Contents
- Managing Kaspersky Endpoint Agent using the command line interface
- Managing Kaspersky Endpoint Agent activation
- Managing Kaspersky Endpoint Agent authentication
- Configuring tracing
- Configuring creating a dump of Kaspersky Endpoint Agent processes
- Viewing information about quarantine settings and quarantined objects
- Actions on quarantined objects
- Managing integration settings with KATA Central Node component
- Running Kaspersky Endpoint Agent database and module update
- Starting, stopping and viewing the current application status
- Protecting the application with password
- Protecting application services with PPL technology
- Managing self-defense settings
- Managing event filtering
- Managing Standard IOC Scan tasks
- Managing scanning of files and processes according to YARA rules
- Managing scanning of autorun point objects according to YARA rules
- Creating a memory dump
- Creating a disk dump
Managing Kaspersky Endpoint Agent using the command line interface
This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
Kaspersky Endpoint Agent can be managed using the command line interface. The functionality of the command line interface is provided by the Agent.exe utility. The Agent.exe utility is included in the Kaspersky Endpoint Agent distribution kit and is installed on each device together with Kaspersky Endpoint Agent. It is installed in the %ProgramFiles%\Kaspersky Lab\Endpoint Agent folder (if a 32-bit operating system is used on the device) or in the %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent folder (if a 64-bit operating system is used on the device).
Example: If the device has the x64 Windows operating system installed and you select the C drive as the installation location for Kaspersky Endpoint Agent, the Agent.exe utility will be placed in the following folder:
C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent
To manage Kaspersky Endpoint Agent using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Type the following command and press ENTER:
agent.exe --<application setting you want to configure>=<action on the setting you want to execute>
The command execution result (return code) will be displayed.
To display help on all the application settings and their possible values, run the following command:
agent.exe --help
Managing Kaspersky Endpoint Agent activation
To manage application activation through the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter one of the following commands and press ENTER:
  - To activate the application using the activation code or key file:
agent.exe --license=add <activation code or path to the key file>
To activate the application using the activation code, the protected device must be connected to the Internet.
  - To specify an additional key to automatically renew the license:
agent.exe --license=reserve <activation code or path to the key file>
  - To remove an added primary or additional key:
agent.exe --license=delete <key serial number>
  - To view the status of added keys:
agent.exe --license=show
Return codes of the --license command:
- -305 – the added key has expired.
- 2 – undefined application error.
- -302 – the added key is in the deny list.
- -301 – the added key is not suitable to activate Kaspersky Endpoint Agent.
- -303 – key file is damaged.
- 4 – syntax errors.
- -304 – invalid path to the key file has been specified.
Managing Kaspersky Endpoint Agent authentication
To manage application authentication using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
agent.exe --proxy={enable|disable|show} --mode={auto|custom} --server=<proxy server address> --port=<port number> --use-auth={yes|no} --proxy-user=<user name> --proxy-password=<user password> --bypass-local={yes|no}
The authentication parameters are described in the following table (the parameters are listed in the order in which they appear in the command).
Authentication parameters
Parameter | Description
--proxy={enable|disable|show} | Required parameter. This parameter controls the connection to the proxy server. The specified proxy server will be used to work with Kaspersky Security Network and to update databases. The settings of the specified proxy server can be used for integration with other statistics collection systems. The use of the specified proxy server must be separately enabled in the integration settings.
--mode={auto|custom} | Required parameter. This parameter sets the proxy server configuration mode.
--server=<proxy server address> | Required parameter.
--port=<port number> | Required parameter.
--use-auth={yes|no} | Optional parameter.
--proxy-user=<user name> | Optional parameter.
--proxy-password=<user password> | Optional parameter.
--bypass-local={yes|no} | Optional parameter.
Configuring tracing
Kaspersky Endpoint Agent does not automatically create a folder for storing trace or dump files on the device. Specify a folder that is already available on the device.
To configure tracing in Kaspersky Endpoint Agent using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter one of the following commands and press ENTER:
agent.exe --trace=enable --folder <path to the folder where the trace files are to be saved>
enables tracing. Tracing will be enabled for all Kaspersky Endpoint Agent processes that are currently running. Trace files will be created in the folder you specified.
Make sure that the specified folder is available on the managed device. Otherwise, trace files will not be created.
agent.exe --trace=enable --folder <path to the folder where the trace files are to be saved> --rotation=yes --rotate-file-size=<maximum file size, MB> --rotate-files-count=<maximum number of files>
enables tracing with overwriting of old trace files once the specified size and number of trace files are reached. The specified limit on the number of files is applied separately for each Kaspersky Endpoint Agent process being debugged, so the total number of files for all processes may exceed the specified value. If you do not specify the --rotate-file-size or --rotate-files-count parameters (one or both) together with the --rotation=yes parameter, the application uses the default values. The default value is 1 file of 50 MB.
agent.exe --trace=disable
disables tracing. Tracing will be disabled for all Kaspersky Endpoint Agent processes that are currently running.
agent.exe --trace=show
shows the current tracing status and the path to the folder where trace files are saved. The values of the trace.enable (true if tracing is enabled, false if tracing is disabled) and trace.folder (path to the folder) settings will be displayed.
Return codes of the --trace command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
- 5 – object not found (the specified path to the tracing logs folder is not found).
- 9 – invalid operation (for example, an attempt to execute the --trace=disable command if tracing is already disabled).
Configuring creating a dump of Kaspersky Endpoint Agent processes
To configure the creation of dump files of Kaspersky Endpoint Agent processes using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter one of the following commands and press ENTER:
agent.exe --dump=enable --folder <path to the folder where you want to create dump files>
enables the creation of dump files of Kaspersky Endpoint Agent processes. Creation of dump files will be enabled for all Kaspersky Endpoint Agent processes that are currently running. Dump files will be created in the folder you specified.
Make sure that the specified folder is available on the managed device. Otherwise, dump files will not be created.
agent.exe --dump=disable
disables dump creation. Creation of dump files will be disabled for all Kaspersky Endpoint Agent processes that are currently running.
agent.exe --dump=show
shows the current dump creation status and the path to the folder with the dump files. The values of the dump.enable (true if creation of dump files is enabled, false if creation of dump files is disabled) and dump.folder (path to the folder) settings will be displayed.
Return codes of the --dump command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
- 5 – object not found (unable to find the specified path to the dump files folder).
- 9 – invalid operation (for example, an attempt to execute the --dump=disable command if the creation of dumps is already disabled).
Viewing information about quarantine settings and quarantined objects
To view information about the quarantine settings and quarantined objects using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter one of the following commands and press ENTER:
agent.exe --quarantine=show [--pwd=<current user password>]
shows a list of quarantined objects.
The following information will be displayed for all objects in the Quarantine folder on devices (the Quarantine folder is specified when quarantine settings are configured):
- Identifiers of objects quarantined so far (ouid parameter).
- Names of quarantined objects (name + extension).
- Date and time when the object was quarantined (UTC).
- Original path to the quarantined file and default path for restoring the quarantined file (without file name).
- Size of quarantined file (in bytes).
- Account of the user whose permissions were used to run the task to quarantine the file.
- Object status:
  DETECT, if the file was quarantined by EPP or while performing actions in response to a threat detected by Kaspersky Sandbox (for example, as a result of the Quarantine and delete local action or the Quarantine and delete when IOC is found global action).
  CUSTOM, if the file was quarantined manually as a result of execution of the --quarantine=add command.
- The way the file was quarantined:
  AUTOMATIC_<name of the application that detected a threat in the quarantined file>, if the file was quarantined by EPP or as part of the response to a threat detected by Kaspersky Sandbox (for example, as a result of the Quarantine and delete local action or the Quarantine and delete when IOC is found global action).
  BY USER, if the file was quarantined manually as a result of execution of the --quarantine=add command.
agent.exe --quarantine=limits
shows the current values of the Maximum Quarantine size (MB) and Threshold value for space available (MB) settings, as well as the statuses of applying these settings (check box statuses) specified when configuring the quarantine.
Return codes of the --quarantine command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
Actions on quarantined objects
To perform actions on quarantined objects in Kaspersky Endpoint Agent using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Do one of the following and press ENTER:
  - To permanently delete quarantined objects, execute the following command:
agent.exe --quarantine=delete --ouid=<comma-separated quarantined object identifiers> [--pwd=<current user password>]
The --ouid parameter is required. Objects with the specified identifiers will be deleted from the Quarantine folder specified when quarantine settings are configured.
  - To restore objects from quarantine, execute the following command:
agent.exe --quarantine=restore --ouid=<comma-separated quarantined object identifiers> [--path-type=<original|custom|settings> --path=<path to the destination folder for restored objects>] [--action=<replace|rename>] [--pwd=<current user password>]
The --ouid parameter is required. The --path-type and --action parameters are optional. The --path parameter is required if the --path-type parameter is passed with the custom value.
  - To quarantine an object, execute one of the following commands:
agent.exe --quarantine=add --file=<full path to the object you want to quarantine> [--pwd=<current user password>]
agent.exe --quarantine=add --hash=<hash of the object you want to quarantine> --hashalg=<md5|sha256> [--file=<path to the folder with the object that you want to quarantine>] [--pwd=<current user password>]
In the second form, the --hash and --hashalg parameters are required because the full path to the object is not specified.
Command parameters when performing actions on quarantined objects
Parameter
Description
--ouid=<comma-separated quarantined object identifiers>
Required parameter. The parameter passes a unique numeric (int64) identifier of the quarantined object. Displayed when viewing information about quarantined objects (command --quarantine=show).
--path-type=<original|custom|settings>
The parameter describes the logic for destination folder selection when restoring objects from quarantine.
- If the parameter is not passed, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
- If the parameter is passed with the original value, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
- If the parameter is passed with the settings value, the object will be restored to the folder specified when quarantine settings were configured. If the folder is not available, the task fails.
- If the parameter is passed with the custom value, the object will be restored to the folder whose path is specified as the value of the --path parameter. If the folder is not available, the task fails.
--path=<path to the destination folder for restored objects>
Required parameter if the --path-type parameter is passed with the custom value. This parameter defines the path to a folder for objects restored from quarantine if you do not want to use the folder where the object was located before being quarantined or the folder specified when quarantine settings were configured.
--action=<replace|rename>
This parameter defines the action that you want to perform on the object if the destination folder for restored objects already contains a file with the same name as the file you are restoring from quarantine.
- If the parameter is not passed, the restored object will be renamed: the _restored suffix will be added to the original object name.
- If the parameter is passed with the rename value, the restored object will be renamed: the _restored suffix will be added to the original object name.
- If the parameter is passed with the replace value, the original object will be replaced with the restored object.
--file=<full path to the object you want to quarantine>
Required parameter if the --hashalg parameter is not passed. This parameter defines the full path to the object that you want to quarantine.
--hashalg=<md5|sha256>
Required parameter if the --file parameter is not passed and the full path to the object you want to quarantine is not specified. The parameter defines the hashing algorithm used to calculate the checksum of the object you want to quarantine. The parameter can be passed with one of the following values: md5 or sha256.
--hash=<file checksum>
Required parameter if the --hashalg parameter is passed. The parameter defines the checksum of the object you want to quarantine.
--file=<folder that contains the file>
Required parameter if the --hashalg parameter is passed. This parameter specifies the path to the folder that contains the object that you want to quarantine and whose hash is specified as the value of the --hash parameter.
--pwd=<current user password>
Allows you to specify the password of the user whose account is used to execute the command.
Return codes of the --quarantine command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
Managing integration settings with KATA Central Node component
To manage the integration settings of Kaspersky Endpoint Agent with the KATA Central Node component using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
agent.exe --message-broker=<enable|disable|show> --type=<kata> --use-proxy={yes|no} --compression=<yes|no> --partitioning-strategy=<automatic|user> [--message-key=<message key> --topic=<topic> --partition=<user specific partition>] --tls=<yes|no> --servers=<address>:<port>[;<address>:<port>[; …]] [--timeout=<maximum response timeout of KATA server>] [--pinned-certificate=<full path to the TLS certificate file>] [--client-certificate=<full path to the certificate file>] --client-password=<password for the PFX archive> --sync-period=<interval for sending synchronization requests>
The --message-broker command parameters when managing the integration settings between Kaspersky Endpoint Agent and the KATA Central Node component
Parameter
Description
--message-broker=<enable|disable|show>
Required parameter. Allows you to enable, disable, and view the status of the integration between Kaspersky Endpoint Agent and the KATA Central Node component.
- --message-broker=<enable> – enables integration.
- --message-broker=<disable> – disables integration.
- --message-broker=<show> – displays the integration status of Kaspersky Endpoint Agent with the KATA Central Node component.
--type=<kata>
Required parameter. Allows you to specify the KATA Central Node component in order to manage the integration settings of Kaspersky Endpoint Agent with that component.
--use-proxy={yes|no}
Required parameter. Allows you to enable or disable proxy server usage in the message broker to send messages to KATA.
--compression=<yes|no>
Optional parameter. Allows you to enable or disable the compression of data transferred between Kaspersky Endpoint Agent and KATA Central Node. Enabled by default.
--tls=<yes|no>
Optional parameter. Allows you to enable or disable a trusted connection between Kaspersky Endpoint Agent and the KATA Central Node component.
- --tls=<yes> – enables trusted connection.
- --tls=<no> – disables trusted connection.
--servers=<address>:<port>[;<address>:<port>[; …]]
Required parameter. Allows the addition of one or more KATA servers. Kaspersky Endpoint Agent connects to the first server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second server, and so on down the list.
--timeout=<maximum response timeout of KATA server>
Optional parameter. Allows you to set the maximum response timeout of the KATA server in milliseconds.
--pinned-certificate=<full path to the TLS certificate file>
Required parameter if the --tls parameter is passed with the <yes> value. Allows you to add a TLS certificate for connecting Kaspersky Endpoint Agent to the KATA server.
--client-certificate=<full path to the certificate file>
Allows you to add a user certificate for connecting Kaspersky Endpoint Agent to the KATA server.
--client-password=<password for the PFX archive>
Allows you to enter a password for the PFX archive that contains the user certificate for connecting Kaspersky Endpoint Agent to the KATA server.
--sync-period=<interval for sending synchronization requests>
Allows you to specify the time interval for sending synchronization requests for Kaspersky Endpoint Agent settings and tasks with the KATA Central Node.
--throttling=<yes|no>
Allows you to enable or disable request throttling. The request throttling feature restricts the flow of events with low importance from Kaspersky Endpoint Agent to the Central Node component.
--event-limit=<number of events per hour>
Allows you to specify the maximum number of events per hour. The application analyzes the telemetry data flow and restricts transmission of events with low importance if the number of transmitted events tends to exceed the specified value.
--exceed-limit=<threshold value>
Allows you to specify the threshold for exceeding the limit of events. If the flow of events with low importance of the same type exceeds the threshold percentage of the total number of events, the transmission of events of this type will be restricted. You can specify a value from 5 to 100 (without the % character).
Running Kaspersky Endpoint Agent database and module update
To update the Kaspersky Endpoint Agent application database and modules using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
agent.exe --update=bases|modules [--source=<addresses of custom database update sources separated by semicolons without spaces>|kl|ksc]
Command parameters when running Kaspersky Endpoint Agent database update
Parameter
Description
--update=bases|modules
Required parameter. Allows you to specify the type of update:
- --update=bases starts the application database update.
- --update=modules starts the application module update.
--source=<addresses of custom database update sources>|kl|ksc
Optional parameter. Allows you to select a database update source.
- --source=<addresses of custom database update sources> selects the Custom HTTP or FTP servers or network folders option as the database update source and specifies the path to the network folder or the IP, FTP or HTTP address of the server from which the application downloads database updates. You can specify several addresses of custom database update sources, separated by semicolons without spaces (";"). The application will download updates from the first available database update source. If no addresses are available, the task will fail.
- --source=kl selects the Kaspersky update servers option as the database update source. If the servers are not available, the task will fail.
- --source=ksc selects the Kaspersky Security Center Administration Server option as the database update source. If the Administration Server is not available, the task will fail.
Return codes of the --update=bases command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
- 8 – permission error.
- 200 – all objects are valid.
- -206 – update files are not available in the specified database update source or have an unknown format.
- -209 – error connecting to the database update source.
- -232 – error connecting to the proxy server.
- -234 – error connecting to Kaspersky Security Center.
- -236 – application databases are corrupted.
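As an added example (not Kaspersky's code and not part of this Help), the following PowerShell script runs the database update from an elevated session and walks the update sources in order, moving to the next source only when the documented return code blames the source or the path to it. It assumes that agent.exe reports the documented return code as its process exit code, and the custom source addresses are placeholders.

```powershell
# Added example, not Kaspersky's own code: run the Kaspersky Endpoint Agent database
# update through agent.exe and fall back to the next update source when the
# documented return code says the source itself was the problem.
#
# Assumptions (labelled): agent.exe exposes the documented return code as its process
# exit code, and the custom source addresses below are placeholders for your own
# HTTP/FTP mirrors.

# Install folder: 64-bit Windows uses %ProgramFiles(x86)%, 32-bit uses %ProgramFiles%.
$AgentDir = if (${env:ProgramFiles(x86)}) {
    Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\Endpoint Agent'
} else {
    Join-Path $env:ProgramFiles 'Kaspersky Lab\Endpoint Agent'
}
$AgentExe = Join-Path $AgentDir 'agent.exe'

# Return codes documented for --update=bases.
$ReturnCodes = @{
    (-1)   = 'command is not supported'
    (0)    = 'command successfully executed'
    (1)    = 'required argument is not passed to the command'
    (2)    = 'general error'
    (4)    = 'syntax error'
    (8)    = 'permission error'
    (200)  = 'all objects are valid'
    (-206) = 'update files are not available in the specified database update source or have an unknown format'
    (-209) = 'error connecting to the database update source'
    (-232) = 'error connecting to the proxy server'
    (-234) = 'error connecting to Kaspersky Security Center'
    (-236) = 'application databases are corrupted'
}

# Codes that point at the update source (or the path to it); only these justify trying another source.
$SourceFailures = @(-206, -209, -232, -234)

function Test-IsElevated {
    # agent.exe has to be run with local administrator permissions.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-KeaBasesUpdate {
    param([Parameter(Mandatory)][string]$Source)   # 'kl', 'ksc' or 'host1;host2' (no spaces)

    # Run agent.exe from its own folder, as the procedure in this section does.
    Push-Location $AgentDir
    try {
        & $AgentExe --update=bases "--source=$Source" | Out-Null
        $code = $LASTEXITCODE
    } finally {
        Pop-Location
    }

    $message = if ($ReturnCodes.ContainsKey($code)) { $ReturnCodes[$code] } else { 'undocumented return code' }
    return [pscustomobject]@{ Source = $Source; Code = $code; Message = $message }
}

function Update-KeaBasesWithFallback {
    # Order matters: the internal mirror first, then Kaspersky servers, then the
    # Administration Server. The mirror addresses are placeholders.
    param([string[]]$Sources = @('updates.example.internal;mirror.example.internal', 'kl', 'ksc'))

    if (-not (Test-IsElevated)) { throw 'Run this script from an elevated PowerShell session.' }
    if (-not (Test-Path $AgentExe)) { throw "agent.exe not found under $AgentDir" }

    $result = $null
    foreach ($src in $Sources) {
        $result = Invoke-KeaBasesUpdate -Source $src
        if ($result.Code -eq 0) { break }                        # success: stop here
        if ($SourceFailures -notcontains $result.Code) { break } # not a source problem: another source will not help
        Write-Warning ("Update from '{0}' failed: {1} ({2}). Trying the next source." -f $src, $result.Message, $result.Code)
    }
    return $result
}

$outcome = Update-KeaBasesWithFallback
if ($outcome.Code -eq 0) {
    Write-Output ("Databases updated from '{0}'." -f $outcome.Source)
} else {
    Write-Error ("Database update failed from '{0}': {1} ({2})." -f $outcome.Source, $outcome.Message, $outcome.Code)
}
```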
Starting, stopping and viewing the current application status
To start, stop, or view the current Kaspersky Endpoint Agent status using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
agent.exe --product=<start|stop|state> [--pwd=<current user password>]
Command parameters when starting, stopping, and viewing the current state of Kaspersky Endpoint Agent
Parameter
Description
--product=<start|stop|state>
Allows you to start, stop, or view the current application status.
- --product=<start> – starts the application.
- --product=<stop> – stops the application. If password protection is configured for the application, a password is required to execute the --product=<stop> command.
- --product=<state> – displays the current state of the application: started or stopped.
--pwd=<current user password>
Allows you to specify the password of the user whose account is used to execute the command.
Return codes of the --product=<start|stop|state> command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
- 8 – permission error.
- 9 – invalid operation (for example, an attempt to execute the --product=start command if the application is already running).
Protecting the application with password
To restrict Kaspersky Endpoint Agent's operations that might result in a decrease in the protection level of the user's computer and the data processed on that computer, as well as a decrease in the application's self-defense level, it is necessary to password protect the application.
The password is required to execute the following commands in Kaspersky Endpoint Agent command line interface:
--sandbox=disable
--sandbox=show
--sandbox=enable --tls=no
--sandbox=enable --pinned-certificate=<full path to the TLS certificate file for connecting Kaspersky Endpoint Agent to Kaspersky Sandbox>
--quarantine=delete --ouid
--quarantine=show
--quarantine=restore
--quarantine=add
--product=stop
--password=reset
--isolation=disable
--prevention=disable
--selfdefense
--license=delete
--message-broker --type=kata <settings>
--event --action=enable
--event --action=disable
To enter the password, use the --pwd=<current user password> parameter.
The password is also required when performing the following actions on the application:
- Application uninstallation and remote application uninstallation using Kaspersky Security Center
- Application update (upgrade)
- Application repair (repair)
- Operations in the application installation wizard
- Operations in the command line interface
After enabling password protection and applying the Kaspersky Security Center policy, the same password is applied to all devices in the Kaspersky Endpoint Agent managed group.
After disabling password protection in the policy, the password protection settings are retained for the local device and can be edited.
The password is stored in the application settings in encrypted form (as a checksum).
To configure Kaspersky Endpoint Agent password protection using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter one of the following commands and press ENTER:
  - agent.exe --password=state – to view the current password protection status of the application.
  - agent.exe --password=set --pwd=<current user password> --new=<new user password> – to set a new user password.
  - agent.exe --password=reset --pwd=<current user password> – to reset the user password.
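The --product commands and the password-protected commands above are usually driven from administrative scripts; this added example (not Kaspersky code) wraps agent.exe so that the page's list of password-protected commands and its return codes are applied consistently, and so that --pwd values never reach a log. AGENT_EXE is the page's default 64-bit install folder; the helper names and the treatment of agent.exe output as opaque text are assumptions made here.

```python
"""Wrapper for running agent.exe from an administrative script.

Added example, not part of Kaspersky Endpoint Agent or its documentation. It encodes
two facts from the page: which commands require --pwd when password protection is
enabled, and the documented return codes. The helper names, the argv layout and the
treatment of agent.exe output as opaque text are assumptions made here.
"""
import subprocess
from pathlib import Path

# Default 64-bit install path from the page; use %ProgramFiles% on 32-bit systems.
AGENT_EXE = Path(r"C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe")

# Union of the return codes documented for the agent.exe commands on the page.
RETURN_CODES = {
    -1: "command is not supported",
    0: "command successfully executed",
    1: "required argument is not passed to the command",
    2: "general error",
    4: "syntax error",
    5: "one or more files with YARA rules specified as the parameter value not found",
    8: "permission error",
    9: "invalid operation (for example, --product=start when the application is already running)",
}

# Commands the page lists as requiring --pwd when password protection is configured.
PROTECTED_EXACT = {
    "--sandbox=disable", "--sandbox=show",
    "--quarantine=delete", "--quarantine=show", "--quarantine=restore", "--quarantine=add",
    "--product=stop", "--password=reset", "--isolation=disable", "--prevention=disable",
    "--license=delete", "--message-broker",
}
SECRET_PREFIXES = ("--pwd=", "--new=")


def needs_password(argv):
    """True if argv carries a command from the page's password-protected list.

    Two entries are conditional on the page: --sandbox=enable only with --tls=no or
    --pinned-certificate=<file>, and --event only with --action=enable|disable.
    """
    args = list(argv)
    for arg in args:
        if arg in PROTECTED_EXACT or arg.startswith("--selfdefense"):
            return True
        if arg == "--sandbox=enable" and (
            "--tls=no" in args or any(a.startswith("--pinned-certificate=") for a in args)
        ):
            return True
        if arg.startswith("--event") and ("--action=enable" in args or "--action=disable" in args):
            return True
    return False


def redact(argv):
    """Mask --pwd= and --new= values so the command line can be logged or displayed safely."""
    return [a.split("=", 1)[0] + "=***" if a.startswith(SECRET_PREFIXES) else a for a in argv]


def describe(code):
    """Human-readable meaning of an agent.exe return code (unknown codes are reported as such)."""
    return RETURN_CODES.get(code, f"undocumented return code {code}")


def build_command(args, password=None, agent=AGENT_EXE):
    """Assemble argv: agent.exe, the command arguments, then --pwd=<password> last.

    The password is appended here so that `args` never has to contain it; pass it
    whenever needs_password(args) is true and password protection is enabled.
    """
    argv = [str(agent), *args]
    if password is not None:
        argv.append(f"--pwd={password}")
    return argv


def run_agent(args, password=None, agent=AGENT_EXE):
    """Run agent.exe and return (code, meaning, output). Only the redacted argv is printed."""
    argv = build_command(args, password, agent)
    print("running:", " ".join(redact(argv)))
    proc = subprocess.run(argv, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    # The page does not say which code a missing password yields, so only hint (assumption).
    if proc.returncode != 0 and needs_password(args) and password is None:
        output += "\nhint: this command is password protected on the page; --pwd may be required"
    return proc.returncode, describe(proc.returncode), output


if __name__ == "__main__":
    # The status checks a defender runs first: is the agent running, is PPL on, is a password set?
    for command in (["--product=state"], ["--ppl=show"], ["--password=state"]):
        code, meaning, out = run_agent(command)
        print(code, meaning, out.strip())
```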
Protecting application services with PPL technology
The protection of application services using the Protected Process Light (PPL) technology is implemented in Kaspersky Endpoint Agent.
The protection of application services using the Protected Process Light (PPL) technology is only available on the following operating systems:
- For workstations: Windows 10 version 1703 RS2 and above
- For servers: Windows Server 2016 version 1709 and above
Processes that are running with the PPL flag cannot be stopped or changed by other processes without the PPL flag.
Usage of the PPL flag for the application services allows you to protect the services from malicious external influences and attempts to compromise the application.
To configure protection of application services by the PPL technology using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter one of the following commands and press ENTER:
  - agent.exe --ppl=show [--pwd=<current user password>] – shows the current status of application services protection by the PPL technology.
  - agent.exe --ppl=disable [--pwd=<current user password>] – disables application services protection by the PPL technology.
Return codes of the --ppl command:
- 0 – command successfully executed.
- 2 – general error.
- 4 – syntax error.
- 8 – permission error.
Managing self-defense settings
To manage self-defense settings using the Kaspersky Endpoint Agent command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
  agent.exe --selfdefense=<enable|disable>
Managing event filtering
To manage event filtering using the Kaspersky Endpoint Agent command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
  agent.exe --event=<createprocess|loadimage|registry|network|eventlog|filechange|accountloggon|codeinjection|wmiactivity> --action=<enable|disable|show>
Managing Standard IOC Scan tasks
Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.
Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
To create and configure a Standard IOC Scan task using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
  agent.exe --scan-ioc {[--path=<path to the folder with IOC files>] | [<full path to the IOC file>]} [--process=no] [--hint=<full path to the process executable file|full path to the file>] [--registry=no] [--dnsentry=no] [--arpentry=no] [--ports=no] [--services=no] [--system=no] [--users=no] [--volumes=no] [--eventlog=no] [--datetime=<event publication date>] [--channels=<list of channels>] [--files=no] [--network=no] [--url=no] [--drives=<all|system|critical|custom>] [--excludes=<list of exclusions>] [--scope=<configurable list of folders>] [--retro]
If the --scan-ioc command is passed with only the required parameters, Kaspersky Endpoint Agent will perform the scan with the default settings. If the --scan-ioc command is passed together with the two required parameters (--path=<path to the folder with IOC files> and <full path to the IOC file>), Kaspersky Endpoint Agent scans the submitted IOC files.
Command parameters for running and configuring Standard IOC Scan tasks
- --scan-ioc – Required parameter. Starts the Standard IOC Scan tasks on the device.
- --path=<path to the folder with IOC files> – Path to the folder with the IOC files that you want to scan. Required parameter if the <full path to the IOC file> parameter is not specified.
- <full path to the IOC file> – Full path to the IOC file, with ioc or xml extension, that you want to scan. A required parameter if the --path=<path to the folder with IOC files> parameter is not specified. Passed without the --path argument.
- --process=<no> – Optional parameter. This parameter disables the analysis of process data during scans. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent does not consider the processes running on the device during scanning. If the IOC file contains IOC terms of the ProcessItem IOC document, they are ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only scan the process data if the ProcessItem IOC document is described in the IOC file submitted for scanning.
- --hint=<full path to the process executable file|full path to the file> – Optional parameter. This parameter allows you to narrow the scope of data analyzed while checking the ProcessItem and FileItem IOC documents by specifying a particular file. The parameter value can be set as <full path to the executable file of the process> (ProcessItem) or <full path to the file> (FileItem). This parameter can only be passed together with the --process=yes and --files=yes arguments.
- --dnsentry=no – Optional parameter. This parameter disables the analysis of data on records in the local DNS cache (DnsEntryItem IOC document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan the local DNS cache. If the IOC file contains the terms of the DnsEntryItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only scan the local DNS cache if the DnsEntryItem IOC document is described in the IOC file submitted for scanning.
- --arpentry=no – Optional parameter. This parameter disables the analysis of data in ARP table (ArpEntryItem document) records during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan the ARP table. If the IOC file contains the terms of the ArpEntryItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only scan the ARP table if the ArpEntryItem IOC document is described in the IOC file submitted for scanning.
- --ports=no – Optional parameter. This parameter disables the analysis of data on ports that are open for listening (PortItem document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan the table of active connections on the device. If the IOC file contains the terms of the PortItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only scan the table of active connections if the PortItem IOC document is described in the IOC file submitted for scanning.
- --services=no – Optional parameter. This parameter disables the analysis of data on services installed on the device (ServiceItem document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan data on services installed on the device. If the IOC file contains the terms of the ServiceItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only scan the data on services if the ServiceItem IOC document is described in the IOC file submitted for scanning.
- --volumes=no – Optional parameter. This parameter disables the analysis of volume data (VolumeItem document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan volume data on the device. If the IOC file contains the terms of the VolumeItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only scan the data on volumes if the VolumeItem IOC document is described in the IOC file submitted for scanning.
- --eventlog=no – Optional parameter. This parameter disables the analysis of data about Windows Event Log entries (EventLogItem document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not scan Windows Event Log entries. If the IOC file contains the terms of the EventLogItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only scan Windows Event Log entries if the EventLogItem IOC document is described in the IOC file submitted for scanning.
- --datetime=<event publication date> – Optional parameter. This parameter allows you to enable or disable accounting for the date and time when the event was registered in the Windows Event Log when determining the IOC scan area for the corresponding IOC document. During IOC scanning, Kaspersky Endpoint Agent will only process events that were registered within the time interval between the specified date and time and the task execution time. Kaspersky Endpoint Agent allows you to specify the event registration date as the parameter value. Scans will be performed only for events registered in the Windows Event Log between the specified date and the time when the IOC scan is performed. If the parameter is not passed, Kaspersky Endpoint Agent will scan events with any registration date. The TaskSettings::BaseSettings::EventLogItem::datetime parameter cannot be changed. This parameter is only used if the EventLogItem IOC document is described in the IOC file submitted for scanning.
- --channel=<list of channels> – Optional parameter. This parameter allows you to pass a list of the names of channels (logs) for which IOC scanning is required. If this parameter is passed, Kaspersky Endpoint Agent will only consider events published in the specified logs when performing the IOC Scan task. The name of the log is specified as a string based on the name of the log (channel) specified in the properties of this log (the Full Name parameter) or in the properties of the event (the <Channel></Channel> element in the XML schema of the event). By default (including in the case that the parameter is not passed), IOC scanning is performed for the Application, System, and Security channels. Several values, separated by spaces, can be passed to the parameter. This parameter is only used if the EventLogItem IOC document is described in the IOC file submitted for scanning.
- --system=no – Optional parameter. This parameter disables the analysis of environmental data (SystemInfoItem IOC document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not analyze environmental data. If the IOC file contains the terms of the SystemInfoItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only analyze environmental data if the SystemInfoItem IOC document is described in the IOC file submitted for scanning.
- --users=no – Optional parameter. This parameter disables the analysis of user data (UserItem IOC document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not analyze the data on users created in the system. If the IOC file contains the terms of the UserItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only analyze data on users created in the system if the UserItem IOC document is described in the IOC file submitted for scanning.
- --files=no – Optional parameter. This parameter disables the analysis of data on files (FileItem IOC document) during IOC scanning. If the parameter is passed with the <no> value, Kaspersky Endpoint Agent will not analyze data on files. If the IOC file contains the terms of the FileItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only analyze data on files if the FileItem IOC document is described in the IOC file submitted for scanning.
- --network=no – Optional parameter. This parameter enables threat lookup based on the Network IOC document during IOC scanning. If the <no> value is set for the parameter, Kaspersky Endpoint Agent does not perform threat lookup based on the Network IOC document. If the IOC file contains the terms of the Network IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent only enables threat lookup based on the Network IOC document if the Network IOC document is described in the IOC file submitted for scanning.
- --url=no – Optional parameter. This parameter enables threat lookup based on the UrlHistoryItem IOC document during IOC scanning. If the <no> value is set for the parameter, Kaspersky Endpoint Agent will not perform threat lookup based on the UrlHistoryItem IOC document. If the IOC file contains the terms of the UrlHistoryItem IOC document, they will be ignored (defined as no match). If the parameter is not passed, Kaspersky Endpoint Agent will only enable threat lookup based on the UrlHistoryItem IOC document if the UrlHistoryItem IOC document is described in the IOC file submitted for scanning.
- --drives=<all|system|critical|custom> – Optional parameter. This parameter allows you to specify the scope of the IOC scan when analyzing data for the FileItem IOC document. This parameter can have one of the following values:
  - <all> – the application scans all available file areas.
  - <system> – the application only scans files that are located in the folders where the operating system is installed.
  - <critical> – the application only scans temporary files that are located in user and system folders.
  - <custom> – the application only scans files that are located in the areas specified by the user.
  If the parameter is not passed, critical areas will be scanned.
- --excludes=<list of exclusions> – Optional parameter. This parameter allows you to specify exclusion scopes when analyzing data for the FileItem IOC document. Several values separated by space can be passed to the parameter. If the parameter is not passed, all folders will be scanned, with no exclusions.
- --scope=<configurable list of folders> – Optional parameter. This parameter becomes required if the --drives=custom parameter is passed. This parameter allows you to specify a list of scan areas. Several values separated by space can be passed to the parameter.
- --retro – Optional parameter. The parameter is used to start the task in retrospective scan mode. In addition to this parameter, you can specify the time interval within which the application will perform a retrospective IOC scan using the --start-time=<interval start date and time> and --end-time=<interval end date and time> parameters. Example:
  agent.exe --scan-ioc --path=<path to the folder with IOC files> --retro --start-time=2021-05-21T10:30:00Z --end-time=2021-05-24T10:30:00Z
  If the time interval is not specified, the default interval will be used, starting one day before the task was started and ending at the moment the task was launched.
Return codes of the --scan-ioc command:
- -1 – command is not supported by the Kaspersky Endpoint Agent version installed on the device.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
If the command was executed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the following data on the task execution results in the command line:
Data displayed by the application in the command line when an IOC is detected
- IOC file identifier from the header of the IOC file structure.
- IOC file description from the header of the IOC file structure.
- The list of identifiers of all triggered indicators.
- Data on each IOC document where a match was detected.
- Creation date of the file where indicators of compromise were detected.
- Only for FileItem. Creation time of the object where indicators of compromise were detected.
- Identifier of the process for which indicators of compromise were detected.
- Unique identifier of the process for which indicators of compromise were detected.
- Identifier of the parent object that contains the process for which indicators of compromise were detected.
- Name of the user who made changes to the object being scanned.
- Start time of the process for which indicators of compromise were detected.
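A pre-flight for the --scan-ioc parameters above, as an added example that is not Kaspersky's code: it assumes the IOC file follows the OpenIOC 1.0 layout (the page states only the ioc/xml extension and the IOC document names), uses a constructed sample IOC, and reports which terms the chosen --<area>=no switches would define as no match before assembling the command line, with the --retro default interval written out explicitly.

```python
"""Pre-flight for a --scan-ioc run.

Added example, not part of Kaspersky Endpoint Agent. It assumes the IOC file uses the
OpenIOC 1.0 layout (the page only says "ioc or xml extension" and names the IOC
document types). The sample IOC below is constructed and describes nothing real.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# IOC document -> the switch from the page that disables analysis of that document.
DISABLE_SWITCH = {
    "ProcessItem": "--process=no",
    "FileItem": "--files=no",
    "DnsEntryItem": "--dnsentry=no",
    "ArpEntryItem": "--arpentry=no",
    "PortItem": "--ports=no",
    "ServiceItem": "--services=no",
    "VolumeItem": "--volumes=no",
    "EventLogItem": "--eventlog=no",
    "SystemInfoItem": "--system=no",
    "UserItem": "--users=no",
    "Network": "--network=no",
    "UrlHistoryItem": "--url=no",
}

# Constructed sample: a file name, a DNS cache entry and a listening port, OR-ed together.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001"
     last-modified="2021-05-24T10:30:00">
  <short_description>Constructed sample IOC</short_description>
  <definition>
    <Indicator operator="OR" id="root">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">updater-helper.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="b" condition="contains">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">updates.example.invalid</Content>
      </IndicatorItem>
      <IndicatorItem id="c" condition="is">
        <Context document="PortItem" search="PortItem/localPort" type="mir"/>
        <Content type="int">4444</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def referenced_documents(ioc_xml):
    """Sorted IOC document names referenced by Context elements (namespace-agnostic)."""
    root = ET.fromstring(ioc_xml)
    docs = {el.get("document") for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Context"}
    docs.discard(None)
    return sorted(docs)


def ignored_documents(ioc_xml, switches):
    """IOC documents used by the file whose terms the given =no switches define as no match."""
    disabled = {doc for doc, sw in DISABLE_SWITCH.items() if sw in switches}
    return [doc for doc in referenced_documents(ioc_xml) if doc in disabled]


def build_scan_command(ioc_path=None, ioc_folder=None, switches=(), retro=False, days=1, now=None):
    """Assemble agent.exe argv following the page's --scan-ioc syntax.

    Exactly one of ioc_path (passed without --path) or ioc_folder (--path=) is used, and
    --drives=custom requires --scope as the page states. With retro=True the page's default
    interval (one day before the start, ending at the start) is written out explicitly.
    """
    if (ioc_path is None) == (ioc_folder is None):
        raise ValueError("pass exactly one of ioc_path or ioc_folder")
    switches = list(switches)
    if "--drives=custom" in switches and not any(s.startswith("--scope=") for s in switches):
        raise ValueError("--drives=custom requires --scope=<list of folders>")
    argv = ["agent.exe", "--scan-ioc", f"--path={ioc_folder}" if ioc_folder else ioc_path]
    argv.extend(switches)
    if retro:
        end = now or datetime.now(timezone.utc)
        start = end - timedelta(days=days)
        stamp = "%Y-%m-%dT%H:%M:%SZ"  # the timestamp form used in the page's --retro example
        argv += ["--retro", f"--start-time={start.strftime(stamp)}", f"--end-time={end.strftime(stamp)}"]
    return argv


if __name__ == "__main__":
    for doc in ignored_documents(SAMPLE_IOC, ["--dnsentry=no"]):
        print(f"warning: {doc} terms will be defined as no match because {DISABLE_SWITCH[doc]} is set")
    print(" ".join(build_scan_command(ioc_folder=r"C:\ioc", switches=["--dnsentry=no"], retro=True)))
```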
Managing scanning of files and processes according to YARA rules
YARA scanning is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan. Only the files with YARA rules can be specified for the YARA Scan task. Files with other types of rules are not supported for the YARA Scan task.
To run a YARA scan using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, you can type the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
  agent.exe --scan-yara [<path to the YARA file>] [--path=<path to the folder with YARA rules>] [--fast-scan] [--tag-hint=<rule tag>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--recursive] [--scan_folders [<list of folders to be scanned>]] [--scan-memory] [--scan-process <process name>] [--max-size=<file size in bytes>] [--excludes <list of objects to be scanned>] [--includes <list of objects to be scanned>]
If the --scan-yara command is passed with only the required parameters, Kaspersky Endpoint Agent will perform the scan with the default settings.
The scan parameters are described below.
Command parameters when starting and configuring YARA scan
- --scan-yara – Required parameter. Starts a YARA scan on the device. The scan is performed according to the rules in the YARA files with the yara or yar extension.
- --path=<path to the folder with YARA rules> – Path to the folder with the YARA files that you want to scan.
- --fast-scan, --tag-hint, --id-hint, --max-rules, --timeout, --recursive, --scan_folders, --scan-memory, --scan-process, --max-size, --excludes, --includes – Optional parameters.
Return codes of the --scan-yara command:
- -1 – command is not supported by the Kaspersky Endpoint Agent version installed on the device.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
- 5 – one or more files with YARA rules specified as the parameter value not found.
If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described below.
Data displayed by the application in the command line when YARA signatures are detected
- Offset in the object scanned by Kaspersky Endpoint Agent.
- Signatures searched by Kaspersky Endpoint Agent during scanning.
- The name of the scanned object.
- The name of the rule used during scan.
Managing scanning of autorun point objects according to YARA rules
YARA scanning of the autorun point objects is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan. Only files with YARA rules can be specified in the YARA Scan task for autorun point objects. Files with other types of rules are not supported for the YARA Scan task.
By default, scanning of objects according to YARA rules is performed for the following types of autorun points:
- Logon
- Run
- Explorer
- Shell
- Office
- Internet Explorer
- Tasks
- Services
- Drivers
- Telephony
- Cryptography
- Debuggers
- COM
- Session Manager
- Network
- LSA
- Applications
- Codecs
- Shellex
- Unspecified
To run a YARA scan of autorun points using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, you can type the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Run the following command and press ENTER:
  agent.exe --scan-yara [<path to the YARA file>] [--path=<path to the file with the YARA rules>] --scan-autoruns=yes [--fast-scan] [--tag-hint=<rule tag>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--max-size=<file size in bytes>] [--exclude-autoruns=COM]
If the --scan-yara --scan-autoruns command is passed with only the required parameters, Kaspersky Endpoint Agent performs a scan with the default settings.
The scan parameters are described below.
Command parameters when starting and configuring YARA scan
- --scan-yara – Required parameter. Starts a YARA scan for the autorun point files on the device. The scan is performed according to the rules in YARA files with the yara or yar extension.
- --path=<path to the file with the YARA rules> – Path to the folder with the YARA files that you want to use to search for autorun point files.
- --scan-autoruns=yes – Required parameter. This parameter accesses autorun points and scans objects for all types of autorun points according to the specified YARA rules.
- --fast-scan, --tag-hint, --id-hint, --max-rules, --timeout, --max-size – Optional parameters.
- --exclude-autoruns=COM – Optional parameter. The resulting lists of autorun points for COM objects may not contain component builds developed using .NET due to the special aspects of their registration in the system.
Return codes of the --scan-yara command:
- -1 – command is not supported by the Kaspersky Endpoint Agent version installed on the device.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
- 5 – one or more files with YARA rules specified as the parameter value not found.
If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described below.
Data displayed by the application in the command line when YARA signatures are detected
- Offset in the object scanned by Kaspersky Endpoint Agent.
- Signatures searched by Kaspersky Endpoint Agent during scanning.
- The name of the scanned object.
- The name of the rule used during scan.
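A pre-flight for the YARA scan parameters in this section and the previous one, as an added example that is not Kaspersky's code: it assumes --id-hint names a rule and --tag-hint names a rule tag, uses a constructed rule file, and checks the file extension, the hints and --max-rules before assembling either variant of the --scan-yara command line.

```python
"""Pre-flight for --scan-yara and --scan-yara --scan-autoruns=yes runs.

Added example, not part of Kaspersky Endpoint Agent. Assumptions made here: --id-hint
refers to a rule name and --tag-hint to a rule tag; the rule file below is constructed
and detects nothing real.
"""
import re
from pathlib import PurePath

# Matches a YARA rule header: optional private/global, the rule name, optional ": tag tag".
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)\s*(?::\s*([^{]+?))?\s*\{", re.M
)

SAMPLE_RULES = r"""
// Constructed sample rule set.
rule Autorun_Helper_Name : autorun dropper
{
    strings:
        $n = "updater-helper.exe" nocase
    condition:
        $n
}

private rule PE_Header : helper
{
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}

rule Service_Binary_Marker : autorun
{
    strings:
        $s = "constructed-marker-string" ascii
    condition:
        PE_Header and $s
}
"""


def parse_rules(text):
    """Return [(rule_name, [tags])] in file order."""
    return [(m.group(1), m.group(2).split() if m.group(2) else [])
            for m in RULE_HEADER.finditer(text)]


def preflight(rule_files, tag_hint=None, id_hint=None, max_rules=None):
    """Return a list of problems (empty means the run can proceed).

    rule_files maps a file name to its text, so the check runs without touching disk.
    The yara/yar extension requirement is the one the page states for --scan-yara.
    """
    problems, rules = [], []
    for name, text in rule_files.items():
        if PurePath(name).suffix.lower() not in (".yara", ".yar"):
            problems.append(f"{name}: extension must be yara or yar")
        rules.extend(parse_rules(text))
    names = {n for n, _ in rules}
    tags = {t for _, ts in rules for t in ts}
    if id_hint is not None and id_hint not in names:
        problems.append(f"--id-hint={id_hint}: no rule with that name")
    if tag_hint is not None and tag_hint not in tags:
        problems.append(f"--tag-hint={tag_hint}: no rule carries that tag")
    if max_rules is not None and len(rules) > max_rules:
        problems.append(f"--max-rules={max_rules}: rule set has {len(rules)} rules")
    return problems


def build_yara_command(rule_path=None, rule_folder=None, autoruns=False, exclude_com=False,
                       tag_hint=None, id_hint=None, max_rules=None, timeout=None):
    """Assemble argv following the page's syntax for both YARA scan variants."""
    if (rule_path is None) == (rule_folder is None):
        raise ValueError("pass exactly one of rule_path or rule_folder")
    argv = ["agent.exe", "--scan-yara", f"--path={rule_folder}" if rule_folder else rule_path]
    if autoruns:
        argv.append("--scan-autoruns=yes")
        if exclude_com:
            argv.append("--exclude-autoruns=COM")
    elif exclude_com:
        raise ValueError("--exclude-autoruns applies only to the autorun point scan")
    for flag, value in (("--tag-hint", tag_hint), ("--id-hint", id_hint),
                        ("--max-rules", max_rules), ("--timeout", timeout)):
        if value is not None:
            argv.append(f"{flag}={value}")
    return argv


if __name__ == "__main__":
    print(preflight({"rules.yar": SAMPLE_RULES}, tag_hint="autorun", max_rules=10))
    print(" ".join(build_yara_command(rule_folder=r"C:\rules", autoruns=True, tag_hint="autorun")))
```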
Creating a memory dump
You can create a memory dump for the computer on which Kaspersky Endpoint Agent is installed.
Before creating the memory dump, we recommend terminating processes of critical applications. After creating the memory dump, we recommend restarting the computer for which the memory dump was created.
To create a memory dump using the Kaspersky Endpoint Agent command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter the command:
  agent.exe --memory-dump --path=<path to local or network folder where you want to save the memory dump> [--user=<user name> --pwd=<password>]
  The user name and password are required if the folder for storing the memory dump is password protected.
  Be sure that write access is granted for the folder where the memory dump will be stored. Otherwise, the dump file will not be created.
- Press ENTER.
In the specified folder, Kaspersky Endpoint Agent creates a memory dump with the name MemoryDump_<host name>_<date and time when the file began to be written>.dmp.
Command parameters for creating a memory dump
- --path – Required parameter. This parameter passes the full path to the local or network folder where the application will store the memory dump. The name of a network folder must be in UNC format.
- --user – This parameter passes the user name for accessing the folder specified by the --path parameter. If this parameter is missing, the SYSTEM account must have access to the folder.
- --pwd – This parameter passes the password for accessing the folder specified by the --path parameter. If this parameter is missing, the SYSTEM account must have access to the folder.
Return codes of the --memory-dump command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
Kaspersky Endpoint Agent does not encrypt or compress the memory dump file. If necessary, you can use third-party tools to encrypt and compress the folder where the memory dump is stored.
The SMB 3 (or higher) protocol must be configured in order for Kaspersky Endpoint Agent to save the memory dump file to the folder in encrypted form.
Creating a disk dump
You can create a dump of a physical or logical disk of the computer on which Kaspersky Endpoint Agent is installed.
To create a disk dump using the Kaspersky Endpoint Agent command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.
- Enter the command:
  agent.exe --disk-image --volume=<disk name> [--format=<file format, RAW or EWF>] [--max-size=<size in bytes>] [--segment-size=<size in bytes>] --path=<path to a local or network folder where you want to save the disk dump> [--user=<user name> --pwd=<password>]
  The user name and password are required if the folder for storing the disk dump is password protected.
  Be sure that write access is granted for the folder where the disk dump will be stored. Otherwise, the dump file will not be created.
- Press ENTER.
In the specified folder, Kaspersky Endpoint Agent creates a disk dump file with a name in the format <disk name>_<date and time when the file started to be written>.<extension>.
The disk dump file extension may be the following:
- If the RAW format was specified in the command to create the disk dump (--format=RAW):
  - if the disk dump is not split (the --segment-size parameter is omitted), then the disk dump file has the raw extension;
  - if the disk dump is split (the --segment-size parameter is specified), then the parts of the dump have the extensions 001, 002, 003, etc. up to 999.
- If the EWF format was specified in the command to create the disk dump (--format=EWF):
  - if the disk dump is not split (the --segment-size parameter is omitted), then the disk dump file has the extension E01;
  - if the disk dump is split (the --segment-size parameter is specified), then the parts of the dump have the extensions E01, E02, ..., E99; EAA, EAB, ..., EAZ; FAA, FAB, ..., FZZ, <...>; ZAA, ZAB, ..., ZZZ.
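The naming rules above determine which files a complete dump must consist of, which matters when a collected dump folder is checked before it is sealed or copied off the host. The following Python module is an added example, not Kaspersky code: it encodes the RAW and EWF extension sequences and reports missing parts. It assumes the standard EWF sequence (E01..E99, then EAA..EZZ, FAA..FZZ, ..., ZAA..ZZZ), which is what the abbreviated list above corresponds to; the timestamp layout in the sample base name is a constructed placeholder, since the page only states that the name is <disk name>_<date and time>.

```python
"""Expected file names of Kaspersky Endpoint Agent disk dumps (added example, not Kaspersky code).

Encodes the RAW/EWF naming rules so that a collected dump folder can be checked
for completeness before the evidence is sealed or transferred.
"""
import string
from typing import Iterable, List

ALPHA = string.ascii_uppercase


def ewf_extension(index: int) -> str:
    """Extension of the EWF segment with 1-based index `index`.

    Assumption: the standard EWF sequence E01..E99, then EAA..EZZ, FAA..FZZ,
    ..., ZAA..ZZZ (the page lists this sequence in abbreviated form).
    """
    if index < 1:
        raise ValueError("segment index is 1-based")
    if index <= 99:
        return f"E{index:02d}"
    n = index - 100                      # 0-based position in the letter-only part
    first, rest = divmod(n, 26 * 26)     # first letter advances every 26*26 parts
    second, third = divmod(rest, 26)
    start = ALPHA.index("E")             # letter-only extensions start at EAA
    if start + first >= len(ALPHA):
        raise ValueError("EWF extension sequence exhausted at ZZZ")
    return ALPHA[start + first] + ALPHA[second] + ALPHA[third]


def raw_extension(index: int, split: bool) -> str:
    """Extension of a RAW dump: 'raw' when unsplit, '001'..'999' when split."""
    if not split:
        if index != 1:
            raise ValueError("an unsplit RAW dump is a single file")
        return "raw"
    if not 1 <= index <= 999:
        raise ValueError("split RAW dumps have at most 999 parts")
    return f"{index:03d}"


def dump_file_names(base: str, fmt: str, segments: int) -> List[str]:
    """All file names for a dump of `segments` parts.

    `base` is the '<disk name>_<date and time>' prefix chosen by the agent.
    EWF uses E01 both for an unsplit dump and for the first part of a split one.
    """
    fmt = fmt.upper()
    if fmt == "RAW":
        exts = [raw_extension(i, split=segments > 1) for i in range(1, segments + 1)]
    elif fmt == "EWF":
        exts = [ewf_extension(i) for i in range(1, segments + 1)]
    else:
        raise ValueError("format must be RAW or EWF")
    return [f"{base}.{ext}" for ext in exts]


def missing_segments(present: Iterable[str], base: str, fmt: str, segments: int) -> List[str]:
    """Names that a complete dump needs but that are absent from `present`."""
    have = set(present)
    return [name for name in dump_file_names(base, fmt, segments) if name not in have]


if __name__ == "__main__":
    # Constructed folder listing: a 4-part EWF dump of PHYSICALDRIVE0 with one part lost.
    BASE = "PHYSICALDRIVE0_2024-01-15_10-30-00"   # timestamp layout is an assumption
    listing = [f"{BASE}.E01", f"{BASE}.E02", f"{BASE}.E04"]
    print("missing:", missing_segments(listing, BASE, "EWF", 4))
```

`missing_segments` takes the directory listing as plain names, so it can be fed from `os.listdir` on the collection share or from a manifest produced on the endpoint; the number of expected parts comes from the dump size divided by the --segment-size value used, which the caller knows from the command it issued.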
Command parameters for creating a disk dump
Parameter
Description
--volume
Required parameter. This parameter passes the number of a physical disk or the name of a logical disk, where the dump will be created.
The format for the physical disk number is: \??\PHYSICALDRIVEN or PHYSICALDRIVEN, where N is the disk number. For example: \??\PHYSICALDRIVE0, PHYSICALDRIVE1.
Format of the name of the logical disk: N:, where N is the letter designation of the logical disk. For example, С:.
If you create a dump file for a logical disk used to boot the operating system, use the %SystemDrive% variable as the disk name.
--format
This parameter passes the format for the file with the disk dump. Possible values: RAW or EWF.
If the parameter is omitted, the application creates a disk dump in the RAW format.
--max-size
This parameter passes the maximum allowed size of the disk dump in bytes.
If this parameter is omitted, the application creates a disk dump with a maximum size of 1,099,511,627,776 bytes.
--segment-size
This parameter passes the maximum size of a part of the disk dump in bytes. The part size must be larger than 33,554,432 bytes.
If the parameter is specified, the application splits the disk dump into parts of the specified size and adds them to an archive. The size of the archived dump parts is less than the value specified using the parameter.
If the parameter is omitted, the application does not split the disk dump into parts.
--path
Required parameter. This parameter passes the full path to the local or network folder where the application stores the disk dump.
The name of a network folder must be in UNC format.
--user
This parameter passes the user name for accessing the folder specified by the --path parameter. If the parameter is omitted, the SYSTEM account must have access to the folder where the disk dump will be stored.
--pwd
This parameter passes the password for accessing the folder specified by the --path parameter. If the parameter is omitted, the SYSTEM account must have access to the folder where the disk dump will be stored.
Return codes of the --disk-image command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
Kaspersky Endpoint Agent does not encrypt or compress the disk dump file. If necessary, you can use third-party tools to encrypt and compress the folder where the disk dump is stored.
The SMB 3 (or higher) protocol must be configured in order for Kaspersky Endpoint Agent to save the disk dump file to the folder in encrypted form.
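A collection script that drives agent.exe should fail on a bad volume name, an undersized segment or a non-UNC share path before the agent is launched, and should report the return code in the words documented above. The following Python module is an added example (not Kaspersky code) that wraps the --disk-image syntax, the parameter rules and the return codes from this section. The install folder constant is the 64-bit path from this page; the functions `validate_volume`, `validate_path`, `build_disk_image_args`, `describe_return_code` and `run_disk_image` are this example's own names, and the share name in the sample call is constructed.

```python
r"""Build, validate and run agent.exe --disk-image (added example, not Kaspersky code).

Validates the documented parameter rules before launching the agent and maps
the documented return codes to text for the collection log.
"""
import os
import re
import subprocess
from typing import List, Optional

# Default install folder on 64-bit Windows (from the page); adjust for 32-bit systems.
AGENT_DIR = r"C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent"
MIN_SEGMENT_SIZE = 33_554_432            # a dump part must be larger than this
DEFAULT_MAX_SIZE = 1_099_511_627_776     # --max-size used when the parameter is omitted

RETURN_CODES = {
    -1: "command is not supported",
    0: "command successfully executed",
    1: "required argument is not passed to the command",
    2: "general error",
    4: "syntax error",
}

_PHYSICAL = re.compile(r"^(\\\?\?\\)?PHYSICALDRIVE\d+$", re.IGNORECASE)
_LOGICAL = re.compile(r"^[A-Za-z]:$")


def validate_volume(volume: str) -> str:
    r"""Accept \??\PHYSICALDRIVEN, PHYSICALDRIVEN, N: or %SystemDrive%."""
    if volume == "%SystemDrive%" or _PHYSICAL.match(volume) or _LOGICAL.match(volume):
        return volume
    raise ValueError(f"unsupported --volume value: {volume!r}")


def validate_path(path: str) -> str:
    r"""Accept a full local path (D:\dumps) or a UNC path (\\server\share\folder)."""
    if path.startswith("\\\\"):
        if not re.match(r"^\\\\[^\\]+\\[^\\]+", path):
            raise ValueError("network folder must be in UNC format \\\\server\\share")
        return path
    if re.match(r"^[A-Za-z]:\\", path):
        return path
    raise ValueError(f"--path must be a full local path or a UNC path: {path!r}")


def build_disk_image_args(
    volume: str,
    path: str,
    fmt: Optional[str] = None,
    max_size: Optional[int] = None,
    segment_size: Optional[int] = None,
    user: Optional[str] = None,
    pwd: Optional[str] = None,
) -> List[str]:
    """Return the argument vector for agent.exe --disk-image in the documented order."""
    args = ["agent.exe", "--disk-image", f"--volume={validate_volume(volume)}"]
    if fmt is not None:
        if fmt.upper() not in ("RAW", "EWF"):
            raise ValueError("--format must be RAW or EWF")
        args.append(f"--format={fmt.upper()}")
    if max_size is not None:
        if max_size <= 0:
            raise ValueError("--max-size must be a positive number of bytes")
        args.append(f"--max-size={max_size}")
    if segment_size is not None:
        if segment_size <= MIN_SEGMENT_SIZE:
            raise ValueError(f"--segment-size must be larger than {MIN_SEGMENT_SIZE} bytes")
        args.append(f"--segment-size={segment_size}")
    args.append(f"--path={validate_path(path)}")
    if (user is None) != (pwd is None):
        raise ValueError("--user and --pwd must be given together")
    if user is not None:
        args += [f"--user={user}", f"--pwd={pwd}"]
    return args


def describe_return_code(code: int) -> str:
    """Text for a documented return code; anything else is flagged as undocumented."""
    return RETURN_CODES.get(code, f"undocumented return code {code}")


def run_disk_image(args: List[str], agent_dir: str = AGENT_DIR) -> int:
    """Run the built command from the agent folder; requires local administrator rights."""
    exe = os.path.join(agent_dir, args[0])
    return subprocess.run([exe] + args[1:], cwd=agent_dir).returncode


if __name__ == "__main__":
    # Constructed sample: 2 GiB EWF segments to a collection share (share name is made up).
    cmd = build_disk_image_args("PHYSICALDRIVE0", r"\\fileserver\dumps",
                                fmt="EWF", segment_size=2 * 1024 ** 3)
    print(subprocess.list2cmdline(cmd))
    code = run_disk_image(cmd)
    print(code, describe_return_code(code))
```

The path check is a format check only; whether the account actually has write access to the folder is verified by the agent at run time, which is why the return code is mapped and logged. Passing --pwd on the command line exposes the password to anyone who can read the process command line on the endpoint, so the cleaner arrangement is the one the parameter table already allows: omit --user and --pwd and grant the SYSTEM account write access to an SMB 3 share with encryption enabled.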