EDRO P24.2 v1.0.16 en

Why another EDR?

First, because of market expectations.

If you take a look at market research by Gartner, Forrester, and other analyst firms, you will see that all of them say almost the same thing: endpoint protection platforms (EPP) by various vendors already include endpoint detection and response (EDR) tools. Therefore, endpoint security solutions by Kaspersky must also have EDR functionality.

Second, Kaspersky already has an EDR solution within the Kaspersky Anti Targeted Attack (KATA) platform, but there are two significant barriers to using Kaspersky Endpoint Detection and Response (KEDR) for most customers:
1. Considerable investments in the infrastructure
2. High level of employees' expertise required to make effective use of the obtained information

To better understand why we need another EDR solution, let's figure out which organizations are our customers and which solutions we already offer them. We can group customers according to the maturity level of their information security (IS) strategy. We consider 3 maturity levels: low, medium and high.

At the low maturity level of an information security strategy, the customer typically does not have a dedicated information security department. It is the Information Technology (IT) department that protects the organization's data assets. In practice, such companies rarely investigate IS incidents: they have neither the resources nor the qualifications.

At the medium maturity level of an information security strategy, the customer already has a small dedicated group (typically, a few information security specialists) within the IT department. This group of employees is responsible for the information security of the organization. It should be specifically noted that only a few employees (rather than a fully staffed information security department) are responsible for information security at mid-level companies. Security officers regularly investigate incidents, but typically respond to threat alerts rather than actively hunt for indicators of an attack in the company's infrastructure.

At the high maturity level of an information security strategy, the customer already has a fully staffed department of highly skilled security officers who focus exclusively on information security issues. These teams are usually named SOC (Security Operations Center), CERT (Computer Emergency Response Team), or CSIRT (Computer Security Incident Response Team). The information security department continuously reviews data from various information systems, regardless of whether there are current alerts about new threats or not.

Based on the above, companies at different maturity levels have different requirements for endpoint security solutions:

At the low maturity level of an information security strategy, a customer devotes most of the time to managing their systems, while administering protection is put aside. For this reason, a security solution must have a high detection rate for various threats and a high level of automation (prevention and rollback of malicious actions).
Preferred security software types: Endpoint Protection Platform

At the medium maturity level of an information security strategy, customers also need high threat detection rates, but automation recedes into the background. The customer's employees have adequate competence not only to administer the security software, but also to receive and analyze information about threats to understand which information security incidents require additional response and which do not. If an information security incident requires an immediate response, the security officer should have all the necessary tools at hand.
Preferred security software types: Endpoint Detection and Response

At the high maturity level of the customer's information security strategy, everything that was mentioned for the previous two levels is also of interest, and additionally customers want tools to analyze aggregate data for threat hunting. They need full visibility into what's happening on the network. This requires powerful tools for collecting and correlating data from various networked devices and the organization's information assets. In addition, the customers map their data to data acquired from threat intelligence resources. This is necessary to detect anomalies in real time, even when there are no threat alerts by protection solutions.
Preferred security software types: eXtended Detection and Response

We can also group the customers by the volume of infrastructure investments: low, medium and high.

Low level. Companies that are not ready to invest at all for some reason, for example, because of a limited IT budget. The company cannot afford to buy expensive servers and develop a local infrastructure. For this reason, the company will consider cloud solutions that are much cheaper to maintain than locally deployed computing resources. Even if an organization has sufficient budget, but most of its infrastructure is cloud-based, it is easier to expand it in the cloud rather than to migrate to a local infrastructure.

Medium level. Companies that are willing to invest only to a certain extent because of a limited IT budget. For some companies, there is no difference between building a local or a cloud infrastructure. Hybrid use cases are suitable for these companies.

High level. Companies that are willing to spend a lot of resources on infrastructure and its protection. These companies are often not ready to move their infrastructure to the cloud; they would rather develop a purely on-premises infrastructure because they do not trust third parties when it comes to storing or transferring their data and their customers' data. Such organizations may include, for example, government authorities in some regions. Also, in some countries, laws prohibit companies from transferring their customers' data to third parties, and they have to develop their own infrastructure.

Willingness to invest in an on-premises infrastructure does not necessarily correlate with the maturity of the corporate IS strategy. To better profile customers, we will consider these factors independently. So, let's plot investments versus IS maturity level and check which Kaspersky solutions are right for which types of companies.

At the bottom of the spectrum, there is Kaspersky Endpoint Security for Business (KESB), naturally. This is our main offering on the EPP market; it does not require significant infrastructure investments or exceptional management expertise. It is managed by local IT, and most of the security actions are taken automatically.

KATA (Kaspersky Anti Targeted Attack platform) quite logically goes to the opposite corner of the chart. This solution requires powerful servers, is deployed locally, and therefore involves significant infrastructure investments. In the case of Kaspersky Endpoint Detection and Response (KEDR), a high level of employees' expertise maximizes the value of the solution.

There is a lot of empty space between these solutions, with companies that are either unwilling to invest in infrastructure, or have a medium IS maturity level, or both.

Kaspersky partly covers these needs with services. For example, Threat Intelligence helps information security experts in their work, requires absolutely no infrastructure and is managed by Kaspersky experts. Kaspersky also offers another service to companies that do not have highly qualified personnel for analyzing incidents: Managed Detection and Response (MDR). In this solution, Kaspersky employees analyze the customer's data and advise on how to respond to an incident: which incident to consider more important, how best to handle it, and which tools to use.

Previously, Kaspersky did not have a solution for customers who have the expertise to respond to IS incidents and are willing to invest to some extent in their infrastructure. In 2019, we released Kaspersky Sandbox, which improves detection of advanced threats; however, this solution is also largely automated and the customers still cannot use their own expertise. In 2020, we released Kaspersky EDR Optimum, which includes Kaspersky Endpoint Security and can be used together with Kaspersky Sandbox. This solution provides additional capabilities to companies with medium maturity levels of their information security strategy.

Sure, there are no hard boundaries between different solutions, and many companies may choose between two or more different solutions (Kaspersky EDR Optimum, Kaspersky MDR Optimum, Kaspersky MDR Expert, Kaspersky EDR, etc.) to perform similar tasks. The choice will depend on the customer's preferences: their expertise (how much time they are willing to spend analyzing the data, etc.) and how much money they are willing to invest.

We can single out two groups among the available solutions:
• Optimum framework is grouped around Kaspersky Endpoint Security for Business (endpoint protection platform + Kaspersky Security Center)
• Expert framework is a solution group based on the KATA platform

Let's take a closer look at what makes them different.

The main point of differentiation is the central server that receives data and also acts as the solution's interface.

In the Optimum framework, the primary server is Kaspersky Security Center (KSC). Typically, the administrator uses Kaspersky Security Center to manage Kaspersky Endpoint Security (KES) and other EPP products, but if we add the Endpoint Detection and Response Optimum component to Kaspersky Endpoint Security 11.7 (or the Kaspersky Endpoint Agent component to Kaspersky Security for Windows Server 11), the administrator gets the ability to manage Kaspersky EDR Optimum functionality. Kaspersky Endpoint Security (KES) / Kaspersky Security for Windows Server (KSWS) begins sending additional telemetry (information related to threat detection) to the Administration Server. This configuration will also enable the administrator to remotely (using Kaspersky Security Center) isolate a device from the network and perform other response actions, for example, kill a process, delete a file, run a task that scans computers for indicators of compromise (IoC), etc.

You can also add Kaspersky (Standalone) Sandbox to the Optimum framework and integrate it with the other components of the solution. To integrate with Kaspersky Sandbox, install the Kaspersky Sandbox component of Kaspersky Endpoint Security 11.7 on the endpoints. This component will enable Kaspersky Endpoint Security to send suspicious files to Kaspersky Sandbox. With such a solution, you can automate the response to a threat: if Kaspersky Sandbox detects a threat, Kaspersky Endpoint Security can create an IoC scan task and launch it via Kaspersky Security Center on managed devices without involving the administrator. In the case of Kaspersky Security for Windows Server 11, the same Kaspersky Endpoint Agent component provides integration with Kaspersky Sandbox.

Note: If older versions of the applications are used (earlier than Kaspersky Security Center 13.2 and Kaspersky Endpoint Security 11.7 / Kaspersky Security for Windows Server 11), both Kaspersky Endpoint Security and Kaspersky Security for Windows Server interact with Kaspersky Security Center and Sandbox via a standalone application, Kaspersky Endpoint Agent.

In the Expert framework, the primary server is a KATA Central Node. This server is responsible for network traffic analysis in the KATA structure; it also acts as a network sensor and collaborates with KATA Sandbox to analyze files and hyperlinks.

Although both solutions feature a server with Sandbox functionality, these are different Sandbox implementations that are not interchangeable. KATA/KEDR can interact only with KATA Sandbox. Kaspersky EDR Optimum can interact only with Kaspersky (Standalone) Sandbox. In the future, KATA Sandbox and Kaspersky Sandbox are planned to be interchangeable for the customers' convenience, to enable customers to migrate from one solution to the other.

The Kaspersky EDR solution requires that Kaspersky Endpoint Security or Kaspersky Security for Windows Server with the Endpoint Agent component be installed on the network endpoints, or only Kaspersky Endpoint Agent if the customer uses a third-party EPP solution.

In the Expert platform, all the data is sent to the Central Node. The security officer uses the KATA Central Node console to search for anomalies and respond to a detected threat. Third-party EPP solutions do not send their malicious activity detection data to the central KATA node.

If the customer wants to analyze not only the telemetry that Kaspersky Endpoint Agent collects, but also threat detection events, they need to uninstall their third-party protection application and Kaspersky Endpoint Agent and then install Kaspersky Endpoint Security or Kaspersky Security for Windows Server with the Endpoint Agent component on their endpoints.

Although Kaspersky Security Center and Kaspersky security solutions are not strictly required for the Expert framework, they enhance the Kaspersky EDR capabilities and greatly simplify management.

Let us consider Kaspersky EDR Optimum and Kaspersky EDR Optimum + Kaspersky Sandbox as the Optimum framework, and Kaspersky EDR as the Expert framework.

All three solutions support deployment in an on-premises infrastructure. Only Kaspersky EDR Optimum supports cloud installation: all Kaspersky EDR Optimum functionality is available in Kaspersky Security Center Cloud Console.

Kaspersky Endpoint Security 11.7 with Endpoint Detection and Response Optimum or Kaspersky Security for Windows Server 11 with Endpoint Agent must be installed to implement Kaspersky EDR Optimum functionality on the endpoints. If the customer wants to use Kaspersky Sandbox in addition to the EPP solution, the Kaspersky Sandbox component of Kaspersky Endpoint Security 11.7 must be installed on the endpoints. The components can be installed only on Windows operating systems. Integration with third-party security software is not supported.

The Expert framework can be deployed in two ways. The first option is to use third-party security solutions, in which case Kaspersky Endpoint Agent must be installed on the endpoints. The other option is to use Kaspersky protection solutions: Kaspersky Endpoint Security or Kaspersky Security for Windows Server with the Endpoint Agent component.

The system requirements for Kaspersky EDR Optimum are quite low; you only need to install Kaspersky Security Center 11.7 on a physical or virtual server. The Kaspersky Security Center server does not need to be powerful since all calculations and data interception and processing take place on the endpoints; only the data required for reports and incident cards is sent to the Administration Server. In the case of Kaspersky EDR Optimum + Kaspersky Sandbox, you need a rather powerful server for Kaspersky Sandbox.

Kaspersky EDR requires a powerful server for the Central Node and, depending on the license, another powerful server for Sandbox.

Kaspersky EDR Optimum enriches detection events generated by other Kaspersky Endpoint Security components with telemetry data and creates a malicious activity detection alert. The alert card displays the threat development chain and the changes that were made to the computer. These technical details should be sufficient to assist the security officer in analyzing the incident. The security officer consults an alert card to determine whether the incident needs to be investigated and whether a response is required.

The Optimum framework does not provide search for events detected by the EDR component, and no correlation either. Security officers deal with each incident separately. In the Expert framework, you can easily find similar events using any telemetry attribute. Kaspersky EDR has a searchable telemetry database (a database of events from all network endpoints) where you can run complex queries to find indicators of compromise and attack.

Only the Expert framework permits mapping dangerous activities to the MITRE ATT&CK matrix.

Kaspersky EDR Optimum provides links to the OpenTIP portal where you can find additional information about files and hyperlinks. In the Expert framework, Kaspersky EDR provides links to the paid TIP portal, to VirusTotal and to the threats.kaspersky.com information portal.

Both solutions enable you to remotely get / delete / quarantine a file, run an application or execute a command.

Additional threat detection capabilities

Kaspersky EDR Optimum does not provide extra detection capabilities; it only supplies Kaspersky Endpoint Security with additional context. Kaspersky EDR includes a specialized Targeted Attack Analyzer (TAA) that runs on the Central Node and detects indicators of attacks in real time. Kaspersky supplies customers with a set of attack indicators through the update engine; customers can additionally create their own rules to search telemetry events for indicators of attack or compromise.

Both solutions permit searching network hosts for indicators of compromise. Customers can import IoC from third-party sources, create their own IoC and run IoC scan tasks on the endpoints.

Kaspersky Sandbox, which belongs to the Optimum framework, allows you to fully automatically create indicators of compromise based on Sandbox detections and create IoC scan tasks to search network endpoints for these indicators. There is no similar feature in the Expert framework as of now (it may be added in future versions).

Attack containment capabilities

All solutions have the ability to block files; what makes the difference is how easily you can do it through the solution interface.

Kaspersky EDR Optimum cannot automatically block suspicious files. Upon detection, the security officer has to add a suspicious file to the prevention list manually. If you add Kaspersky Sandbox to the Optimum framework, blocking via the Kaspersky Sandbox cache becomes available. (If an endpoint sends a file for scanning and it turns out to be malicious, this information will be added to the Kaspersky Sandbox cache; all devices will synchronize with Kaspersky Sandbox and take information about the files to be blocked from the cache. This way, the malicious file will be blocked throughout the whole organization.)

In Kaspersky EDR, a similar capability is implemented in KATA 3.7.1. KATA 3.7 patch 1 can automatically create block rules based on Sandbox detections. As of now, Kaspersky EDR can upload information about malicious files detected during Sandbox analysis to the Kaspersky Private Security Network (KPSN) reputation database. As a result, all Kaspersky security applications deployed in the organization will block the detected objects.

Kaspersky EDR Optimum + Kaspersky Sandbox provide the ability to automatically create and run an EPP scan task or an IoC scan task when a threat is detected. In Kaspersky EDR, if a threat is detected, the security officer must investigate it manually on the target device.

All Kaspersky solutions can isolate an endpoint from the network. Kaspersky EDR Optimum can isolate a device from the network automatically as a response to IoC detection by an IoC scan task.

Sandbox capabilities

Kaspersky EDR Optimum does not include a sandbox, but the customer can purchase a separate license, install a Kaspersky Sandbox server, and use the two solutions together. A similar approach is implemented in Kaspersky Endpoint Detection and Response: there is a standard license without Sandbox, and there is an advanced license that includes Sandbox.

Kaspersky EDR cannot automatically send a file for analysis to Sandbox, while Kaspersky EDR Optimum + Kaspersky Sandbox provide this capability. In the Optimum framework, Kaspersky Sandbox operates as follows: if Kaspersky Endpoint Security does not detect a threat using malware databases or behavior analysis, it requests the file's reputation from Kaspersky Security Network; if there is no information about the file in Kaspersky Security Network, Kaspersky Endpoint Security sends the file to the Sandbox for an additional check.

Only Kaspersky EDR permits sending files to Sandbox manually. In this case, we mean uploading a file from the solution interface directly to Sandbox. Kaspersky EDR Optimum + Kaspersky Sandbox and Kaspersky EDR equally enable you to upload files via an API (application programming interface).

In terms of added value, Kaspersky EDR has an advantage because it can generate a detailed report on the results of file scanning in the Sandbox rather than simply provide information on whether the file is malicious or clean. Also, Sandbox uses 3 types of virtual machines when processing suspicious files in the Expert framework: Windows XP, 7 and 10. The Optimum framework uses Windows 7 and Windows 10.

Endpoint Protection Platform (EPP) solutions provide comprehensive protection for endpoints: workstations, servers and mobile devices. Today's EPP solutions feature classic antivirus functionality as well as other security technologies such as software behavior analysis, patch management, personal firewalls, application start and device connection control, disk and file encryption, etc.

Another characteristic feature of EPP solutions is maximal automation when handling detected threats. Developers try to create these solutions so that the user can achieve the best possible result with minimal effort and time. As a result, the solution does not confront administrators with too much information about threats and reports only the actions that it takes against malicious objects: detected, disinfected, deleted or blocked. This approach used to be quite reasonable, but the threats that EPP solutions face have changed. An increase in targeted attacks, fileless attacks and attacks where illegal activities are performed using legitimate software has changed the requirements for endpoint protection systems: developers search for new technologies that improve detection of advanced threats and speed up response, thereby reducing the likelihood of successful attacks.

Targeted attacks are cyberattacks that aim to compromise a particular system or object. Targeted attacks may have various vectors, be carried out in several stages and use legitimate software. It is extremely difficult to detect this type of threat due to the targeted nature of the attackers' actions.

Fileless attacks are carried out within the device's RAM. These attacks do not leave traces of their activity in the file system. It is difficult for EPP solutions to detect such attacks because historically EPP solutions are file-oriented systems that have developed from classic antivirus applications based on the assumption that all or at least the majority of attacks on endpoint devices are implemented through infected files.

Let's sum up what needs improvement in today's EPP solutions:
• Visibility. Events and reports only show the fact of detecting a malicious object and the action that the EPP system has or has not performed on that object. This representation of a malicious object does not allow you to evaluate the attack vector and understand at what stage it was stopped. For example, an encryption attempt was detected and blocked. The event shows what program was trying to encrypt files. But it is difficult to understand whether this action was legitimate or not, and it is impossible to track the entire chain of events that led to this action based only on the EPP data. In other words, if the encryption attempt was illegitimate, you need to spend additional time and resources to understand what chain of actions and changes in the system led to this attempt, which can be critical in this situation. An attack vector in this case is a sequence of actions and changes in the system that make up the attack. The attack vector determines how attackers deliver the malicious payload to the computer.
• Too complicated. When analyzing a threat, it is very important to determine the stage at which the attack was detected (for example, initial access, lateral movement or collection), as this will determine the incident priority and the response scenario. This is very difficult (and often even impossible) to achieve using only EPP tools and events without detailed analysis of the attacked computer's logs and the use of third-party utilities.
• Too slow. EPP systems lack mechanisms that allow the user to scrutinize an incident and quickly respond. As a result, even if a threat has been detected and blocked, the administrator cannot be fully confident that everything is all right in the system: that the attack is completely neutralized, all its consequences have been eliminated, there are no unauthorized changes in the operating systems or applications, and no data has leaked.
Kaspersky Endpoint Detection and Response Optimum is a Kaspersky product that requires the respective license. Functionally, Kaspersky Endpoint Detection and Response Optimum extends the capabilities of the Kaspersky Endpoint Security for Business solution.

Kaspersky EDR Optimum enables security officers to:
• Analyze the causes of an incident
• Contain the spread of a threat: isolate a device, prevent execution of suspicious objects
• React to a threat in real time: get a file from an endpoint for additional analysis, delete or quarantine a file, remotely kill a process or run a program to further clean up the computer
• Create indicators of compromise (IoC) and search for them
Kaspersky EDR Optimum works in close integration with other components of Kaspersky Endpoint Security / Kaspersky Security for Windows Server. Kaspersky Security Center provides centralized management, while Kaspersky Endpoint Security or Kaspersky Security for Windows Server installed on the endpoints automatically detect and neutralize threats.

Kaspersky EDR Optimum adds the following capabilities to Kaspersky Endpoint Security for Business:
• Provides additional information concerning threat detection and helps the administrator and analyst understand what happened on the endpoint before the alert and whether additional response is required
• Permits taking real-time measures to contain the threat: isolate the endpoint from the network and quarantine the objects involved in the incident for further analysis
• Allows you to block files, scripts and documents
• Enables you to create and run IoC scan tasks on the managed devices based on telemetry or using third-party resources that publish IoC information (for example, securelist.com or other public sources)
• In IoC scan tasks, you can set up an automatic response that Kaspersky Endpoint Detection and Response will perform if the indicators of compromise are detected: additionally scan the computer using the security solution, quarantine a file, isolate the computer from the network
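As an added example (not part of the training material and not Kaspersky's code), the following Python models an IoC scan task with the automatic response just listed: indicators are read from a file, every file artifact on a host is compared against them, and a policy decides which of the three actions (scan, quarantine, isolate) follow a hit. The OpenIOC XML format, the indicator document and the host file inventories are assumptions constructed for the example; the page does not name the indicator format the product accepts.

```python
"""Illustrative IoC scan task with automatic response (not Kaspersky code)."""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample payload; its MD5 plays the role of a hash indicator.
SAMPLE_PAYLOAD = b"constructed sample payload, not a real file"
SAMPLE_MD5 = hashlib.md5(SAMPLE_PAYLOAD).hexdigest()

# Constructed OpenIOC 1.0 document: two IndicatorItems combined with OR.
IOC_XML = f"""<ioc id="constructed-ioc-0001" xmlns="http://schemas.mandiant.com/2010/ioc">
  <definition>
    <Indicator operator="OR" id="root">
      <IndicatorItem id="hash-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{SAMPLE_MD5}</Content>
      </IndicatorItem>
      <IndicatorItem id="name-1" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">dropper.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

@dataclass(frozen=True)
class IndicatorItem:
    item_id: str
    search: str     # OpenIOC search term, e.g. "FileItem/Md5sum"
    condition: str  # "is" or "contains"
    content: str

def parse_openioc(xml_text: str) -> list[IndicatorItem]:
    """Flatten every IndicatorItem of an OpenIOC file (OR semantics only)."""
    root = ET.fromstring(xml_text)
    items = []
    for node in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx = node.find("ioc:Context", NS)
        content = node.find("ioc:Content", NS)
        items.append(IndicatorItem(node.get("id"), ctx.get("search"),
                                   node.get("condition"), content.text.strip()))
    return items

@dataclass(frozen=True)
class FileArtifact:
    """One file on a managed device (constructed inventory, not a real scan)."""
    path: str
    content: bytes
    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]
    @property
    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()

# OpenIOC search term -> artifact attribute it is compared against.
SEARCH_FIELDS = {"FileItem/Md5sum": lambda f: f.md5,
                 "FileItem/FileName": lambda f: f.name}

def item_matches(item: IndicatorItem, artifact: FileArtifact) -> bool:
    getter = SEARCH_FIELDS.get(item.search)
    if getter is None:
        return False  # unsupported term: no match rather than a false positive
    value, needle = getter(artifact).lower(), item.content.lower()
    if item.condition == "is":
        return value == needle
    return item.condition == "contains" and needle in value

@dataclass(frozen=True)
class ResponsePolicy:
    """Automatic actions on a positive IoC scan: the three listed above."""
    quarantine_file: bool = True
    scan_host: bool = True
    isolate_host: bool = False

def run_ioc_scan(host, files, items, policy):
    """Compare every file against every indicator; return (matches, actions)."""
    matches = [(item.item_id, f.path) for f in files for item in items
               if item_matches(item, f)]
    actions = []
    if not matches:
        return matches, actions  # clean host: no automatic response
    if policy.quarantine_file:  # one action per distinct matched file
        actions += [f"quarantine {p}" for p in dict.fromkeys(p for _, p in matches)]
    if policy.scan_host:
        actions.append(f"scan {host}")
    if policy.isolate_host:
        actions.append(f"isolate {host}")
    return matches, actions

# Constructed inventories: ws01 has one name hit and one hash hit, ws02 is clean.
WS01_FILES = [FileArtifact(r"C:\Windows\notepad.exe", b"constructed clean content"),
              FileArtifact(r"C:\Users\Public\dropper.exe", b"constructed, matches by name"),
              FileArtifact(r"C:\Temp\update.bin", SAMPLE_PAYLOAD)]
WS02_FILES = [FileArtifact(r"C:\Windows\notepad.exe", b"constructed clean content")]
```

Calling `run_ioc_scan("ws01", WS01_FILES, parse_openioc(IOC_XML), ResponsePolicy(isolate_host=True))` yields two matches and the ordered actions quarantine, quarantine, scan, isolate; the clean host ws02 yields no actions at all.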
If Kaspersky Endpoint Security for Business has not been deployed on the company's network, the plan for deploying Kaspersky EDR Optimum is as follows:
1. Install Kaspersky Security Center version 13.2 with the web console. An on-premises Kaspersky Security Center requires a database server. Alternatively, you can use Kaspersky Security Center Cloud Console.
2. Adjust the settings of the EPP installation package:
   • Kaspersky Endpoint Security for Windows 11.7: select to install the Endpoint Detection and Response Optimum component
   • Kaspersky Security for Windows Server 11: select to install the Kaspersky Endpoint Agent component
   Then create and run a remote installation task to install the Network Agent and the modified installation package of the endpoint security application.
3. Add the Kaspersky EDR Optimum activation code or key file to the storage on the Kaspersky Security Center Administration Server and enable automatic distribution for it.

Installation of Kaspersky Security Center and subsequent deployment of the Network Agent and endpoint security applications is described in the first unit of the technical training KL 002 Kaspersky Endpoint Security and Management and in the technical training KL 024 Kaspersky EDR Optimum.

To deploy Kaspersky EDR Optimum, you only need to install and configure the corresponding component; no other actions are required. For example, you do not need to open additional ports on the firewalls to ensure that the solution is operational.

You can find all EPP detection events in the Report on threats in Monitoring & Reporting | Reports. As soon as you install and enable the Endpoint Detection and Response Optimum / Kaspersky Endpoint Agent component, new detection events will be enriched with additional information. In the Open incident column, the View incident card link will appear, which allows you to consult the details of the detection event.

Old detection events, those that had been logged before the Endpoint Detection and Response Optimum / Kaspersky Endpoint Agent component was enabled or installed, will not be enriched.

All detection events are also displayed in Monitoring & Reporting | Alerts. In the Enrichment and response column, an enriched event will have a More details link, which allows you to consult the detection details.

You can enable or disable display of the Alerts page in the web console interface options: KSC\<<User name under which you have connected to the Administration Server>> | Interface options. The Alerts page will be displayed automatically if you specify a Kaspersky EDR Optimum license (activation code) in the Quick Start Wizard.

From now on, let us describe Kaspersky EDR Optimum functionality through the example of Kaspersky Endpoint Security 11.7.

When a malicious or suspicious object is detected, Kaspersky Endpoint Security may generate and send up to five non-enriched events related to its detection and processing to the Administration Server, for example, 'malicious object detected', 'disinfection attempted', 'object blocked / quarantined / deleted', etc. In other words, Kaspersky Endpoint Security generates an event for any action it takes on an object (including the result) and sends it to the Administration Server.

Of course, from the user's point of view, it is time-consuming and inefficient to analyze so many events related to just one object. The administrator is interested in what happened to the object in the end rather than in the intermediate actions that Kaspersky Endpoint Security took or tried to take. Therefore, the Report on threats represents a single event that summarizes all information about the detected object and the action that Kaspersky Endpoint Security finally took on it. Such a detection event can be enriched with additional information (alert details).

29
What do details of a detection event include?

The upper part of the card displays the threat status: whether it has been blocked.

Below the action, the chain of pre-detection processes is visualized with their activities: created files, established connections, changes to the registry. The object originally detected by a protection technology is highlighted in blue.

Then, information about the detected object is shown: object name and location on the device, category, detection timestamp, etc. Endpoint data is also included: the computer’s domain name, IP address, MAC address, operating system, and device location in the Kaspersky Security Center group hierarchy.

At the very bottom, there are details about the process responsible for the malicious object: startup parameters, process ID, privilege level and other information.

Detection details are stored on the administration server for 30 days and then deleted. Alert details are displayed regardless of whether the device for which the enriched event was generated is currently online. If the details of a detection event do not exceed 1 MB, they are stored entirely on the administration server. If they exceed 1 MB, some of the information is stored on the administration server and some on the managed device.

30
The Endpoint Detection and Response Optimum component does not generate detection events. It enriches detection events of other Kaspersky Endpoint Security components with details (telemetry data), thus forming an alert card. Therefore, we recommend that you do not disable any Kaspersky Endpoint Security components.

Earlier versions of Kaspersky EDR Optimum require that the Behavior Detection and/or Adaptive Anomaly Control components be installed (to be able to obtain detection details), as well as the Firewall component (to obtain data about network connections). Drivers that allow Kaspersky Endpoint Agent to receive the required telemetry are installed with the above-mentioned Kaspersky Endpoint Security components.

Starting with Kaspersky Endpoint Security version 11.7, Kaspersky EDR Optimum does not require that any other Kaspersky Endpoint Security components be installed. All the necessary drivers are installed in the system with the Endpoint Detection and Response Optimum component.

31
32
We have got an enriched detection event and found out where you can consult its details in the Kaspersky Security Center web console and what data is represented there. Prior to analyzing details of a detection event, let's study a diagram that shows the main response steps. This diagram will give us a clear understanding of where we are, what has already been done and what actions need to be taken in the next phase.

This is a general plan. In practice, each organization must have its own plans and scenarios for handling security incidents. These plans should consider event type and classification, specifics of the company's business processes, nuances of the network architecture, capabilities of information security specialists and software, etc.

When analyzing detection details, you need to:

• Classify the incident—understand whether the detected activity is legitimate or not. If the activity is illegitimate, find out the source of the attack and the stage at which it was detected; also, find the devices that have already been attacked and those that may be exposed to the attack.
• Determine the priority of the incident. Depending on the collected information, determine the incident’s importance, prepare a plan of action and assign a specialist or a team to investigate and handle the incident.

33
The first thing to pay attention to is the threat status. In this example, you can see that Kaspersky Endpoint Security successfully blocked the threat (the status is Success: Blocked). Next, analyze which executable files were involved in the attack. To simplify incident analysis, the object that Kaspersky Endpoint Security detected and blocked is highlighted in blue. Click an object in the threat formation chain to view detailed information about the file.

The following data is displayed:

• Execution date and time
• Command line parameters used. This part can be useful if a script was executed implicitly through PowerShell or other interpreters
• Process identifier (PID)
• The process’s integrity level, which reveals the privileges with which the process was run. The High integrity level means that the process was started with full administrator permissions
• Information about the user who started the detected object
• MD5 and SHA256 checksums of the file
• The trust group of the file according to Kaspersky classification

34
To consult information about a detected file in the OpenTIP portal, click its MD5 or SHA256 checksum.

If the file has been detected for the first time or little information is available about it, it may mean that the file is either a source of a targeted attack or a new, previously unknown threat. Lack of information about a threat is always extremely dangerous. Give the highest priority to incidents with files unknown to Kaspersky experts.

If you doubt whether a file is legitimate, consult the OpenTIP portal.

If a file pertains to a well-known threat, the OpenTIP portal will show detailed information: when the file was first detected, its format, size and the detection name.

35
As you continue to explore details of the detected malicious activity, you can see what files it created.

You should analyze these files too, because they can spread the threat within the organization, be conducive to information leakage or start a malicious file when the system boots.

36
Information about injections typically shows executable files related to the attack. This information can be useful when checking if any of these files remain on the target device.

Network connections that were established during the attack are also important.

37
You can check:

• Date and time when each connection was established
• Local and remote address and connection port. You can analyze the network connection log on the proxy server to find out which other devices connected to the same address and the same port. This will quickly give you the list of devices that may have been compromised
• The web address, referrer, user agent and request type (GET/POST); these are displayed only if the request was made using HTTP

You can find additional information about a detected remote address in the OpenTIP portal: check its reputation, popularity, when it first appeared, who registered it and where.

A bad reputation means that the address has already been seen in illegitimate actions. You can read detailed information that will help you understand the threats it was related to. This will help you promptly estimate the risks that this malicious activity poses to your corporate assets and network.

Pay special attention to the time when the address first appeared on the internet. All newly created addresses should be treated with particular care, because this may be an indication of a targeted attack for which the address was created.

38
Detection details also include information about the created keys and changes in the registry related to the attack. Click any item to consult detailed information about it.

A lot of places in the registry may contain instructions to run objects at all stages of the operating system start. When analyzing changes in the registry, pay utmost attention to the keys that have the yes value in the Autorun point field. Such a key autostarts an object. Malware often modifies the registry to launch its objects. In some cases, the launched object can even be legitimate software with a good reputation, which aids a certain stage of the attack and makes it difficult for the protection software to detect illegitimate activity.

39
When investigating details of a detection event, you can also check whether parent processes are related to the attack and whether they are suspicious or malicious. If the parent process is Windows Explorer, a web browser or an email application, it most likely means that it was the user who carelessly executed the malicious file. If the parent process is a file of which little is known, it may indicate a new unknown threat and be a reason to proceed to threat containment.

Event details help the analyst find out which processes preceded the detection and whether any unprocessed parts of the threat remain on the endpoint.

40
41
Once threat analysis is completed, begin to contain the threat to prevent it from propagating to other corporate devices.

To contain a threat, it is recommended to:

• Isolate the compromised devices from the network
• Prevent execution of the objects related to the attack
• Quarantine suspicious files
• If necessary, retrieve objects for further analysis

In practice, we recommend that you take some of the containment actions almost immediately, before detailed analysis is completed. For example, if initial analysis of the detection event’s details shows that the device is attempting to establish numerous network connections to download or upload something, it makes sense to immediately isolate the device from the network and prevent the objects’ execution. Endpoint Detection and Response Optimum permits doing this quickly and easily right from the alert card.

42
The administrator does not need to use third-party tools or switch between consoles to begin containing a threat, because the main commands are available in the detection card.

You can click the Isolate computer from the network button to strictly limit network activity of the device. Isolation is performed by the tools available in Endpoint Detection and Response Optimum. Kaspersky Endpoint Security will notify the user of the device.

Not all connections get blocked; Endpoint Detection and Response Optimum has a built-in set of exceptions for DNS requests, DHCP and processes related to Kaspersky applications: Kaspersky Security Center, Kaspersky Security Center Network Agent, Kaspersky Endpoint Security, Kaspersky Security for Windows Server. The administrator can also add custom exceptions via the Kaspersky Endpoint Security policy.

43
The isolation period is defined in the Kaspersky Endpoint Security policy. By default, a device is isolated for 8 hours. We recommend that you do not decrease this time so that a device remains isolated until the specialists complete their investigation and cope with the threat.

44
In addition to the standard exceptions for DNS, DHCP and Kaspersky applications, the administrator can configure custom ones either from scratch or using a set of predefined profiles.

45
The set of exception rules preconfigured in a profile is based on Microsoft recommendations for various Microsoft services and solutions, such as Active Directory Domain Services, Microsoft SQL Server, Hyper-V, Remote Desktop Services, etc.

If you need to connect to an isolated device using RDP or run a program on it when investigating an incident, simply add the Remote Desktop Services and Remote Procedure Call exceptions to the profile.

46
If the predefined rules are insufficient, the administrator can create custom exceptions for connections over specific protocols and ports or for all connections established by the specified programs.

A rule allows you to configure the following settings:

• Connection direction—inbound, outbound or inbound/outbound
• Protocol—select a protocol from the list; alternatively, you can apply the rule to any protocol or specify a custom protocol
• Local and remote ports and the remote connection address
• A list of applications to which the rule will be applied
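As an added illustration (not Kaspersky code, and not a description of how the product implements isolation internally), the following Python model evaluates connections on an isolated device the way the preceding pages describe it: default deny, a built-in allow-list for DNS, DHCP and Kaspersky processes, plus custom rules carrying the four settings listed above. The field names, the port numbers used for the DNS and DHCP exceptions, the Kaspersky process image names and all sample connections are assumptions constructed for this model.

```python
"""Added example: a default-deny model of network-isolation exception rules.

Not Kaspersky code. Field names, the DNS/DHCP port numbers and the process
image names in the built-in exceptions are assumptions for this model.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Connection:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp", "udp", ...
    local_port: int
    remote_port: int
    remote_addr: str
    application: str    # image name of the process owning the socket


@dataclass
class ExceptionRule:
    name: str
    direction: str = "inbound/outbound"       # inbound, outbound or inbound/outbound
    protocol: str = "any"                     # "any" or a protocol name
    local_ports: set = field(default_factory=set)        # empty = any port
    remote_ports: set = field(default_factory=set)       # empty = any port
    remote_networks: list = field(default_factory=list)  # CIDR strings; empty = any address
    applications: set = field(default_factory=set)       # lower-case image names; empty = any

    def matches(self, c: Connection) -> bool:
        """Every setting that is filled in must match; empty settings match anything."""
        if self.direction != "inbound/outbound" and self.direction != c.direction:
            return False
        if self.protocol != "any" and self.protocol != c.protocol:
            return False
        if self.local_ports and c.local_port not in self.local_ports:
            return False
        if self.remote_ports and c.remote_port not in self.remote_ports:
            return False
        if self.remote_networks:
            addr = ipaddress.ip_address(c.remote_addr)
            if not any(addr in ipaddress.ip_network(n) for n in self.remote_networks):
                return False
        if self.applications and c.application.lower() not in self.applications:
            return False
        return True


# Built-in exceptions named in the text: DNS, DHCP and Kaspersky processes.
# Ports and image names are assumptions, not taken from the product.
BUILT_IN_EXCEPTIONS = [
    ExceptionRule("DNS (UDP)", protocol="udp", remote_ports={53}),
    ExceptionRule("DNS (TCP)", protocol="tcp", remote_ports={53}),
    ExceptionRule("DHCP", protocol="udp", local_ports={68}, remote_ports={67}),
    ExceptionRule("Kaspersky processes", applications={"avp.exe", "klnagent.exe"}),
]


def is_allowed_while_isolated(conn: Connection, custom_rules=()):
    """Default deny: return the name of the first matching exception, else None."""
    for rule in [*BUILT_IN_EXCEPTIONS, *custom_rules]:
        if rule.matches(conn):
            return rule.name
    return None


# A custom exception of the kind an investigator adds to reach the host over RDP:
# inbound TCP to local port 3389, only from a (constructed) admin subnet.
RDP_FROM_ADMINS = ExceptionRule(
    "Remote Desktop Services", direction="inbound", protocol="tcp",
    local_ports={3389}, remote_networks=["10.0.0.0/24"],
)

# Constructed sample connections observed on an isolated device.
SAMPLE_CONNECTIONS = [
    Connection("outbound", "udp", 51000, 53, "10.0.0.2", "svchost.exe"),
    Connection("outbound", "tcp", 51001, 443, "203.0.113.10", "powershell.exe"),
    Connection("inbound", "tcp", 3389, 52000, "10.0.0.50", "svchost.exe"),
    Connection("inbound", "tcp", 3389, 52001, "192.168.5.5", "svchost.exe"),
    Connection("outbound", "tcp", 51002, 13000, "10.0.0.1", "klnagent.exe"),
]


def evaluate_all(conns=SAMPLE_CONNECTIONS, custom_rules=(RDP_FROM_ADMINS,)):
    """Map each connection to the exception that allows it, or None when blocked."""
    return [is_allowed_while_isolated(c, custom_rules) for c in conns]


if __name__ == "__main__":
    for conn, verdict in zip(SAMPLE_CONNECTIONS, evaluate_all()):
        print(f"{conn.direction:8} {conn.protocol} {conn.remote_addr}:{conn.remote_port} "
              f"{conn.application:16} -> {verdict or 'BLOCKED'}")
```

The order of evaluation matters for auditing rather than for the verdict: an isolated host only ever gets an allow from an explicit exception, so every entry that leaves a rule unmatched is blocked, including the outbound HTTPS attempt from PowerShell and the RDP attempt from outside the admin subnet. Scoping the RDP exception to a source network is the practical reason to prefer a custom rule over the broad Remote Desktop Services profile when the host is being examined.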

47
In addition to quarantining suspicious files, the administrator can prevent them from running on the endpoints. For this purpose, click the Prevent execution button in the file details pane; this will create the respective prevention rule in the Kaspersky Endpoint Security policy.

A rule created from an alert card has the prefix “[KillChain] md5” in its name. By default, a prevention rule uses the file’s MD5 hash sum.

In this example, the prevention rule makes sense even though the protection solution detected and killed the process.

First, the malicious activity detection details show that the same executable file is both a parent process that was not detected and a child process that was detected. This means that the security solution detects this malicious file only under some conditions rather than every time it is started. Since this file can perform malicious actions, it is best not to let it run at all.

Second, it was the Behavior Detection module that blocked the child process. This technology may not be available in some Kaspersky security solutions. Also, we know that many customers turn it off for fear of performance degradation even in those solutions where it is implemented. Thus, whether the detected process can be stopped on other computers depends on the installed security software and its settings. To run no risk, it makes sense to prevent file execution using Endpoint Detection and Response Optimum, which works in the same way on all devices.

For a prevention rule to work, remember to configure the Kaspersky Endpoint Security policy as follows: execution prevention must be enabled; Block and write to report must be selected, and these settings must be enforced (the lock must be closed in the respective area). By default, execution prevention is disabled and the Log events only option is selected.

48
If you simply add a rule from an alert card, but do not enable prevention mode or change the action on execution or opening of a forbidden object, Endpoint Detection and Response Optimum will not block the suspicious object.

At an attempt to run a file that matches a prevention rule, Kaspersky Endpoint Security informs the user that the file is prohibited; the operating system shows another message that the file is inaccessible.

49
You can create prevention rules manually. Existing rules can be deleted, disabled, enabled and modified. A rule allows you to block executables, scripts and Microsoft Office documents using an MD5 or SHA256 checksum and/or object path.
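The three preceding pages make one point that is easy to get wrong in practice: a prevention rule on its own does nothing until the policy enables prevention, selects Block and write to report, and enforces those values with the lock. The following Python model, added here and not Kaspersky code, walks a constructed file through the same rules under each policy state, so the difference between a rule that exists and a rule that blocks is visible. The rule and policy field names, the treatment of an open lock as "the device keeps its local defaults", and the sample file contents and paths are assumptions of the model.

```python
"""Added example: how an execution-prevention rule and the policy settings
combine into a block / log-only / allow decision.

Not Kaspersky code; an illustrative model of the behaviour described in the
text (rule prefix "[KillChain] md5", "Log events only" as the default action,
the policy lock). Sample file contents and paths are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

LOG_ONLY = "Log events only"            # default action in the policy (per the text)
BLOCK = "Block and write to report"


@dataclass
class PreventionRule:
    name: str
    md5: Optional[str] = None
    sha256: Optional[str] = None
    path: Optional[str] = None   # full object path; matched case-insensitively

    def matches(self, path: str, md5: str, sha256: str) -> bool:
        """All criteria present in the rule must match; absent ones are ignored,
        so a hash-only rule matches the file wherever it is located."""
        if self.md5 and self.md5.lower() != md5.lower():
            return False
        if self.sha256 and self.sha256.lower() != sha256.lower():
            return False
        if self.path and self.path.lower() != path.lower():
            return False
        return True


@dataclass
class PreventionPolicy:
    enabled: bool = False      # execution prevention is disabled by default
    action: str = LOG_ONLY     # and only logs by default
    enforced: bool = False     # the "lock": model assumes only a closed lock pushes values to devices


LOCAL_DEFAULTS = PreventionPolicy()   # what an endpoint uses when the lock is open (assumption)


def rule_from_alert_card(md5: str) -> PreventionRule:
    """Mirror the rule the alert card creates: [KillChain] md5 prefix, MD5 only."""
    return PreventionRule(name=f"[KillChain] md5 {md5}", md5=md5)


def file_hashes(data: bytes):
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def on_execution_attempt(policy: PreventionPolicy, rules, path: str, data: bytes) -> str:
    """Decide what happens when `data` located at `path` is started on a managed device."""
    effective = policy if policy.enforced else LOCAL_DEFAULTS
    md5, sha256 = file_hashes(data)
    hit = next((r for r in rules if r.matches(path, md5, sha256)), None)
    if hit is None:
        return "allowed"
    if not effective.enabled:
        return "allowed: prevention disabled"          # the rule exists but is inert
    if effective.action == BLOCK:
        return f"blocked: {hit.name}"
    return f"allowed, event logged: {hit.name}"


# Constructed samples: the executable picked from the alert card and an unrelated one.
DROPPER = b"constructed sample of the detected executable"
DROPPER_PATH = r"C:\Users\Public\update.exe"
CLEAN = b"constructed sample of an unrelated executable"

RULES = [
    rule_from_alert_card(file_hashes(DROPPER)[0]),
    # A manually created rule combining SHA256 and path (both must match).
    PreventionRule("manual: sha256 + path", sha256=file_hashes(CLEAN)[1], path=r"C:\Temp\tool.exe"),
]


def demo():
    """Same file, same rules, several policy states."""
    return {
        "defaults": on_execution_attempt(PreventionPolicy(), RULES, DROPPER_PATH, DROPPER),
        "enabled_not_enforced": on_execution_attempt(PreventionPolicy(True, BLOCK, False), RULES, DROPPER_PATH, DROPPER),
        "log_only": on_execution_attempt(PreventionPolicy(True, LOG_ONLY, True), RULES, DROPPER_PATH, DROPPER),
        "block": on_execution_attempt(PreventionPolicy(True, BLOCK, True), RULES, DROPPER_PATH, DROPPER),
        "path_mismatch": on_execution_attempt(PreventionPolicy(True, BLOCK, True), RULES, r"C:\Temp\other.exe", CLEAN),
        "path_match": on_execution_attempt(PreventionPolicy(True, BLOCK, True), RULES, r"c:\temp\TOOL.exe", CLEAN),
    }


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:22} -> {verdict}")
```

The two "allowed: prevention disabled" outcomes are the ones the text warns about: in the first the administrator never enabled prevention, in the second it is enabled in the policy but the lock is open, so the device keeps its local default. The last two cases show why a path in a manually created rule narrows it: the same SHA256 is allowed from one location and blocked from another.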

50
It makes sense to quarantine files that the security application does not consider to be dangerous but that do not appear to be a part of the operating system or well-known software either. Typically, these files lack a digital signature and are unpopular according to the OpenTIP portal. When you quarantine a file, it is moved from its original folder to a special encrypted local storage of Kaspersky Endpoint Security. Therefore, neither the user nor any processes will be able to run it again. However, if the investigation shows that the file is not dangerous, you will be able to restore it from the quarantine to the original folder.

To quarantine a file from an alert card, click the file name to open its details and click Move to Quarantine.

51
You can quarantine only files that have a checksum in this manner. Kaspersky Endpoint Security calculates checksums only for executable files. To copy or move non-executable files to the quarantine, you can manually create and run the Get file and Move file to Quarantine tasks respectively. Specify the target devices and the full path to the file (or its full path and checksum) in the task parameters.

52
The Get file and Move file to Quarantine tasks have similar settings, but different results. Get file puts a copy of the file into the quarantine, leaving the original file in place. The Move file to Quarantine task relocates the original file to the quarantine.

Links to the quarantined files are displayed on the Quarantine page of the Kaspersky Security Center web console. You can download a file to examine it or send it to Kaspersky for analysis.

53
54
Once a suspicious file is quarantined and its execution is prevented, the administrator does not need to worry about attempts to run this file on this machine any more.

However, it is necessary to check if this suspicious file is present on other networked machines and get rid of it if yes.

The following tools serve this purpose:

• The IoC scan task searches computers for such files and can automatically quarantine them.
• The Delete file, Kill process and Run program tasks allow you to deal with a dangerous object in a targeted manner. In particular, the Run program task allows you to supplement the response tools with any third-party utilities.
• The Web control component of Kaspersky Endpoint Security permits blocking specific connections. You can use it to block access to addresses that a dangerous file contacted (after examining their reputation in the OpenTIP portal).

55
IoC scanning is a very powerful tool that can help you find signs of malicious activity on your network computers. You can create an IoC from an alert card, generate one from open-source data (securelist.com), or receive a ready file from a third-party IoC provider.

For example, an alert card may contain information about dropped files and created registry keys. It is important for the administrator to understand if these files and registry keys are present on other computers, because this may mean that the malicious file has already been executed on other network computers that may lack a properly configured security solution able to recognize and stop the attack.

You can easily create a standard description for an indicator of compromise right from the alert card. For this purpose, open the All alert events tab, select the objects related to malicious activity and click the Create IoC button.

Not all of the files displayed on an alert card are indicators of compromise; there may be standard Windows files as well.

Kaspersky EDR Optimum automatically generates indicators of compromise in the OpenIOC format from the selected files and registry keys. A file is searched for by its MD5 checksum, while the search condition for a registry key includes its full path, name and value of the variable in the registry. If the console does not allow you to select some files on the All alert events list, it means that there is no information about their MD5 checksums in Kaspersky Security Center.

If you select multiple objects, a single indicator will be generated for them. It will consist of separate conditions for each object. You can combine the conditions with logical OR or AND:

• OR means that a computer will be considered compromised if at least one condition is met; in other words, if at least one of the selected objects is found.
• AND means that the computer will be considered compromised only if all of the selected objects (files and registry keys) are found on it.
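The generation and the OR/AND semantics described above, as an added Python example that is not Kaspersky code: it builds an OpenIOC 1.0 document from the MD5 of one dropped file and one registry value, then evaluates the same document against three constructed host inventories, so the difference between OR and AND shows up in the results. The OpenIOC term names used (FileItem/Md5sum, RegistryItem/KeyPath, RegistryItem/ValueName, RegistryItem/Text) follow the public OpenIOC 1.0 term list; the text does not say which terms Kaspersky's generator emits, so treat them as an assumption, as are the hashes, the registry path and the inventories.

```python
"""Added example (not Kaspersky code): build an OpenIOC 1.0 indicator from
objects picked on an alert card, then evaluate it against constructed hosts.

Assumptions: the OpenIOC term names follow the public OpenIOC 1.0 term list;
hashes, paths and host inventories below are constructed for the demo.
"""
import hashlib
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://schemas.mandiant.com/2010/ioc"


def _el(parent, tag, text=None, **attrs):
    """Create a namespaced child element with optional text."""
    el = ET.SubElement(parent, f"{{{NS}}}{tag}", attrs)
    if text is not None:
        el.text = text
    return el


def _item(parent, document, search, ctype, content):
    """One IndicatorItem: <Context document=... search=...><Content>value</Content>."""
    item = _el(parent, "IndicatorItem", id=str(uuid.uuid4()), condition="is")
    _el(item, "Context", document=document, search=search, type="mir")
    _el(item, "Content", content, type=ctype)


def build_openioc(file_md5s, registry_values, operator="OR", description="IoC from alert card"):
    """file_md5s: MD5 hex strings; registry_values: (key_path, value_name, value) tuples.
    operator: how the per-object conditions are combined, "OR" or "AND"."""
    ET.register_namespace("", NS)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(f"{{{NS}}}ioc", {"id": str(uuid.uuid4()), "last-modified": now})
    _el(ioc, "short_description", description)
    _el(ioc, "authored_date", now)
    top = _el(_el(ioc, "definition"), "Indicator", operator=operator, id=str(uuid.uuid4()))
    for md5 in file_md5s:
        _item(top, "FileItem", "FileItem/Md5sum", "md5", md5.lower())
    for key_path, value_name, value in registry_values:
        # One registry object becomes an AND group: path, value name and data must all match.
        grp = _el(top, "Indicator", operator="AND", id=str(uuid.uuid4()))
        _item(grp, "RegistryItem", "RegistryItem/KeyPath", "string", key_path)
        _item(grp, "RegistryItem", "RegistryItem/ValueName", "string", value_name)
        _item(grp, "RegistryItem", "RegistryItem/Text", "string", value)
    return ET.tostring(ioc, encoding="unicode")


def _item_ok(item, doc):
    """condition="is": the object's value for the term equals Content (case-insensitive)."""
    want = item.find(f"{{{NS}}}Content").text
    have = doc.get(item.find(f"{{{NS}}}Context").get("search"))
    return have is not None and have.lower() == want.lower()


def _evaluate(indicator, docs):
    children = list(indicator)
    leaves = [c for c in children if c.tag == f"{{{NS}}}IndicatorItem"]
    if indicator.get("operator") == "AND" and leaves and len(leaves) == len(children):
        # Bind an AND group of leaf items to one object, so key path, value name
        # and data must come from the same registry entry, not three different ones.
        return any(all(_item_ok(i, d) for i in leaves) for d in docs)
    results = [_evaluate(c, docs) if c.tag == f"{{{NS}}}Indicator"
               else any(_item_ok(c, d) for d in docs) for c in children]
    return all(results) if indicator.get("operator") == "AND" else any(results)


def scan_host(openioc_xml, docs):
    """docs: one dict per object found on the host, keyed by OpenIOC term."""
    root = ET.fromstring(openioc_xml)
    return _evaluate(root.find(f"{{{NS}}}definition/{{{NS}}}Indicator"), docs)


# Constructed indicator material, as it would be picked from an alert card.
DROPPER_MD5 = hashlib.md5(b"constructed dropper bytes").hexdigest()
DROPPER_PATH = r"C:\Users\Public\update.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed host inventories: what a collector would report per object.
HOST_FULLY_INFECTED = [
    {"FileItem/Md5sum": DROPPER_MD5, "FileItem/FullPath": DROPPER_PATH},
    {"RegistryItem/KeyPath": RUN_KEY, "RegistryItem/ValueName": "Updater", "RegistryItem/Text": DROPPER_PATH},
]
HOST_FILE_ONLY = [{"FileItem/Md5sum": DROPPER_MD5, "FileItem/FullPath": DROPPER_PATH}]
HOST_CLEAN = [
    {"FileItem/Md5sum": hashlib.md5(b"some legitimate binary").hexdigest()},
    {"RegistryItem/KeyPath": RUN_KEY, "RegistryItem/ValueName": "OneDrive",
     "RegistryItem/Text": r"C:\Program Files\OneDrive\OneDrive.exe"},
]


def demo():
    """Evaluate an OR and an AND version of the same indicator on the three hosts."""
    regs = [(RUN_KEY, "Updater", DROPPER_PATH)]
    hosts = (HOST_FULLY_INFECTED, HOST_FILE_ONLY, HOST_CLEAN)
    return {op: [scan_host(build_openioc([DROPPER_MD5], regs, op), h) for h in hosts]
            for op in ("OR", "AND")}


if __name__ == "__main__":
    print(demo())   # {'OR': [True, True, False], 'AND': [True, False, False]}
```

The host that only carries the dropped file is the interesting row: the OR indicator flags it (the file alone is enough), while the AND indicator does not, because the autorun value is missing. That is exactly the trade-off the two bullets above describe, and it is why one would scan with OR when the goal is to find every machine the file reached and with AND when the goal is to confirm the full persistence chain.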

56
You can save the generated IoC as a file or create an IoC scan task for the network computers immediately. When you create a task, you can choose which actions it should perform when an IoC is detected:

• Isolate the device from the network—use this response action cautiously, since sudden isolation may disrupt the user’s work and even operation of the whole organization if an IoC is detected on a server
• Scan critical areas
• Quarantine the file

57
A group IoC scan task is created from the alert card. The task’s name will start with IoC Scan from alert <threat name> <threat detection time>.

You can create multiple tasks from a single alert card. For example, select a group of indicators that have high validity and make a task that will quarantine the respective files. For indicators with low validity, you can create a task that will make the security solution scan the respective computers for threats. All tasks created from the same card get the same names by default; rename them to avoid confusion.

If an IoC scan task is created from an alert card, it scans only critical areas (temporary folders and download folders of all the device users) by default. You can redefine the scan area in the task properties and select to scan specific folders on a drive, the system drive, or all drives of the device.

IoC scan tasks created from an alert card are run once as soon as they are created.

58
To check the task status and whether the indicators have been found on the computers, switch to the Application Settings tab and open the IOC Scan Results section. You can find detailed results of IoC scanning here: on which devices indicators were detected.

Click the IOC detected link to open the list of results for the respective computer. It contains all indicators specified in the task. If an indicator was detected, the State column contains the matched link that opens a detailed detection card with the names of detected files (or other objects).

59
The detection card shows which objects on the computer matched the IoC conditions. If the IoC consists of several groups of conditions combined with the logical OR operator, the group whose conditions match the found files (or other objects) will be highlighted.

60
You can export an IoC from an alert card or scan task in OpenIoC format to keep previously detected threats away from the corporate network.

To create an IoC scan task, in the Kaspersky Security Center task creation wizard, select Kaspersky Endpoint Security for Windows in the Application drop-down list and select IoC Scan as the task type.

61
To add IoC files in the OpenIoC format, click the Redefine IoC files button; then, in the window that opens, click Add IoC files and specify the OpenIoC files. A single scan task can search for multiple indicators.

62
An IoC scan task automatically recognizes what type of data to look for. If you plan to search for files by their hash sums, you can modify the scan scope. With the default settings, the task scans critical areas on the device, meaning the temporary folders and download folders of all users.

You can customize the scan area and disable/enable searching the Windows registry.

63
64
The process of eliminating the attack's consequences and recovering the device depends on many factors (destructive impact of the malicious activity, the organization’s internal regulations, etc.) and may require complete reinstallation of the operating system and software or some specific actions: removing malicious objects, cleaning the registry, etc.

Let us study the case when some actions have been taken to eliminate an infection and the operating system has not been reinstalled. Before conducting detailed analysis and subsequent investigation, we isolated the device on which the malicious activity had been detected from the corporate network; now that the threat has been eliminated, it's time to release it.

A computer can be isolated from the network manually from the alert card or automatically by an IoC scan task. Regardless of how the computer was isolated (manually or automatically), it receives the tag Isolated from network.

To find all isolated computers, open Devices | Tags | Device tags and select the tag Isolated from network. Click the View devices link to consult the list of isolated devices.

65
Note that removing the tag from the device properties is not enough to release the device! You must disable isolation in the alert card or in the properties of Kaspersky Endpoint Security installed on the device.

66
To release a device, go to its properties, open the Kaspersky Endpoint Security application settings, switch to Application settings | Detection and Response, click Endpoint Detection and Response and then click the Unblock computer isolated from the network button.

67
After an incident has been investigated, consider how to use the obtained information to improve network security and streamline investigation and response processes.

For example, IoC scan tasks created when investigating various incidents might accumulate in the Kaspersky Security Center console. Once an incident has been closed and indicators of compromise have been removed from the computers, it makes little sense to store a separate task for them. You can export an IoC from a task to a file and add it to a general IoC scan task that runs once a week at a relatively free time.

68
69
You can expand and enhance the capabilities of Kaspersky EDR Optimum with Kaspersky Sandbox. To integrate with Kaspersky Sandbox, install the Kaspersky Sandbox component of Kaspersky Endpoint Security on the managed devices.

Integration with Kaspersky Sandbox improves detection of complex and unknown threats, and also permits creating IoC scan tasks automatically without involving the administrator when Kaspersky Sandbox detects a threat.

To extend the Kaspersky EDR Optimum experience, take 7 simple steps:

1. Deploy the Kaspersky Sandbox server
2. Specify the IP address and port of Kaspersky Security Center
3. Download the TLS certificate for connecting to the EPP application from the Kaspersky Sandbox server
4. Install Kaspersky Sandbox (a component of Kaspersky Endpoint Security) on the managed devices
5. In Kaspersky Security Center, install the TLS certificate for connecting to the EPP application
6. In Kaspersky Security Center, specify the address of the Kaspersky Sandbox server to which the Kaspersky Sandbox component will send files for analysis
7. Enable Kaspersky Sandbox integration in the Kaspersky Endpoint Security policy

After Kaspersky Sandbox has been installed, activated and configured, further integration activities are performed in two stages.

First, connect Kaspersky Sandbox to Kaspersky Security Center. In the Kaspersky Sandbox web console, open Connection to KSC, specify the IP address and port of Kaspersky Security Center and click Connect. Kaspersky Sandbox will check accessibility of Kaspersky Security Center and connect to it. If Kaspersky Security Center is not accessible at the specified address and port, Kaspersky Sandbox will inform you about this.

70
On the TLS certificates page, download the TLS certificate for connection to the EPP application.

This completes the first stage.

71
At the second stage, you need to connect Kaspersky Security Center and the Kaspersky Sandbox component to the sandbox. Open another web browser window and go to the Kaspersky Security Center web console.

Run the Change application components task to install the Kaspersky Sandbox component of Kaspersky Endpoint Security on the managed devices.

72
Open the Kaspersky Endpoint Security for Windows policy and switch to Application settings | Detection and Response. Open the Kaspersky Sandbox settings. Click the Server connection settings link and install the downloaded TLS certificate for connection to the EPP application.

73
In the Kaspersky Sandbox servers area, click Add and specify the IP address of the Kaspersky Sandbox server. Enable Integration with Kaspersky Sandbox. The second stage is now complete: Kaspersky Security Center is integrated with Kaspersky Sandbox.

74
75