Kaspersky Anti Targeted Attack Platform
5.0
English

Contents

[Topic 193604]

Creating a local task

Local tasks are run on a specific device. For more information on tasks, refer to Kaspersky Security Center documentation.

To create a local task:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Kaspersky Security Center Administration Console tree, open the Managed devices folder.
  3. In the Managed devices folder, select the folder with the name of the administration group that includes the desired device.
  4. In the workspace, select the Devices tab.
  5. Select the device for which you want to create a local task.
  6. Do one of the following:
    • In the context menu of the device, select All tasksCreate a task.
    • In the context menu of the device, select Properties and in the Properties: <Device name> window that opens on the Tasks tab, click Add.
    • In the Perform action drop-down list, select the Create a task item.

    The task creation wizard will start.

  7. Select the required task and click Next.
  8. Follow the instructions of the task creation wizard.

See also

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent
Page top
[Topic 194322]

Creating a group task

Group tasks are performed on the devices of the selected administration group. For more information on tasks, refer to Kaspersky Security Center documentation.

To create a group task:

  1. Open Kaspersky Security Center Administration Console.
  2. Do one of the following:
    • In the Administration Console tree, select the Managed devices folder to create a group task for all devices managed using Kaspersky Security Center.
    • In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required devices.
  3. In the workspace, select the Tasks tab.
  4. Click Create a task.

    The task creation wizard will start.

  5. Select the required task and click Next.
  6. Follow the instructions of the task creation wizard.

See also

Creating a local task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent
Page top
[Topic 194323][Topic 193074]

Deleting a task from the list

To remove tasks from the list of tasks on Kaspersky Security Center server:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.
  3. In the task list, select the tasks that you want to delete and right-click them to open the context menu.

    A list of the actions you can perform on the tasks will be displayed.

  4. Select the Delete action.

    The action confirmation window opens.

  5. Click Yes.

The selected tasks will be deleted from the list.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent
Page top
[Topic 193073]

Starting tasks manually

You can start the created tasks manually. For example, you can manually start the tasks for which scheduled start is not configured.

To start a task manually:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. In the context menu of the desired task, select the Run action.

The task will run.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent
Page top
[Topic 193072]

Starting tasks by schedule

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To configure the scheduled task start:

  1. In the Task schedule section, select the Run by schedule check box.
  2. In the Frequency list select one of the following options to run the tasks: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
  3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
  4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
    1. In the Every list, select the task run frequency. For example, once a day, or twice a week on Tuesdays and Thursdays.
    2. In the Time and Date lists, select the date and time from which the schedule applies.
  5. To configure advanced schedule settings, click the Advanced button and configure the following settings in the Advanced window:
    • Quit tasks, running longer than

      Enable this setting if you want to set a task execution time limit. After the specified time, the task will automatically terminate.

    • Cancel schedule from

      Enable this setting if you want to specify a schedule expiration date. After the specified date, the schedule will expire.

    • Run missed tasks

      Enable this option if you want the application to start tasks that were not completed on time as soon as possible.

    • Randomize the task run to every

      Enable this option if you want to avoid a scenario where a large number of workstations simultaneously access the Administration Server by running the task on each workstation at a random moment within the specified time interval.

  6. Click OK.

Scheduled task start has now been configured and applied on devices.

Page top
[Topic 206053]

Viewing task execution results

You can view the task execution results during their storage period. You can also change the storage period for the task execution results.

It is not recommended to shorten the storage period for IOC Scan task execution results.

To view the task execution result:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. Select the task in the list and right-click it to open the task actions menu.
  4. Select the Results menu item.

The Task execution results window will open.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent
Page top
[Topic 193071]

Configuring the storage time for the task execution results on the Administration Server

By default, task execution results are stored on the Administration Server for seven days.

To change the storage time for the task execution results on the Administration Server:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. Select the task in the list and right-click it to open the task actions menu.
  4. Select the Properties menu item.

    The task properties window opens.

  5. In the left part of the window, select the Notification section.
  6. Make sure that the On the Administration Server for (days) check box is selected in the Save information about results section and specify for how many days you want the task execution results to be stored.
  7. Click the Apply button and then click OK.

