In the Script arguments field, specify options or event field values that must be passed to the script. You can use single quotes to specify unescaped characters in options. Arguments of each script are described in expandable boxes.
onDemandScan.py performs a Critical Areas Scan.
The onDemandScan script automatically creates and runs the Critical Areas Scan task when certain KUMA events are detected. By default, Kaspersky Endpoint Security checks kernel memory, running processes, and boot sectors.
Limitations
If the Kaspersky Sandbox or KATA Sandbox solution is deployed, after updating the management plug-in to version 12.9, you need to re-establish the background connection between Kaspersky Security Center Web Console and the Administration Server. This is necessary to update user rights to the new EDR action functionality for threat response in KUMA.
Arguments
To configure the Critical Areas Scan task, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--recursive true|false
enables or disables the recursive scanning mode. This argument must be specified manually.
--path
is a space-delimited list of files and folders for Custom Scan.
You can also select a predefined scan scope. Kaspersky Endpoint Security has the following predefined objects for configuring the scan scope:
- My mail.
Files related to the operation of the Outlook mail client: data files (PST), offline data files (OST).
- System memory.
- Startup objects.
Memory occupied by processes and executable files of applications that run at operating system startup.
- Boot sectors.
Boot sectors of hard drives and removable media.
- System Backup.
Contents of the System Volume Information folder.
- All external devices.
- All hard drives.
- All network drives.
To do this, in the onDemandScan script, for the "enabled" setting of the relevant scan scope, set the value to True or False:
defaultPreset = [
    # Custom folder scan (used for the --path values)
    {"enabled": False, "path": "%personal%", "recursive": True,
     "type": ScanObjectType.Folder.value},
    # My mail
    {"enabled": False,
     "path": "", "recursive": True, "type": ScanObjectType.Email.value},
    # System memory
    {"enabled": True,
     "path": "", "recursive": True, "type": ScanObjectType.SystemMemory.value},
    # Startup objects
    {"enabled": True,
     "path": "", "recursive": True, "type": ScanObjectType.StartupObjectsAndRunningProcesses.value},
    # Boot sectors
    {"enabled": True,
     "path": "", "recursive": True, "type": ScanObjectType.DiskBootSectors.value},
    # System Backup
    {"enabled": False,
     "path": "", "recursive": True, "type": ScanObjectType.SystemBackupStorage.value},
    # All external devices
    {"enabled": False,
     "path": "", "recursive": True, "type": ScanObjectType.AllRemovableDrives.value},
    # All hard drives
    {"enabled": False,
     "path": "", "recursive": True, "type": ScanObjectType.AllFixedDrives.value},
    # All network drives
    {"enabled": False,
     "path": "", "recursive": True, "type": ScanObjectType.AllNetworkDrives.value}
]
Example
python3 onDemandScan.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --recursive false --path 'C:\Program Files (x86)\Example Folder'
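As an added illustration (not Kaspersky's onDemandScan.py), the following Python builds the scan scope the way the text describes: the enabled defaultPreset entries plus any --path values, with the targetHost ID and the true|false flag validated before use. The ScanObjectType member values and the argparse handling are assumptions.

```python
# Added example, not the vendor's script: scan-scope construction for the
# onDemandScan arguments. ScanObjectType numeric values are assumed.
import argparse
import uuid
from enum import Enum


class ScanObjectType(Enum):
    # Member names follow the page's preset; the numeric values are assumed.
    Folder = 0
    Email = 1
    SystemMemory = 2
    StartupObjectsAndRunningProcesses = 3
    DiskBootSectors = 4
    SystemBackupStorage = 5
    AllRemovableDrives = 6
    AllFixedDrives = 7
    AllNetworkDrives = 8


# Same defaults as the page: system memory, startup objects, boot sectors on.
defaultPreset = [
    {"enabled": False, "path": "%personal%", "recursive": True, "type": ScanObjectType.Folder.value},
    {"enabled": False, "path": "", "recursive": True, "type": ScanObjectType.Email.value},
    {"enabled": True, "path": "", "recursive": True, "type": ScanObjectType.SystemMemory.value},
    {"enabled": True, "path": "", "recursive": True, "type": ScanObjectType.StartupObjectsAndRunningProcesses.value},
    {"enabled": True, "path": "", "recursive": True, "type": ScanObjectType.DiskBootSectors.value},
    {"enabled": False, "path": "", "recursive": True, "type": ScanObjectType.SystemBackupStorage.value},
    {"enabled": False, "path": "", "recursive": True, "type": ScanObjectType.AllRemovableDrives.value},
    {"enabled": False, "path": "", "recursive": True, "type": ScanObjectType.AllFixedDrives.value},
    {"enabled": False, "path": "", "recursive": True, "type": ScanObjectType.AllNetworkDrives.value},
]


def parse_bool(text):
    """Parse the true|false convention used by the script arguments; reject anything else."""
    lowered = text.strip().lower()
    if lowered not in ("true", "false"):
        raise argparse.ArgumentTypeError("expected true or false, got %r" % text)
    return lowered == "true"


def build_scan_scope(argv, preset=defaultPreset):
    """Return (targetHost, scope): enabled preset entries plus one Folder entry per --path value."""
    parser = argparse.ArgumentParser(prog="onDemandScan.py")
    parser.add_argument("--targetHost", required=True, type=uuid.UUID)  # computer ID from the event
    parser.add_argument("--recursive", type=parse_bool, default=False)   # set manually
    parser.add_argument("--path", nargs="*", default=[])                 # space-delimited list
    args = parser.parse_args(argv)
    scope = [dict(entry) for entry in preset if entry["enabled"]]
    for path in args.path:
        scope.append({"enabled": True, "path": path, "recursive": args.recursive,
                      "type": ScanObjectType.Folder.value})
    return str(args.targetHost), scope
```

A path containing spaces, such as the page's 'C:\Program Files (x86)\Example Folder', must reach the script as a single argument, which is what the single quotes in the Script arguments field achieve.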
iocScan.py searches for indicators of compromise.
The iocScan script automatically creates and runs the IOC Scan task when certain KUMA events are detected. The IOC Scan task allows detecting indicators of compromise on the computer and performing threat response actions.
Kaspersky Endpoint Security uses IOC files to search for indicators of compromise. IOC files contain a set of indicators that are matched against events to generate detections. IOC files must conform to the OpenIOC standard.
Limitations
By default, Kaspersky Endpoint Security performs the IOC scan only in critical areas of the computer, such as the Downloads folder, the Desktop, the temporary files folder of the operating system, and others.
By default, the following event logs are selected: Application Event Log, System Event Log, and Security Event Log.
Arguments
To configure the IOC Scan task, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--iocZip
is the path to the ZIP archive with base64-encoded IOC files that you want to use for the scan. Required argument. This argument must be specified manually.
--isolateHost true|false
specifies whether the computer must be isolated from the network when an indicator of compromise is detected to prevent the spread of the threat. Required argument. This argument must be specified manually.
--quarantineObject true|false
specifies whether the malicious object must be deleted when an indicator of compromise is detected. Before deleting an object, Kaspersky Endpoint Security creates a backup copy of it in case you need to restore the object later. Kaspersky Endpoint Security then quarantines the backup copy. Required argument. This argument must be specified manually.
--scanCriticalAreas true|false
specifies whether the Critical Areas Scan task must be run when an indicator of compromise is detected. By default, Kaspersky Endpoint Security checks kernel memory, running processes, and boot sectors. Required argument. This argument must be specified manually.
Example
python3 iocScan.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --iocZip './ioc.zip' --isolateHost true --scanCriticalAreas true --quarantineObject true
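Because the IOC Scan task accepts only the archive described above, a pre-flight check of the --iocZip input before it is handed to a response script is worth having. The following Python is an added example, not Kaspersky's iocScan.py; it assumes each ZIP entry holds one base64-encoded OpenIOC XML file, and the sample archive is constructed in memory so the check runs offline.

```python
# Added example, not the vendor's script: validate an --iocZip archive.
# Assumption: every file entry is a base64-encoded OpenIOC XML document.
import base64
import binascii
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace-qualified root elements of OpenIOC 1.0 and 1.1 documents.
OPENIOC_ROOTS = {
    "{http://schemas.mandiant.com/2010/ioc}ioc",
    "{http://openioc.org/schemas/OpenIOC_1.1}OpenIOC",
}


def check_ioc_zip(zip_bytes):
    """Return {entry_name: (ok, reason)} for every file entry in the archive."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to decode
            raw = archive.read(name)
            try:
                xml_bytes = base64.b64decode(raw, validate=True)
            except (binascii.Error, ValueError):
                results[name] = (False, "not valid base64")
                continue
            try:
                root = ET.fromstring(xml_bytes)
            except ET.ParseError:
                results[name] = (False, "decoded payload is not well-formed XML")
                continue
            if root.tag not in OPENIOC_ROOTS:
                results[name] = (False, "root element %s is not OpenIOC" % root.tag)
                continue
            results[name] = (True, "OpenIOC document, root %s" % root.tag)
    return results


def make_sample_zip():
    """Constructed sample: one valid base64-encoded OpenIOC 1.1 entry, one bogus entry."""
    ioc_xml = (b'<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="sample">'
               b'<criteria/></OpenIOC>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample.ioc", base64.b64encode(ioc_xml))
        archive.writestr("notes.txt", b"this is not base64!!")
    return buf.getvalue()
```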
quarantineFile.py quarantines a file
The quarantineFile script automatically creates and runs the Move file to quarantine task when certain events are received in KUMA. Quarantine is a special local storage on your computer. A user can quarantine files that the user considers dangerous for the computer. Quarantined files are stored in encrypted form and do not pose a threat to the security of the device.
Limitations
The Move file to quarantine task has the following limitations:
- The file size may not exceed 100 MB.
- System Critical Objects (SCO) cannot be quarantined. SCOs include files required for the functioning of the operating system and the Kaspersky Endpoint Security application.
Arguments
To configure the Move file to quarantine task, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--path
is the path to the file. Required argument. The script gets this argument from the event.
--md5hash
is the MD5 hash of the file. The script gets this argument from the event.
--sha256hash
is the SHA256 hash of the file. The script gets this argument from the event.
Examples
python3 quarantineFile.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path 'C:\Folder\File.txt'
python3 quarantineFile.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path 'C:\Folder\' --sha256hash 123456789101234567890123456789012
deleteFile.py deletes a file
The deleteFile script automatically creates and runs the Removing file task when certain KUMA events are detected. For example, you can remotely delete a file when responding to threats.
Limitations
System Critical Objects (SCO) cannot be deleted. SCOs include files required for the functioning of the operating system and the Kaspersky Endpoint Security application.
Arguments
To configure the Removing file task, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--searchInSubfolders true|false
specifies whether subfolders must be traversed in search for the file. Required argument. This argument must be specified manually.
--path
is the path to the file. Required argument. The script gets this argument from the event.
--md5hash
is the MD5 hash of the file. The script gets this argument from the event.
--sha256hash
is the SHA256 hash of the file. The script gets this argument from the event.
Examples
python3 deleteFile.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path 'C:\Folder\File.txt' --searchInSubfolders false
python3 deleteFile.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path '1' --searchInSubfolders false --sha256hash 123456789101234567890123456789012
getFile.py gets a file
The getFile script automatically creates and runs the Receive a file task when certain events are received in KUMA. For example, you can configure it to fetch an event log file that a third-party application creates. The task saves the file in the quarantine. Quarantine is a special local storage on your computer. You can use the Web Console to download this file to your computer from the quarantine (Operations → Storages → Quarantine). On the user's computer, the file remains in its original folder.
Limitation
The file size may not exceed 100 MB.
Arguments
To configure the Receive a file task, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--path
is the path to the file. Required argument. The script gets this argument from the event.
--md5hash
is the MD5 hash of the file. The script gets this argument from the event.
--sha256hash
is the SHA256 hash of the file. The script gets this argument from the event.
Examples
python3 getFile.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path 'C:\Folder\File.txt'
python3 getFile.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path 'C:\Folder\' --md5hash 123456789101234567890123456789012
isolateHost.py isolates the computer from the network
The isolateHost script automatically isolates a computer from the network when certain KUMA events are detected.
Once Network Isolation is enabled, the application terminates all active TCP/IP network connections and blocks all new connections on the computer, except for the following connections:
- Connections specified in exclusions from Network Isolation
- Connections initiated by Kaspersky Endpoint Security services
- Connections initiated by the Kaspersky Security Center Network Agent
- Connections to the SVM and Integration Server if the application is being used in Light Agent mode
Arguments
To configure Network Isolation, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--action
is the Network Isolation mode. Required argument. This argument must be specified manually. Possible values:
1
isolates the computer from the network.
0
disables Network Isolation.
Example
python3 isolateHost.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --action 1
preventExecution.py prevents execution of objects
The preventExecution script automatically prevents objects from running when certain KUMA events are detected. Execution prevention for objects lets you control the running of executable files and scripts, as well as the opening of office format files. In this way, you can, for example, prevent the launch of applications that you consider unsafe. As a result, the spread of the threat may be stopped. Execution prevention for objects supports a certain set of office file extensions and a certain set of script interpreters. An execution prevention rule is a set of criteria that an application takes into account when responding to an object starting, such as when blocking an object from running. The application identifies files by their path or checksum using MD5 and SHA256 hashing algorithms.
Kaspersky Endpoint Security monitors the creation of new execution prevention rules and ignores duplicate rules. That is, if the launch of an object is already prevented, the application does not create a new rule. For this to be true, all of the parameters of the rule must match (path to the file and file hash), and the rule must be enabled.
Limitations
Execution prevention for objects has the following limitations:
- Prevention rules do not apply to files on CDs or ISO images. The application does not block the running or opening of such files.
- You cannot prevent an object from running if the object is a System Critical Object (SCO). SCOs include files required for the functioning of the operating system and the Kaspersky Endpoint Security application.
- We do not recommend creating more than 5000 execution prevention rules because this may make the system unstable.
Arguments
To configure Execution prevention for objects, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--hash
is the MD5 hash of the file. Required argument. The script gets this argument from the event.
--path
is the full path to the file, or the path to the file if you enter the file hash. Required argument. The script gets this argument from the event.
Example
python3 preventExecution.py --targetHost '422db51e-9383-46d4-b75d-f4d1d20fff2c' --path 'C:\test5\run10.exe' --hash '8806b7f358884a049675b42c5f75ba10'
startProcess.py starts a process.
The startProcess script automatically creates and runs the Start process task when certain KUMA events are detected. For example, you can remotely run a utility that creates a report about the computer's configuration. You can then use the Receive a file task to receive the created report file in the Kaspersky Security Center Web Console.
Arguments
To configure the Start process task, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--executablePath
is the path to the file. Required argument. You can pass this argument from the event or enter a value manually.
--arguments
lists additional command line arguments for the process. These arguments must be specified manually.
--workingFolder
is the path to the working folder of the process. This argument must be specified manually.
Example
python3 startProcess.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --executablePath 'c://a/a.exe'
terminateProcess.py terminates a process
The terminateProcess script automatically creates and runs the Terminate process task when certain KUMA events are detected. For example, you can remotely terminate an internet speed test utility that was launched by the Start process task.
If you want to prevent a file from running, you can configure the Execution prevention for objects component. You can prevent the execution of executable files, scripts, and office format files.
Limitations
You cannot terminate processes of System Critical Objects (SCO). SCOs include files required for the functioning of the operating system and the Kaspersky Endpoint Security application.
Arguments
To configure the Terminate process task, you need to specify the following arguments for the script:
--targetHost
is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
--caseSensitive true|false
enables or disables the case-sensitive mode when searching for the file. Required argument. This argument must be specified manually.
--path
is the path to the file. Required argument. The script gets this argument from the event.
--md5hash
is the MD5 hash of the file. The script gets this argument from the event.
--sha256hash
is the SHA256 hash of the file. The script gets this argument from the event.
Examples
python3 terminateProcess.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path 'C:\Folder\file.exe' --caseSensitive true
python3 terminateProcess.py --targetHost 004c7fcd-8940-4d62-8a94-911932dc861b --path 'C:\Folder\' --caseSensitive false --md5hash 123456789101234567890123456789012