Managing Kaspersky Endpoint Agent host information

Kaspersky Endpoint Agent is installed on individual computers (hereinafter also referred to as "hosts") in the IT infrastructure of the organization. The program continuously monitors processes running on those hosts, active network connections, and files that are being modified.

Users with the Senior security officer, Security officer, Security auditor, Local administrator, or Administrator role can assess how regularly data is received from hosts on which Kaspersky Endpoint Agent is installed, on the Endpoint Agents tab of the program web interface window for tenants to whose data the user has access. If you are using the

distributed solution

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

multitenancy mode

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Users with the Local administrator and Administrator roles can configure the display of how regularly data is received from hosts with Kaspersky Endpoint Agent installed, for tenants to whose data they have access.

If suspicious network activity is detected, users with the Senior security officer role can isolate from the network any host with Kaspersky Endpoint Agent, for tenants to whose data the user has access. In this case, the connection between the server with the Central Node component and a host with Kaspersky Endpoint Agent is not interrupted.

To provide support in case of problems with Kaspersky Endpoint Agent, Technical Support staff may ask you to perform the following actions for debugging purposes (including in Technical Support Mode):

• Activate collection of extended diagnostic information.
• Modify the settings of individual program components.
• Modify the settings for storing and sending the obtained diagnostic information.
• Configure network traffic to be intercepted and saved to a file.

Technical Support staff will provide all the information needed to perform these operations (description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose utilities, and other resources) and inform you about the scope of data obtained for debugging purposes. The retrieved diagnostic information is saved on the user's computer. The retrieved data is not automatically sent to Kaspersky.

The operations listed above should be performed only when instructed by and under the supervision of Technical Support experts. Unsupervised changes to program settings performed in ways other than those described in this manual or according to the instructions of Technical Support experts can slow down or crash the operating system, reduce computer security, or compromise the availability and integrity of data being processed.

Viewing the Kaspersky Endpoint Agent host table on a standalone Central Node server

The table of Kaspersky Endpoint Agent hosts is located in the Endpoint Agents section of the program web interface window.

The table can display the following data:

• Number of hosts and activity indicators of Kaspersky Endpoint Agent:
  • Critical inactivity is the number of hosts from which latest data was received a very long time ago.
  • Warning is the number hosts from which latest data was received a long time ago.
  • Normal activity is the number of hosts from which latest data was recently received.
• Host—Name of the host with Kaspersky Endpoint Agent.
• Servers— Name of the server to which the Kaspersky Endpoint Agent host is connected.
• IP—IP address of the host where Kaspersky Endpoint Agent is installed.
• OS—Version of the operating system that is installed on the computer with Kaspersky Endpoint Agent.
• Version—Version of Kaspersky Endpoint Agent installed.
• Activity—Activity indicator of Kaspersky Endpoint Agent. Possible values:
  • Normal activity for hosts from which latest data was recently received.
  • Warning for hosts from which latest data was received a long time ago.
  • Critical inactivity for hosts from which latest data was received an extremely long time ago.

Clicking the link with the host name opens a list in which you can select one of the following actions:

• Add to filter.
• Exclude from filter.
• Run the following tasks:
  • Kill process.
  • Delete file.
  • Kill by unique PID.
  • Get file.
  • Get forensics.
  • Quarantine file.
  • Run program.
• New prevention rule.
• Isolate from network.
• Find events.
• Find alerts.
• Copy value to clipboard.

The list of available actions depends on the Kaspersky Endpoint Agent type (for Windows or Linux), version, and activity indicator.

Clicking the link with the IP opens a list in which you can select one of the following actions:

• Add to filter.
• Exclude from filter.
• Find alerts.
• Copy value to clipboard.

Clicking a link in any other column of the table opens a list in which you can select one of the following actions:

• Add to filter.
• Exclude from filter.
• Copy value to clipboard.

Configuring the Kaspersky Endpoint Agent host table display

You can show or hide columns and change the order of columns in the table of Kaspersky Endpoint Agent hosts.

To configure Kaspersky Endpoint Agent host table display:

1. Select the Alerts section in the window of the program web interface.

   This opens the table of alerts.

2. In the heading part of the table, click .
3. This opens the Customize table window.
4. If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.

   If you want to hide a parameter in the table, clear the check box.

   At least one check box must be selected.