It is not recommended to shorten the storage period for IOC Scan task execution results.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Creating Kaspersky Endpoint Agent activation task

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent
Page top
[Topic 193070]

Creating Kaspersky Endpoint Agent activation task

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can activate Kaspersky Endpoint Agent using a key or activation code.

When activating the application using an activation code, data is sent to the activation server to verify the entered code.

To activate the application using the activation code, the protected device must be connected to the Internet.

To create Kaspersky Endpoint Agent activation task:

  1. Run the Application activation task creation wizard for the desired scope in one of the following ways:
    • Start the local task creation wizard.
    • Start the group task creation wizard.

      Group tasks are performed on the devices of the selected administration group. For more information on tasks, refer to Kaspersky Security Center documentation.

      To create a group task:

      1. Open Kaspersky Security Center Administration Console.
      2. Do one of the following:
        • In the Administration Console tree, select the Managed devices folder to create a group task for all devices managed using Kaspersky Security Center.
        • In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required devices.
      3. In the workspace, select the Tasks tab.
      4. Click Create a task.

        The task creation wizard will start.

      5. Select the required task and click Next.
      6. Follow the instructions of the task creation wizard.
  2. If you want to activate the application using an activation code, perform the following actions in the Activation settings window:
    1. Select the Activate with an activation code option and click Select.
    2. In the window that opens, enter the activation code and click OK.
  3. If you want to activate the application using a key file or a key from Kaspersky Security Center key storage, perform the following actions in the Activation settings window:
    1. Select the Activate with a key file or key option and click Select.
    2. In the drop-down list, select the key distribution method.
    3. If you select the Key file from folder option, in the window that opens, specify the location of the key file and click Open.
    4. If you select the Key from Kaspersky Security Center storage option, in the window that opens, select the key and click OK.

      For detailed information on Kaspersky Security Center key storage, refer to Kaspersky Security Center documentation.

  4. If you want to add this license key as an additional one to automatically renew the license, select the Use as additional key check box.
  5. Click Next.
  6. In the Schedule window, configure the task schedule settings and click Next.

    For detailed information on configuring the settings in this window, refer to Kaspersky Security Center documentation.

  7. In the Selecting an account to run a task window, specify the account to be used to run the task, and click Next.

    For detailed information on configuring the settings in this window, refer to Kaspersky Security Center documentation.

  8. In the Define the task name window, enter the name of the task and click Next.
  9. If you want to run the task immediately after creation, select the Run task after wizard finishes check box.
  10. Click Finish.

The application activation task for the selected device or device group has been created.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Managing Kaspersky Endpoint Agent database and module update tasks

Managing IOC Scan tasks in Kaspersky Endpoint Agent
Page top
[Topic 197539]

Managing Kaspersky Endpoint Agent database and module update tasks

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section provides instructions on how to create and configure the Database and application module update task.

See also

Creating a local task

Creating a group task

Viewing the table of tasks

Deleting a task from the list

Starting tasks manually

Starting tasks by schedule

Viewing task execution results

Configuring the storage time for the task execution results on the Administration Server

Creating Kaspersky Endpoint Agent activation task

Managing IOC Scan tasks in Kaspersky Endpoint Agent

In this section

Creating Database and application module update task

Configuring Database and application module update task
Page top
[Topic 193069]

Creating Database and application module update task

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To create the Database and application module update task for Kaspersky Endpoint Agent in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.
  3. Click Create a task.

    The task creation wizard will start.

  4. Select the Kaspersky Endpoint Agent application to create the task, and the Database and application module update task type.
  5. Click Next.

    The Database Update task creation wizard will start.

The Database Update task creation wizard consists of the following steps:

  1. Selecting a database update source

    Do the following:

    1. In the Database update source section, select one of the following database update sources:
      • Kaspersky Security Center Administration Server.
      • Kaspersky update servers.
      • Custom HTTP or FTP servers or network folders.
    2. If required, select the Use Kaspersky update servers if specified servers are not available check box.
    3. If you select Kaspersky update servers as database update source and want to use a proxy-server to connect to it, select the Use proxy server settings to connect to Kaspersky update servers check box in the Update source connection settings section.
    4. If you select Custom HTTP or FTP servers or network folders as database update source, do the following:
      1. Click the Custom HTTP or FTP servers or network folders link.
      2. Add update servers to the list:
        1. Click the Update servers button.
        2. In the new line, enter the address of the update server (HTTP or FTP), or the path to the network or local folder containing the update files.
        3. If you want to use this server to update databases, select the check box next to its address. You can also add servers to the list and clear the check boxes next to the addresses of the servers that you do not want to use now, but plan to use later.

