scope.

    If this option is selected and an object is a critical system file, the application does not perform any actions on this object. This information is logged in the task execution report.

  10. Click the Save button.

You can start the created task manually or configure a scheduled task start.

If the file is locked by another process, the task will be displayed with the Completed status, but the file itself will only be deleted after the device has been restarted. It is recommended to check whether the file was deleted successfully after the device has been restarted.

Deleting a file from a connected network drive is not supported.


Configuring the Run process task

Using the Run process task, you can run the required application or command on the device.

Creating the task is a separate step that you perform beforehand.

If you selected the Open task details when creation is complete check box on the Finish task creation page during the task creation, proceed to step 4 of the following instruction.

To configure the Run process task settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. To run the application via the command line interpreter (cmd.exe) or to execute a command, type the command in the Executable command field.
  5. To run the application directly, do the following:
    1. Specify the path to the application executable file in the Working folder field.
    2. Specify the keys (command-line switches) for running the application in the Arguments field.
  6. Click the Save button.

You can start the created task manually or configure a scheduled task start.


Configuring the Terminate process task

If you believe that a process running on the device could threaten the security of the device or the corporate LAN, you can terminate the process.

Creating the task is a separate step that you perform beforehand.

If you selected the Open task details when creation is complete check box on the Finish task creation page during the task creation, proceed to step 4 of the following instruction.

To configure the Terminate process task settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
  2. To open the task settings window, click the task name.
  3. Select the Application settings tab.
  4. In the File full path field specify the path to the file of the process that you want to terminate.
  5. In the Checksum type drop-down list, select one of the following values: Not specified, MD5 or SHA256.
  6. If you select MD5 or SHA256, specify the value in the Checksum field.
  7. If you want the application to consider the character case in the path to the process file, select the Path is case sensitive check box.
  8. In the Protection of critical system files group of settings, select the Do not perform actions on critical system files check box if you want to exclude critical system files from the task scope.

    If this option is selected and an object is a critical system file, the application does not perform any actions on this object. This information is logged in the task execution report.

  9. Click the Save button.

You can start the created task manually or configure a scheduled task start.


Managing Kaspersky Endpoint Agent using the command line interface

Kaspersky Endpoint Agent can be managed using the command line interface. The command line interface is provided by the Agent.exe utility, which is included in the Kaspersky Endpoint Agent distribution kit and is installed on each device together with Kaspersky Endpoint Agent. It is installed in the %ProgramFiles%\Kaspersky Lab\Endpoint Agent folder on a 32-bit operating system or in the %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent folder on a 64-bit operating system.

Example:

If the device is running a 64-bit Windows operating system and you selected drive C as the installation location for Kaspersky Endpoint Agent, the Agent.exe utility is placed in the following folder:

C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\

To manage Kaspersky Endpoint Agent using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Type the following command: agent.exe --<application setting you want to configure>=<action on the setting you want to execute> and press ENTER.

    The command execution result (return code) will be displayed.

To display help on all the application settings and their possible values, run the following command: agent.exe --help

In this Help section

Managing Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent authentication

Configuring tracing

Configuring creating a dump of Kaspersky Endpoint Agent processes

Viewing information about quarantine settings and quarantined objects

Actions on quarantined objects

Managing integration settings with KATA Central Node component

Running Kaspersky Endpoint Agent database and module update

Starting, stopping and viewing the current application status

Protecting the application with password

Protecting application services with PPL technology

Managing self-defense settings

Managing event filtering

Managing Standard IOC Scan tasks

Managing scanning of files and processes according to YARA rules

Managing scanning of autorun point objects according to YARA rules

Creating a memory dump

Creating a disk dump


Managing Kaspersky Endpoint Agent activation

To manage application activation through the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter one of the following commands and press ENTER:
    • To activate the application using the activation code or key file:

      agent.exe --license=add <activation code or path to the key file>

      To activate the application using the activation code, the protected device must be connected to the Internet.

    • To specify an additional key to automatically renew the license:

      agent.exe --license=reserve <activation code or path to the key file>

    • To remove an added primary or additional key:

      agent.exe --license=delete <key serial number>

    • To view the status of added keys:

      agent.exe --license=show

Return codes of the --license command:

  • 2 – undefined application error.
  • 4 – syntax error.
  • -301 – the added key is not suitable for activating Kaspersky Endpoint Agent.
  • -302 – the added key is in the deny list.
  • -303 – the key file is damaged.
  • -304 – an invalid path to the key file was specified.
  • -305 – the added key has expired.

Managing Kaspersky Endpoint Agent authentication

To manage application authentication using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.

  3. Run the following command and press Enter:

    agent.exe --proxy={enable|disable|show} --mode={auto|custom} --server=<proxy server address> --port=<port number> --use-auth={yes|no} --proxy-user=<user name> --proxy-password=<user password> --bypass-local={yes|no}

The authentication parameters are described in the following table.

Authentication parameters

Parameters

Description

--proxy={enable|disable|show}

Required parameter.

This parameter controls the connection to the proxy server.
The following values are available:

enable – enables proxy server usage.

disable – disables proxy server usage.

show – displays the current proxy server usage settings.

The specified proxy server will be used to work with Kaspersky Security Network and to update databases.

The settings of the specified proxy server can be used for integration with other statistics collection systems. The use of the specified proxy server must be separately enabled in the integration settings.

--mode={auto|custom}

Required parameter.

This parameter sets the proxy server configuration mode.
The following values are available:

auto – automatic detection of the proxy server.

custom – manual configuration of the proxy server access parameters.

--server=<proxy server address>

Required parameter.

Specifies the proxy server address.

--port=<port number>

Required parameter.

Specifies the proxy server connection port.

--use-auth={yes|no}

Optional parameter.

This parameter indicates whether proxy server authentication is required.
The following values are available:

yes – user name and password must be specified to connect to the proxy server.

no – connection to the proxy server is possible without specifying a user name and password. Used by default.

--proxy-user=<user name>

Optional parameter.

Specifies the user name to connect to the proxy server. Empty by default.

--proxy-password=<user password>

Optional parameter.

Specifies the password to connect to the proxy server. Empty by default. Because the password is passed as a command-line argument, it is visible to other local processes while the command runs and may be recorded in the command history of the interpreter you use; run the command from an elevated session and avoid leaving it in scripts or history.

--bypass-local={yes|no}

Optional parameter.

This parameter controls whether connections to local addresses bypass the proxy server and are established directly.
Available values:

yes – connections to the addresses of the current local network will be established without a proxy server. Used by default.

no – connections to the addresses of the current local network and to external addresses will be established through a proxy server.


Configuring tracing

Kaspersky Endpoint Agent does not automatically create a folder for storing trace or dump files on the device. Specify a folder that is already available on the device.

To configure tracing in Kaspersky Endpoint Agent using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter one of the following commands and press ENTER:
    • agent.exe --trace=enable --folder <path to the folder where the trace files are to be saved> to enable tracing.

      Tracing will be enabled for all Kaspersky Endpoint Agent processes that are currently running. Trace files will be created in the folder you specified.

      Make sure that the specified folder is available on the managed device. Otherwise, trace files will not be created.

    • agent.exe --trace=enable --folder <path to the folder where the trace files are to be saved> --rotation=yes --rotate-file-size=<maximum file size, MB> --rotate-files-count=<maximum number of files> enables tracing and overwrites old trace files once the specified size and number of trace files are reached.

      The specified limit on the number of files is applied separately for each Kaspersky Endpoint Agent process being debugged, so the total number of files for all processes may exceed the specified value. If you do not specify the --rotate-file-size or --rotate-files-count parameters (one or both) with the --rotation=yes parameter, the application uses the default values. The default value is 1 file of 50 MB.

    • agent.exe --trace=disable disables tracing.

      Tracing will be disabled for all Kaspersky Endpoint Agent processes that are currently running.

    • agent.exe --trace=show shows the current tracing status and the path to the folder to save the trace files.

      The values of the trace.enable (true if tracing is enabled, false if tracing is disabled) and trace.folder (path to the folder) settings will be displayed.

Return codes of the --trace command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.
  • 5 – object not found (the specified path to the tracing logs folder is not found).
  • 9 – invalid operation (for example, an attempt to execute the --trace=disable command, if tracing is already disabled).
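The following PowerShell snippet is an added example, not code shipped with Kaspersky Endpoint Agent. It ties the Agent.exe invocation described in the command line interface section to the --trace=enable command above: it locates Agent.exe using the %ProgramFiles% / %ProgramFiles(x86)% rule from that section, creates the trace folder in advance because the application does not create it, restricts the folder to SYSTEM and Administrators (trace files describe the internal state of a security product and should not be readable by every local user; this restriction is the example's recommendation, not a requirement stated on the page), enables tracing with rotation, and translates the return code using the list above. The function and parameter names are the example's own, and the treatment of the process exit code as a signed 32-bit value via $LASTEXITCODE is an assumption.

```powershell
# Added example (not Kaspersky's code). Run from an elevated PowerShell session.

function Resolve-AgentExe {
    # Agent.exe is installed under %ProgramFiles% on 32-bit Windows and under
    # %ProgramFiles(x86)% on 64-bit Windows; try both and return the first that exists.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path -Path $root -ChildPath 'Kaspersky Lab\Endpoint Agent\Agent.exe'
        if (Test-Path -LiteralPath $exe) { return $exe }
    }
    throw 'Agent.exe was not found; is Kaspersky Endpoint Agent installed on this device?'
}

function ConvertFrom-AgentReturnCode {
    # Return codes documented for --trace (the same set is listed for --dump and --quarantine).
    param([Parameter(Mandatory)] [int] $Code)
    switch ($Code) {
        -1 { 'command is not supported' }
         0 { 'command successfully executed' }
         1 { 'required argument is not passed to the command' }
         2 { 'general error' }
         4 { 'syntax error' }
         5 { 'object not found (the specified trace folder does not exist)' }
         9 { 'invalid operation (for example, disabling tracing that is already disabled)' }
        default { "undocumented return code $Code" }
    }
}

function Protect-Folder {
    # Disable ACL inheritance and grant full control only to SYSTEM and Administrators.
    param([Parameter(Mandatory)] [string] $Folder)
    $acl = Get-Acl -LiteralPath $Folder
    $acl.SetAccessRuleProtection($true, $false)      # protected DACL, inherited ACEs dropped
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {  # well-known SIDs: SYSTEM, BUILTIN\Administrators
        $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

function Enable-AgentTracing {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [int] $MaxFileSizeMB = 50,   # documented defaults when --rotation=yes is used alone
        [int] $MaxFiles = 1
    )
    $exe = Resolve-AgentExe

    # The application does not create the trace folder itself (return code 5 if it is missing).
    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    }
    Protect-Folder -Folder $Folder

    # Documented syntax: the folder is passed as "--folder <path>", not "--folder=<path>".
    $agentArgs = @(
        '--trace=enable', '--folder', $Folder,
        '--rotation=yes', "--rotate-file-size=$MaxFileSizeMB", "--rotate-files-count=$MaxFiles"
    )
    & $exe @agentArgs | Out-Null
    $code = $LASTEXITCODE   # assumed: PowerShell exposes the exit code as a signed Int32, so -1 reads as -1

    [pscustomobject]@{
        Command    = "$exe $($agentArgs -join ' ')"
        ReturnCode = $code
        Meaning    = ConvertFrom-AgentReturnCode -Code $code
    }
}

# Usage (assumed folder):
# Enable-AgentTracing -Folder 'C:\KEA-Trace' -MaxFileSizeMB 50 -MaxFiles 5
# Verify afterwards with: & (Resolve-AgentExe) --trace=show
```

The same Resolve-AgentExe and ConvertFrom-AgentReturnCode helpers can be reused for the --dump command, whose syntax and return codes on this page are identical apart from the command name.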


Configuring creating a dump of Kaspersky Endpoint Agent processes

To configure the creation of dump files of Kaspersky Endpoint Agent processes using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter one of the following commands and press ENTER:
    • agent.exe --dump=enable --folder <path to the folder where you want to create dump files> enables the creation of dump files of Kaspersky Endpoint Agent processes.

      Creation of dump files will be enabled for all Kaspersky Endpoint Agent processes that are currently running. Dump files will be created in the folder you specified.

      Make sure that the specified folder is available on the managed device. Otherwise, dump files will not be created.

    • agent.exe --dump=disable disables dump creation.

      Creation of dump files will be disabled for all Kaspersky Endpoint Agent processes that are currently running.

    • agent.exe --dump=show shows the current dump creation status and the path to the folder with the dump files.

      The values of the dump.enable (true, if creation of dump files is enabled, or false, if creation of dump files is disabled) and dump.folder (path to the folder) settings will be displayed.

Return codes of the --dump command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.
  • 5 – object not found (unable to find the specified path to the dump files folder).
  • 9 – invalid operation (for example, an attempt to execute the --dump=disable command, if the creation of dumps is already disabled).

Viewing information about quarantine settings and quarantined objects

To view information about the quarantine settings and quarantined objects using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter one of the following commands and press ENTER:
    • agent.exe --quarantine=show [--pwd=<current user password>] shows a list of quarantined objects.

      The following information is displayed for every object in the Quarantine folder on the device (the Quarantine folder is specified when quarantine settings are configured):

      • Identifier of the quarantined object (ouid parameter).
      • Name of the quarantined object (name + extension).
      • Date and time when the object was quarantined (UTC).
      • Original path of the quarantined file and the default path for restoring it (without the file name).
      • Size of the quarantined file (in bytes).
      • Account of the user whose permissions were used to run the task that quarantined the file.
      • Object status:
        • DETECT if the file was quarantined by EPP or while performing actions in response to a threat detected by Kaspersky Sandbox (for example, as a result of the Quarantine and delete local action or the Quarantine and delete when IOC is found global action).
        • CUSTOM if the file was quarantined manually by running the --quarantine=add command.
      • How the file was quarantined:
        • AUTOMATIC_<name of the application that detected a threat in the quarantined file> if the file was quarantined by EPP or as part of the response to a threat detected by Kaspersky Sandbox (for example, as a result of the Quarantine and delete local action or the Quarantine and delete when IOC is found global action).
        • BY USER if the file was quarantined manually by running the --quarantine=add command.

    • agent.exe --quarantine=limits shows the current values of the Maximum Quarantine size (MB) and Threshold value for space available (MB) settings, as well as whether each setting is applied (the check box states) as specified when configuring the quarantine.

Return codes of the --quarantine command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.


Actions on quarantined objects

To perform actions on quarantined objects in Kaspersky Endpoint Agent using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter one of the following commands and press ENTER:
    • To permanently delete quarantined objects:

      agent.exe --quarantine=delete --ouid=<comma-separated quarantined object identifiers> [--pwd=<current user password>]

      The --ouid parameter is required. Objects with the specified identifiers are deleted from the Quarantine folder specified when quarantine settings are configured.

    • To restore objects from quarantine:

      agent.exe --quarantine=restore --ouid=<comma-separated quarantined object identifiers> [--path-type=<original|custom|settings>] [--path=<path to the destination folder for restored objects>] [--action=<replace|rename>] [--pwd=<current user password>]

      The --ouid parameter is required. The --path parameter is required only if --path-type is passed with the custom value.

    • To quarantine an object, either specify it by its full path:

      agent.exe --quarantine=add --file=<full path to the object you want to quarantine> [--pwd=<current user password>]

      or by its checksum and the folder that contains it:

      agent.exe --quarantine=add --hashalg=<md5|sha256> --hash=<checksum of the object> --file=<path to the folder that contains the object> [--pwd=<current user password>]

      In the first form --file is required; in the second form --hashalg, --hash and --file (as a folder path) are all required.

    Command parameters when performing actions on quarantined objects

    Parameter

    Description

    --ouid

    Required parameter. The parameter passes a unique numeric (int64) identifier of the quarantined object.

    Displayed when viewing information about quarantined objects (command --quarantine=show).

    --path-type=<original|custom|settings>

    The parameter describes the logic for destination folder selection when restoring objects from quarantine.

    • If the parameter is not passed, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
    • If the parameter is passed with the <original> value, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
    • If the parameter is passed with the <settings> value, the object will be restored to the folder specified when quarantine settings were configured. If the folder is not available, the task fails.
    • If the parameter is passed with the <custom> value, the object will be restored to the folder whose path is specified as the value of the --path parameter. If the folder is not available, the task fails.

    --path=<path to the destination folder for restored objects>

    Required parameter if the --path-type parameter is passed with the <custom> value.

    This parameter defines the path to a folder for objects restored from quarantine if you do not want to use the folder where the object was located before being quarantined or the folder specified when quarantine settings were configured.

    --action=<replace|rename>

    This parameter defines the action that you want to perform on the object if the destination folder for restored objects already contains a file with the same name as the file you are restoring from quarantine.

    • If the parameter is not passed, the restored object will be renamed: the _restored suffix will be added to the original object name.
    • If the parameter is passed with the <rename> value, the restored object will be renamed: the _restored suffix will be added to the original object name.
    • If the parameter is passed with the <replace> value, the original object will be replaced with the restored object.

    --file=<full path to the object you want to quarantine>

    Required parameter if the --hashalg parameter is not passed.

    This parameter defines the full path to the object that you want to quarantine.

    --hashalg=<md5|sha256>

    Required parameter if the --file parameter is not passed with the full path to the object you want to quarantine.

    The parameter defines the hashing algorithm to calculate the checksum of the object you want to quarantine.

    The parameter can be passed with one of the following values: <md5> or <sha256>.

    --hash=<file checksum>

    Required parameter if the --hashalg parameter is passed.

    The parameter defines the checksum of the object you want to quarantine.

    --file=<folder that contains the file>

    Required parameter if the --hashalg parameter is passed.

    This parameter specifies the path to the folder that contains the object that you want to quarantine and whose hash is specified as the value of the --hash parameter.

    --pwd=<current user password>

    Allows you to specify the password of the user whose account is used to execute the command.

Return codes of the --quarantine command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.


[Topic 193451]

Managing integration settings with KATA Central Node component

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To manage the integration settings of Kaspersky Endpoint Agent with the KATA Central Node component using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Run the following command and press ENTER:

    agent.exe --message-broker=<enable|disable|show> --type=<kata> --use-proxy=<yes|no> [--compression=<yes|no>] --partitioning-strategy=<automatic|user> [--message-key=<message key> --topic=<topic> --partition=<user specific partition>] [--tls=<yes|no>] --servers=<address>:<port>[;<address>:<port>[; …]] [--timeout=<maximum response timeout of KATA server>] [--pinned-certificate=<full path to the TLS certificate file>] [--client-certificate=<full path to the certificate file> --client-password=<password for the PFX archive>] [--sync-period=<interval for sending synchronization requests>] [--throttling=<yes|no>] [--event-limit=<number of events per hour>] [--exceed-limit=<threshold value>] [--pwd=<current user password>]

    The --message-broker command parameters when managing the integration settings between Kaspersky Endpoint Agent and the KATA Central Node component

    Parameter

    Description

    --message-broker=<enable|disable|show>

    Required parameter.

    Allows you to enable, disable, and view the status of the integration between Kaspersky Endpoint Agent and the KATA Central Node component.

    • --message-broker=<enable> – enables integration.
    • --message-broker=<disable> – disables integration.
    • --message-broker=<show> – displays the integration status of Kaspersky Endpoint Agent with the KATA Central Node component.

    --type=<kata>

    Required parameter.

    Allows you to specify the KATA Central Node component in order to manage the integration settings of Kaspersky Endpoint Agent with said component.

    --use-proxy={yes|no}

    Required parameter.

    Allows you to enable or disable proxy server usage in the message broker to send messages to KATA.

    --compression=<yes|no>

    Optional parameter.

    Allows you to enable or disable the compression of data transferred between Kaspersky Endpoint Agent and KATA Central Node.

    Enabled by default.

    --tls=<yes|no>

    Optional parameter.

    Allows you to enable or disable a trusted (TLS-protected) connection between Kaspersky Endpoint Agent and the KATA Central Node component.

    • --tls=<yes> – enables the trusted connection; the --pinned-certificate parameter must then be passed as well.
    • --tls=<no> – disables the trusted connection.

    --servers=<address>:<port>[;<address>:<port>[; …]]

    Required parameter.

    Allows the addition of one or more KATA servers.

    Kaspersky Endpoint Agent connects to the first server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second server and so on down the list.

    --timeout=<maximum response timeout of KATA server>

    Optional parameter.

    Allows you to set the maximum response timeout of the KATA server in milliseconds.

    --pinned-certificate=<full path to the TLS certificate file>

    Required parameter, if the --tls parameter is passed with the <yes> value.

    Allows you to add the TLS certificate of the KATA server that Kaspersky Endpoint Agent pins for the connection. Obtain the certificate file from the Central Node itself rather than over an untrusted channel, since the pin is only as trustworthy as its source.

    --client-certificate=<full path to the certificate file>

    Allows you to add a user certificate for connecting Kaspersky Endpoint Agent to the KATA server.

    --client-password=<password for the PFX archive>

    Allows you to enter the password for the PFX archive that contains the user certificate for connecting Kaspersky Endpoint Agent to the KATA server. The password is passed on the command line, so it can be exposed in command history and process listings; clear the history after running the command.

    --sync-period=<interval for sending synchronization requests>

    Allows you to specify the time interval for sending synchronization requests for Kaspersky Endpoint Agent settings and tasks with the KATA Central Node.

    --throttling=<yes|no>

    Allows you to enable or disable request throttling. The request throttling feature allows restricting the flow of events with low importance from Kaspersky Endpoint Agent to the Central Node component.

    --event-limit=<number of events per hour>

    Allows you to specify the maximum number of events per hour. The application analyzes telemetry data flow and restricts transmission of events with low importance if the number of transmitted events tends to exceed the specified value.

    --exceed-limit=<threshold value>

    Allows you to specify the threshold for exceeding the limit of events. If the flow of events with low importance of the same type exceeds the threshold percentage of the total number of events, the transmission of events of this type will be restricted. You can specify a value from 5 to 100 (without the % character).
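    The following Python script is an added example for this section and is not Kaspersky's code. It assembles the --message-broker command line from typed arguments, rejects the combinations the table above forbids (no pinned certificate with --tls=yes, a client certificate without its PFX password, a user partitioning strategy without key, topic and partition, malformed --servers entries) and flags the two settings that weaken the agent-to-Central-Node channel. The installation folder is the one named in step 2; the Central Node address, certificate path, function names and the TLS-on default are assumptions made for the example.

```python
"""Build and sanity-check an agent.exe --message-broker command line.

Added example for this page, not Kaspersky's code. It encodes only the
parameter rules stated in the page's table; host names, certificate paths
and helper names are made up for illustration.
"""
import subprocess
from typing import List, Optional

# Installation folder named on the page; the command must be run from it.
AGENT_DIR = r"C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent"


def yn(flag: bool) -> str:
    return "yes" if flag else "no"


def build_message_broker_args(
    action: str,
    servers: List[str],
    use_proxy: bool = False,
    tls: bool = True,                 # assumption: default to a trusted connection
    pinned_certificate: Optional[str] = None,
    client_certificate: Optional[str] = None,
    client_password: Optional[str] = None,
    compression: bool = True,
    timeout_ms: Optional[int] = None,
    sync_period: Optional[int] = None,
    partitioning: str = "automatic",
    message_key: Optional[str] = None,
    topic: Optional[str] = None,
    partition: Optional[int] = None,
) -> List[str]:
    """Return argv for agent.exe; raise ValueError on a combination the page forbids."""
    if action not in ("enable", "disable", "show"):
        raise ValueError("--message-broker must be enable, disable or show")
    if not servers:
        raise ValueError("--servers is required")
    for entry in servers:                      # tried in order: first reachable wins
        host, sep, port = entry.rpartition(":")
        if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad --servers entry {entry!r}; expected <address>:<port>")
    if tls and not pinned_certificate:         # page: required when --tls=yes
        raise ValueError("--pinned-certificate is required when --tls=yes")
    if client_certificate and client_password is None:
        raise ValueError("--client-password is required with --client-certificate")
    if partitioning not in ("automatic", "user"):
        raise ValueError("--partitioning-strategy must be automatic or user")
    if partitioning == "user" and (not message_key or not topic or partition is None):
        raise ValueError("--partitioning-strategy=user needs --message-key, --topic and --partition")

    args = [
        "agent.exe",
        f"--message-broker={action}",
        "--type=kata",
        f"--use-proxy={yn(use_proxy)}",
        f"--compression={yn(compression)}",
        f"--partitioning-strategy={partitioning}",
        f"--tls={yn(tls)}",
        "--servers=" + ";".join(servers),       # semicolon-separated, no spaces
    ]
    if partitioning == "user":
        args += [f"--message-key={message_key}", f"--topic={topic}", f"--partition={partition}"]
    if timeout_ms is not None:
        args.append(f"--timeout={timeout_ms}")
    if pinned_certificate:
        args.append(f"--pinned-certificate={pinned_certificate}")
    if client_certificate:
        args += [f"--client-certificate={client_certificate}",
                 f"--client-password={client_password}"]
    if sync_period is not None:
        args.append(f"--sync-period={sync_period}")
    return args


def validation_error(**kwargs) -> Optional[str]:
    """Return the rejection reason for a parameter set, or None if it is accepted."""
    try:
        build_message_broker_args(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def weak_settings(args: List[str]) -> List[str]:
    """Point out settings that weaken the agent-to-Central-Node channel."""
    findings = []
    if "--tls=no" in args:
        findings.append("TLS disabled: the KATA server is not authenticated and "
                        "telemetry and tasks travel unencrypted")
    if any(a.startswith("--client-password=") for a in args):
        findings.append("PFX password is on the command line: visible in process "
                        "listings and shell history; clear the history afterwards")
    return findings


def run_agent(args: List[str], dry_run: bool = True) -> Optional[int]:
    """Run agent.exe from its installation folder and return the exit code (None on dry run)."""
    if dry_run:
        print(" ".join(args))
        return None
    return subprocess.run(args, cwd=AGENT_DIR, check=False).returncode
```

    A typical call is build_message_broker_args("enable", ["kata-cn.corp.example:443"], pinned_certificate=r"C:\kata\central-node.crt", sync_period=300) followed by run_agent(argv, dry_run=False) from an elevated prompt; the same builder with tls=False is accepted but reported by weak_settings, which is the point of keeping the check separate from the validation.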

See also

Managing Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent authentication

Configuring tracing

Configuring creating a dump of Kaspersky Endpoint Agent processes

Viewing information about quarantine settings and quarantined objects

Actions on quarantined objects

Running Kaspersky Endpoint Agent database and module update

Starting, stopping and viewing the current application status

Protecting the application with password

Protecting application services with PPL technology

Managing self-defense settings

Managing event filtering

Managing Standard IOC Scan tasks

Managing scanning of files and processes according to YARA rules

Managing scanning of autorun point objects according to YARA rules

Creating a memory dump

Creating a disk dump

[Topic 197185]

Running Kaspersky Endpoint Agent database and module update

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To update the Kaspersky Endpoint Agent application database and modules using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Run the following command and press ENTER:

    agent.exe --update=bases|modules [--source=<addresses of custom database update sources separated by semicolons without spaces>|kl|ksc]

    Command parameters when running Kaspersky Endpoint Agent database update

    Parameter

    Description

    --update=bases|modules

    Required parameter.

    Allows you to specify the type of update:

    • --update=bases starts the application database update.
    • --update=modules starts the application module update.

    --source=<addresses of custom database update sources>|kl|ksc

    Optional parameter.

    Allows you to select a database update source.

    • --source=<addresses of custom database update sources> selects the Custom HTTP or FTP servers or network folders option as the database update source; specify the path to the network folder or the IP address, FTP address or HTTP address of the server from which the application downloads database updates.

      You can specify several addresses of custom database update sources, separated by semicolons without spaces (";"). The application will download updates from the first available database update source. If no addresses are available, the task will fail.

    • --source=kl allows you to select the Kaspersky update servers option as database update source.

      If the servers are not available, the task will fail.

    • --source=ksc allows you to select the Kaspersky Security Center Administration Server option as database update source.

      If the Administration Server is not available, the task will fail.

Return codes of the --update command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.
  • 8 – permission error.
  • 200 – all objects are valid.
  • -206 – update files are not available in the specified database update source or have an unknown format.
  • -209 – error connecting to the database update source.
  • -232 – error connecting to the proxy server.
  • -234 – error connecting to Kaspersky Security Center.
  • -236 – application databases are corrupted.


[Topic 193453]

Starting, stopping and viewing the current application status

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To start, stop, or view the current Kaspersky Endpoint Agent status using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Run the following command and press ENTER:

    agent.exe --product=<start|stop|state> [--pwd=<current user password>]

    Command parameters when starting, stopping, and viewing the current state of Kaspersky Endpoint Agent

    Parameter

    Description

    --product=<start|stop|state>

    Allows you to start, stop, or view the current application status.

    • --product=<start> – starts the application.
    • --product=<stop> – stops the application.

      If password protection is configured for the application, a password is required to execute the --product=<stop> command.

    • --product=<state> – displays the current state of the application: started or stopped.

    --pwd=<current user password>

    Allows you to specify the password of the user whose account is used to execute the command.

Return codes of the --product=<start|stop|state> command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.
  • 8 – permission error.
  • 9 – invalid operation (for example, an attempt to execute the --product=start command if the application is already running).


[Topic 193454]

Protecting the application with password

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To restrict Kaspersky Endpoint Agent operations that could lower the protection level of the user's computer and the data processed on it, or weaken the application's self-defense, password-protect the application.

The password is required to execute the following commands in Kaspersky Endpoint Agent command line interface:

  • --sandbox=disable
  • --sandbox=show
  • --sandbox=enable --tls=no
  • --sandbox=enable --pinned-certificate=<full path to the TLS certificate file for connecting Kaspersky Endpoint Agent to Kaspersky Sandbox>
  • --quarantine=delete --ouid
  • --quarantine=show
  • --quarantine=restore
  • --quarantine=add
  • --product=stop
  • --password=reset
  • --isolation=disable
  • --prevention=disable
  • --selfdefense
  • --license=delete
  • --message-broker --type=kata <settings>
  • --event --action=enable
  • --event --action=disable

To enter the password, use the --pwd=<current user password> parameter.

The password is also required when performing the following actions on the application:

  • Application uninstallation and remote application uninstallation using Kaspersky Security Center
  • Application update (upgrade)
  • Application repair (repair)
  • Operations in the application installation wizard
  • Operations in the command line interface

After enabling password protection and applying the Kaspersky Security Center policy, the same password is applied to all devices in the Kaspersky Endpoint Agent managed group.

After disabling password protection in the policy, the password protection settings are retained for the local device and can be edited.

The password is not stored in plaintext: the application settings hold only its checksum (hash).

To configure Kaspersky Endpoint Agent password protection using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter one of the following commands and press ENTER:
    • agent.exe --password=state to view the current password protection status of the application.
    • agent.exe --password=set --pwd=<current user password> --new=<new user password> to set a new user password.
    • agent.exe --password=reset --pwd=<current user password> to reset the user password.


[Topic 193455]

Protecting application services with PPL technology

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The protection of application services using the Protected Process Light (PPL) technology is implemented in Kaspersky Endpoint Agent.

The protection of application services using the Protected Process Light (PPL) technology is only available on the following operating systems:

  • For workstations: Windows 10 version 1703 RS2 and above
  • For servers: Windows Server 2016 version 1709 and above

A process running with the PPL flag cannot be terminated, injected into, or otherwise modified by a process that does not have the PPL flag, even one running with administrator privileges.

Running the application services with the PPL flag protects them from malicious external influence and from attempts to compromise the application, such as tampering with the agent to stop it from collecting telemetry.

To configure protection of application services by the PPL technology using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter one of the following commands and press ENTER:
    • agent.exe --ppl=show [--pwd=<current user password>] shows the current status of application services protection by the PPL technology.
    • agent.exe --ppl=disable [--pwd=<current user password>] disables application services protection by the PPL technology.

Return codes of the --ppl command:

  • 0 – command successfully executed.
  • 2 – general error.
  • 4 – syntax error.
  • 8 – permission error.


[Topic 193458]

Managing self-defense settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To manage self-defense settings using the Kaspersky Endpoint Agent command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Run the following command and press ENTER:

    agent.exe --selfdefense=<enable|disable> [--pwd=<current user password>]

    If password protection is configured for the application, the --pwd parameter is required to run the --selfdefense command.

See also

Managing Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent authentication

Configuring tracing

Configuring creating a dump of Kaspersky Endpoint Agent processes

Viewing information about quarantine settings and quarantined objects

Actions on quarantined objects

Managing integration settings with KATA Central Node component

Running Kaspersky Endpoint Agent database and module update

Starting, stopping and viewing the current application status

Protecting the application with password

Protecting application services with PPL technology

Managing event filtering

Managing Standard IOC Scan tasks

Managing scanning of files and processes according to YARA rules

Managing scanning of autorun point objects according to YARA rules

Creating a memory dump

Creating a disk dump

[Topic 198505]

Managing event filtering

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To manage event filtering using the Kaspersky Endpoint Agent command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Run the following command and press ENTER:

    agent.exe --event=<createprocess|loadimage|registry|network|eventlog|filechange|accountloggon|codeinjection|wmiactivity> --action=<enable|disable|show> [--pwd=<current user password>]

    If password protection is configured for the application, the --pwd parameter is required to run the --event command with --action=enable or --action=disable.

See also

Managing Kaspersky Endpoint Agent activation

Managing Kaspersky Endpoint Agent authentication

Configuring tracing

Configuring creating a dump of Kaspersky Endpoint Agent processes

Viewing information about quarantine settings and quarantined objects

Actions on quarantined objects

Managing integration settings with KATA Central Node component

Running Kaspersky Endpoint Agent database and module update

Starting, stopping and viewing the current application status

Protecting the application with password

Protecting application services with PPL technology

Managing self-defense settings

Managing Standard IOC Scan tasks

Managing scanning of files and processes according to YARA rules

Managing scanning of autorun point objects according to YARA rules

Creating a memory dump

Creating a disk dump

[Topic 198513]

Managing Standard IOC Scan tasks

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To create and configure a Standard IOC Scan task using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Run the following command and press Enter:

    agent.exe --scan-ioc {[--path=<path to the folder with IOC files>] | [<full path to the IOC file>]} [--process=no] [--hint=<full path to the process executable file|full path to the file>] [--registry=no] [--dnsentry=no] [--arpentry=no] [--ports=no] [--services=no] [--system=no] [--users=no] [--volumes=no] [--eventlog=no] [--datetime=<event publication date>] [--channels=<list of channels>] [--files=no] [--network=no] [--url=no] [--drives=<all|system|critical|custom>] [--excludes=<list of exclusions>] [--scope=<configurable list of folders>] [--retro]

    If the --scan-ioc command is passed with only the required parameters, Kaspersky Endpoint Agent performs the scan with the default settings.

    The command must be given the location of the IOC files: either --path=<path to the folder with IOC files> or <full path to the IOC file> (passed without the --path argument). Kaspersky Endpoint Agent scans the IOC files found at that location.
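    The following Python script is an added example for this section and is not part of the page or of Kaspersky's tooling. Before running a Standard IOC Scan it parses each OpenIOC file, lists the IOC documents (ProcessItem, FileItem, DnsEntryItem and so on) the indicators reference, and shows which of them a given set of --<area>=no switches would turn into silent "no match" results; it then assembles the --scan-ioc command line, passing a single .ioc/.xml file bare and a folder through --path=. The document-to-switch table follows the parameter table below; the RegistryItem name for --registry=no is taken from the OpenIOC schema rather than from this page. The sample IOC file and the paths are constructed for the example.

```python
"""Inspect IOC files and assemble an agent.exe --scan-ioc command line.

Added example, not part of the page or of Kaspersky's tooling. The
document-to-switch table is taken from the page's parameter table
(RegistryItem is assumed from the OpenIOC schema); the sample IOC below
and the paths in the usage are constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# IOC document -> command-line switch that disables its analysis.
DOCUMENT_SWITCH: Dict[str, str] = {
    "ProcessItem": "--process=no",
    "RegistryItem": "--registry=no",      # assumed document name
    "DnsEntryItem": "--dnsentry=no",
    "ArpEntryItem": "--arpentry=no",
    "PortItem": "--ports=no",
    "ServiceItem": "--services=no",
    "SystemInfoItem": "--system=no",
    "UserItem": "--users=no",
    "VolumeItem": "--volumes=no",
    "EventLogItem": "--eventlog=no",
    "FileItem": "--files=no",
    "Network": "--network=no",
    "UrlHistoryItem": "--url=no",
}

# Constructed OpenIOC 1.1 sample: a file hash, a process name and a DNS host.
SAMPLE_IOC = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="example-0001">
  <metadata><short_description>Constructed sample</short_description></metadata>
  <criteria>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
        <Content type="sha256">0000000000000000000000000000000000000000000000000000000000000000</Content>
      </IndicatorItem>
      <IndicatorItem id="b" condition="contains">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">example-dropper.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="c" condition="is">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">c2.example.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
</OpenIOC>
"""


def ioc_documents(xml_text: str) -> Set[str]:
    """Return the IOC document names referenced by an OpenIOC 1.0 or 1.1 file."""
    root = ET.fromstring(xml_text)
    docs: Set[str] = set()
    for el in root.iter():                       # namespace-agnostic walk
        if el.tag.rsplit("}", 1)[-1] != "Context":
            continue
        doc = el.get("document")
        if not doc and el.get("search"):         # fall back to the search prefix
            doc = el.get("search").split("/", 1)[0]
        if doc:
            docs.add(doc)
    return docs


def plan_scan(docs: Set[str], disabled: Set[str]) -> Dict[str, Set[str]]:
    """Split referenced documents into scanned / ignored (switched off) / unknown."""
    ignored = {d for d in docs if DOCUMENT_SWITCH.get(d) in disabled}
    unknown = {d for d in docs if d not in DOCUMENT_SWITCH}
    return {"scanned": docs - ignored - unknown, "ignored": ignored, "unknown": unknown}


def build_scan_ioc_args(target: str, disabled: Set[str]) -> List[str]:
    """Pass a single .ioc/.xml file bare; pass a folder through --path=."""
    bad = disabled - set(DOCUMENT_SWITCH.values())
    if bad:
        raise ValueError(f"unknown switches: {sorted(bad)}")
    is_file = target.lower().endswith((".ioc", ".xml"))
    args = ["agent.exe", "--scan-ioc", target if is_file else f"--path={target}"]
    return args + sorted(disabled)


if __name__ == "__main__":
    off = {"--process=no"}
    plan = plan_scan(ioc_documents(SAMPLE_IOC), off)
    print("scanned:", sorted(plan["scanned"]), "ignored:", sorted(plan["ignored"]))
    print(" ".join(build_scan_ioc_args(r"C:\ioc\sample.ioc", off)))   # constructed path
```

    Run from the Endpoint Agent installation folder, the printed command is what step 3 expects; the "ignored" set is the one to review before accepting a clean result, because an indicator whose document has been switched off is reported as no match rather than as skipped.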

    Command parameters for running and configuring Standard IOC Scan tasks

    Parameters

    Description

    --scan-ioc

    Required parameter.

    Starts the Standard IOC Scan tasks on the device.

    --path=<path to the folder with IOC files>

    Path to the folder with the IOC files that you want to scan.

    Required parameter if the <full path to the IOC file> parameter is not specified.

    <full path to the IOC file>

    Full path to the IOC file, with ioc or xml extension, that you want to scan.

    A required parameter if the --path=<path to the folder with IOC files> parameter is not specified.

    Passed without the --path argument.

    --process=<no>

    Optional parameter.

    This parameter disables the analysis of process data during scans.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not consider the processes running on the device during scanning. If the IOC file contains IOC terms of the ProcessItem IOC document, they are ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only scan the process data if the ProcessItem IOC document is described in the IOC file submitted for scanning.

    --hint=<full path to the process executable file|full path to the file>

    Optional parameter.

    This parameter allows you to narrow the scope of data analyzed while checking the ProcessItem and FileItem IOC documents by specifying a particular file.

    The parameter value can be set as:

    • <full path to the executable file of the process> – ProcessItem
    • <full path to the file> – FileItem

    This parameter can only be passed together with the --process=yes and --files=yes arguments, that is, it cannot be combined with --process=no or --files=no.

    --dnsentry=no

    Optional parameter.

    This parameter disables the analysis of data on records in the local DNS cache (DnsEntryItem IOC document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan the local DNS cache. If the IOC file contains the terms of the DnsEntryItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only scan the local DNS cache if the DnsEntryItem IOC document is described in the IOC file submitted for scanning.

    --arpentry=no

    Optional parameter.

    This parameter disables the analysis of data in ARP table (ArpEntryItem document) records during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan the ARP table. If the IOC file contains the terms of the ArpEntryItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only scan the ARP table if the ArpEntryItem IOC document is described in the IOC file submitted for scan.

    --ports=no

    Optional parameter.

    This parameter disables the analysis of data on ports that are open for listening (PortItem document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan the table of active connections on the device. If the IOC file contains the terms of the PortItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only scan the table of active connections if the PortItem IOC document is described in the IOC file submitted for scanning.

    --services=no

    Optional parameter.

    This parameter disables the analysis of data on services installed on the device (ServiceItem document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan data on services installed on the device. If the IOC file contains the terms of the ServiceItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only scan the data on services if the ServiceItem IOC document is described in the IOC file submitted for scanning.

    --volumes=no

    Optional parameter.

    This parameter disables the analysis of volume data (VolumeItem document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan volume data on the device. If the IOC file contains the terms of the VolumeItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only scan the data on volumes if the VolumeItem IOC document is described in the IOC file submitted for scanning.

    --eventlog=no

    Optional parameter.

    This parameter disables the analysis of data about Windows Event Log entries (EventLogItem document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan Windows Event Log entries. If the IOC file contains the terms of the EventLogItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only scan Windows Event Log entries if the EventLogItem IOC document is described in the IOC file submitted for scanning.

    --datetime=<event publication date>

    Optional parameter.

    This parameter allows you to enable or disable accounting for the date and time when the event was registered in the Windows Event Log when determining the IOC scan area for the corresponding IOC document.

    During IOC scanning, Kaspersky Endpoint Agent will only process events that were registered within the time interval between the specified date and time and the task execution time.

    Kaspersky Endpoint Agent allows you to specify the event registration date as the parameter value. Scans will be performed only for events registered in the Windows Event Log between the specified date and the time when the IOC scan is performed.

    If the parameter is not passed, Kaspersky Endpoint Agent will scan events with any registration date. The TaskSettings::BaseSettings::EventLogItem::datetime parameter cannot be changed.

    This parameter is only used if the EventLogItem IOC document is described in the IOC file submitted for scanning.

    --channel=<list of channels>

    Optional parameter.

    This parameter allows you to pass a list of the names of channels (logs) for which IOC scanning is required.

    If this parameter is passed, Kaspersky Endpoint Agent will only consider events published in the specified logs when performing the IOC Scan task.

    The name of the log is specified as a string based on the name of the log (channel) shown in the properties of that log (the Full Name parameter) or in the properties of the event (the <Channel></Channel> element in the XML schema of the event).

    By default (including in the case that the parameter is not passed), IOC scanning is performed for the Application, System, and Security channels.

    Several values, separated by spaces, can be passed to the parameter.

    This parameter is only used if the EventLogItem IOC document is described in the IOC submitted for scanning.

    --system=no

    Optional parameter.

    This parameter disables the analysis of environmental data (SystemInfoItem IOC document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not analyze environmental data. If the IOC file contains the terms of the SystemInfoItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only analyze environmental data if the SystemInfoItem IOC document is described in the IOC file submitted for scanning.

    --users=no

    Optional parameter.

    This parameter disables the analysis of user data (UserItem IOC document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not analyze the data on users created in the system. If the IOC file contains the terms of the UserItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only analyze data on users created in the system if the UserItem IOC document is described in the IOC file submitted for scanning.

    --files=no

    Optional parameter.

    This parameter disables the analysis of data on files (FileItem IOC document) during IOC scanning.

    If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not analyze data on files. If the IOC file contains the terms of the FileItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only analyze data on files if the FileItem IOC document is described in the IOC file submitted for scanning.

    --network=no

    Optional parameter.

    This parameter controls whether threat lookup based on the Network IOC document is performed during IOC scanning.

    If the <no> value is set for the parameter, Kaspersky Endpoint Agent does not perform threat lookup based on the Network IOC document. If the IOC file contains the terms of the Network IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent only enables threat lookup based on the Network IOC document if the Network IOC document is described in the IOC file submitted for scanning.

    --url=no

    Optional parameter.

    This parameter controls whether threat lookup based on the UrlHistoryItem IOC document is performed during IOC scanning.

    If the <no> value is set for the parameter, Kaspersky Endpoint Agent will not perform threat lookup based on the UrlHistoryItem IOC document. If the IOC file contains the terms of the UrlHistoryItem IOC document, they will be ignored (defined as no match).

    If the parameter is not passed, Kaspersky Endpoint Agent will only enable threat lookup based on the UrlHistoryItem IOC document if the UrlHistoryItem IOC document is described in the IOC file submitted for scanning.

    --drives=<all|system|critical|custom>

    Optional parameter.

    This parameter allows you to specify the scope of the IOC scan when analyzing data for the FileItem IOC document.

    This parameter can have one of the following values:

    • <all> – the application scans all available file areas.
    • <system> – the application only scans files that are located in the folders where the operating system is installed.
    • <critical> – the application only scans temporary files that are located in user and system folders.
    • <custom> – the application only scans files that are located in the areas specified by the user.

      If the parameter is not passed, critical areas will be scanned.

    --excludes=<list of exclusions>

    Optional parameter.

    This parameter allows you to specify exclusion scopes when analyzing data for the FileItem IOC document. Several values, separated by spaces, can be passed to the parameter.

    If the parameter is not passed, all folders will be scanned, with no exclusions.

    --scope=<configurable list of folders>

    Optional parameter.

    This parameter becomes required if the --drives=custom parameter is passed.

    This parameter allows you to specify a list of scan areas. Several values, separated by spaces, can be passed to the parameter.

    --retro

    Optional parameter.

    The parameter is used to start the task in the Retrospective IOC scan mode.

    In addition to this parameter, you can specify the time interval within which the application will perform a retrospective IOC scan using the following parameters:

    • --start-time=<interval start date and time>
    • --end-time=<interval end date and time>

      Example:

      agent.exe --scan-ioc --path=<path to the folder with IOC files> --retro --start-time=2021-05-21T10:30:00Z --end-time=2021-05-24T10:30:00Z

      If the time interval is not specified, the default interval will be used, starting one day before the task was started and ending at the moment the task was launched.

Return codes of the --scan-ioc command:

  • -1 – command is not supported by Kaspersky Endpoint Agent version installed on the device.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.

If the command was executed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the following data on the task execution results in the command line:

Data displayed by the application in the command line when an IOC is detected

  • Uuid – IOC file identifier from the header of the IOC file structure (<ioc id=""> tag).
  • Name – IOC file description from the header of the IOC file structure (<description></description> tag).
  • Matched Indicator Items – The list of identifiers of all triggered indicators.
  • Matched objects – Data on each IOC document where a match was detected.
  • Date – Creation date of the file where indicators of compromise were detected.
  • Created – Only for FileItem. Creation time of the object where indicators of compromise were detected.
  • Pid – Identifier of the process for which indicators of compromise were detected.
  • Upid – Unique identifier of the process for which indicators of compromise were detected.
  • ParentPid – Identifier of the parent object that contains the process for which indicators of compromise were detected.
  • Username – Name of the user who made changes to the object being scanned.
  • StartTime – Start time of the process for which indicators of compromise were detected.


Managing scanning of files and processes according to YARA rules

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

YARA scanning is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan.

Only the files with YARA rules can be specified for the YARA Scan task. Files with other types of rules are not supported for the YARA Scan task.

To run a YARA scan using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.

  3. Run the following command and press Enter:

    agent.exe --scan-yara [<path to the YARA file>] [--path=<path to the folder with YARA rules>] [--fast-scan] [--tag-hint=<tag rule>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--recursive] [--scan-folders [<list of folders to be scanned>]] [--scan-memory] [--scan-process <process name>] [--max-size=<file size in bytes>] [--excludes <list of objects to be excluded>] [--includes <list of objects to be scanned>]

    If the --scan-yara command is passed with only the required parameters, Kaspersky Endpoint Agent will perform the scan with the default settings.

The scan parameters are described in the following table.

Command parameters when starting and configuring YARA scan

Parameters

Description

--scan-yara [<full path to the YARA file>]

Required parameter.

Starts a YARA scan on the device. The scan is performed according to the rules in the YARA files with the yara or yar extension.

Several values, separated by spaces, can be passed to the parameter.

At least one <full path to the yara file> value must be specified if the --path parameter is not specified.

If the --path parameter is also specified in addition to the arguments of the --scan-yara parameter, the scan uses both the files with the YARA rules specified as the arguments and the files from the folder specified by the --path parameter.

--path=<path to the folder with the YARA files>

Path to the folder with the YARA files that you want to scan.

Required parameter, if the <full path to the YARA file> parameter is not specified.

--fast-scan

Optional parameter.

The parameter starts the fast scan mode. For each scan object, one occurrence of the detected marker is logged, and duplicates of the detected markers are not logged. Usage of this parameter allows you to reduce the time for scanning large files.

If the parameter is not passed, a standard scan is performed and the duplicates of detected markers are logged.

--tag-hint=<tag rule>

Optional parameter.

The parameter allows considering only the rules with the specified tag during scan. You can specify only one parameter value.
Rules without tags or with tags other than those specified as the parameter value are ignored during scan.

If the parameter is not passed, all the rules are considered during scan.

--id-hint=<rule ID>

Optional parameter.

The parameter allows considering only the rules with the specified ID during scan. You can specify only one parameter value.
Rules without IDs or with IDs other than those specified as the parameter value are ignored during scan.

If the parameter is not passed, all the rules are considered during scan.

--max-rules=<maximum number of scan rules>

Optional parameter.

The parameter sets the limit of unique triggered detection rules; scan stops upon exceeding this limit.

If the parameter value is not specified or equals to 0, the scan is performed without limitations.

--timeout=<stop scan after the specified time in seconds>

Optional parameter.

The parameter specifies the scan duration in seconds. The scan will be stopped after the specified time.

If the parameter value is not specified or equals to 0, the scan is performed without limitations.

--recursive

Optional parameter.

The parameter enables recursive scanning of the subfolders of the folders passed in the <list of folders to be scanned> value of the --scan-folders parameter.

--scan-folders [<list of folders to be scanned>]

Optional parameter.

This parameter starts a scan of the files in the specified list of folders.

If the value of the <list of folders to be scanned> parameter is not specified, the scan is performed recursively for all local drives, except for network, cloud, and connected drives.

--scan-memory

Optional parameter.

This parameter starts a memory scan for all running processes.

--scan-process <process name>

Optional parameter.

This parameter starts a memory scan for only specified processes. Standard masks are supported for the <process name> value: "?" and "*".

--max-size=<file size in bytes>

Optional parameter.

Scan is performed only for the files that do not exceed the specified size. Larger files are skipped during scan.

--includes <list of objects to be scanned>

Optional parameter.

This parameter allows you to limit the scan scope. You can specify several parameter values separated by a space. Available values:

  • File name
  • File path
  • File name mask
  • File path mask

    Passed with the --scan-folders parameter.

    Example:
    --scan-folders c:\*.* --recursive --includes *.exe c:\temp\*.* *.dll – the scan will be performed for all files with the "exe" and "dll" extensions on the C: drive, and all files in the c:\temp folder will be scanned recursively.

--excludes <list of objects to be excluded>

Optional parameter.

This parameter excludes the specified files or folders from the scan. You can specify several parameter values separated by a space. Available values:

  • File name
  • File path
  • File name mask
  • File path mask

    Passed with the --scan-folders parameter.

    Example:
    --scan-folders c:\*.* --excludes readme.txt c:\trusted\*.* *.xml – the readme.txt files, all files from the c:\trusted folder, and all files with the xml extension in the root folder on the C: drive will be skipped during the scan.

Return codes of the --scan-yara command:

  • -1 – command is not supported by Kaspersky Endpoint Agent version installed on the device.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.
  • 5 – one or more files with YARA rules specified as the parameter value not found.

If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described in the following table:

Data displayed by the application in the command line when YARA signatures are detected.

  • Offset – Offset in the object scanned by Kaspersky Endpoint Agent.
  • Data – Signatures searched by Kaspersky Endpoint Agent during scanning.
  • Object Name – The name of the scanned object.
  • Rule Name – The name of the rule used during scan.


Managing scanning of autorun point objects according to YARA rules

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

YARA scanning of autorun point objects is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan.

Only files with YARA rules can be specified in the YARA Scan task for autorun point objects. Files with other types of rules are not supported for the YARA Scan task.

By default, scanning of objects according to YARA rules is performed for the following types of autorun points:

  • Logon
  • Run
  • Explorer
  • Shell
  • Office
  • Internet Explorer
  • Tasks
  • Services
  • Drivers
  • Telephony
  • Cryptography
  • Debuggers
  • COM
  • Session Manager
  • Network
  • LSA
  • Applications
  • Codecs
  • Shellex
  • Unspecified

To run a YARA scan of autorun points using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.

  3. Run the following command and press Enter:

    agent.exe --scan-yara [<path to the YARA file>] [--path=<path to the folder with the YARA rules>] --scan-autoruns=yes [--fast-scan] [--tag-hint=<rule tag>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--max-size=<file size in bytes>] [--exclude-autoruns=COM]

    If the --scan-yara --scan-autoruns command is passed with only the required parameters, Kaspersky Endpoint Agent performs a scan with the default settings.

The scan parameters are described in the following table.

Command parameters when starting and configuring YARA scan

Parameters

Description

--scan-yara [<full path to the YARA file>]

Required parameter.

Starts a YARA scan for the autorun point files on the device. The scan is performed according to the rules in YARA files with the yara or yar extension.

Several values separated by spaces can be passed to the parameter.

At least one <full path to the yara file> value must be specified if the --path parameter is not specified.

If the --path parameter is also specified in addition to the arguments of the --scan-yara --scan-autoruns parameter, the scan uses both the files with the YARA rules specified as the arguments and the files from the folder specified by the --path parameter.

--path=<path to the folder with the YARA files>

Path to the folder with the YARA files that you want to use to search for autorun point files.

Required parameter, if the <full path to the YARA file> parameter is not specified.

--scan-autoruns=yes

Required parameter.

This parameter accesses autorun points and scans objects for all types of autorun points according to the specified YARA rules.

Specify the yes value to start the scan. If the parameter value is not specified, the parameter is ignored.

--fast-scan

Optional parameter.

The parameter starts the fast scan mode. For each scan object, one occurrence of the detected marker is logged, and duplicates of the detected markers are not logged. Usage of this parameter allows you to reduce the time for scanning large files.

If the parameter is not passed, a standard scan will be performed and the duplicates of detected markers will be logged.

--tag-hint=<tag rule>

Optional parameter.

The parameter allows considering only the rules with the specified tag during scan. You can specify only one parameter value.
Rules without tags or with tags other than those specified as the parameter value are ignored during scan.

If the parameter is not passed, all the rules are considered during scan.

--id-hint=<rule ID>

Optional parameter.

The parameter allows considering only the rules with the specified ID during scan. You can specify only one parameter value.
Rules without IDs or with IDs other than those specified as the parameter value are ignored during scan.

If the parameter is not passed, all the rules are considered during scan.

--max-rules=<maximum number of scan rules>

Optional parameter.

This parameter sets the limit of unique triggered detection rules; the scan will stop upon exceeding this limit.

If the parameter value is not specified or equals 0, the scan will be performed without limitations.

--timeout=<stop scan after the specified time in seconds>

Optional parameter.

This parameter specifies the scan duration of each object in seconds. The scan will be stopped after the specified time.

If the parameter value is not specified or equals to 0, the scan is performed without limitations.

--max-size=<file size in bytes>

Optional parameter.

Scan is performed only for the files that do not exceed the specified size. Larger files are skipped during scan.

--exclude-autoruns=<list of autorun point types to be excluded>

Optional parameter.

This parameter excludes files of the specified autorun point from the scan. You can specify several parameter values separated by a space. Available value: COM (as of this writing, only this type of autorun point can be excluded from a scan).

Example:
--exclude-autoruns=COM

The files from the COM autorun point scope will be ignored during the scan.

Limitations

The resulting lists of autorun points for COM objects may not contain components developed using .NET, because of the special way such components are registered in the system.

Return codes of the --scan-yara command:

  • -1 – command is not supported by Kaspersky Endpoint Agent version installed on the device.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.
  • 5 – one or more files with YARA rules specified as the parameter value not found.

If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described in the following table:

Data displayed by the application in the command line when YARA signatures are detected.

  • Offset – Offset in the object scanned by Kaspersky Endpoint Agent.
  • Data – Signatures searched by Kaspersky Endpoint Agent during scanning.
  • Object Name – The name of the scanned object.
  • Rule Name – The name of the rule used during scan.


Creating a memory dump

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can create a memory dump for the computer on which Kaspersky Endpoint Agent is installed.

Before creating the memory dump, we recommend terminating processes of critical applications. After creating the memory dump, we recommend restarting the computer for which the memory dump was created.

To create a memory dump using the Kaspersky Endpoint Agent command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter the command:

    agent.exe --memory-dump --path=<path to local or network folder where you want to save the memory dump> [--user=<user name> --pwd=<password>]

    The user name and password are required if a folder for storing the memory dump is password protected.

    Be sure that write access is granted for the folder where the memory dump will be stored. Otherwise, the dump file will not be created.

  4. Press ENTER.

    In the specified folder, Kaspersky Endpoint Agent creates a memory dump with the name MemoryDump_<host name>_<date and time when the file began to be written>.dmp.

    Command parameters for creating a memory dump

    Parameter

    Description

    --path

    Required parameter. This parameter passes the full path to the local or network folder where the application will store the memory dump.

    The name of a network folder must be in UNC format.


    --user

    This parameter passes the user name for accessing the folder specified by the --path parameter.

    If this parameter is missing, the SYSTEM account must have access to the folder.

    --pwd

    This parameter passes the password for accessing the folder specified by the --path parameter.

    If this parameter is missing, the SYSTEM account must have access to the folder.

Return codes of the --memory-dump command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.

Kaspersky Endpoint Agent does not encrypt or compress the memory dump file. If necessary, you can use third-party tools to encrypt and compress the folder where the memory dump is stored.

The SMB 3 (or higher) protocol must be configured in order for Kaspersky Endpoint Agent to save the memory dump file to the folder in encrypted form.


Creating a disk dump

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can create a dump of a physical or logical disk of the computer on which Kaspersky Endpoint Agent is installed.

To create a disk dump using the Kaspersky Endpoint Agent command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter the command:

    agent.exe --disk-image --volume=<disk name> [--format=<file format, RAW or EWF>] [--max-size=<size in bytes>] [--segment-size=<size in bytes>] --path=<path to a local or network folder where you want to save the disk dump> [--user=<user name> --pwd=<password>]

    The user name and password are required if the folder for storing the disk dump is password protected.

    Be sure that write access is granted for the folder where the disk dump will be stored. Otherwise, the dump file will not be created.

  4. Press ENTER.

    In the specified folder, Kaspersky Endpoint Agent creates a disk dump file with a name in the format <disk name>_<date and time when the file started to be written>.<extension>.

    The disk dump file extension may be the following:

    • If the RAW format was specified in the command to create the disk dump (--format=RAW):
      • If the disk dump is not split (the --segment-size parameter is omitted), then the disk dump file has the raw extension;
      • If the disk dump is split (the --segment-size parameter is specified), then the parts of the dump have the extensions 001, 002, 003, etc. up to 999.
    • If the EWF format was specified in the command to create the disk dump (--format=EWF):
      • If the disk dump is not split (the --segment-size parameter is omitted), then the disk dump file has the extension E01;
      • If the disk dump is split (the --segment-size parameter is specified), then the parts of the dump have the extensions E01, E02, ..., E99; EAA, EAB, ..., EAZ; FAA, FAB, ..., FZZ, <...>; ZAA, ZAB, ..., ZZZ.

    Command parameters for creating a disk dump

    Parameter

    Description

    --volume

    Required parameter. This parameter passes the number of the physical disk or the name of the logical disk for which the dump will be created.

    The format for the physical disk number is: \??\PHYSICALDRIVEN or PHYSICALDRIVEN, where N is the disk number. For example: \??\PHYSICALDRIVE0, PHYSICALDRIVE1.

    Format of the name of the logical disk: N:, where N is the letter designation of the logical disk. For example, C:.

    If you create a dump file for a logical disk used to boot the operating system, use the %SystemDrive% variable as the disk name.

    --format

    This parameter passes the format for the file with the disk dump. Possible values: RAW or EWF.

    If the parameter is omitted, the application creates a disk dump in the RAW format.

    --max-size

    This parameter passes the maximum allowed size of the disk dump in bytes.

    If this parameter is omitted, the application creates a disk dump with a maximum size of 1,099,511,627,776 bytes.

    --segment-size

    This parameter passes the maximum size of a part of the disk dump in bytes. The part size must be larger than 33,554,432 bytes.

    If the parameter is specified, the application splits the disk dump into parts of the specified size and adds them to an archive. The size of the archived dump parts is less than the value specified using the parameter.

    If the parameter is omitted, the application does not split the disk dump into parts.

    --path

    Required parameter. This parameter passes the full path to the local or network folder where the application stores the disk dump.

    The name of a network folder must be in UNC format.

    --user

    This parameter passes the user name for accessing the folder specified by the --path parameter.

    If the parameter is omitted, the SYSTEM account must have access to the folder where the disk dump will be stored.

    --pwd

    This parameter passes the password for accessing the folder specified by the --path parameter.

    If the parameter is omitted, the SYSTEM account must have access to the folder where the disk dump will be stored.

Return codes of the --disk-image command:

  • -1 – command is not supported.
  • 0 – command successfully executed.
  • 1 – required argument is not passed to the command.
  • 2 – general error.
  • 4 – syntax error.

Kaspersky Endpoint Agent does not encrypt or compress the disk dump file. If necessary, you can use third-party tools to encrypt and compress the folder where the disk dump is stored.

The SMB 3 (or higher) protocol must be configured in order for Kaspersky Endpoint Agent to save the disk dump file to the folder in encrypted form.