5. If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click and move the row to its new place.
6. If you want to restore default table display settings, click Default.

Click Apply. Kaspersky Endpoint Agent host table display is displayed.

Viewing information about a host

To view information about a Kaspersky Endpoint Agent host:

1. Select the Endpoint Agents section in the window of the program web interface.
2. Select the host for which you want to view information.

This opens a window containing information about the host.

The window contains the following information:

• Recommendations group:
  • Clicking the Alerts link opens the Alerts section with the search condition containing the selected host.
  • Clicking the Events link opens the Threat Hunting section with the search condition containing the selected host.
  • Clicking the Events affected by prevention rules link opens the Threat Hunting section with the search condition containing the selected host and the Blocked application (prevention rule) event type.

  The Events affected by prevention rules link is not displayed in the information for hosts with Kaspersky Endpoint Agent for Linux.

• On the Details tab, the Host section displays the following information:
  • Name—Name of the host with Kaspersky Endpoint Agent.
  • IP—IP address of the host where Kaspersky Endpoint Agent is installed.
  • OS—Version of the operating system on the host with the Kaspersky Endpoint Agent program installed.
• On the Details tab, the Endpoint Agent section displays the following information:
  • Version—Version of Kaspersky Endpoint Agent installed.
• Activity—Activity indicator of Kaspersky Endpoint Agent. Possible values:
  • Normal activity for hosts from which latest data was recently received.
  • Warning for hosts from which latest data was received a long time ago.
  • Critical inactivity for hosts from which latest data was received an extremely long time ago.
• Server—Name of the SCN or PCN server. Only displayed in distributed solution and multitenancy mode.
• Connected to server—Name of the Central Node server.
• Last connection—time of the last connection to the Central Node, SCN, or PCN server.
• License key status—For example, "OK".
• On the Prevention rules tab, you can see MD5 or SHA256 hashes for files that were prevented from running or opening on the host. The following information is displayed:
  • Name—Name of the file.
  • State—State of the prevention rule.
  • Hash—Hashing algorithm.

  The Prevention rules tab is not displayed in the information for hosts with Kaspersky Endpoint Agent for Linux.

• On the Tasks tab, you can see which tasks were run on the host. The following information is displayed:
  • Time created—Task creation date and time.
  • Name—Task name.
  • Details—Full path to the file or data stream for which the task was created.
  • State—Task completion status.

Clicking the link with the host name opens a list in which you can select one of the following actions:

• Run the following tasks:
  • Kill process.
  • Delete file.
  • Get file.
  • Get forensics.
  • Quarantine file.
  • Run program.
• New prevention rule.
• Isolate from network.
• Find events.
• Find alerts.
• Copy value to clipboard.

  For hosts with Kaspersky Endpoint Agent for Linux, the list displayed by clicking the link with the host name includes only Get file, Run program, Find events, and Find alerts.

Clicking the link with the IP opens a list in which you can select one of the following actions:

• Find alerts.
• Copy value to clipboard.

Filtering and searching hosts with Kaspersky Endpoint Agent by host name

To filter or search for Kaspersky Endpoint Agent hosts by host name:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Host link to open the filter configuration window.
3. If you want to display only isolated hosts, select the Show isolated Endpoint Agents only check box.
4. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
5. In the entry field, specify one or several characters of the host name.
6. To add a filter condition using a different criterion, click and specify the filter condition.
7. If you want to delete the filter condition, click the button to the right of the field.
8. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent that have been isolated from the network

To filter or search for Kaspersky Endpoint Agent hosts that are isolated from the network:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Host link to open the filter configuration window.
3. Select the Show isolated Endpoint Agents only check box.
4. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by PCN and SCN server names

If you are using the distributed solution and multitenancy mode, you can filter or find hosts with the Kaspersky Endpoint Agent program based on the names of PCN and SCN servers to which those hosts are connected.