          Perform the same steps to add each server.

        4. Click OK.
        5. The Update servers window closes.
      3. To use a proxy server to connect to update servers, select the Use proxy server settings to connect to other servers check box in the Update source connection settings section.

  2. Configuring the application modules update settings

    Do the following:

    1. In the Update settings section, select the conditions for the application to check for the availability of application module updates:
      • Do not check for updates. Kaspersky Endpoint Agent will not check the availability of application module updates.
      • Only check for availability of critical software modules updates. Kaspersky Endpoint Agent will check the availability only for important application module updates.
      • Download and install critical application module updates. Kaspersky Endpoint Agent will check the availability of application module updates and download and install critical application module updates.
    2. If you want the application to display a notification about all scheduled application modules updates available in the update source, select the Receive information about available scheduled application module updates check box.
  3. Configuring the database update schedule

    Do the following:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list select one of the following options to run the tasks: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start Database Update tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.

  4. Selecting the devices on which the task will be performed

    In the device selection window that opens, select the devices for which you want to assign the task and click Next.

    For example, you can select the Assign task for an administration group option and select an administration group from the list.

  5. Selecting the Kaspersky Security Center user account to run the task

    In the Selecting an account to run the task window, do one of the following:

    • Select the default account and click Next.
    • Enter the user name and password to be used to start the task and click Next.

  6. Defining the task name

    In the Define the task name window, enter the task name in the Name field, and click Next.

  7. Running the task immediately after it is created

    If you want the task to start immediately after creation, select the Run task after wizard finishes check box and click Finish.

See also

Configuring Database and application module update task
Page top
[Topic 193068]

Configuring Database and application module update task

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

After creating the Database and application module update task, you can configure the settings for this task.

To modify the task settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. In the Database and application module update section, select the task in the list and right-click it to open the task action menu.
  4. Select the Properties menu item.

    The task properties window opens.

  5. In the left part of the window, select the group of settings that you want to configure.
  6. In the right part of the window, make the necessary modifications and click Apply and OK.

You can configure the following task settings:

  • Task name

    Do the following:

    1. Select the General section.
    2. Change the task name in the top line.

  • Devices on which the task will be performed

    The right part of the window displays current devices to which the task is assigned. Perform the following actions to add devices:

    1. Click the Add button.

      A window will open with a list of managed devices.

    2. Select the check boxes next to devices you want to add.
    3. If you want to add devices that are not in the list, click Add in the right part of the window and follow the steps to add devices.

      For example, you can specify device addresses manually or import them from the list.

      You can specify the NetBIOS names, DNS names, IP addresses and IP address ranges of the devices to which you want to assign a task.

    For details on working with managed devices, refer to the Kaspersky Security Center Help.

  • Database update source

    Do the following:

    1. In the Database update source section, select one of the following database update sources:
      • Kaspersky Security Center Administration Server.
      • Kaspersky update servers.
      • Custom HTTP or FTP servers or network folders.
    2. If required, select the Use Kaspersky update servers if specified servers are not available check box.
    3. If you select Kaspersky update servers as database update source and want to use a proxy-server to connect to it, select the Use proxy server settings to connect to Kaspersky update servers check box in the Update source connection settings section.
    4. If you select Custom HTTP or FTP servers or network folders as database update source, do the following:
      1. Click the Custom HTTP or FTP servers or network folders link.
      2. Add update servers to the list:
        1. Click the Update servers button.
        2. In the new line, enter the address of the update server (HTTP or FTP), or the path to the network or local folder containing the update files.
        3. If you want to use this server to update databases, select the check box next to its address. You can also add servers to the list and clear the check boxes next to the addresses of the servers that you do not want to use now, but plan to use later.

