Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
If this functionality is enabled, the program can automatically send files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules. Files are sent as follows:
- Kaspersky Anti Targeted Attack Platform checks the event database and marks events that match TAA (IOA) rules.
- If an event matches the conditions of a TAA (IOA) rule, Kaspersky Anti Targeted Attack Platform sends the files associated with that event for scanning by the Sandbox component.
  Requests for scanning files by the Sandbox component are not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
- Based on the results of the scan, the program can add alerts to the alert database.
  You can view alerts created in this way by filtering alerts by the Details – Autosend to Sandbox attribute.
If automatic sending of files to be scanned by the Sandbox component is enabled, the volume of traffic processed by the component can become very large. If the Sandbox component server cannot support the increased load, some of the objects already in the processing request queue are dropped and replaced with requests for processing files that are automatically sent for scanning.
To avoid dropping objects from the processing request queue, you can:
- Deploy additional Sandbox servers.
- Disable automatically sending files to be scanned by the Sandbox component.
- Add to exclusions those TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.
Information about rules that are most frequently used by Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component is displayed in the Sent to Sandbox by TAA rules widget. You can add this widget to your current layout.
When you add a rule to exclusions, event marking and alert creation in accordance with this rule also stop, not only the automatic sending of files.
Files that can be automatically sent for scanning by the Sandbox component are listed in the following table.
List of files that can be automatically sent for scanning by the Sandbox component
| Event type | File type |
|---|---|
| Process started | File of the started process and file of its parent process. |
| Module loaded | File of the loaded module and file of its parent process. |
| Connection to remote host | File of the parent process. |
| Blocked application (prevention rule) | File of the application that was blocked from running, and file of its parent process. |
| Document blocked | File of the document that was blocked from running, and file of its parent process. |
| File changed | Created, deleted, or modified file and file of the parent process. |
| System event log | File of the process (only for Linux). |
| Registry modified | File of the parent process. |
| Port listened | File of the parent process. |
| Driver loaded | File of the loaded driver. |
| Scan: detect | Detected file and file of its parent process (if any). |
| Scan: detect processing result | Detected file and file of its parent process (if any). |
| AMSI scan | File of the process. |
| Process: interpreted file run | File that was started and file of its parent process. |
| Process: console interactive input | File of the parent process. |
Information about files sent for scanning by the Sandbox component is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
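The following model, added here as an illustration and not Kaspersky code, shows how the behaviour described above fits together: the event type to file type table, TAA (IOA) rule exclusions, the displacement of queued objects when the Sandbox server is overloaded, and the per-rule counts behind the Sent to Sandbox by TAA rules widget. The class and function names, the policy of displacing the oldest queued object, the attribution of a file to the first non-excluded rule, and the sample events and paths are all assumptions made for the example; the `enabled` flag stands in for the Send files check box described in the next section.

```python
"""Model of TAA (IOA) rule-driven automatic sending of files to the Sandbox.

Added illustration, not Kaspersky code: class and function names, the queue
displacement policy and the sample events are assumptions. It encodes the
event type -> file type table from this page, applies TAA (IOA) rule
exclusions, and models the bounded Sandbox request queue in which auto-sent
requests displace objects already queued when the server is overloaded.
"""
from collections import Counter, deque
from dataclasses import dataclass
from typing import List, Optional

# Event type -> attributes of the event that name files to send (from the page's table).
AUTOSEND_FILES = {
    "Process started": ("file", "parent_file"),
    "Module loaded": ("file", "parent_file"),
    "Connection to remote host": ("parent_file",),
    "Blocked application (prevention rule)": ("file", "parent_file"),
    "Document blocked": ("file", "parent_file"),
    "File changed": ("file", "parent_file"),
    "System event log": ("file",),            # Linux hosts only
    "Registry modified": ("parent_file",),
    "Port listened": ("parent_file",),
    "Driver loaded": ("file",),
    "Scan: detect": ("file", "parent_file"),
    "Scan: detect processing result": ("file", "parent_file"),
    "AMSI scan": ("file",),
    "Process: interpreted file run": ("file", "parent_file"),
    "Process: console interactive input": ("parent_file",),
}


@dataclass
class Event:
    event_type: str
    matched_rules: List[str]              # TAA (IOA) rules that marked this event
    file: Optional[str] = None            # the event's own file (process, module, document...)
    parent_file: Optional[str] = None     # file of the parent process
    os: str = "Windows"


def files_for_event(event, excluded_rules=frozenset()):
    """Return [(path, rule)] to send for one marked event, or [] if nothing is sent.

    An event whose only matching rules are excluded sends nothing. Each distinct
    path is sent once and attributed to the first non-excluded rule (assumption;
    the page does not say how the widget attributes a file to a rule).
    """
    if event.event_type == "System event log" and event.os != "Linux":
        return []
    rules = [r for r in event.matched_rules if r not in excluded_rules]
    if not rules:
        return []
    paths = [getattr(event, attr) for attr in AUTOSEND_FILES.get(event.event_type, ())]
    return [(p, rules[0]) for p in dict.fromkeys(p for p in paths if p)]


class SandboxQueue:
    """Bounded processing request queue of one Sandbox server (simplified model)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = deque()            # (path, rule) awaiting processing
        self.dropped = []               # objects displaced from the queue
        self.sent_by_rule = Counter()   # data behind the "Sent to Sandbox by TAA rules" widget

    def enqueue(self, path, rule):
        if len(self.queue) >= self.capacity:
            # Overloaded server: the auto-sent request replaces an object that is
            # already queued. Dropping the oldest one is a modelling choice.
            self.dropped.append(self.queue.popleft())
        self.queue.append((path, rule))
        self.sent_by_rule[rule] += 1


def run_autosend(events, queue, enabled=True, excluded_rules=frozenset()):
    """Marked events send files unless the Send files setting is off."""
    if not enabled:
        return
    for event in events:
        for path, rule in files_for_event(event, excluded_rules):
            queue.enqueue(path, rule)


def simulate(events, capacity, enabled=True, excluded_rules=frozenset()):
    queue = SandboxQueue(capacity)
    run_autosend(events, queue, enabled, excluded_rules)
    return {
        "queued": [p for p, _ in queue.queue],
        "dropped": len(queue.dropped),
        "by_rule": dict(queue.sent_by_rule),
        "top_rules": queue.sent_by_rule.most_common(3),   # the widget view
    }


# Constructed sample paths and events, as if marked by TAA (IOA) rules in the event database.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SETUP = r"C:\Users\alice\AppData\Local\Temp\setup.exe"
NC = r"C:\tools\nc.exe"
DLL = r"C:\Users\alice\AppData\Local\Temp\helper.dll"

SAMPLE_EVENTS = [
    Event("Process started", ["PS-launch"], file=PS, parent_file=WINWORD),
    Event("Connection to remote host", ["PS-launch"], parent_file=PS),
    Event("Registry modified", ["RunKey"], parent_file=SETUP),
    Event("Port listened", ["Noisy"], parent_file=NC),
    Event("Module loaded", ["Noisy", "RunKey"], file=DLL, parent_file=SETUP),
    Event("System event log", ["Noisy"], file="/usr/bin/sudo", os="Linux"),
    Event("System event log", ["Noisy"], file=r"C:\x.exe"),                   # Windows: not sent
    Event("Driver loaded", [], file=r"C:\Windows\System32\drivers\x.sys"),    # no rule matched
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS, capacity=5))
    print(simulate(SAMPLE_EVENTS, capacity=5, excluded_rules={"Noisy"}))
```

With a queue capacity of 5, the eight auto-sent requests from the sample events displace three earlier objects; excluding the rule that the widget shows at the top ("Noisy") reduces the submissions to six and the displaced objects to one, while the events that only that rule marked are no longer counted at all, which is the side effect of rule exclusions noted above.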
Enabling and disabling the automatic sending of files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component
To enable or disable automatically sending files to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules:
- In the window of the program web interface, select the Settings section, Endpoint Agents subsection.
- Under Send files to Sandbox automatically, do one of the following:
  - Select the Send files check box if you want files to be sent automatically.
    This function is enabled by default.
  - Clear the Send files check box if you do not want files to be sent automatically.
    Disabling this functionality does not affect the functioning of TAA (IOA) rules; only automatic sending of files is disabled.
- Click Apply.
Automatically sending files to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules is enabled or disabled.
In and , settings for automatically sending files for scanning by the Sandbox component in accordance with Kaspersky TAA (IOA) rules configured on the PCN server are also applied on SCN servers connected to that PCN server. If necessary, you can enable or disable the automatic sending of files on each selected SCN server individually.