To filter or search for Kaspersky Endpoint Agent hosts by the names of PCN and SCN servers:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Servers link to open the filter configuration window.
3. Select check boxes next to names of servers by which you want to filter or search for hosts with the Kaspersky Endpoint Agent program.
4. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by computer IP address

To filter or search for Kaspersky Endpoint Agent hosts by IP address:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the IP link to open the filter configuration window.
3. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
4. In the entry field, specify one or several characters of the computer IP address. You can enter the IP address or subnet mask in IPv4 format (for example, 192.0.0.1 or 192.0.0.0/16).
5. To add a filter condition using a different criterion, click and specify the filter condition.
6. If you want to delete the filter condition, click the button to the right of the field.
7. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by operating system version on the computer

To filter or search for Kaspersky Endpoint Agent hosts by operating system version:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the OS link to open the filter settings window.
3. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
4. In the entry field, specify one or several characters of the operating system version.
5. To add a filter condition using a different criterion, click and specify the filter condition.
6. If you want to delete the filter condition, click the button to the right of the field.
7. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by Kaspersky Endpoint Agent version

To filter or search for Kaspersky Endpoint Agent hosts by Kaspersky Endpoint Agent version:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Version link to open the filter settings window.
3. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
4. In the entry field, specify one or several characters of the version of the Kaspersky Endpoint Agent program.
5. To add a filter condition using a different criterion, click and specify the filter condition.
6. If you want to delete the filter condition, click the button to the right of the field.
7. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent based on their activity

To filter or search for Kaspersky Endpoint Agent hosts by their activity:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Activity link to open the filter configuration window.
3. Select the check boxes next to one or more Kaspersky Endpoint Agent program activity indicators:
   • Normal activity, if you want to find hosts from which the last data was recently received.
   • Warning, if you want to find hosts from which the last data was received a long time ago.
   • Critical inactivity, if you want to find hosts from which the last data was received an extremely long time ago.
4. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Quickly creating a filter for hosts with Kaspersky Endpoint Agent

To quickly create a filter for hosts with the Kaspersky Endpoint Agent program:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Do the following to quickly add filter conditions to the filter being created:
   1. Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
   2. Left-click it.

      This opens a list of actions to perform on the value.

   3. In the list that opens, select one of the following actions:
      • Add to filter, if you want to include this value in the filter condition.
      • Exclude from filter, if you want to exclude the value from the filter condition.

3. If you want to add several filter conditions to the filter being created, perform the actions to quickly add each filter condition to the filter being created.

The table displays only those hosts that match the filter criteria you have set.

Resetting the hosts with Kaspersky Endpoint Agent filter

To clear the Kaspersky Endpoint Agent host filter for one or more filtering criteria:

1. Select the Endpoint Agents section in the window of the program web interface.
2. Click to the right of the header of the table column for which you want to clear the filter conditions.

   If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The table displays only those hosts that match the filter criteria you have set.

Configuring activity indicators of Kaspersky Endpoint Agent

Users with the Local administrator and Administrator permissions can define what durations of inactivity of computers with Kaspersky Endpoint Agent correspond to normal, low, or very low activity, and can configure the activity indicators for Kaspersky Endpoint Agent program. Users with the Security auditor role can view the settings of activity indicators of Kaspersky Endpoint Agent. Users with the Senior security officer or Security officer role can see activity indicators that you configured for Kaspersky Endpoint Agent in the Activity field of the Kaspersky Endpoint Agent host table in the Endpoint Agents section of the program web interface.

To configure activity indicators for Kaspersky Endpoint Agent program:

1. Sign in to the program web interface under the Local administrator, Administrator or Senior security officer account.
2. In the window of the program web interface, select the Settings section, Endpoint Agents subsection.
3. In the fields under the section name, enter the number of days of inactivity of hosts with Kaspersky Endpoint Agent that you want to display as Warning and Critical inactivity.
4. Click Apply.

Activity indicators of Kaspersky Endpoint Agent will be configured.

Supported interpreters and processes

Kaspersky Endpoint Agent program monitors the execution of scripts by the following interpreters:

• cmd.exe
• reg.exe
• regedit.exe
• regedt32.exe
• cscript.exe
• wscript.exe
• mmc.exe
• msiexec.exe
• mshta.exe
• rundll32.exe
• runlegacycplelevated.exe
• control.exe
• explorer.exe
• regsvr32.exe
• wwahost.exe
• powershell.exe
• java.exe and javaw.exe (only if started with the –jar option)
• InstallUtil.exe
• msdt.exe
• python.exe
• ruby.exe
• rubyw.exe

Information about the processes monitored by Kaspersky Endpoint Agent program is presented in the table below.

Processes and the file extensions that they open