          Perform the same steps to add each server.

        4. Click OK.
        5. The Update servers window closes.
      3. To use a proxy server to connect to update servers, select the Use proxy server settings to connect to other servers check box in the Update source connection settings section.

  • Configuring additional database update settings

    Do the following:

    1. In the Update settings section, select the conditions for the application to check for the availability of application module updates:
      • Do not check for updates. Kaspersky Endpoint Agent will not check the availability of application module updates.
      • Only check for availability of critical software modules updates. Kaspersky Endpoint Agent will check the availability only for important application module updates.
      • Download and install critical application module updates. Kaspersky Endpoint Agent will check the availability of application module updates and download and install critical application module updates.
    2. If you want the application to display a notification about all scheduled application modules updates available in the update source, select the Receive information about available scheduled application module updates check box.
  • Database update schedule

    Do the following:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list select one of the following options to run the tasks: At specified time, Every hour, Every day, Every week, On application launch or After the application database update.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start Database Update tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.

  • Kaspersky Security Center user account used to run the task

    In the Selecting an account to run the task window, do one of the following:

    • Select the default account and click Next.
    • Enter the user name and password to be used to start the task.

  • Storage time for the task execution results on the Administration Server

    Do the following:

    1. Select the Notification section.
    2. Make sure, that the On the Administration Server for (days) check box is selected in the Save information about results section, and specify for how many days you want to store the task execution results.

      By default, task execution results are stored on the Administration Server for 7 days.

See also

Creating Database and application module update task
Page top
[Topic 193067]

Managing IOC Scan tasks in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section describes how to manage IOC Scan tasks in Kaspersky Endpoint Agent using Kaspersky Endpoint Agent Management plugin.

In this Help section

About IOC Scan tasks in Kaspersky Endpoint Agent

Managing IOC Scan tasks in Kaspersky Endpoint Agent

Managing Standard IOC Scan tasks
Page top
[Topic 198723]

About IOC Scan tasks in Kaspersky Endpoint Agent

When executing IOC Scan tasks, Kaspersky Endpoint Agent uses

IOC files
(
indicators of compromise
files of the
OpenIOC
open description standard) to search for these indicators on devices.

Kaspersky Endpoint Agent supports the following types of IOC Scan tasks:

  • Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.
  • IOC scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface allows application users to use IOC files to search for signs of targeted attacks, as well as infected and probably infected objects in the event and detection database, and also to scan computers on which Kaspersky Endpoint Agent is installed.

Different tasks are managed in different ways and have different configurable settings and task scopes. A description of each type of IOC Scan task is provided in the table below.

IOC Scan task types

Task type

Task description

Task scope

Standard IOC Scan tasks

These tasks are created and configured manually in Kaspersky Security Center or using the command line interface, without integration with third-party systems.

IOC files prepared by the user are used to run the tasks.

The task settings do not depend on the policy settings.

The

Retrospective IOC scan
mode is available for tasks.

You can specify the following actions as responses to detected IOCs (not available when running the tasks from the command line):

  • Run on-demand scan tasks using EPP on the device.
  • Enable network isolation of the device.

    Viewing reports is available both in the task execution results as a summary table and in the

    Detected IOC card
    .

Local or group

IOC Scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface

IOC files are downloaded manually via Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure the IOC scan schedule for computers with Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform.

Task management using Kaspersky Security Center or using the command line is not supported.

No actions are automatically performed when an IOC is detected.

Task settings do not depend on Kaspersky Endpoint Agent policies.

Not applicable

The results of group IOC Scan tasks execution can be viewed in Kaspersky Security Center for 7 days after the task is executed, or until the task is removed.

Page top
[Topic 235158]

Managing IOC Scan tasks in Kaspersky Endpoint Agent

You can manage IOC Scan tasks using Kaspersky Security Center or using the Kaspersky Endpoint Agent command line interface, and you can also download IOC files and configure the IOC scan schedule in the Kaspersky Anti Targeted Attack Platform web interface. The description of each IOC Scan task type and information on the available management capabilities for IOC Scan tasks are shown in the table below.

Managing IOC Scan tasks.

Task type

Using Kaspersky Security Center

Using the Central Node component

Using the command line interface

Standard IOC Scan task

Task management is not applicable.

