Contents
- Managing Endpoint Agent host information
- Selecting a tenant to manage in the Endpoint Agents section
- Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Automatic removal of inactive hosts
- Supported interpreters and processes
Managing Endpoint Agent host information
The application that is used as the Endpoint Agent component is installed on individual computers (hereinafter also referred to as "hosts") in the IT infrastructure of the organization. The application continuously monitors processes running on those hosts, active network connections, and files that are being modified.
Users with the Senior security officer, Security officer, Security auditor, Local administrator, or Administrator role can assess how regularly data is received from hosts with the Endpoint Agent component on the Endpoint Agents tab of the web interface window of the Central Node server for tenants to whose data the user has access. If you are using the distributed solution and multitenancy mode, the web interface of the PCN server displays the list of hosts with the Endpoint Agent component for the PCN and all connected SCNs. Users with the Local administrator and Administrator roles can configure the display of how regularly data is received from hosts with Endpoint Agent for tenants to whose data they have access.
If suspicious network activity is detected, users with the Senior security officer role can isolate from the network any host with Kaspersky Endpoint Agent, for tenants to whose data the user has access. In this case, the connection between the server with the Central Node component and a host with the Endpoint Agent component will not be interrupted.
In order to provide support in case of problems with the Endpoint Agent component, Technical Support staff may ask you to perform the following actions for debugging purposes (including in Technical Support Mode):
- Activate collection of extended diagnostic information.
- Modify the settings of individual application components.
- Modify the settings for storing and sending the obtained diagnostic information.
- Configure network traffic to be intercepted and saved to a file.
Technical Support staff will provide all the information needed to perform these operations (description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose utilities, and other resources) and inform you about the scope of data obtained for debugging purposes. The retrieved diagnostic information is saved on the user's computer. The retrieved data is not automatically sent to Kaspersky.
The operations listed above should be performed only when instructed by and under the supervision of Technical Support experts. Unsupervised changes to application settings performed in ways other than those described in this manual or according to the instructions of Technical Support experts can slow down or crash the operating system, reduce computer security, or compromise the availability and integrity of data being processed.
Selecting a tenant to manage in the Endpoint Agents section
If you are using the distributed solution and multitenancy mode, prior to using the Endpoint Agents section, you must select the tenant whose data you want to view.
To select a tenant to manage in the Endpoint Agents section:
- In the upper part of the application web interface menu, click the arrow next to the name of the tenant.
- In the drop-down list, select a tenant.
Data for the selected tenant is displayed. If you want to select a different tenant, repeat the steps to select the tenant.
Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
The table of hosts with the Endpoint Agent component is located in the Endpoint Agents section of the application web interface window.
The table can display the following data:
- Number of hosts and activity indicators of the Endpoint Agent component:
  - Critical inactivity is the number of hosts from which the latest data was received a very long time ago.
  - Warning is the number of hosts from which the latest data was received a long time ago.
  - Normal activity is the number of hosts from which the latest data was recently received.
- Host is the name of the host with the Endpoint Agent component.
- Servers lists the names of the servers to which the host with the Endpoint Agent component is connected.
  This field is displayed if you are using the distributed solution and multitenancy mode.
- IP is the IP address of the computer where the Endpoint Agent component is installed.
- OS is the version of the operating system that is installed on the computer with the Endpoint Agent component.
- Version is the version of the application that is used in the role of the Endpoint Agent component.
- Activity is the activity indicator of the Endpoint Agent component. Possible values:
  - Normal activity for hosts from which the latest data was recently received.
  - Warning for hosts from which the latest data was received a long time ago.
  - Critical inactivity for hosts from which the latest data was received an extremely long time ago.
- Last connection is the date and time of the last connection of the Endpoint Agent component to the Central Node server.
Clicking a link in a column of the table opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Copy value to clipboard.
Viewing information about a host
To view information about a host with the Endpoint Agent component:
- Select the Endpoint Agents section in the window of the application web interface.
- Select the host for which you want to view information.
This opens a window containing information about the host.
The window contains the following information:
- In the Host section:
  - Name is the name of the host with the Endpoint Agent component.
  - IP is the IP address of the host where the Endpoint Agent component is installed.
  - OS is the version of the operating system on the host with the Endpoint Agent component installed.
  - Server is the name of the SCN or PCN server. Only displayed in distributed solution and multitenancy mode.
- In the Endpoint Agent section:
  - Version is the version of the application that is used in the role of the Endpoint Agent component.
  - Activity is the activity indicator of the Endpoint Agent component. Possible values:
    - Normal activity for hosts from which the latest data was recently received.
    - Warning for hosts from which the latest data was received a long time ago.
    - Critical inactivity for hosts from which the latest data was received an extremely long time ago.
  - Connected to server is the name of the Central Node, SCN, or PCN server to which the host is connected.
  - Last connection is the time of the last connection to the Central Node, SCN, or PCN server.
  - License key status is the status of the license key of the application that is used as the Endpoint Agent component.
The following action is available by clicking the links with the host name and its IP address: Copy value to clipboard.
Filtering and searching hosts with the Endpoint Agent component by host name
To filter or search for hosts with the Endpoint Agent component by host name:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- If you want to display only isolated hosts, select the Show isolated Endpoint Agents only check box.
- In the drop-down list, select one of the following filtering operators:
  - Contain.
  - Not contain.
- In the entry field, specify one or several characters of the host name.
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
To filter or search for hosts with the Endpoint Agent component that are isolated from the network:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- Select the Show isolated Endpoint Agents only check box.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
If you are using the distributed solution and multitenancy mode, you can filter or find hosts with the Kaspersky Endpoint Agent component based on the names of PCN and SCN servers to which those hosts are connected.
To filter or search for hosts with the Endpoint Agent component by the names of PCN and SCN servers:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Servers link to open the filter configuration window.
- Select check boxes next to names of servers by which you want to filter or search for hosts with the Endpoint Agent component.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by computer IP address
To filter or search for hosts with the Endpoint Agent component by IP address of the computer on which the application is installed:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the IP link to open the filter configuration window.
- In the drop-down list, select one of the following filtering operators:
  - Contain.
  - Not contain.
- In the entry field, specify one or several characters of the computer IP address. You can enter an IPv4 address or an IPv4 subnet in CIDR notation (for example, 192.0.0.1 or 192.0.0.0/16).
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
To filter or search for hosts with the Endpoint Agent component by version of the operating system installed on the computer:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the OS link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
  - Contain.
  - Not contain.
- In the entry field, specify one or several characters of the operating system version.
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by component version
You can filter hosts by version of the application that is used in the role of the Endpoint Agent component.
To filter or search for hosts with the Endpoint Agent component by component version:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Version link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
  - Contain.
  - Not contain.
- In the entry field, specify one or more characters of the version of the application that is used as the Endpoint Agent component.
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by their activity
To filter or search for hosts with the Endpoint Agent component by their activity:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Activity link to open the filter configuration window.
- Select check boxes next to one or multiple activity indicators:
  - Normal activity, if you want to find hosts from which the last data was recently received.
  - Warning, if you want to find hosts from which the last data was received a long time ago.
  - Critical inactivity, if you want to find hosts from which the last data was received an extremely long time ago.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
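The filter sections above (host name, isolated hosts, IP address, OS, component version, and activity) all describe the same mechanism: one condition per column, combined so that a host is shown only when every active filter matches. The following Python script is an added example, not code from the product or its vendor; it re-implements those filter semantics over a constructed host table. The `Host` record layout, the sample hosts, and the matching rules are assumptions: "Contain"/"Not contain" is treated as a case-insensitive substring match, an IP value containing "/" is treated as an IPv4 subnet in CIDR notation (the 192.0.0.0/16 form from the IP section), and multiple filters combine with AND.

```python
"""
Illustrative re-implementation of the Endpoint Agents table filters.
Added example code, not part of the product; the Host layout, sample
hosts and matching rules are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set

Predicate = Callable[["Host"], bool]


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    os: str
    version: str
    activity: str        # "Normal activity", "Warning" or "Critical inactivity"
    isolated: bool = False


def contains(column: str, text: str, negate: bool = False) -> Predicate:
    """'Contain' / 'Not contain' operator for the Host, OS and Version columns
    (assumed to be a case-insensitive substring match)."""
    needle = text.lower()

    def pred(h: Host) -> bool:
        hit = needle in getattr(h, column).lower()
        return (not hit) if negate else hit

    return pred


def ip_filter(value: str, negate: bool = False) -> Predicate:
    """IP column: '192.0.0.0/16' selects hosts inside that subnet, while a
    plain value such as '192.0.0.1' is matched as text (assumed behaviour)."""
    net = ipaddress.IPv4Network(value, strict=False) if "/" in value else None

    def pred(h: Host) -> bool:
        if net is not None:
            try:
                hit = ipaddress.IPv4Address(h.ip) in net
            except ValueError:      # malformed address in the table: no match
                hit = False
        else:
            hit = value in h.ip
        return (not hit) if negate else hit

    return pred


def activity_in(indicators: Set[str]) -> Predicate:
    """Activity column: one or more indicator check boxes selected."""
    return lambda h: h.activity in indicators


def isolated_only() -> Predicate:
    """The 'Show isolated Endpoint Agents only' check box."""
    return lambda h: h.isolated


def filter_hosts(hosts: Iterable[Host], predicates: List[Predicate]) -> List[Host]:
    """Apply every active filter; a host is shown only if all of them match."""
    return [h for h in hosts if all(p(h) for p in predicates)]


def names(hosts: Iterable[Host]) -> List[str]:
    return [h.name for h in hosts]


# Constructed sample table (not real hosts).
SAMPLE_HOSTS = [
    Host("ws-acc-01", "192.0.12.7", "Windows 10", "3.16.0", "Normal activity"),
    Host("ws-acc-02", "192.0.13.8", "Windows 11", "3.16.0", "Warning", isolated=True),
    Host("srv-db-01", "10.1.5.20", "Windows Server 2019", "3.15.2", "Critical inactivity"),
    Host("lab-py-01", "192.0.0.1", "Windows 10", "3.16.0", "Normal activity"),
]

if __name__ == "__main__":
    # Host name contains "acc" AND IP inside 192.0.0.0/16 AND activity is Warning
    shown = filter_hosts(SAMPLE_HOSTS, [
        contains("name", "acc"),
        ip_filter("192.0.0.0/16"),
        activity_in({"Warning"}),
    ])
    print(names(shown))
```

The subnet form is the one worth checking carefully when reviewing a filter: `192.0.0.0/16` covers every address from 192.0.0.0 to 192.0.255.255, whereas the text form `192.0.0.1` only matches addresses whose printed form contains that string.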
Quickly creating a filter for hosts with the Endpoint Agent component
To quickly create a filter for hosts with the Endpoint Agent component:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Do the following to quickly add filter conditions to the filter being created:
- Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
- Left-click it.
This opens a list of actions to perform on the value.
- In the list that opens, select one of the following actions:
- Filter by this value, if you want to include this value in the filter condition.
- Exclude from filter, if you want to exclude the value from the filter condition.
- If you want to add several filter conditions to the filter being created, perform the actions to quickly add each filter condition to the filter being created.
The table displays only those hosts that match the filter criteria you have set.
Resetting the filter for hosts with the Endpoint Agent component
To clear the Endpoint Agent host filter for one or more filtering criteria:
- Select the Endpoint Agents section in the window of the application web interface.
- Click the clear button to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table displays only those hosts that match the filter criteria you have set.
Configuring activity indicators of the Endpoint Agent component
Users with the Local administrator and Administrator roles can define what durations of inactivity of the application that is used as the Endpoint Agent component are to be considered normal, low, or very low activity, and can configure the activity indicators for the application. Users with the Security auditor role can only view the settings of application activity indicators. Users with the Senior security officer or Security officer role can see activity indicators that you configured for the Endpoint Agent component in the Activity field of the Endpoint Agent host table in the Endpoint Agents section of the application web interface.
To configure activity indicators for the Endpoint Agent component:
- Sign in to the application web interface under the Local administrator, Administrator or Senior security officer account.
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- In the fields under the section name, enter the number of days of inactivity of hosts with the Endpoint Agent component that you want to display as Warning and Critical inactivity.
- Click Apply.
Activity indicators of the Endpoint Agent component are configured.
Removing hosts with the Endpoint Agent component
To remove one or more hosts from the Endpoint Agents table:
- Select the Endpoint Agents section in the window of the application web interface.
- Select check boxes next to one or more hosts that you want to remove. You can select all hosts by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
- This opens the action confirmation window; in that window, click Yes.
The selected hosts are removed from the Endpoint Agents table.
When hosts are removed the following changes are made in the web interface of Kaspersky Anti Targeted Attack Platform:
- You cannot create a task, prevention rule, or network isolation rule for a removed host.
- If a prevention rule was previously created for a host, its name in the rule window (the Prevent on field) is hidden when the host is removed. The rule continues to apply.
If this host reconnects to the Central Node server, the host name is restored in the Prevent on field and the prevention rule is applied to it again.
- If a network isolation rule was previously created for a host, it continues to apply until the time specified in the rule expires.
When this host reconnects to the Central Node, the rule is reapplied to this host.
- The metadata of objects quarantined on the remote host are deleted from Kaspersky Anti Targeted Attack Platform Quarantine.
When this host reconnects to the Central Node server, the metadata of objects in Kaspersky Anti Targeted Attack Platform Quarantine are not restored. You can avoid Quarantine filling up on a host by clearing it on command line or in Kaspersky Security Center. For details, see the Help of the application that you are using in the role of the Endpoint Agent component.
- If an object was quarantined by the Quarantine file task on one host only and that host was removed, the Restore all button in the task window is inactive because the file cannot be restored on a removed host.
Event search by the name of the removed host remains available.
Automatic removal of inactive hosts
You can enable or disable the automatic removal of inactive hosts from the Endpoint Agents table. Inactive hosts are hosts that have not connected to the Central Node server for the configured time.
To enable or disable the automatic removal of hosts from the Endpoint Agents table:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- Under Delete inactive hosts automatically, do the following:
  - If you want to enable this functionality, move the Delete hosts toggle switch to Enabled.
  - If you want to disable this functionality, move the Delete hosts toggle switch to Disabled.
- If you have enabled this functionality, in the Delete after field, specify the number of days after which hosts that have not connected to the Central Node component must be considered inactive.
The minimum value is 1 and the maximum value is 365.
Automatic removal of inactive hosts is enabled or disabled.
If the value specified in the Delete after field is less than the values specified in the Warning and/or Critical inactivity fields under Activity indicators, hosts are removed earlier than an inactivity warning is displayed in the Dashboard section.
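The activity indicator settings (the Warning and Critical inactivity day counts from "Configuring activity indicators of the Endpoint Agent component") and the Delete after setting above interact: whichever threshold is reached first decides whether a host shows a warning or simply disappears from the table. The Python script below is an added example, not code from the product or its vendor; it models that interaction on constructed dates. Treating a host as inactive once its last connection is at least the configured number of days old, and the sample host names and dates, are assumptions.

```python
"""
Worked example of Endpoint Agent activity indicators and automatic removal.
Added example code, not part of the product. Threshold names follow the help
text (Warning, Critical inactivity, Delete after); the ">= days" comparison
and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

NORMAL, WARNING, CRITICAL = "Normal activity", "Warning", "Critical inactivity"


@dataclass(frozen=True)
class ActivitySettings:
    warning_days: int                          # Activity indicators: Warning
    critical_days: int                         # Activity indicators: Critical inactivity
    delete_after_days: Optional[int] = None    # Delete after; None = removal disabled

    def __post_init__(self) -> None:
        if not 0 < self.warning_days < self.critical_days:
            raise ValueError("Warning must be shorter than Critical inactivity")
        # The help text gives 1 and 365 as the limits of the Delete after field.
        if self.delete_after_days is not None and not 1 <= self.delete_after_days <= 365:
            raise ValueError("Delete after must be between 1 and 365 days")


def activity_indicator(days_inactive: int, s: ActivitySettings) -> str:
    """Map days since the last connection to the indicator shown in the table."""
    if days_inactive >= s.critical_days:
        return CRITICAL
    if days_inactive >= s.warning_days:
        return WARNING
    return NORMAL


def evaluate(last_connection: date, today: date, s: ActivitySettings) -> Tuple[str, bool]:
    """Return (indicator, removed); removed is True once Delete after has elapsed."""
    days = (today - last_connection).days
    removed = s.delete_after_days is not None and days >= s.delete_after_days
    return activity_indicator(days, s), removed


def skipped_indicators(s: ActivitySettings) -> List[str]:
    """Indicators that never appear because hosts are deleted first: the caveat
    that a Delete after value smaller than Warning and/or Critical inactivity
    removes hosts before the corresponding warning is displayed."""
    if s.delete_after_days is None:
        return []
    return [name for name, days in ((WARNING, s.warning_days), (CRITICAL, s.critical_days))
            if s.delete_after_days < days]


def summarize(last_connections: Dict[str, date], today: date, s: ActivitySettings) -> Dict[str, object]:
    """Counts per indicator (the numbers shown above the host table) plus the
    hosts that automatic removal has already dropped from it."""
    counts = {NORMAL: 0, WARNING: 0, CRITICAL: 0}
    removed: List[str] = []
    for host, last in sorted(last_connections.items()):
        indicator, gone = evaluate(last, today, s)
        if gone:
            removed.append(host)
        else:
            counts[indicator] += 1
    return {"counts": counts, "removed": removed}


# Constructed sample data (not real hosts or dates).
TODAY = date(2024, 3, 1)
SAMPLE_LAST_CONNECTION = {
    "ws-acc-01": TODAY - timedelta(days=2),
    "ws-acc-02": TODAY - timedelta(days=10),
    "srv-db-01": TODAY - timedelta(days=45),
    "lab-py-01": TODAY,
}

if __name__ == "__main__":
    s = ActivitySettings(warning_days=7, critical_days=30, delete_after_days=14)
    print(summarize(SAMPLE_LAST_CONNECTION, TODAY, s))
    print(skipped_indicators(s))   # with Delete after = 14 < 30, no host ever shows Critical inactivity
```

When reviewing these settings, run `skipped_indicators` on the configured values: an empty list means every indicator can actually be reached before a host is deleted, which is what you want if analysts rely on the Dashboard warnings to notice agents that stopped reporting.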
When hosts are removed the following changes are made in the web interface of Kaspersky Anti Targeted Attack Platform:
- You cannot create a task, prevention rule, or network isolation rule for a removed host.
- If a prevention rule was previously created for a host, its name in the rule window (the Prevent on field) is hidden when the host is removed. The rule continues to apply.
If this host reconnects to the Central Node server, the host name is restored in the Prevent on field and the prevention rule is applied to it again.
- If a network isolation rule was previously created for a host, it continues to apply until the time specified in the rule expires.
When this host reconnects to the Central Node, the rule is reapplied to this host.
- The metadata of objects quarantined on the remote host are deleted from Kaspersky Anti Targeted Attack Platform quarantine.
When this host reconnects to the Central Node server, the metadata of objects in Kaspersky Anti Targeted Attack Platform quarantine are not restored. You can avoid quarantine filling up on a host by clearing it on command line or in Kaspersky Security Center. For details, see the Help of the application that you are using in the role of the Endpoint Agent component.
- If an object was quarantined by the Quarantine file task on one host only and that host was removed, the Restore all button in the task window is inactive because the file cannot be restored on a removed host.
Event search by the name of the removed host remains available.
Supported interpreters and processes
Kaspersky Endpoint Agent application monitors the execution of scripts by the following interpreters:
- cmd.exe
- reg.exe
- regedit.exe
- regedt32.exe
- cscript.exe
- wscript.exe
- mmc.exe
- msiexec.exe
- mshta.exe
- rundll32.exe
- runlegacycplelevated.exe
- control.exe
- explorer.exe
- regsvr32.exe
- wwahost.exe
- powershell.exe
- java.exe and javaw.exe (only if started with the -jar option)
- InstallUtil.exe
- msdt.exe
- python.exe
- ruby.exe
- rubyw.exe
Information about the processes monitored by Kaspersky Endpoint Agent application is presented in the table below.
Processes and the file extensions that they open

| Process | File extensions |
|---|---|
| winword.exe | rtf doc dot docm docx dotx dotm docb |
| excel.exe | xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam xll xlw |
| powerpnt.exe | ppt pot pps pptx pptm potx potm ppam ppsx ppsm sldx sldm |
| acrord32.exe | |
| wordpad.exe | docx |
| chrome.exe | |
| MicrosoftEdge.exe | |