Program architecture
The program includes the following main components:
- Sensor. Receives data.
- Central Node. Scans data, analyzes the behavior of objects, and publishes analysis results in the web interface of the program.
- Sandbox. Starts virtual images of operating systems, runs files inside them, and tracks the behavior of each file in each operating system to detect malicious activity and signs of targeted attacks on the corporate IT infrastructure.
- Kaspersky Endpoint Agent. Installed on workstations and servers in the IT infrastructure of the organization. Continuously monitors processes running on those computers, active network connections, and files that are modified.
Sensor component
The following modules of Kaspersky Anti Targeted Attack Platform run on each server hosting the Sensor component:
- Sensor. Receives data from network and mail traffic and sends the data for processing to the server with the Central Node component.
- Intrusion Detection System (hereinafter also referred to as IDS). Scans Internet traffic for signs of intrusions into the corporate IT infrastructure.
- KSN. Checks the reputation of files and URL addresses in the Knowledge Base of Kaspersky Security Network on behalf of Kaspersky Anti Targeted Attack Platform and provides information about categories of websites (for example, malicious website, phishing website).
Kaspersky Security Network (hereinafter also "KSN") is an infrastructure of online services that provides access to Kaspersky's online Knowledge Base with information on the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky programs to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
If you do not want to participate in KSN, you can use Kaspersky Private Security Network (hereinafter also referred to as KPSN). KPSN is a solution that allows users to access the reputation databases of Kaspersky Security Network and other statistical data without actually sending data from their own computers to Kaspersky Security Network.
- URL Reputation. Detects malicious and phishing URL addresses, as well as URL addresses that were previously used by hackers in targeted attacks and intrusions against the corporate IT infrastructure.
A Sensor component can also be a mail sensor: a server or virtual machine on which Kaspersky Secure Mail Gateway (KSMG) or Kaspersky Security for Linux Mail Server (KLMS) is installed. These applications send email messages to Kaspersky Anti Targeted Attack Platform for processing. Based on the results of that processing, KSMG and KLMS may block the transfer of messages.
The Sensor component can also be used as a proxy server for outgoing connections from Kaspersky Endpoint Agent.
If KSMG or KLMS is being used as a Sensor component, scan exclusion lists configured for message recipients and MD5 checksums of files are not transmitted to KSMG and KLMS and are not applied when messages are processed by KSMG and KLMS.
Central Node component
The component can be deployed on one server or as a fault-tolerant cluster that consists of two roles: storage servers and processing servers.
Fault tolerance is achieved through duplication of data between the storage servers and redundancy of computing resources: if one server fails, its functions are performed by another server with the same role, and Kaspersky Anti Targeted Attack Platform continues to operate.
The following program modules, engines and technologies run on each server or cluster with the Central Node component:
- Anti-Malware Engine (hereinafter also referred to as AM or AM Engine). Scans files and objects for viruses and other threats to the corporate IT infrastructure using anti-virus databases.
- Mobile Attack Analyzer (also referred to as MAA). Scans executable files in the APK format in the cloud infrastructure using machine learning technology. As a result of the scan, Kaspersky Anti Targeted Attack Platform receives information about detected threats or the absence of threats.
- YARA. Scans files and objects for signs of targeted attacks on the corporate IT infrastructure using YARA Rules databases created by users of Kaspersky Anti Targeted Attack Platform.
- Targeted Attack Analyzer (hereinafter also referred to as TAA or TA Analyzer). Analyzes and monitors network activity of software installed on computers of the corporate LAN using TAA (IOA) rules. Searches for network activity to which the user of Kaspersky Anti Targeted Attack Platform is advised to pay attention, as well as for signs of targeted attacks on the corporate IT infrastructure.
- KSN. Checks the reputation of files and URL addresses in the Knowledge Base of Kaspersky Security Network on behalf of Kaspersky Anti Targeted Attack Platform and provides information about categories of websites (for example, malicious website, phishing website).
Sandbox component
Virtual images of the following operating systems are started on servers hosting the Sandbox component:
- Windows XP SP3, 32-bit.
- Windows 7, 64-bit.
- Windows 10, 64-bit.
- CentOS 7.8.
The Sandbox component starts objects in these operating systems and analyzes their behavior to detect malicious activity and signs of targeted attacks on the corporate IT infrastructure.
By default, the maximum file size scanned by the Sandbox module is 100 MB. You can configure scan settings in the administrator menu of the program management console.
The maximum level of nesting for scanned archives is 32.
The maximum number of objects that can be queued for scanning by the Sandbox component per day is 10,000. When this limit is reached, the program deletes the 10% of objects that have been queued for scanning the longest and replaces them with newly queued objects. The deleted objects are retained in the program with the status NOT_SCANNED.
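The Sandbox limits above (100 MB file size, nesting depth 32, 10,000 queued objects with 10% oldest-first eviction to NOT_SCANNED) can be modelled to estimate how much of a submission burst would actually be analyzed. The following is an added illustration, not code from Kaspersky Anti Targeted Attack Platform; the SandboxQueueModel class, its REJECTED status for oversized or too deeply nested objects, and the pre-filtering order are assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Documented Sandbox limits (default values from the product description)
MAX_FILE_SIZE = 100 * 1024 * 1024   # 100 MB
MAX_ARCHIVE_NESTING = 32
MAX_QUEUE_PER_DAY = 10_000
EVICT_FRACTION = 0.10               # 10% of the longest-queued objects


@dataclass
class ScanObject:
    name: str
    size: int
    nesting: int = 0          # archive nesting depth, 0 for a plain file
    status: str = "QUEUED"


class SandboxQueueModel:
    """Hypothetical model of the Sandbox scan queue (assumption, not product code)."""

    def __init__(self, max_queue: int = MAX_QUEUE_PER_DAY):
        self.max_queue = max_queue
        self.queue = deque()   # leftmost entry has waited the longest
        self.rejected = []     # over size/nesting limit (assumed pre-filter)
        self.not_scanned = []  # evicted when the queue limit is reached

    def submit(self, obj: ScanObject) -> str:
        """Queue an object, applying the size, nesting and queue limits."""
        if obj.size > MAX_FILE_SIZE or obj.nesting > MAX_ARCHIVE_NESTING:
            obj.status = "REJECTED"      # assumed handling of over-limit objects
            self.rejected.append(obj)
            return obj.status
        if len(self.queue) >= self.max_queue:
            self._evict_oldest()
        self.queue.append(obj)
        return obj.status

    def _evict_oldest(self) -> None:
        """Drop the oldest 10% of queued objects and mark them NOT_SCANNED."""
        count = int(len(self.queue) * EVICT_FRACTION)
        for _ in range(count):
            old = self.queue.popleft()
            old.status = "NOT_SCANNED"
            self.not_scanned.append(old)

    def coverage(self) -> float:
        """Share of accepted objects still waiting for analysis."""
        accepted = len(self.queue) + len(self.not_scanned)
        return len(self.queue) / accepted if accepted else 1.0
```

Running a burst of 10,001 small constructed objects through the model shows the first 1,000 submitted being marked NOT_SCANNED, which is the coverage gap a defender should budget for when feeding the Sandbox from a high-volume source.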
Kaspersky Endpoint Agent component
The component is represented by Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Agent for Linux programs. The programs are installed on workstations and servers in the IT infrastructure of the organization (hereinafter also referred to as "corporate LAN computers" or "computers"). On these computers, the programs continually monitor processes, active network connections, and files being modified, and send this monitoring data to the Central Node server.
Computers where the programs are installed must satisfy hardware and software requirements of Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Agent for Linux.