IOC Scan task created by Central Node

Task management is not applicable.

Downloading IOC files, configuring IOC scan schedule.

Task management is not applicable.

Page top

[Topic 235159]

Managing Standard IOC Scan tasks

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

This section provides instructions on how to manage Standard IOC Scan tasks.

See also

About IOC Scan tasks in Kaspersky Endpoint Agent

Managing IOC Scan tasks in Kaspersky Endpoint Agent

In this Help section

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export

Viewing IOC Scan task execution results
Page top
[Topic 194312]

Requirements for IOC files

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

When creating IOC Scan tasks, consider the following requirements and limitations related to IOC files:

  • Kaspersky Endpoint Agent supports IOC files with the ioc and xml extensions. These files use open standard for IOC description – OpenIOC versions 1.0 and 1.1.
  • Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
  • If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.
  • If, when creating the IOC Scan task, none of the downloaded IOC files is supported by Kaspersky Endpoint Agent, the task can be started, but as a result of the task execution, no indicators of compromise will be detected.
  • Semantic errors and IOC terms and tags in IOC files that are not supported by the application do not cause the task execution errors. The application just does not detect matches in such sections of IOC files.
  • Identifiers of all IOC files
    that are used in the same IOC Scan task must be unique. The presence of IOC files with the same identifier can affect the correctness of the task execution results.
  • The size of a single IOC file must not exceed 3 MB. Using larger files results in the failure of IOC Scan tasks. In this case, the total size of all added files in the IOC collection can exceed 3 MB.
  • It is recommended to create one IOC file per each threat. This makes it easier to read the results of the IOC Scan task.

The table below shows the features and limitations of the OpenIOC standard supported by the application.

Features and limitations of the OpenIOC standard versions 1.0 and 1.1

Supported conditions

OpenIOC 1.0:

is

isnot (as an exclusion from the set)

contains

containsnot (as an exclusion from the set)

OpenIOC 1.1:

is

contains

starts-with

ends-with

matches

greater-than

less-than

Supported condition attributes

OpenIOC 1.1:

preserve-case

negate

Supported operators

AND

OR

Supported data types

date: date (applicable conditions: is, greater-than, less-than)

int: integer number (applicable conditions: is, greater-than, less-than)

string: string (applicable conditions: is, contains, matches, starts-with, ends-with)

duration: duration in seconds (applicable conditions: is, greater-than, less-than)

Data types interpretation details

The following data types are interpreted as string: Boolean string, restricted string, md5, IP, sha256, base64Binary.

The application supports interpretation of the Content parameter specified as intervals for the following data types: int and date:

OpenIOC 1.0:

Using the TO operator in the Content field:

<Content type="int">49600 TO 50700</Content>

<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>

<Content type="int">[154192 TO 154192]</Content>

OpenIOC 1.1:

Using the greater-than and less-than conditions

Using the TO operator in the Content field

The application supports interpretation of the date and duration data types if the indicators are specified in the ISO 8601, Zulu time zone, UTC format.

Supported IOC terms

The full list of supported IOC terms is provided in a separate table.

See also

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export

Viewing IOC Scan task execution results
Page top
[Topic 194662]

Supported IOC terms

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The file that can be downloaded by the following link contains a table with a full list of supported IOC terms of the OpenIOC standard.

DOWNLOAD IOC_TERMS.XLSX FILE

Page top

[Topic 199237]

Creating and configuring Standard IOC Scan task

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To create and configure a Standard IOC Scan task,

depending on the required task scope, perform one of the following actions:

  • Start the local task creation wizard.
  • Start the group task creation wizard.

    Group tasks are performed on the devices of the selected administration group. For more information on tasks, refer to Kaspersky Security Center documentation.

    To create a group task:

    1. Open Kaspersky Security Center Administration Console.
    2. Do one of the following:
      • In the Administration Console tree, select the Managed devices folder to create a group task for all devices managed using Kaspersky Security Center.
      • In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required devices.
    3. In the workspace, select the Tasks tab.
    4. Click Create a task.

      The task creation wizard will start.

