Configuring EDR telemetry settings
This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
This section contains information on how to configure:
- Exclusions for EDR telemetry about application processes, which Kaspersky Endpoint Agent processes and sends to a server with the KATA Central Node or Kaspersky Industrial CyberSecurity for Networks component.
- Optimization of the volume of EDR telemetry that Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.
- Exclusions for EDR telemetry about network communications, which Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.
Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes
You can configure exclusions for and optimization of the volume of EDR telemetry about application processes using Kaspersky Security Center Administration Console, in the properties of an individual device or in the policy settings for a group of devices.
Exclusions for EDR telemetry about application processes are available when Kaspersky Endpoint Agent is integrated with servers where KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.
Kaspersky Endpoint Agent does not analyze or send data on excluded application processes to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.
Optimization of the volume of EDR telemetry about application processes can be managed (enabled / disabled) when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.
If optimization of the volume of EDR telemetry is enabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (network activity of a process) for the Microsoft SMB protocol and the Network Agent process klnagent.exe about application processes to a server where Kaspersky Industrial CyberSecurity for Networks is installed.
To enable and configure exclusions for and optimization of the volume of EDR telemetry on application processes:
- Do one of the following:
- Open the application properties window for an individual device.
- In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required device.
- In the workspace, select the Devices tab.
- Select the device for which you want to configure Kaspersky Endpoint Agent settings.
- Select Properties in the device context menu.
The device properties window opens.
- Select the Applications section.
A list of Kaspersky applications installed on the device is displayed in the window.
- Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
- Double-click the application name.
- In the application context menu, select Properties.
- Click the Properties button under the list of Kaspersky applications.
- Open the policy properties window.
- Open Kaspersky Security Center Administration Console.
- In the console tree, open the Policies folder.
- Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
- Double-click the policy name.
- Select Properties in the policy context menu.
- Select the Configure policy settings item in the right part of the window.
- Select the EDR telemetry → Excluded processes section.
- In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
- Configure optimization of the volume of EDR telemetry:
When Kaspersky Endpoint Agent is integrated with servers where KATA Central Node is installed, optimization of the volume of EDR telemetry should always be enabled.
- Disable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol, WinRM service, and the Network Agent process klnagent.exe.
- Enable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe.
If the Use exclusions setting is disabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe, regardless of the value of the Optimize the amount of telemetry setting.
- Create a list of exclusions:
- Click the Add button.
- In the Rule properties window that opens, configure the exclusion settings:
Exclusion settings are applied using a logical AND.
To create an exclusion, specify the value in the Full path field and select at least one event type in the Use this exclusion for the following event types list.
If the Network events value is selected for the Use this exclusion for the following event types criterion, specify the full path to the file in the Full path field.
The object for which you create an exclusion must be available on the protected device at the time the exclusion settings are applied. For example, if you first configure exclusion for a specific application, and then install that application on the protected device, this exclusion will not be applied.
- In the Process information section, specify the values in the following fields:
- Full path. Full path to the file, including its name and extension. You can use file masks (using the ? and * characters), as well as system environment variables.
- Command line text. Command line to run the object.
- Parent folder path. The path to the folder where the file is located.
- In the File properties section, specify the values in the following fields:
- File description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
- Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
- File version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
- In the File checksums section, specify the values in the following fields:
- MD5. MD5 hash of the file.
- SHA256. SHA256 hash of the file.
- In the Use this exclusion for the following event types list, select at least one value:
- Click OK to save the changes and close the Rule properties window.
The new exclusion is created and displayed in the list of exclusions.
- If you need to export the exclusion list to an XML file, click the Export button.
- If you need to import the exclusion list from an XML file, click the Import button.
- If you need to modify an exclusion, click the Modify button.
- If you need to delete an exclusion from the list, select the exclusion and click the Delete button.
- If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
- Click OK to save the changes.
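The logical AND over the rule fields described above, shown as an added example that is not Kaspersky's code: a constructed Python model of a process-telemetry exclusion. The dictionary keys, the event-type strings, the placeholder hash and the sample rule are assumptions; a rule without a Full path or without an event type matches nothing, because the page requires both.

```python
import fnmatch
import os
import re

# Constructed model (not Kaspersky's code) of how the fields of a process
# telemetry exclusion combine: every filled-in field must match (logical AND),
# an empty field does not constrain the match, and a rule needs a Full path
# plus at least one event type. Dictionary keys are hypothetical field names.

# Fields compared by case-insensitive equality; "full_path" is handled apart
# because it allows ? and * masks and %VAR% environment variables.
EXACT_FIELDS = ("command_line", "parent_folder", "file_description",
                "original_file_name", "file_version", "md5", "sha256")


def expand_mask(mask: str, env=None) -> str:
    """Expand Windows-style %VAR% references; unknown variables stay literal."""
    env = os.environ if env is None else env
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), mask)


def rule_matches(rule: dict, event: dict, env=None) -> bool:
    """True when `event` falls under `rule` (AND over every configured field)."""
    if not rule.get("full_path") or not rule.get("event_types"):
        return False                      # incomplete rule: excludes nothing
    if event["event_type"] not in rule["event_types"]:
        return False
    mask = expand_mask(rule["full_path"], env).lower()
    if not fnmatch.fnmatchcase(event["full_path"].lower(), mask):
        return False
    return all(rule.get(f) is None or rule[f].lower() == event.get(f, "").lower()
               for f in EXACT_FIELDS)


def is_excluded(rules, event, env=None) -> bool:
    """An event is dropped from telemetry when any rule in the list matches."""
    return any(rule_matches(r, event, env) for r in rules)


# Constructed sample: exclude network events of a backup agent only when the
# binary's SHA256 also matches, so a renamed or replaced file is still reported.
SAMPLE_RULE = {
    "full_path": r"%PROGRAMFILES%\BackupCo\*.exe",
    "event_types": {"Network events"},
    "sha256": "c0ffee00" * 8,             # placeholder, not a real file hash
}
SAMPLE_ENV = {"PROGRAMFILES": r"C:\Program Files"}
```

Pinning the hash alongside the path mask keeps the exclusion narrow: a file with the same name but different contents is still reported.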
Enabling and configuring exclusions for sent EDR telemetry about network communications
You can configure exclusions for EDR telemetry using Kaspersky Security Center Administration Console, in the properties of an individual device or in the policy settings for a group of devices.
Exclusions for EDR telemetry about network communications are applied when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.
Kaspersky Endpoint Agent does not analyze or send data matching exclusion settings to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.
To enable and configure EDR telemetry about network communications:
- Do one of the following:
- Open the application properties window for an individual device.
- In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required device.
- In the workspace, select the Devices tab.
- Select the device for which you want to configure Kaspersky Endpoint Agent settings.
- Select Properties in the device context menu.
The device properties window opens.
- Select the Applications section.
A list of Kaspersky applications installed on the device is displayed in the window.
- Select Kaspersky Endpoint Agent and open its properties window in one of the following ways:
- Double-click the application name.
- In the application context menu, select Properties.
- Click the Properties button under the list of Kaspersky applications.
- Open the policy properties window.
- Open Kaspersky Security Center Administration Console.
- In the console tree, open the Policies folder.
- Select Kaspersky Endpoint Agent policy and open its properties window in one of the following ways:
- Double-click the policy name.
- Select Properties in the policy context menu.
- Select the Configure policy settings item in the right part of the window.
- Select the EDR telemetry → Excluded network communications section.
- In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
- Create a list of exclusions:
- Click the Add button.
- In the Rule properties window that opens, configure the exclusion settings.
Exclusion settings are applied using a logical AND.
- In the Name field, enter the name of the exclusion.
- In the Direction drop-down list, select the direction of network traffic.
- In the Protocol drop-down list, select the network protocol.
- If you select a custom protocol, in the Number field, enter the network protocol number.
- Select the Local port OR range check box and enter the port number or number range.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the local device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the remote device.
The values 1–65535 are available for port numbers.
The values 1–10, 20–30000 and 1–65535 are available for a range of ports.
Limitations:
- For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
- For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
- Select the Remote port OR range check box and enter the port number or number range.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the remote device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the local device.
The values 1–65535 are available for port numbers.
The values 1–10, 20–30000 and 1–65535 are available for a range of ports.
Limitations:
- For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
- For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
- Select the Local address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address of the local device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address of the remote device.
For IP addresses, only addresses in IPv4 format are supported.
- Select the Remote address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the remote device.
For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address for the local device.
For IP addresses, only addresses in IPv4 format are supported.
- Create the list of applications for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings:
  1. Select the Applications check box.
  2. In the field below, specify the path to the executable file of the application you want to add to the list. You can enter the path manually or with the help of the Browse button.
  3. Click the Add button.
  4. For each application you want to add to the list, repeat steps 2 and 3.
  5. If necessary, remove an application from the list: select the application in the list and click the Delete button.
- Click OK to save the changes and close the Rule properties window.
The new exclusion is created and displayed in the list of exclusions.
- If you need to modify an exclusion, click the Modify button.
- If you need to delete an exclusion, select the exclusion and click the Delete button.
- If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
- Click OK to save the changes.
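The direction-dependent meaning of the port and address fields described above, shown as an added example that is not Kaspersky's code: a constructed Python model of a network-communication exclusion. The dictionary keys, the protocol number and the sample OPC gateway rule are assumptions.

```python
import ipaddress

# Constructed model (not Kaspersky's code) of a network-communication exclusion
# as this page describes it: every checked criterion must match (logical AND),
# unchecked criteria are ignored, and addresses are IPv4 only. The page maps
# the port and address fields by direction: for Incoming, "Local ..." means the
# local device and "Remote ..." the remote one; for Outgoing they are swapped.
# Rules and connections are plain dicts with hypothetical key names.

def parse_port_range(text: str) -> tuple:
    """Accept "443" or "20-30000"; ports must lie in 1..65535 and low <= high."""
    low, _, high = text.partition("-")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return lo, hi


def matches(rule: dict, conn: dict) -> bool:
    """True when the observed connection falls under the exclusion rule."""
    if rule["direction"] != conn["direction"] or rule["protocol"] != conn["protocol"]:
        return False
    # Resolve which endpoint each rule field refers to for this direction.
    swap = conn["direction"] == "Outgoing"
    endpoint = {"local": "remote" if swap else "local",
                "remote": "local" if swap else "remote"}
    for side in ("local", "remote"):
        rng = rule.get(f"{side}_port")                    # (low, high) or None
        if rng and not rng[0] <= conn[f"{endpoint[side]}_port"] <= rng[1]:
            return False
        want = rule.get(f"{side}_address")                # IPv4 string or None
        if want and ipaddress.IPv4Address(want) != ipaddress.IPv4Address(
                conn[f"{endpoint[side]}_addr"]):
            return False
    apps = [a.lower() for a in rule.get("applications", [])]  # [] = any process
    return not apps or conn["image_path"].lower() in apps


# Constructed sample: stop reporting an OPC gateway's outbound Modbus/TCP polling
# of one PLC. Because the direction is Outgoing, "local_port" is the PLC's port
# and "remote_address" is this device's own address, as the page defines them.
SAMPLE_RULE = {
    "name": "OPC gateway to PLC-1",
    "direction": "Outgoing",
    "protocol": 6,                                        # TCP
    "local_port": parse_port_range("502"),                # port on the PLC
    "remote_address": "10.20.0.15",                       # this device's IPv4
    "applications": [r"C:\OPC\gateway.exe"],
}
```

Restricting the rule to one process and one peer port keeps other outbound traffic from the same host in the telemetry.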