    5. Select the required task and click Next.
    6. Follow the instructions of the task creation wizard.

The task creation wizard allows you to configure the following settings:

  • IOC collection

    To configure IOC collection:

    1. In the IOC collection group of settings click Browse.
    2. In the context menu, do one of the following:
      • Select the Select folder item to add a group of IOC files to the IOC collection.
      • Select the Select file item to add one IOC file to the IOC collection.
    3. Depending on your choice, do one of the following in the window that opens:
      • Specify the path to the folder with IOC files and click OK.
      • Specify the path to IOC file and click Open.

      If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to get information about each IOC file, click View.

      The Select folder window opens. In this window, you can exclude any file from the database by clearing the check box next to the name of the IOC file.

    5. Click OK to save the changes and close the Select folder window.
    6. To export the created IOC collection, click Export.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    7. Click the Save button.

      The application creates a ZIP file in the specified folder.

  • Data types (IOC documents) to be analyzed during IOC scan

    To select data types (IOC documents) that you want to analyze during IOC scan and configure the additional scan settings:

    1. Click the Configure IOC terms and documents button.

      The IOC terms and documents window opens.

    2. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance to the contents of the downloaded IOC files. It is not recommended to unselect data types manually.

    3. To configure additional settings for the selected ProcessItem IOC document:
      1. Click the Advanced (ProcessItem) button.

        The ProcessItem document scan settings window opens.

      2. In the Indicators group of settings, select data that you want to analyze during the task execution.
      3. Click OK to save the changes and close the ProcessItem document scan settings window.
    4. To configure additional settings for the selected FileItem IOC document:
      1. Click the Advanced (FileItem) button.

        The FileItem document scan settings window opens.

      2. On the Scan areas tab, select data that you want to analyze during the task execution.
      3. On the Scan areas tab, select the areas on protected device drives where to look for indicators of compromise.

        You can select one of the predefined areas, or specify the paths to the desired areas manually.

      4. On the Exclusions tab, select the Apply exclusions check box and specify the paths to the areas on the protected device drives that do not need to be scanned during the task execution.
      5. Click OK to save the changes and close the FileItem document scan settings window.
    5. To configure additional settings for the selected RegistryItem IOC document:
      1. Click the Advanced (RegistryItem) button.

        The RegistryItem document scan settings window opens.

      2. Specify the Windows registry keys to be scanned during the task execution.

        You can select to scan predefined registry keys or specify the list of required registry keys manually.

      3. Click OK to save the changes and close the RegistryItem document scan settings window.
    6. To configure additional settings for the selected EventLogItem IOC document:
      1. Click the Advanced (EventLogItem) button.

        The EventLogItem document scan settings window opens.

      2. To ignore the events that were logged before the specified moment, select the Scan only events logged during the specified period check box and specify date and time.
      3. If necessary, in the bottom of the window, edit the predefined list of channels that are analyzed during the task execution.
      4. Click OK to save the changes and close the EventLogItem document scan settings window.
    7. Click OK to save the changes and close the window.

    The saved settings will be applied when the task is executed.

  • Retrospective IOC scan

    Retrospective IOC scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices.

    The Retrospective IOC scan mode is available only for Standard IOC Scan tasks.

    To enable the Retrospective IOC scan mode:

    1. In the Retrospective IOC Scan group of settings enable the Perform Retrospective IOC Scan within the interval option.
    2. Specify the time interval.

      During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.

    If during execution of the IOC Scan task with the Perform Retrospective IOC Scan within the interval option enabled the application does not find any data for the specified time interval to be analyzed, it does not inform about this. In this case, the application shows no indicators of compromise in the task completion report.

  • Application actions on IOC detection

    To configure Kaspersky Endpoint Agent actions on IOC detection:

    1. In the Actions section, select the Take response actions when indicator of compromise is found check box.
    2. Select the Isolate device from the network check box to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    3. Select the Run critical areas scan on the device check box so that Kaspersky Endpoint Agent sends a command to EPP application to scan critical areas on all the devices of the administration group on which indicators of compromise are detected.

    When configuring the task settings in Kaspersky Security Center Administration Console, the Do not perform actions on critical system files check box is available only if the Quarantine and delete response action is selected for the task (this setting can be configured only in Kaspersky Security Center Web Console).

  • Task start schedule

    To configure the schedule settings for IOC Scan task:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list select one of the following options to run IOC Scan tasks: At specified time, Every hour, Every day, Every week or On application launch.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start IOC Scan tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.
  • Running the task from a Kaspersky Security Center user account

    To select Kaspersky Security Center user account, under which you want to run the task,

    perform one of the following actions in the group of settings for selecting an account to start the task:

    • Select the default account and click Next.
    • Enter the name and password of the user whose account permissions will be used to start the task.
  • Task name

    The task name cannot be longer than 100 characters long and cannot contain special characters ("* <>? \: |).

Identifiers of all IOC files that are used in the same IOC Scan task must be unique. The presence of IOC files with the same identifier can affect the correctness of the task execution results.

If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

Semantic errors and IOC terms and tags in IOC files that are not supported by the application do not cause the task execution errors. The application just does not detect matches in such sections of IOC files.

See also

Requirements for IOC files

Supported IOC terms

Configuring Standard IOC Scan task

IOC collection export

Viewing IOC Scan task execution results
Page top
[Topic 194313]

Configuring Standard IOC Scan task

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To configure the Standard IOC Scan task settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    The list of tasks is displayed in the workspace.

  3. Open the settings of the required task in one of the following ways:
    • Double-click the task name.
    • Open the policy context menu and select Properties.
    • Select a task and click Configure task in the right part of the window.

    The Properties: <Task name> window will open.

  4. In the left part of the window, select the group of settings that you want to configure.
  5. In the right part of the window, make the necessary changes and click Apply, and then click OK.

    Configuration of the Standard IOC Scan task settings is now finished.

You can configure the following task settings:

  • Task name

    Do the following:

    1. Select the General section.
    2. Change the task name in the top line.

  • Storage time for the task execution results on the Administration Server

    Do the following:

    1. Select the Notification section.
    2. Make sure, that the On the Administration Server for (days) check box is selected in the Save information about results section, and specify for how many days you want to store the task execution results.

      By default, task execution results are stored on the Administration Server for 7 days.

  • IOC collection

    To configure IOC collection:

    1. In the IOC collection group of settings click Browse.
    2. In the context menu, do one of the following:
      • Select the Select folder item to add a group of IOC files to the IOC collection.
      • Select the Select file item to add one IOC file to the IOC collection.
    3. Depending on your choice, do one of the following in the window that opens:
      • Specify the path to the folder with IOC files and click OK.
      • Specify the path to IOC file and click Open.

      If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to get information about each IOC file, click View.

      The Select folder window opens. In this window, you can exclude any file from the database by clearing the check box next to the name of the IOC file.

    5. Click OK to save the changes and close the Select folder window.
    6. To export the created IOC collection, click Export.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    7. Click the Save button.

      The application creates a ZIP file in the specified folder.

  • Retrospective IOC scan

    Retrospective IOC scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices.

    The Retrospective IOC scan mode is available only for Standard IOC Scan tasks.

    To enable the Retrospective IOC scan mode:

    1. In the Retrospective IOC Scan group of settings enable the Perform Retrospective IOC Scan within the interval option.
    2. Specify the time interval.

      During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.

    If during execution of the IOC Scan task with the Perform Retrospective IOC Scan within the interval option enabled the application does not find any data for the specified time interval to be analyzed, it does not inform about this. In this case, the application shows no indicators of compromise in the task completion report.

  • Application actions on IOC detection

    To configure Kaspersky Endpoint Agent actions on IOC detection:

    1. In the Actions section, select the Take response actions when indicator of compromise is found check box.
    2. Select the Isolate device from the network check box to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    3. Select the Run critical areas scan on the device check box so that Kaspersky Endpoint Agent sends a command to EPP application to scan critical areas on all the devices of the administration group on which indicators of compromise are detected.

    When configuring the task settings in Kaspersky Security Center Administration Console, the Do not perform actions on critical system files check box is available only if the Quarantine and delete response action is selected for the task (this setting can be configured only in Kaspersky Security Center Web Console).

  • Data types (IOC documents) to be analyzed during IOC scan

    To select data types (IOC documents) that you want to analyze during IOC scan and configure the additional scan settings:

    1. Open the Advanced section.
    2. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance to the contents of the downloaded IOC files. It is not recommended to unselect data types manually.

    3. To configure additional settings for the selected ProcessItem IOC document:
      1. Click the Advanced (ProcessItem) button.

        The ProcessItem document scan settings window opens.

      2. In the Indicators group of settings, select data that you want to analyze during the task execution.
      3. Click OK to save the changes and close the ProcessItem document scan settings window.
    4. To configure additional settings for the selected FileItem IOC document:
      1. Click the Advanced (FileItem) button.

        The FileItem document scan settings window opens.

      2. On the Scan areas tab, select data that you want to analyze during the task execution.
      3. On the Scan areas tab, select the areas on protected device drives where to look for indicators of compromise.

        You can select one of the predefined areas, or specify the paths to the desired areas manually.

      4. On the Exclusions tab, select the Apply exclusions check box and specify the paths to the areas on the protected device drives that do not need to be scanned during the task execution.
      5. Click OK to save the changes and close the FileItem document scan settings window.
    5. To configure additional settings for the selected RegistryItem IOC document:
      1. Click the Advanced (RegistryItem) button.

        The RegistryItem document scan settings window opens.

      2. Specify the Windows registry keys to be scanned during the task execution.

        You can select to scan predefined registry keys or specify the list of required registry keys manually.

      3. Click OK to save the changes and close the RegistryItem document scan settings window.
    6. To configure additional settings for the selected EventLogItem IOC document:
      1. Click the Advanced (EventLogItem) button.

        The EventLogItem document scan settings window opens.

      2. To ignore the events that were logged before the specified moment, select the Scan only events logged during the specified period check box and specify date and time.
      3. If necessary, in the bottom of the window, edit the predefined list of channels that are analyzed during the task execution.
      4. Click OK to save the changes and close the EventLogItem document scan settings window.
    7. Click OK to save the changes and close the window.

    The saved settings will be applied when the task is executed.

  • IOC Scan task schedule

    To configure the schedule settings for IOC Scan task:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list select one of the following options to run IOC Scan tasks: At specified time, Every hour, Every day, Every week or On application launch.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start IOC Scan tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.
  • Kaspersky Security Center user account to run the task

    To select Kaspersky Security Center user account, under which you want to run the task,

    perform one of the following actions in the group of settings for selecting an account to start the task:

    • Select the default account and click Next.
    • Enter the name and password of the user whose account permissions will be used to start the task.
  • Excluding groups of devices from the task scope

    To exclude groups of devices from the task scope, in the Exclusions from task scope section, select the groups of devices to which the task will not be applied.

    Only the subgroups of the administration group to which the task applies can be excluded.

Page top
[Topic 194314]

IOC collection export

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To export an IOC collection:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. In the Run IOC Scan section, select the task in the list and right-click it to open the task action menu.
  4. Select the Properties menu item.

    The task properties window opens.

  5. Select the IOC Scan settings section.
  6. In the IOC collection section click Export.
  7. In the window that opens, specify the name of the file and select the folder where you want to save it.
  8. Click the Save button.

    The application creates a ZIP file in the folder you specified.

See also

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

Viewing IOC Scan task execution results
Page top
[Topic 195177]

Viewing IOC Scan task execution results

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To view the IOC Scan task execution results:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    The list of tasks is displayed in the workspace.

  3. Open the settings of the required task in one of the following ways:
    • Double-click the task name.
    • Open the policy context menu and select Properties.
    • Select a task and click Configure task in the right part of the window.

    The Properties: <Task name> window opens.

  4. Select the Results section.
  5. In the Show task results for the device list, select the devices for which you want to view the results of IOC Scan tasks.
  6. To view detailed information about a particular task, double-click it.
  7. To view detailed information about the detected indicator of compromise, click the Show card button.

    Detected IOC card contains information about objects that match the conditions of the processed IOC file, as well as the text of the matched branches or individual conditions from this IOC file.

    Viewing the Detected IOC card is not available for IOC files, for which no indicators of compromise were detected during scan.

See also

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export
Page top
[Topic 195119]