Contents
- For administrators: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring the performance of the application
- About widgets and layouts
- Selecting a tenant and a server to manage in the Dashboard section
- Adding a widget to the current layout
- Moving a widget in the current layout
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Monitoring the receipt and processing of incoming data
- Monitoring the queues for data processing by application modules and components
- Monitoring the processing of data by the Sandbox component
- Viewing the working condition of modules and components of the application
- Managing Central Node, PCN, or SCN servers using the application web interface
- Configuring the date and time on the server
- Generating or uploading a TLS certificate of the server
- Downloading the TLS certificate of the server
- Assigning a server DNS name
- Configuring DNS settings
- Configuring settings of the network interface
- Configuring the default network route
- Configuring proxy server connection settings
- Configuring the mail server connection
- Selecting operating systems to use when scanning objects in Sandbox
- Managing the Sensor component
- Viewing the table of servers with the Sensor component
- Processing a connection request from the Sensor component
- Configuring the maximum size of a scanned file
- Configuring receipt of mirrored traffic from SPAN ports
- Selecting network protocols for receiving mirrored traffic from SPAN ports
- Configuring integration with a mail server via SMTP
- Configuring TLS encryption of connections with a mail server via SMTP
- Configuring integration with a proxy server via ICAP
- Configuring raw network traffic recording
- Configuring integration with a mail server via POP3
- Managing the cluster
- Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
- Configuring the SNMP protocol connection
- Managing Endpoint Agent host information
- Selecting a tenant to manage in the Endpoint Agents section
- Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Automatic removal of inactive hosts
- Supported interpreters and processes
- Configuring integration with the Sandbox component
- Configuring integration with external systems
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring integration with an SIEM system
- Managing the activity log
- Updating application databases
- Creating a list of passwords for archives
- Configuring integration with ArtX TLSproxy 1.9.1
For administrators: Getting started with the application web interface
The intended audience of this section is personnel who install and administer Kaspersky Anti Targeted Attack Platform and manage PCN and SCN servers and tenants in distributed solution and multitenancy mode.
Kaspersky Anti Targeted Attack Platform Interface
The application is managed through the web interface. Sections of the application web interface differ depending on the role of the user: Administrator, Senior security officer, Security officer, or Security auditor.
The window of the application web interface contains the following:
- Sections in the left part and in the lower part of the application web interface window.
- Tabs in the upper part of the application web interface window for certain sections of the application.
- The workspace in the lower part of the application web interface window.
Sections of the application web interface window
The application web interface for the Administrator role contains the following sections:
- Dashboard. Contains Kaspersky Anti Targeted Attack Platform Monitoring data.
- Operation mode. Contains information about PCN and SCN servers and about tenants in distributed solution and multitenancy mode.
- Endpoint Agents. Contains information about connected computers with the Kaspersky Endpoint Agent component and their settings.
- Reports: Activity log. Contains information about the logging settings for user activity in the application web interface.
- Settings. Contains the settings of the server with the Central Node component.
- Sensor servers. Contains information about connected Sensor components and their settings.
- Sandbox servers. Contains information about the connection of the Central Node component to Sandbox components.
- External systems. Contains information about application integration with mail sensors.
Workspace of the application web interface window
The workspace displays the information you choose to view in the sections and on the tabs of the application web interface window. It also contains control elements that you can use to configure how the information is displayed.
Users with the Security auditor role can also view these sections of the application web interface.
Monitoring the performance of the application
You can monitor application operation using the widgets in the Dashboard section of the application web interface window. You can add, delete, and move widgets, configure the display scale of widgets, and select the data display period.
About widgets and layouts
You can use widgets to monitor application operation.
A layout is the appearance of the workspace of the application web interface window in the Dashboard section. You can add, delete, and move widgets in the layout.
The following widgets are available in the application:
- Processed. Displays the processing status for traffic coming from the Sensor component and the Endpoint Agent component to the server with the Central Node component.
- Queues. Displays information on the number and volume of objects waiting to be scanned by application modules and components.
- Sandbox processing time. Displays the average time taken to receive the scan results after objects were scanned by the Sandbox component.
If you are using the distributed solution and multitenancy mode, the section displays information about the tenant and server that you chose.
Selecting a tenant and a server to manage in the Dashboard section
If you are using the distributed solution and multitenancy mode, before using the Dashboard section, you must select the tenant and server whose data you want to view.
To select a tenant and server for which you want to display data in the Dashboard section:
- In the upper right part of the application web interface window, click the arrow next to the server name.
- In the drop-down list, select the tenant and server from the list.
Data for the selected server is displayed. If you want to select a different tenant and server, repeat the steps to select a tenant and server.
Adding a widget to the current layout
To add a widget to the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Click Widgets.
- In the Manage widgets window that opens:
- If you want to add the Queues widget, turn on the toggle switch next to the name of this widget.
- If you want to add the Sandbox processing time widget, turn on the toggle switch next to the name of this widget.
- If you want to add the Processed widget, click the button next to the name of this widget.
The selected widget is added to the current layout.
Moving a widget in the current layout
To move a widget in the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Select the widget that you want to move within the layout.
- Left-click and hold the upper part of the widget to drag and drop the widget to a different place in the layout.
- Click Save.
The current layout is saved.
Removing a widget from the current layout
To remove a widget from the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Click the icon in the upper right corner of the widget that you want to remove from the layout.
The widget is removed from the workspace of the application web interface window.
- Click Save.
The widget is removed from the current layout.
Saving a layout to PDF
To save a layout to PDF:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Save as PDF.
This opens the Saving as PDF window.
- In the lower part of the window, in the Layout drop-down list, select the page orientation.
- Click Download.
The layout in PDF format is saved to the hard drive of your computer in the downloads folder of the browser.
- Click Close.
Configuring the data display period in widgets
You can configure the display of data in widgets for the following periods:
- Day
- Week
- Month
To configure the display of data in widgets for a day (from 00:00 a.m. to 11:59 p.m.):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Day.
- In the calendar to the right of the Day period name, select the date for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data on widgets for a week (Monday through Sunday):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Week.
- In the calendar to the right of the Week period name, select the week for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data in widgets for a month (calendar month):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Month.
- In the calendar to the right of the Month period name, select the month for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
Monitoring the receipt and processing of incoming data
In the Processed widget, you can assess the processing status of data coming from the Sensor component and the Endpoint Agent component to the server with the Central Node component, and track data processing errors.
To select the component (Sensor or Endpoint Agent) for which you want to assess incoming data, use the drop-down list to the right of the Processed widget name.
You can select the type of data display in the drop-down list to the right of the component name (Sensor or Endpoint Agent):
- Current load—The last 5 minutes.
- Selected period. In this case, you can also configure the period for which data is displayed in widgets.
The left part of each widget displays the legend for colors used in the widget itself.
If the Current load data display type is selected, the average data processing rate over the past 5 minutes is displayed to the right of the key.
Example: The Processed widget with the Sensor type (SPAN or ICAP) and the Current load data display type selected displays the data processing rate for SPAN and ICAP traffic coming from the Sensor component to the server with the Central Node component over a specific time period. The following data is displayed:
If the Selected period data display type is selected, to the right of the key you will see the average rate of incoming traffic to the server with the Central Node component and the number of objects processed during the selected period.
Example: The Processed widget with the Sensor type (SPAN or ICAP), the Selected period data display type, and the Month data display period selected displays the rate of SPAN and ICAP traffic coming to the server with the Central Node component, as well as the number of files and URLs extracted from mail traffic during the selected month. The following data is displayed:
Monitoring the queues for data processing by application modules and components
You can use the Queues widget to assess the status of data processing by the YARA and AM Engine application modules and the Sandbox component, and to monitor the amount of unprocessed data. Data transfer in the queue is measured in messages.
You can select the type of data display in the drop-down list to the right of the Queues widget name:
- Current load—The last 5 minutes.
- Selected period. In this case, you can also configure the period of data display on widgets.
The left part of the widget displays the legend for colors used in the widget.
The Queues widget displays the following data:
- Number of messages and Data volume processed by application modules and components:
- YARA—blue.
- Sandbox—violet.
- AM Engine—green.
- Unprocessed—Amount of unprocessed data, indicated by vertical red lines.
When you hover the mouse cursor over a widget, you see a pop-up window that displays the status of data processing by the YARA and AM Engine application modules and the Sandbox component, as well as the amount of unprocessed data during a specific time period.
Monitoring the processing of data by the Sandbox component
The Sandbox processing time widget displays the average time elapsed from the moment data is sent to one or multiple Sandbox component servers (including the time spent in the queue before getting sent) to the moment when the Sandbox processing results are displayed in the web interface of Kaspersky Anti Targeted Attack Platform for the selected period.
Example: If Month is configured as the period of data display in widgets, the Sandbox processing time widget displays orange-colored bars for each day of the month. When you move the mouse cursor over a bar, you will see a pop-up window that displays the average time that elapses from the moment data is sent to one or several servers with the Sandbox component until the results from data processing by the Sandbox component are displayed in the web interface of Kaspersky Anti Targeted Attack Platform during the selected day.
You can increase the rate at which data is processed by the Sandbox component and the throughput of the Sandbox component by increasing the number of servers with the Sandbox component and by distributing the data to be processed among those servers.
Viewing the working condition of modules and components of the application
If modules or components of the application encounter errors that the administrator is advised to look at, a yellow warning box is displayed in the upper part of the Dashboard section of the application web interface.
Users with the Local administrator, Administrator, or Security auditor roles can gain access to information about the working condition of the Central Node, PCN, or SCN server that the user is currently managing.
Users with the Senior security officer, Security officer, or Security auditor roles can gain access to the following information about the working condition:
- If you are using a standalone Central Node server, the user can access information about the working condition of the Central Node server which the user is currently managing.
- If you are using the distributed solution and multitenancy mode, and the user is managing an SCN server, the user can gain access to information about the working condition of that SCN server for tenants to whose data the user has access.
- If you are using the distributed solution and multitenancy mode, and the user is managing the PCN server, the user can gain access to information about the working condition of the PCN server and all SCN servers connected to that server, for tenants to whose data the user has access.
For details about the working condition of application modules and components, click View details to open the System health window.
In the System health window, one of the following icons is displayed depending on the working condition of the application modules and components:
- A status icon if the modules and components of the application are working normally.
- An icon with the number of problems if problems are found that the administrator is recommended to pay attention to. In this case, detailed problem information is displayed in the right part of the System health window.
The System health window contains the following sections:
- Component health contains information on the operational status of application modules and components, quarantine, and database update on all servers where the application is running.
Example:
If the databases of one or more application components have not been updated in 24 hours, an icon is displayed next to the name of the server on which the application modules and components are installed.
To resolve the problem, make sure that update servers are accessible. If you are using a proxy server to connect to update servers, make sure the proxy server has no errors pertaining to the connection to Kaspersky Anti Targeted Attack Platform servers.
- Processed—Status of receiving and processing incoming data. The status is generated based on the following criteria:
- State of receiving data from servers with the Sensor component, from the server or virtual machine with the mail sensor, from hosts with the Endpoint Agent component.
- Information about exceeding the maximum allowed time that objects wait in the queue to be scanned by application modules and components.
- Connection with servers—Status of the connection between the PCN server and connected SCN servers (displayed if you are using the distributed solution and multitenancy mode).
If problems are detected with the performance of application modules or components and you cannot resolve those problems on your own, please contact Kaspersky Technical Support.
Managing Central Node, PCN, or SCN servers using the application web interface
You can use the application web interface to perform the following actions with the server on which the Central Node component is installed:
- Configure the date and time on the server.
- Power off and restart the server.
- Generate or upload a server certificate that you can prepare on your own.
- Configure the network settings of the server.
- Monitor the disk space usage on the server.
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
Configuring the date and time on the server
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the date and time on the server:
- In the window of the application web interface, select the Settings section, Date and time subsection.
- In the Time zone drop-down list, select the time zone of the physical location of the server with the Central Node component.
You can specify the country and time zone by selecting the relevant region on the map under the drop-down lists.
Selecting a region on the map is not available in Kaspersky Anti Targeted Attack Platform 6.0.4.
- In the NTP servers section:
- If you want to add a new NTP server:
- Click Add.
- In the field that opens, enter the IP address or domain name of the NTP server.
- Click the button to the right of the field.
- If you want to edit the IP address or domain name of the NTP server, click the button in the line containing the server.
- If you want to delete an NTP server, click the button in the line containing the server.
- Click Apply.
The date and time of the server will be configured.
Generating or uploading a TLS certificate of the server
If you are already using a server TLS certificate, generating or uploading a new certificate causes the currently used certificate to be removed and replaced with the new certificate.
You must enter the data of the new certificate everywhere the old certificate was used.
If you replace the TLS certificate, you will need to:
- Reauthorize mail sensors (KSMG, KLMS) on Central Node.
- Reconfigure the connection of Central Node, PCN, and SCN to Sandbox.
- Reconfigure traffic forwarding from Endpoint Agent to Sensor and trusted connection with Endpoint Agent.
Make sure to delete all Endpoint Agent host isolation rules. Connection with isolated hosts will be lost and you will not be able to manage them.
You can generate a new certificate in the web interface of the Central Node server or upload a certificate that you have created independently.
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To generate a TLS certificate for a Central Node server:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the window of the application web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Generate.
This opens the action confirmation window.
- Click Yes.
Kaspersky Anti Targeted Attack Platform generates a new TLS certificate. The page is automatically refreshed.
Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent application is interrupted until reauthorization.
You can choose to prepare the TLS certificate on your own and upload it using the Kaspersky Anti Targeted Attack Platform web interface.
The TLS certificate file prepared for upload must satisfy the following requirements:
- The file must contain the certificate itself and a private encryption key for the connection.
- The file must be in PEM format.
The application does not support other formats of certificates.
If you have prepared a certificate in a different format, you must convert it to the PEM format.
- The private key length must be 2,048 bits or longer.
For more details on preparing TLS certificates for import, please refer to the OpenSSL documentation.
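The requirements above can be checked before the file is uploaded. The following script is an added example and is not part of the Kaspersky documentation or product; it assumes the openssl command-line tool is installed, and the file names in it are placeholders. It verifies that a PEM file carries both a certificate and a private key, that the key is at least 2048 bits, and that the key actually belongs to the certificate, and it includes the PKCS#12-to-PEM conversion that the format note calls for.

```sh
# Added example, not part of the Kaspersky documentation. Pre-flight check of a
# PEM bundle against the requirements listed above, before it is uploaded as the
# server certificate. Assumes the openssl command-line tool; file names are placeholders.

# pem_block FILE REGEX -> the first PEM block whose BEGIN line matches REGEX
pem_block() {
    awk -v re="$2" '
        !p && $0 ~ ("^-----BEGIN " re "-----$") { p = 1 }
        p { print }
        p && $0 ~ ("^-----END " re "-----$") { exit }' "$1"
}

# check_pem_bundle FILE -> 0 when FILE contains a certificate and an unencrypted
# private key in PEM form, the key is at least 2048 bits, and the key belongs to
# the certificate; otherwise 1, with the first failed requirement on stderr
check_pem_bundle() {
    f="$1"
    cert=$(pem_block "$f" "CERTIFICATE")
    key=$(pem_block "$f" "(RSA |EC )?PRIVATE KEY")
    if [ -z "$cert" ]; then
        echo "$f: no CERTIFICATE block; the file must be PEM and contain the certificate" >&2
        return 1
    fi
    if [ -z "$key" ]; then
        echo "$f: no PRIVATE KEY block; the certificate and its key must be in one file" >&2
        return 1
    fi
    # openssl prints "Private-Key: (2048 bit, 2 primes)" or "Private-Key: (2048 bit)"
    # depending on the version; take the number
    bits=$(printf '%s\n' "$key" | openssl pkey -noout -text 2>/dev/null \
           | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "$f: private key could not be parsed" >&2
        return 1
    fi
    if [ "$bits" -lt 2048 ]; then
        echo "$f: private key is $bits bits; 2048 bits or longer is required" >&2
        return 1
    fi
    # the public key inside the certificate must equal the one derived from the private key
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$f: the private key does not match the certificate" >&2
        return 1
    fi
    echo "$f: OK ($bits-bit key, certificate and key match)"
}

# convert_pkcs12_to_pem IN.p12 OUT.pem -> rewrites a PKCS#12 (.p12/.pfx) bundle as
# one unencrypted PEM file (certificate plus key); openssl asks for the import password
convert_pkcs12_to_pem() {
    openssl pkcs12 -in "$1" -nodes -out "$2"
}

# Usage: sh check_bundle.sh /path/to/bundle.pem   (placeholder path)
if [ "$#" -eq 1 ]; then
    check_pem_bundle "$1"
fi
```

A non-zero exit status names the first requirement that failed. The 2048-bit threshold is applied exactly as the page states it, to whatever key type the bundle holds, and an encrypted key block is reported as a missing private key because the script only accepts the plain PRIVATE KEY block types.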
Upload the TLS certificate in the web interface of the PCN or SCN server to which you want to upload the certificate.
To upload an independently prepared TLS certificate using the Kaspersky Anti Targeted Attack Platform web interface:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the window of the application web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Upload.
This opens the file selection window.
- Select the TLS certificate file to upload and click the Open button.
This closes the file selection window.
The TLS certificate is added to the Kaspersky Anti Targeted Attack Platform.
Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent application is interrupted until reauthorization.
Downloading the TLS certificate of the server
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To download the TLS certificate of the server:
- In the window of the application web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Download.
The server certificate file will be saved in the downloads folder of the browser.
Assigning a server DNS name
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To assign the server name to be used by DNS servers:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- Enter the full domain name of the server into the Server name (FQDN) field.
Specify the server name in FQDN format (for example: host.domain.com or host.domain.subdomain.com).
- Click Apply.
The server name will be assigned.
Configuring DNS settings
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure DNS:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- In the DNS settings group, enter the IP addresses of the DNS servers in the DNS servers field.
- Click Apply.
The DNS settings will be configured.
Configuring settings of the network interface
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the network interface:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- Select the network interface whose settings you want to configure.
This opens the Edit network interface window.
- In the State settings group, select one of the following options:
- Disabled.
- Enabled, using DHCP server if you want the settings received from the DHCP server to be used for the network interface.
- Enabled, manual configuration if you want the manually configured network interface to be used.
- If you selected Enabled, manual configuration, specify values for the following parameters:
- In the IP field, specify the IP address of the network interface.
- In the Subnet mask field, specify the subnet mask of the network interface.
- In the Gateway text box, enter the IP address of the gateway.
- Click Save.
The settings of the network interface will be configured.
Configuring the default network route
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the default network route:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- In the Network route settings group, in the Network interface drop-down list, select the network interface for which you want to configure the network route.
- In the Gateway text box, enter the IP address of the gateway.
- Click Apply.
The default network route will be configured.
Configuring proxy server connection settings
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the proxy server connection:
- In the window of the application web interface, select the Settings section, General settings subsection.
- In the Proxy server settings group, set the toggle switch to Enabled.
- In the Host field, specify the URL of the proxy server.
- In the Port field, specify the port for connecting to the proxy server.
- In the User name field, specify the user name for authentication on the proxy server.
- In the Password field, specify the password for authentication on the proxy server.
- If you do not want to use a proxy server when connecting to local addresses, select the Bypass proxy server for local addresses check box.
- Click Apply.
The proxy server connection settings will be configured.
Configuring the mail server connection
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
The application can send notifications about alerts and system performance. To do so, you must configure the settings of the server used for sending notifications.
To configure the server for sending notifications:
- In the main window of the application web interface, select the Settings section, Notifications subsection.
- Go to the Mail server configuration tab.
- In the Host field, specify the IP address of the mail server.
- In the Port field, specify the port for connecting to the mail server.
- In the Email from field, specify the email address from which the notifications will be sent.
- If you want to enable authentication on the mail server, select the Use SMTP authentication of message recipients check box.
- In the User name field, specify the user name for authentication on the server used for sending notifications.
- In the Password field, specify the password for authentication on the server used for sending notifications.
- If you want to use TLS encryption when sending notifications, select the Use TLS encryption check box.
- If you want to validate the certificate of the mail server, select the Validate TLS encryption check box.
The Certificate fingerprint field displays the fingerprint of the mail server certificate.
If the Validate TLS encryption check box is not selected, the application will consider any certificate of the mail server as trusted.
- Click Apply.
The settings of the server used for sending notifications will be configured.
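Because a cleared Validate TLS encryption check box means any certificate presented by the mail server is accepted, the value in the Certificate fingerprint field is what anchors trust once the check box is selected. The following script is an added example, not part of the Kaspersky documentation or product: it fetches the certificate the mail server really presents during STARTTLS and compares its fingerprint with a value you supply, so the field can be confirmed over a path you trust before the check box is enabled. It assumes the openssl command-line tool, assumes SHA-256 as the fingerprint algorithm (the page does not state which hash the field shows), and the host name, port and fingerprint in it are placeholders.

```sh
# Added example, not part of the Kaspersky documentation. Obtains the mail
# server's certificate fingerprint over STARTTLS so it can be compared with the
# value shown in the Certificate fingerprint field. Assumes the openssl
# command-line tool and SHA-256 fingerprints; host, port and expected value are placeholders.

# cert_file_fingerprint FILE -> colon-separated SHA-256 fingerprint of a PEM certificate
cert_file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# mail_server_fingerprint HOST PORT -> fingerprint of the certificate the server
# presents after STARTTLS (the same handshake the notification sender performs)
mail_server_fingerprint() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*Fingerprint=//'
}

# normalize_fingerprint STR -> lowercase hex without colons or spaces, so values
# copied from different tools compare equal
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# fingerprints_match A B -> 0 only if both are non-empty and denote the same certificate
fingerprints_match() {
    a=$(normalize_fingerprint "$1")
    b=$(normalize_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_mail_server HOST PORT EXPECTED -> 0 only if the live server presents the
# expected certificate; a wrong certificate, no TLS, or an unreachable host is a refusal
verify_mail_server() {
    seen=$(mail_server_fingerprint "$1" "$2")
    if [ -z "$seen" ]; then
        echo "$1:$2: no certificate obtained via STARTTLS" >&2
        return 1
    fi
    if fingerprints_match "$seen" "$3"; then
        echo "$1:$2: certificate matches ($seen)"
        return 0
    fi
    echo "$1:$2: MISMATCH, server presented $seen, expected $3" >&2
    return 1
}

# Usage: sh verify_mail_tls.sh mail.example.internal 587 'AA:BB:...'   (placeholders)
if [ "$#" -eq 3 ]; then
    verify_mail_server "$1" "$2" "$3"
fi
```

Run it from a host whose network path to the mail server you trust, and compare the result with the Certificate fingerprint field; if they differ, the Central Node is not seeing the same certificate the mail server serves, which is exactly the situation the Validate TLS encryption check box is meant to catch. Implicit-TLS ports (SMTPS) would need the STARTTLS option removed from the openssl call.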
Selecting operating systems to use when scanning objects in Sandbox
You can select a set of operating systems that will be used to generate tasks for scanning objects using the Sandbox component. On the Sandbox server, you must install virtual machines with operating systems that match the configured set.
To select the set of operating systems:
- Select the Sandbox servers section in the window of the application web interface.
- Go to the Settings tab.
- Under OS set, select one of the following options:
- Windows 7, Windows 10.
- CentOS 7.8, Windows 7, Windows 10.
- Astra Linux 1.7, Windows 7, Windows 10.
- Custom.
- If you selected Custom, under Set composition, select the check boxes next to the operating systems that you want to include in the set.
Custom operating systems are displayed in the list if virtual machines with these operating systems are installed on the Sandbox server. Preset operating systems are always displayed in the list, but if virtual machines running these operating systems are not deployed, the Unknown status is displayed next to the name of the operating system.
Kaspersky Anti Targeted Attack Platform will create tasks for scanning objects in Sandbox in accordance with the selected set.
If the set of operating systems installed on the Sandbox server does not match the set selected on the Central Node server, objects are not sent to be scanned by that Sandbox server. If multiple Sandbox servers are connected to the Central Node server, the application sends objects to those Sandbox servers whose installed operating systems match the set selected on Central Node.
You can change the set of operating systems in the course of using the application. In this case, you need to make sure that the configuration of the Sandbox server satisfies hardware requirements.
In distributed solution and multitenancy mode, the settings of the operating system set configured on the PCN server are not applied to SCN servers connected to that PCN server. You can select the set of operating systems for each PCN and SCN server individually.
Managing the Sensor component
The Sensor component receives data from network traffic and mail traffic.
You can install the Sensor and Central Node components on the same server or on separate servers. The Sensor component installed on a standalone server must be connected to the server with the Central Node component. A connection request is created during component installation.
If the Sensor component is installed on the same server as the Central Node component, you can configure the Sensor component in the web interface of Kaspersky Anti Targeted Attack Platform. If the Sensor component is installed on a standalone server, in the web interface of Kaspersky Anti Targeted Attack Platform, you can only process connection requests from this component and view information about the component in the table of servers with the Sensor component. Other component settings can be edited in the administrator menu.
If you are using the distributed solution and multitenancy mode, perform the necessary actions to connect to PCN or SCN servers.
Viewing the table of servers with the Sensor component
The table of servers with the Sensor component is located in the Sensor servers section of the application web interface window.
The Certificate fingerprint field displays the fingerprint of the TLS certificate of the Central Node server.
The Server list table contains the following information:
- IP/name—IP address or domain name of the server with the Sensor component.
- Type—Type of Sensor component. Possible values:
- Central Node—The Sensor component is installed on the same server as the Central Node component.
- Remote—The Sensor component is installed on a different server or a mail sensor is used as the Sensor component.
- Certificate fingerprint—Fingerprint of the TLS certificate used to establish an encrypted connection between servers with the Sensor and Central Node components.
- KSN/KPSN—Status of the connection to the KSN/KPSN reputation databases.
- SPAN—Status of SPAN traffic processing.
- SMTP—Status of integration with a mail server via SMTP.
- ICAP—Status of integration with a proxy server via ICAP.
- POP3—Status of integration with a mail server via POP3.
- State—Status of the connection request.
Processing a connection request from the Sensor component
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
You can accept, decline, or revoke a previously accepted connection request from the Sensor component.
To process a connection request from the Sensor component:
- Select the Sensor servers section in the window of the application web interface.
The Server list table displays the already connected Sensor components, and connection requests.
- In the line containing the connection request of the Sensor component, perform one of the following actions:
- If you want to connect the Sensor component, click the Accept button.
- If you do not want to connect the Sensor component, click the Reject button.
- In the confirmation window, click Yes.
The connection request from the Sensor component will be processed.
Configuring the maximum size of a scanned file
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the maximum size of a scanned file:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure the maximum size of a scanned file.
This opens the Sensor component settings page.
- Select the General settings section.
- If you want the application to scan files of any size, select the Unlimited check box.
- If you want to set a maximum size for files that the application will scan:
- Clear the Unlimited check box.
- In the field under the check box, enter the maximum allowed size of a file.
- In the drop-down list to the right of the field, select the unit of measurement.
- Click Apply.
The maximum size of a scanned file will be configured.
Configuring receipt of mirrored traffic from SPAN ports
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure receipt of mirrored traffic from SPAN ports:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure the receipt of mirrored traffic from SPAN ports.
This opens the Sensor component settings page.
- Select the SPAN traffic processing section.
The Network interfaces table is displayed.
- In the row of the network interface from which you want to configure the receipt of mirrored traffic, set the toggle switch in the SPAN traffic scanning column to Enabled.
- In the Capture thread drop-down list, select the stream that will process this network interface.
- In the Select CPU drop-down list, select the processor that will process the network traffic.
- Click Apply.
The receipt of mirrored traffic from SPAN ports will be configured.
Selecting network protocols for receiving mirrored traffic from SPAN ports
Kaspersky Anti Targeted Attack Platform can receive and process mirrored traffic, and extract objects and protocol metadata. You can configure receipt of mirrored traffic from SPAN ports.
To select network protocols for receiving mirrored traffic from SPAN ports:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure traffic capture → Setup capture protocols section using the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
This opens a window where you can enable or disable receipt of mirrored traffic from SPAN ports for the following network protocols:
- DNS
- FTP
- HTTP
- HTTP2
- SMTP
- SMB
- NFS
To analyze NFS traffic, you must mount the NFS partition and specify the version of the protocol.
Example:
for NFS v.4:
mount -t nfs -o vers=4 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
for NFS v.3:
mount -t nfs -o vers=3 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
If receipt of mirrored traffic from a SPAN port via a network protocol is enabled, [x] is displayed to the right of the network protocol name. If receiving mirrored traffic from a SPAN port is disabled for a particular network protocol, [ ] is displayed to the right of the name of that protocol.
By default, receipt of mirrored traffic from SPAN ports is enabled for all network protocols except HTTP2.
- If you want to enable or disable the receipt of mirrored traffic from SPAN ports for a particular network protocol, select that using the ↑, ↓ keys and press ENTER.
- Select the line containing Apply and Exit and press ENTER.
Network protocols for receiving mirrored traffic from SPAN ports are selected.
Configuring integration with a mail server via SMTP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over SMTP:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure integration with the mail server via SMTP.
This opens the Sensor component settings page.
- Select the SMTP integration section.
- In the State field, set the toggle switch to Enabled.
- In the Destination domains field, specify the name of the mail domain or subdomain. The application will scan email messages sent to mailboxes of the specified domains.
To exclude a domain or subdomain, prefix it with an exclamation mark, in the form !domain.tld. If you leave the mail domain name blank, the application will receive messages sent to any email address.
- In the Clients field, specify the IP addresses of hosts and/or masks of subnets (in CIDR notation) with which the application is allowed to interact over the SMTP protocol.
To exclude a host or subnet, prefix the address with an exclamation mark, in the form !host. If you leave this field blank, the application will receive the following messages:
- From any email addresses if you specified email domains in the Destination domains field.
- From a mail server in the same subnet as the server with the Sensor component if no domain is indicated in the Destination domains field.
- If you want the application to receive messages of any size, in the Message size limit settings group, select the Unlimited check box.
- If you want to set a maximum allowed size of incoming messages:
- Clear the Unlimited check box.
- In the field under the check box, enter the maximum allowed size of a message.
- In the drop-down list to the right of the field, select the unit of measurement.
- Click Apply.
Integration with a mail server via SMTP will be configured. The application will scan email messages received over the SMTP protocol according to the defined settings.
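The Destination domains and Clients fields above define a small filter language (include entries, "!" exclusions, and two different fallbacks when a field is blank). The following Python model of those rules is an added example, not code from Kaspersky Anti Targeted Attack Platform; it assumes that a domain entry also covers its subdomains, and it takes the Sensor's own subnet as a parameter (sensor_subnet) because the page does not say how that subnet is determined.

```python
import ipaddress

def _tokens(field: str):
    """Split a field value on commas/whitespace; a leading '!' marks an exclusion."""
    for tok in field.replace(",", " ").split():
        yield tok.startswith("!"), tok.lstrip("!").strip().lower()

def _domain_matches(domain: str, rule: str) -> bool:
    # Assumption: an entry covers the domain itself and every subdomain beneath it.
    domain, rule = domain.rstrip("."), rule.strip(".")
    return domain == rule or domain.endswith("." + rule)

def recipient_allowed(rcpt_to: str, destination_domains: str) -> bool:
    """Destination domains field: '!' entries exclude, the rest include;
    a blank field means mail to any address is accepted."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    includes, excludes = [], []
    for negated, rule in _tokens(destination_domains):
        (excludes if negated else includes).append(rule)
    if any(_domain_matches(domain, r) for r in excludes):
        return False
    return not includes or any(_domain_matches(domain, r) for r in includes)

def client_allowed(client_ip: str, clients: str, destination_domains: str,
                   sensor_subnet: str) -> bool:
    """Clients field: host addresses or CIDR masks, '!' entries exclude.
    Blank field: any client if Destination domains is set, otherwise only
    hosts in the Sensor's own subnet (sensor_subnet is an assumed input)."""
    addr = ipaddress.ip_address(client_ip)
    includes, excludes = [], []
    for negated, rule in _tokens(clients):
        (excludes if negated else includes).append(
            ipaddress.ip_network(rule, strict=False))
    if any(addr in net for net in excludes):
        return False
    if includes:
        return any(addr in net for net in includes)
    if any(not negated for negated, _ in _tokens(destination_domains)):
        return True
    return addr in ipaddress.ip_network(sensor_subnet, strict=False)

def message_accepted(client_ip: str, rcpt_to: str, clients: str,
                     destination_domains: str, sensor_subnet: str = "10.0.1.0/24") -> bool:
    """Both conditions must hold for the Sensor to take the message."""
    return (client_allowed(client_ip, clients, destination_domains, sensor_subnet)
            and recipient_allowed(rcpt_to, destination_domains))

# Constructed sample: accept corp.example but not its test subdomain,
# and only from the relay subnet minus one excluded host.
DOMAINS = "corp.example !test.corp.example"
CLIENTS = "192.0.2.0/24 !192.0.2.250"
```

Evaluating message_accepted("192.0.2.7", "alice@corp.example", CLIENTS, DOMAINS) returns True, while the same relay sending to bob@test.corp.example, or the excluded host 192.0.2.250 sending to anyone, is refused. The interplay of the two blank-field fallbacks is the part worth checking before going live: with Destination domains set and Clients blank, any host on the network can submit mail to the Sensor.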
If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with the mail server.
To configure fault-tolerant integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.
Configuring TLS encryption of connections with a mail server via SMTP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure TLS encryption of connections with the mail server over SMTP:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure TLS encryption of connections with the mail server over the SMTP protocol.
This opens the Sensor component settings page.
- Select the SMTP integration section.
- In the State field, set the toggle switch to Enabled if it is disabled.
- In the Client TLS security level settings group, select one of the following options:
- No TLS encryption.
The application will not employ TLS encryption of connections with a mail server.
- Allow TLS encryption for incoming messages.
The application will support TLS encryption of the connection, but encryption will not be mandatory.
- Require TLS encryption for incoming messages.
The application will receive messages only over encrypted channels.
- Click the Download TLS certificate button to save the TLS certificate of the server with the Sensor component on the computer in the browser's downloads folder.
This certificate is required for authentication on the mail server.
- In the Requesting client TLS certificate settings group, select one of the following options:
- Do not request.
The application will not verify the TLS certificate of the mail server.
- Request.
The application will request a TLS certificate from the mail server, if one is available.
- Require.
The application will receive messages only from those mail servers that have a TLS certificate.
- Click Apply.
TLS encryption of connections with the mail server over the SMTP protocol will be configured.
Configuring integration with a proxy server via ICAP
Integration with a proxy server over ICAP with feedback allows you to prevent malicious objects from entering the corporate LAN and prevent users of the host from visiting malicious or phishing websites. Kaspersky Anti Targeted Attack Platform acts as an ICAP server, and your proxy server acts as an ICAP client. The proxy server sends ICAP requests to the ICAP server. The ICAP server runs a scan and returns the result to the proxy server. If any threats are detected, a notification HTML page is displayed to the user on the host.
Enabling and disabling integration with a proxy server via ICAP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
When a standalone proxy server is used, Kaspersky Anti Targeted Attack Platform does not provide encryption of ICAP traffic or authentication of ICAP clients by default. The application administrator must take steps to ensure a secure network connection between your proxy server and Kaspersky Anti Targeted Attack Platform by using traffic tunneling or iptables.
To enable or disable integration with a proxy server via ICAP on a server with the Central Node and Sensor components installed:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Click the localhost Sensor component.
This opens the Sensor component settings page.
- Select the ICAP integration with proxy server section.
- In the Settings > <name of the server with the Sensor component> section, in the State field, do one of the following:
- If you want to enable integration with a proxy server via ICAP, move the toggle switch to Enabled.
By default, the toggle switch is in the Disabled position.
- If you want to disable integration with a proxy server via ICAP, move the toggle switch to Disabled.
- The Host field displays the URL of the Response Modification (RESPMOD) service that processes inbound traffic; the URL has the following format: icap://<host>:1344/av/respmod, where <host> is the IP address of the server where the Sensor component is installed.
To configure integration with Kaspersky Anti Targeted Attack Platform, copy this URL and paste it in the settings of the proxy server that your organization uses.
Integration with a proxy server via ICAP is enabled.
To enable or disable integration with a proxy server via ICAP on an individual server with the Sensor component:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure ICAP integration section.
To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
- This opens a window; in that window, select the Enabled line and press the ENTER key.
[x] is displayed to the right of the Enabled setting.
- In the settings of your proxy server, enter the URL from the RESPMOD field.
Integration with the proxy server and an individual server with the Sensor component via ICAP is configured.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with a proxy server.
To configure the high availability integration with the proxy server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the proxy server settings.
Integration with the proxy server will be configured based on the domain name. The proxy server will communicate with a random server in the cluster. If this server fails, the proxy server will communicate with another healthy server in the cluster.
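To see what the proxy actually sends to the RESPMOD URL from the procedures above, and what comes back when an object is blocked, here is an added example (not code from Kaspersky Anti Targeted Attack Platform or from any particular proxy) that builds an ICAP RESPMOD request in the framing defined by RFC 3507 and interprets the two answers a proxy has to handle: 204 (deliver the object unchanged) and 200 (replace it with the encapsulated response, here the notification HTML page). The host address, the HTTP headers and the payload are constructed sample data.

```python
ICAP_PORT = 1344  # port in the RESPMOD/REQMOD URLs shown in the web interface

def _chunked(body: bytes) -> bytes:
    """HTTP/1.1 chunked encoding, which ICAP uses for the encapsulated body."""
    chunk = f"{len(body):x}\r\n".encode() + body + b"\r\n" if body else b""
    return chunk + b"0\r\n\r\n"

def _dechunk(data: bytes) -> bytes:
    out, pos = bytearray(), 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2

def build_respmod(host: str, req_hdr: bytes, res_hdr: bytes, res_body: bytes) -> bytes:
    """What the proxy (ICAP client) sends to icap://<host>:1344/av/respmod for a
    downloaded object. req_hdr / res_hdr are raw HTTP header blocks ending in a blank line."""
    icap_hdr = (
        f"RESPMOD icap://{host}:{ICAP_PORT}/av/respmod ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"  # permits a 204 answer instead of echoing the whole object back
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + req_hdr + res_hdr + _chunked(res_body)

def handle_response(raw: bytes):
    """Interpret the ICAP server's answer: returns (action, http_header_block, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(b":", 1) for ln in lines[1:])}
    if status == 204:
        return "pass", None, None  # deliver the original object unchanged
    if status != 200:
        raise ValueError(f"unexpected ICAP status {status}")
    enc = dict(item.strip().split("=")
               for item in headers[b"encapsulated"].decode().split(","))
    hdr_off, body_off = int(enc.get("res-hdr", 0)), int(enc["res-body"])
    return "replace", rest[hdr_off:body_off], _dechunk(rest[body_off:])

# Constructed sample traffic (not a capture from a real deployment).
SAMPLE_HOST = "198.51.100.10"
SAMPLE_REQ_HDR = b"GET /tools/setup.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SAMPLE_BODY = b"MZ\x90\x00" + b"\x00" * 60

def sample_block_response(html: bytes = b"<html><body>File blocked</body></html>") -> bytes:
    """Constructed ICAP 200 answer carrying a replacement page, as for a blocked download."""
    res_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    icap_hdr = f"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n\r\n"
    return icap_hdr.encode() + res_hdr + _chunked(html)
```

The same framing applies to the REQMOD URL used for real-time scanning, with the REQMOD method and a req-body offset instead of res-body. Note that nothing in this exchange is encrypted or authenticated, which is why the page tells you to restrict reachability of port 1344 to the proxy with tunneling or iptables.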
Enabling or disabling real-time scanning of ICAP traffic
You can enable or disable real-time scanning of ICAP traffic if integration with a proxy server via ICAP is enabled.
If real-time scanning of ICAP traffic is enabled, Kaspersky Anti Targeted Attack Platform sends information about scanned objects to the ICAP client in real time. This helps prevent downloading malicious objects and clicking untrusted links.
To enable or disable real-time scanning of ICAP traffic on a server with the Central Node and Sensor components installed:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Click the localhost Sensor component.
- Select the ICAP integration with proxy server section.
When integration is enabled under Settings > <Sensor server name>, the Real-time scanning section is displayed.
- Under Real-time scanning, select one of the following options:
- Disabled.
If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.
- Enabled, standard ICAP traffic scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files remain available while they are being scanned by the Sandbox component.
- Enabled, advanced ICAP traffic scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files are unavailable while they are being scanned by the Sandbox component.
- Click Apply.
- If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, the Host field displays the URL of the Request Modification (REQMOD) service that processes outbound traffic in the following format: icap://<host>:1344/av/reqmod, where <host> is the IP address of the server where the Sensor component is installed. To configure integration with Kaspersky Anti Targeted Attack Platform, copy this URL and paste it in the settings of the proxy server that your organization uses.
Real-time scanning of ICAP traffic is enabled or disabled.
To enable or disable real-time scanning of ICAP traffic on an individual server with the Sensor component installed:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure ICAP integration section.
To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
- This opens a window; in that window, make sure that [x] is displayed to the right of the Enabled setting.
- Select one of the following options:
- Disable real-time scanning.
If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.
- Standard ICAP scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Anti-Malware Engine and YARA modules.
- Advanced ICAP scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules.
- Select an option and press ENTER. (O) is displayed to the right of the selected option.
To select a row, you can use the ↑ and ↓ keys. The selected row is highlighted in red.
- If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, specify the URL from the REQMOD field in the settings of your proxy server.
Real-time scanning of ICAP traffic on an individual server with the Sensor component is enabled or disabled.
If you enabled real-time scanning of ICAP traffic, scanning does not work if integration with the proxy server is disabled. All ICAP traffic scanning settings are saved. When you re-enable integration with the proxy server, ICAP traffic scanning is also enabled.
Configuring real-time scanning of ICAP traffic
Real-time ICAP traffic scanning on standalone servers with the Sensor component can only be configured in Technical Support Mode. To perform actions in Technical Support Mode, we recommend contacting Technical Support.
You can configure real-time ICAP traffic scanning on a server with the Central Node and Sensor components for anti-virus scanning of data. Scan results are displayed to the user of the host on a notification HTML page.
To configure real-time ICAP traffic scanning:
- In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.
The ICAP traffic scanning settings page is displayed.
By default, under Notifications, pages corresponding to the following events are loaded:
- The page uploaded in the Link blocked field is displayed if a threat is detected at the address requested by the user.
- The page uploaded in the File blocked field is displayed if a threat is detected in a scanned file.
- The page uploaded in the Scan file field is displayed if a file scan is started. If the file is safe, the user can click a link to download the file.
- The page uploaded in the File expired field is displayed if the file was scanned, but the storage duration for that file has expired.
By default, HTML pages from the distribution kit are loaded in Kaspersky Anti Targeted Attack Platform. You can upload your own notification pages and configure how they must be displayed. The size of a notification page must not exceed 1.5 MB. If the uploaded notification page is larger than 1.5 MB, an error is displayed.
- Under File block threshold, in the Sandbox detection severity field, select a value from the drop-down list. These values correspond to the possible impact of the alert on the security of a computer or your corporate network based on the expert opinion of Kaspersky.
This setting can take one of the following values:
- High for a high-importance alert. This option is selected by default.
- Medium for a medium-importance alert.
- Low for a low-importance alert.
- Under Scan timeout, in the Timeout field, specify the time after which the link to the scanned file is unblocked and downloading the scanned file becomes possible.
The default value is 10 minutes. You can set any value greater than 1 minute.
- Click Apply.
The scan is performed with the specified settings.
Configuring the display of notification pages
While scanning ICAP traffic in real time, Kaspersky Anti Targeted Attack Platform can perform various operations with the scanned objects: block access to a URL, block a file download, prevent the file from being downloaded while it is being scanned, and offer to re-download the file if its storage duration has expired after scanning. While these operations are in progress, an HTML notification page is displayed to the user on the host on which the URL access attempt or file download request was made. If you want to display your own pages instead of the default pages, you can upload your own customized HTML pages.
To upload a notification page:
- In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.
- In the Notifications section, click Browse next to one of the fields you need.
- This opens a window; in that window, select your HTML page.
- Click Open.
Your page is uploaded.
The notification page of the Scan file event is different from other notification pages because it includes a link to download the file. If you want to upload a Scan file notification page, you must add a scanned file download link to the source code of the notification page.
Example:
<html>
<body>
<p>The file is being scanned. When the scan is completed, you will be able to download it or you will receive a report about any detected threats.</p>
<a href="{{ download_url }}">Download link...</a>
</body>
</html>
Configuring raw network traffic recording
With Kaspersky Anti Targeted Attack Platform, you can save raw network traffic for investigation and detection of malicious activity within the perimeter of your corporate LAN. With raw network traffic recording, you can perform retrospective analysis of network events and investigate the actions of hackers. Raw network traffic is saved as dumps in PCAP format.
To save raw network traffic, you need to enable and configure raw network traffic recording.
Enabling and configuring raw network traffic recording on a server with the Sensor and Central Node components installed
If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server that you want to configure.
To enable and configure raw network traffic recording on a server with the Central Node and Sensor components installed:
- Connect and configure external storage.
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component with the name localhost.
This opens the Sensor component settings page.
- Select the SPAN traffic processing section.
The Network interfaces table is displayed.
- Go to the Traffic recording tab.
- In the Record traffic field, set the toggle switch to Enabled.
By default, the toggle switch is in the Disabled position.
Raw network traffic recording on the server with the Central Node and Sensor components installed is enabled. Raw traffic recording settings are displayed.
By default, raw network traffic is saved to the /mnt/kaspersky/nta/dumps directory. You cannot change the directory for raw network traffic recording. You can view raw network traffic dumps in the /data/volumes/dumps directory.
- If necessary, edit raw network traffic recording settings:
- Under Dump storage size, in the Maximum storage size field, specify the maximum size of raw traffic dumps to be stored in dump storage.
The minimum value is 100 GB, which is also the default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected disk must have at least the specified amount of free disk space.
If the size of dumps in dump storage exceeds the Maximum storage size value, the earliest dumps are deleted, the total size of which is equal to the size of the new dumps.
If you reduce the maximum dump storage size, the earliest dumps are deleted, the total size of which is equal to the Maximum storage size change.
- If you want to restrict data capture in raw network traffic, under Traffic filtering upon saving, in the State field, set the toggle switch to Enabled. Traffic filtering can reduce the size of dumps in dump storage and facilitate traffic analysis.
If you have set the toggle switch in the State field to Enabled, enter the filtering rule in the BPF filtering rule field. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
- If you want to set a storage duration for raw network traffic dumps, under Dump storage duration, in the State field, set the toggle switch to Enabled. In the Store for field, enter the raw network traffic dump storage duration in days. Raw network traffic dumps that are stored longer than the specified duration are deleted from the storage.
- Click Apply.
Raw network traffic recording on the server with the Sensor and Central Node components is performed in accordance with the specified settings.
The First saved dump field displays the date and time of the first saved raw network traffic dump, and the Last saved dump field displays the date and time of the last raw network traffic dump.
Enabling and configuring raw network traffic recording on a standalone server with the Sensor component
To enable raw network traffic recording on a standalone server with the Sensor component:
- Connect and configure external storage.
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press Enter.
- Go to the Program settings → Configure traffic capture section.
To select a row, you can use the ↑, ↓, and Enter keys. The selected row is highlighted in red.
- This opens a window; in that window, select the Enabled traffic storage line and press Enter.
[x] is displayed to the right of the title of the line.
Raw network traffic recording on the standalone server with the Sensor component will be enabled.
- If necessary, edit raw network traffic recording settings:
- Select the Traffic storage size line and press Enter. This opens a window; in that window, specify the maximum total size of stored raw traffic dumps, in terabytes.
The minimum value is 100 GB, which is also the default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected drive must have at least the specified amount of free disk space. If the number entered in this field exceeds the free disk space on the connected drive, an error is displayed.
- Select the OK button and press Enter.
- Select the Traffic capture BPF-filter line and press Enter. This opens a window; in that window, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502.
- Select the OK button and press Enter.
- Select the Traffic storage duration (in days) line and press Enter. This opens a window; in that window, enter the storage duration for raw network traffic dumps in the storage, in days.
- Select the OK button and press Enter.
Raw network traffic recording on the standalone server with the Sensor component is performed in accordance with the specified settings.
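The dumps produced by either procedure above are ordinary PCAP files, so retrospective analysis can be done with any pcap tooling. As an added example (not code from Kaspersky Anti Targeted Attack Platform), the following Python reads a classic pcap file and applies the same selection as the page's filter expression, tcp port 102 or tcp port 502, which is what you would run over a dump recorded without a BPF filter. The three-packet dump is constructed in memory so the example runs offline; the parser handles only plain Ethernet/IPv4/TCP (no VLAN tags, no IP fragments), which is a deliberate simplification and not a statement about what the recording contains.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
WATCH_PORTS = frozenset({102, 502})  # the page's example filter: tcp port 102 or tcp port 502

def _ip4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))

def tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; test input, not real traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst))
    return eth + ip + tcp

def build_pcap(frames) -> bytes:
    """Write frames into an in-memory classic pcap file (little-endian, microsecond stamps)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap(data: bytes):
    """Yield (ts_sec, frame) records; accepts both byte orders of the classic pcap magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec, data[pos:pos + incl_len]
        pos += incl_len

def tcp_endpoints(frame: bytes):
    """(src, dst, sport, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    offset = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header (IHL)
    if len(frame) < offset + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[offset:offset + 4])
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return dotted(frame[26:30]), dotted(frame[30:34]), sport, dport

def filter_dump(data: bytes, ports=WATCH_PORTS):
    """Equivalent of 'tcp port A or tcp port B': TCP records touching any listed port."""
    hits = []
    for ts, frame in iter_pcap(data):
        ep = tcp_endpoints(frame)
        if ep and (ep[2] in ports or ep[3] in ports):
            hits.append((ts, *ep))
    return hits

def sample_dump() -> bytes:
    """Constructed three-packet dump: one flow to port 502, one to port 102, one to 443."""
    return build_pcap([
        tcp_frame("10.0.0.1", "10.0.0.2", 40000, 502, bytes.fromhex("000100000006010300000a")),
        tcp_frame("10.0.0.3", "10.0.0.4", 40001, 102),
        tcp_frame("10.0.0.5", "10.0.0.6", 40002, 443),
    ])
```

To run it against a real recording, pass the bytes of a file from /data/volumes/dumps to filter_dump instead of sample_dump(). For anything beyond plain Ethernet/IPv4/TCP, read the dump with libpcap-based tooling and the same BPF expression rather than extending this parser.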
Configuring integration with a mail server via POP3
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over POP3:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure integration with the mail server via POP3.
This opens the Sensor component settings page.
- Select the POP3 integration section.
- Set the toggle switch next to the State parameter to Enabled.
- In the Mail server field, specify the IP address of the mail server with which you want to configure integration.
- In the Port field, specify the port for connecting to the mail server.
- In the Receive every field, specify the mail server connection frequency (in seconds).
- If you want to use TLS encryption of connections with the mail server via POP3, select the Use TLS encryption check box.
- In the User name field, specify the account name used for accessing the mail server.
- In the Password field, specify the password for accessing the mail server.
The mail server must support Basic Authentication.
- In the TLS certificate drop-down list, select one of the following options:
- Accept any.
- Accept untrusted self-signed.
- Accept only trusted.
When establishing a connection with an external mail server, it is recommended to configure the acceptance of only trusted TLS certificates. If you accept untrusted TLS certificates, protection of the connection against MITM attacks cannot be guaranteed. Even though the acceptance of trusted TLS certificates also cannot guarantee protection of the connection against MITM attacks, it is the most secure of the supported methods for integration with a mail server over the POP3 protocol.
- If necessary, in the Cipher suite field, modify the OpenSSL settings used when establishing a connection with the mail server via POP3.
You can view reference information on OpenSSL by clicking the Help link.
- Click Apply.
Integration with the mail server via POP3 will be configured.
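The three TLS certificate options above differ only in how much of the server's certificate a client checks. The following Python script is an added example (not Kaspersky code) that maps each option onto a standard TLS client: "Accept only trusted" validates the chain against the CA store and checks the host name, "Accept any" validates nothing, and "Accept untrusted self-signed" is modelled here as pinning the server certificate by its SHA-256 fingerprint after the handshake (how the product itself implements that option is not stated on the page). The cipher-suite argument uses the same OpenSSL cipher-list notation as the Cipher suite field; the option names, function names and the pinned fingerprint are assumptions of this example.

```python
import hashlib
import hmac
import poplib
import ssl

# Option names as they appear in the TLS certificate drop-down list on the page.
ACCEPT_ANY = "Accept any"
ACCEPT_SELF_SIGNED = "Accept untrusted self-signed"
ACCEPT_TRUSTED = "Accept only trusted"


def build_tls_context(tls_option, cipher_suite=None):
    """Return an ssl.SSLContext that enforces the chosen certificate policy.

    cipher_suite is an OpenSSL cipher-list string (e.g. "ECDHE+AESGCM").
    TLS 1.3 suites are governed separately by OpenSSL and are not affected
    by set_ciphers(); a list that matches nothing raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()  # system CA store, TLS 1.2+ only
    if tls_option == ACCEPT_TRUSTED:
        # Chain must validate to a trusted CA and the name must match the host.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif tls_option in (ACCEPT_ANY, ACCEPT_SELF_SIGNED):
        # No chain validation. For ACCEPT_SELF_SIGNED the caller must pin the
        # certificate (see connect_pop3); ACCEPT_ANY gives no MITM protection.
        ctx.check_hostname = False  # must be cleared before CERT_NONE is set
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unknown TLS certificate option: {tls_option!r}")
    if cipher_suite:
        ctx.set_ciphers(cipher_suite)
    return ctx


def policy_summary(tls_option, cipher_suite=None):
    """Describe, as plain booleans, what a context built for an option enforces."""
    ctx = build_tls_context(tls_option, cipher_suite)
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "cipher_count": len(ctx.get_ciphers()),
    }


def sha256_fingerprint(der_cert):
    """Lower-case hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert, expected):
    """Constant-time comparison against a pinned fingerprint ("AB:CD:..." or plain hex)."""
    normalized = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalized)


def connect_pop3(host, port, tls_option, pinned_fingerprint=None, cipher_suite=None):
    """Open a POP3-over-TLS session under the given policy (requires network access).

    For ACCEPT_SELF_SIGNED the handshake is completed without chain validation and
    the presented certificate is then compared with the operator-supplied pin.
    """
    ctx = build_tls_context(tls_option, cipher_suite)
    conn = poplib.POP3_SSL(host, port, context=ctx)
    if tls_option == ACCEPT_SELF_SIGNED:
        der = conn.sock.getpeercert(binary_form=True)
        if pinned_fingerprint is None or not fingerprint_matches(der, pinned_fingerprint):
            conn.close()
            raise ssl.SSLCertVerificationError(
                "server certificate does not match the pinned fingerprint")
    return conn
```

A practitioner checking an existing integration can compare the `policy_summary` of the configured option with what the mail server's certificate actually supports; if "Accept only trusted" fails to connect, the fix is to install the server's issuing CA rather than to fall back to "Accept any".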
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with the mail server.
To configure high availability integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.
Viewing the table of servers of the cluster
To view the table of cluster servers:
- In a browser on any computer on which access to the Central Node server has been allowed, enter the IP address of any server in the Central Node cluster or the fully qualified domain name (FQDN) of the cluster into the address bar of your browser.
An input window for account credentials of the Kaspersky Anti Targeted Attack Platform user opens.
- Enter the administrator user name "admin" and the password that was set during installation of the application.
- Select the Local administrator check box.
- Click Log in.
This opens a web interface window in which you can manage application sizing.
- Go to the Cluster section.
A window with a table will open.
The table contains the following information:
- Server type—server type depending on its role in the cluster.
The following values can be displayed:
- Storage.
- Processing.
- Status—server status.
The following values can be displayed:
- Connected.
- Not connected.
- Host name—server name.
- IP—IP address of the server.
- RAM—RAM load level of the server.
- CPU—CPU load level of the server.
- Action—Actions that you can perform with the server.
The following action is available: Delete.
Adding a server to a cluster
To add a server to the cluster, you need to start the installation of Kaspersky Anti Targeted Attack Platform on this server and follow the steps to install the components. The added server is displayed in the cluster server list.
Increasing the disk space on the storage server
You can increase the disk space on an operational storage server by installing an additional disk.
To increase the disk space of the storage server by means of an additional disk, you need to contact Technical Support.
The server is configured in Technical Support Mode.
Decommissioning servers
To decommission an operational server, you need to contact Technical Support.
If a server fails, you can decommission it on your own.
To decommission an inoperable processing server:
- Add a new processing server to the cluster.
- Remove the server from the cluster.
- Configure the sizing of the application for the new configuration.
The processing server will be decommissioned.
To decommission an inoperable storage server:
- Add a new storage server to the cluster.
- Contact Technical Support to remove the inoperable server from the cluster.
The storage server will be decommissioned.
Removing a server from a cluster
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
A removed server cannot be restored. Make sure that the selected server is not operational.
To remove a server from the cluster:
- Log in to the web interface for sizing management.
- Go to the Cluster section.
- In the Action column, click the Delete link opposite the server that you want to remove.
- Click Proceed.
The removal process will start. Removal may take about a day. Information about the removed server will not be displayed in the table of servers.
After removing the server, you can reconfigure the servers in the cluster or add a server with the same role to maintain the same level of application performance.
Starting up and shutting down the cluster
To shut down or start the cluster, we recommend contacting Technical Support. Do not shut down or start the cluster if you encounter problems with application health.
If you want to power off the healthy servers in the cluster, you must first shut down the cluster to avoid data loss.
To shut down a cluster:
- In a browser on any computer on which access to the Central Node server has been allowed, enter the IP address of the server with the Central Node component into the browser's address bar.
If you are using the high availability version of the application, you can enter the IP address of any server of the Central Node cluster or the fully qualified domain name (FQDN) of the cluster.
An input window for account credentials of the Kaspersky Anti Targeted Attack Platform user opens.
- Enter the administrator user name "admin" and the password that was set during installation of the application.
- Select the Local administrator check box.
- Click Log in.
This opens a web interface window in which you can manage application sizing.
- Go to the Cluster section.
- Click the Shut down button.
The main components of the application are stopped. You can now power off the cluster servers.
To start up the cluster servers:
- Disconnect power to the servers if it has not been previously disconnected.
- Power on the storage server.
- Power up the remaining servers.
The cluster servers will start up.
The scaling management web interface becomes available when more than half of the cluster servers are started. For example, if there are 7 servers in the cluster, the web interface will be available when 4 servers of the cluster are powered on.
Powering off servers in a cluster
If necessary, you can power off a server in the cluster in one of the following ways:
- End the session in the application menu.
- Power off the server over SSH or through the terminal.
To power off the server over SSH or through the terminal:
- Sign in to the management console of the server that you want to power off over SSH or through a terminal.
- Run the shutdown -h now command.
The server is powered off.
High availability of the application is not guaranteed when a server in the cluster is powered off.
The recommended interval between powering on a server and powering off another server is 6 hours.
Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
Maintaining a high load on the CPU and RAM of the Central Node and Sensor servers may prevent application components from working.
You can configure maximum values for the CPU and RAM loads on Central Node and Sensor servers; if these are exceeded, the upper part of the Dashboard section of the application web interface for users with the Senior security officer, Security officer, Administrator, or Local administrator roles displays a yellow warning box. You can also configure notifications to be sent to one or more email addresses and an SNMP protocol connection for sending information about the CPU and RAM load to external systems that support this protocol.
If you have deployed the Central Node and Sensor components as a cluster, warnings are displayed separately for each server in the cluster.
Users with the Senior security officer or Security officer role can also create rules for sending notifications. In this case, sending notifications correctly requires configuring maximum allowed load values for the CPU and RAM of servers, as well as notification settings on the server.
In existing rules for sending notifications about application components, the CPU load and RAM load notifications are enabled automatically if the All check box is selected under Components when the rule is created.
Configuring the maximum allowable CPU and RAM load of the Central Node and Sensor servers
In the distributed solution and multitenancy mode, you need to set the maximum allowed load values for the CPU and RAM load of each Central Node server from which you want to receive notifications. If you use a Central Node cluster, you can configure these settings on any cluster server.
To configure the maximum allowed load on the CPU and RAM of the Central Node and Sensor servers:
- In the window of the application web interface, select the Settings section, General settings subsection.
- Under Monitoring:
- In the Warning of CPU usage above N % for M min field, enter the maximum allowed CPU usage and time period for which the maximum load can be maintained.
By default, the maximum CPU load is 95% for 5 minutes.
- In the Warning of RAM usage above N % for M min field, enter the maximum allowed RAM usage and time period for which the maximum usage can be maintained.
By default, the maximum RAM usage is 95% for 5 minutes.
- Click Apply.
The maximum allowed load of server CPU and RAM will be configured. If one of the values is exceeded on the Central Node and/or Sensor server, in the upper part of the Dashboard section of the application web interface for users with Senior security officer, Security officer, Administrator, or Local administrator role, a yellow warning box is displayed.
Configuring the SNMP protocol connection
You can send information about the CPU and RAM load on Central Node and Sensor servers to external systems that support the SNMP protocol. To do so, you must configure the connection for the protocol.
If the Central Node component is deployed as a cluster, data about the CPU and RAM load of each server in the cluster is sent to external systems.
To configure the SNMP protocol connection on the Central Node server:
- In the window of the application web interface, select the Settings section, General settings subsection.
- Under SNMP, select the Use SNMP check box.
- In the Protocol version field, select a protocol version:
- v2c.
- v3.
- If you selected the v2c protocol version, in the Community string field, enter the password that will be used for connecting to Kaspersky Anti Targeted Attack Platform.
- If you selected v3:
- In the Authentication protocol field, select one of the following options for checking the accuracy and integrity of data sent to the external system:
- MD5.
- SHA256.
- In the User name field, enter the user name.
- In the Password field, enter the password for authentication.
User name and password configured in the User name and Password fields must match the user name and password configured when creating the account in the external system. If the credentials do not match, the connection cannot be established.
- In the Privacy protocol field, select an encryption type:
- DES.
- AES.
- In the Password field, enter the encryption password.
The password configured in this field must match the password configured in the external system.
Protocol connection on the Central Node server is configured. If the request for data is successfully processed, the server of the external system displays information about CPU and RAM load of the Central Node server.
To configure the SNMP protocol connection on the Sensor server:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
The application component administrator menu is displayed.
- Follow steps 2 through 5 of the instructions above.
Protocol connection on the Sensor server is configured. If the request is successfully processed, the server of the external system displays information about CPU and RAM load of the Sensor server.
In distributed solution and multitenancy mode, SNMP connection settings for each PCN, SCN, and Sensor server must be configured separately.
Description of MIB objects of Kaspersky Anti Targeted Attack Platform
The tables below provide information about MIB objects of Kaspersky Anti Targeted Attack Platform.
Information about hard drive, CPU, and RAM load of Central Node and Sensor servers
Symbolic name | Description | Object identifier (OID)
---|---|---
 | Total size of the disk or partition, KB. | 1.3.6.1.4.1.2021.9.1.6
 | Available space on the disk, KB. | 1.3.6.1.4.1.2021.9.1.7
 | Used space on the disk, KB. | 1.3.6.1.4.1.2021.9.1.8
 | Percentage of space used on disk, %. | 1.3.6.1.4.1.2021.9.1.9
 | System load average for 1, 5 and 15 minutes. | 1.3.6.1.4.1.2021.10.1.3
 | Total RAM size, KB. | 1.3.6.1.4.1.2021.4.5
 | Total RAM used, KB. | 1.3.6.1.4.1.2021.4.6
 | Total RAM free, KB. | 1.3.6.1.4.1.2021.4.11
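The warning described under Monitoring ("usage above N % for M min") fires only when the load stays above the threshold for the whole period, and the RAM figures an external system receives over SNMP are the raw KB counters listed in the table above. The following Python script is an added example, not part of the product, that ties the two together: it derives a RAM usage percentage from the total and free OIDs of the table and applies a sustained-threshold window to a sequence of polls. The polling interval, the sample values and the function names are assumptions of this example; the page gives no symbolic names for the OIDs, so only the numeric identifiers are used.

```python
from collections import deque

# OIDs copied from the page's MIB table (UCD-SNMP subtree).
OID_MEM_TOTAL_KB = "1.3.6.1.4.1.2021.4.5"
OID_MEM_FREE_KB = "1.3.6.1.4.1.2021.4.11"
OID_LOAD_AVG = "1.3.6.1.4.1.2021.10.1.3"   # load average for 1, 5 and 15 minutes


def ram_usage_percent(snapshot):
    """RAM usage in percent from the total and free counters of one SNMP poll."""
    total = snapshot[OID_MEM_TOTAL_KB]
    free = snapshot[OID_MEM_FREE_KB]
    if total <= 0:
        raise ValueError("total RAM must be positive")
    return 100.0 * (total - free) / total


class SustainedLoadMonitor:
    """Raise a warning only when every sample in the last `minutes` is above the threshold.

    A single sample below the threshold breaks the run, so a short dip resets the window,
    which is the behaviour a "N % for M min" setting implies.
    """

    def __init__(self, threshold_percent=95, minutes=5, sample_interval_s=60):
        if minutes <= 0 or sample_interval_s <= 0:
            raise ValueError("minutes and sample_interval_s must be positive")
        self.threshold = threshold_percent
        # Number of consecutive samples that span the configured period.
        self.window = max(1, (minutes * 60) // sample_interval_s)
        self.samples = deque(maxlen=self.window)

    def observe(self, percent):
        """Record one sample; return True if the warning condition is met now."""
        self.samples.append(percent)
        return len(self.samples) == self.window and all(
            p > self.threshold for p in self.samples)


def warning_points(values, threshold_percent=95, minutes=5, sample_interval_s=60):
    """Indexes of a sample sequence at which the warning would be raised."""
    mon = SustainedLoadMonitor(threshold_percent, minutes, sample_interval_s)
    return [i for i, v in enumerate(values) if mon.observe(v)]


# Constructed sample: eight one-minute SNMP polls of a server with 16 GB of RAM
# (values invented for this example, not captured from a real system).
SAMPLE_POLLS = [
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 640_000},    # 96 %
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 480_000},    # 97 %
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 1_600_000},  # 90 %: dip resets the window
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 320_000},    # 98 %
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 160_000},    # 99 %
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 480_000},    # 97 %
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 640_000},    # 96 %
    {OID_MEM_TOTAL_KB: 16_000_000, OID_MEM_FREE_KB: 320_000},    # 98 %
]


def ram_warning_indexes(polls=SAMPLE_POLLS, threshold_percent=95, minutes=5):
    """Apply the default 95 % for 5 min rule to a list of RAM polls taken one minute apart."""
    return warning_points([ram_usage_percent(p) for p in polls],
                          threshold_percent, minutes, sample_interval_s=60)


if __name__ == "__main__":
    print("RAM warning at poll indexes:", ram_warning_indexes())
```

With the constructed polls the warning is raised only at the eighth poll, because the 90 % reading at the third poll restarts the five-minute run; an external system that alerts on any single reading above 95 % would have fired twice earlier.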
Managing Endpoint Agent host information
The application that is used as the Endpoint Agent component is installed on individual computers (hereinafter also referred to as "hosts") in the IT infrastructure of the organization. The application continuously monitors processes running on those hosts, active network connections, and files that are being modified.
Users with the Senior security officer, Security officer, Security auditor, Local administrator, or Administrator role can assess how regularly data is received from hosts with the Endpoint Agent component on the Endpoint Agents tab of the web interface window of the Central Node server for tenants to whose data the user has access. If you are using the distributed solution and multitenancy mode, the web interface of the PCN server displays the list of hosts with the Endpoint Agent component for the PCN and all connected SCNs.
Users with the Local administrator and Administrator roles can configure the display of how regularly data is received from hosts with Endpoint Agent for tenants to whose data they have access.
If suspicious network activity is detected, users with the Senior security officer role can isolate from the network any host with Kaspersky Endpoint Agent, for tenants to whose data the user has access. In this case, the connection between the server with the Central Node component and a host with the Endpoint Agent component will not be interrupted.
In order to provide support in case of problems with the Endpoint Agent component, Technical Support staff may ask you to perform the following actions for debugging purposes (including in Technical Support Mode):
- Activate collection of extended diagnostic information.
- Modify the settings of individual application components.
- Modify the settings for storing and sending the obtained diagnostic information.
- Configure network traffic to be intercepted and saved to a file.
Technical Support staff will provide all the information needed to perform these operations (description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose utilities, and other resources) and inform you about the scope of data obtained for debugging purposes. The retrieved diagnostic information is saved on the user's computer. The retrieved data is not automatically sent to Kaspersky.
The operations listed above should be performed only when instructed by and under the supervision of Technical Support experts. Unsupervised changes to application settings performed in ways other than those described in this manual or according to the instructions of Technical Support experts can slow down or crash the operating system, reduce computer security, or compromise the availability and integrity of data being processed.
Selecting a tenant to manage in the Endpoint Agents section
If you are using the distributed solution and multitenancy mode, prior to using the Endpoint Agents section, you must select the tenant whose data you want to view.
To select a tenant to manage in the Endpoint Agents section:
- In the upper part of the application web interface menu, click the arrow next to the name of the tenant.
- In the drop-down list, select a tenant.
Data for the selected tenant is displayed. If you want to select a different tenant, repeat the steps to select the tenant.
Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
The table of hosts with the Endpoint Agent component is located in the Endpoint Agents section of the application web interface window.
The table can display the following data:
- Number of hosts and activity indicators of the Endpoint Agent component:
- Critical inactivity is the number of hosts from which latest data was received a very long time ago.
- Warning is the number hosts from which latest data was received a long time ago.
- Normal activity is the number of hosts from which latest data was recently received.
- Host—Name of the host with the Endpoint Agent component.
- Servers—Names of servers to which the host with the Endpoint Agent component is connected.
This field is displayed if you are using the distributed solution and multitenancy mode.
- IP—IP address of the computer where the Endpoint Agent component is installed.
- OS—Version of the operating system that is installed on the computer with the Endpoint Agent component.
- Version is the version of the application that is used in the role of the Endpoint Agent component.
- Activity—Activity indicator of the Endpoint Agent component. Possible values:
- Normal activity for hosts from which latest data was recently received.
- Warning for hosts from which latest data was received a long time ago.
- Critical inactivity for hosts from which latest data was received an extremely long time ago.
- Last connection for the date and time of the last connection of the Endpoint Agent component to the Central Node server.
Clicking a link in a column of the table opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Copy value to clipboard.
Viewing information about a host
To view information about a host with the Endpoint Agent component:
- Select the Endpoint Agents section in the window of the application web interface.
- Select the host for which you want to view information.
This opens a window containing information about the host.
The window contains the following information:
- In the Host section:
- Name is the name of the host with the Endpoint Agent component.
- IP is the IP address of the host where the Endpoint Agent component is installed.
- OS is the version of the operating system on the host with the Endpoint Agent component installed.
- Server—Name of the SCN or PCN server. Only displayed in distributed solution and multitenancy mode.
- In the Endpoint Agent section:
- Version is the version of the application that is used in the role of the Endpoint Agent component.
- Activity is the activity indicator of the Endpoint Agent component. Possible values:
- Normal activity for hosts from which latest data was recently received.
- Warning for hosts from which latest data was received a long time ago.
- Critical inactivity for hosts from which latest data was received an extremely long time ago.
- Connected to server—Name of the Central Node, SCN, or PCN server to which the host is connected.
- Last connection—time of the last connection to the Central Node, SCN, or PCN server.
- License key status is the status of the license key of the application that is used as the Endpoint Agent component.
The following action is available by clicking the links with the host name and its IP address: Copy value to clipboard.
Filtering and searching hosts with the Endpoint Agent component by host name
To filter or search for hosts with the Endpoint Agent component by host name:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- If you want to display only isolated hosts, select the Show isolated Endpoint Agents only check box.
- In the drop-down list, select one of the following filtering operators:
- Contain.
- Not contain.
- In the entry field, specify one or several characters of the host name.
- To add a filter condition using a different criterion, click the corresponding button and specify the filter condition.
- If you want to delete the filter condition, click the button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
To filter or search for hosts with the Endpoint Agent component that are isolated from the network:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- Select the Show isolated Endpoint Agents only check box.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
If you are using the distributed solution and multitenancy mode, you can filter or find hosts with the Kaspersky Endpoint Agent component based on the names of PCN and SCN servers to which those hosts are connected.
To filter or search for hosts with the Endpoint Agent component by the names of PCN and SCN servers:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Servers link to open the filter configuration window.
- Select check boxes next to names of servers by which you want to filter or search for hosts with the Endpoint Agent component.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by computer IP address
To filter or search for hosts with the Endpoint Agent component by IP address of the computer on which the application is installed:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the IP link to open the filter configuration window.
- In the drop-down list, select one of the following filtering operators:
- Contain.
- Not contain.
- In the entry field, specify one or several characters of the computer IP address. You can enter the IP address or subnet mask in IPv4 format (for example, 192.0.0.1 or 192.0.0.0/16).
- To add a filter condition using a different criterion, click the corresponding button and specify the filter condition.
- If you want to delete the filter condition, click the button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
To filter or search for hosts with the Endpoint Agent component by version of the operating system installed on the computer:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the OS link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
- Contain.
- Not contain.
- In the entry field, specify one or several characters of the operating system version.
- To add a filter condition using a different criterion, click the corresponding button and specify the filter condition.
- If you want to delete the filter condition, click the button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by component version
You can filter hosts by version of the application that is used in the role of the Endpoint Agent component.
To filter or search for hosts with the Endpoint Agent component by component version:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Version link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
- Contain.
- Not contain.
- In the entry field, specify one or more characters of the version of the application that is used as the Endpoint Agent component.
- To add a filter condition using a different criterion, click the corresponding button and specify the filter condition.
- If you want to delete the filter condition, click the button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by their activity
To filter or search for hosts with the Endpoint Agent component by their activity:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Click the Activity link to open the filter configuration window.
- Select check boxes next to one or multiple activity indicators:
- Normal activity, if you want to find hosts from which the last data was recently received.
- Warning, if you want to find hosts from which the last data was received a long time ago.
- Critical inactivity, if you want to find hosts from which the last data was received an extremely long time ago.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Quickly creating a filter for hosts with the Endpoint Agent component
To quickly create a filter for hosts with the Endpoint Agent component:
- Select the Endpoint Agents section in the window of the application web interface.
This opens the table of hosts.
- Do the following to quickly add filter conditions to the filter being created:
- Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
- Left-click it.
This opens a list of actions to perform on the value.
- In the list that opens, select one of the following actions:
- Filter by this value, if you want to include this value in the filter condition.
- Exclude from filter, if you want to exclude the value from the filter condition.
- If you want to add several filter conditions to the filter being created, perform the actions to quickly add each filter condition to the filter being created.
The table displays only those hosts that match the filter criteria you have set.
Resetting the filter for hosts with the Endpoint Agent component
To clear the Endpoint Agent host filter for one or more filtering criteria:
- Select the Endpoint Agents section in the window of the application web interface.
- Click the button to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table displays only those hosts that match the filter criteria you have set.
Configuring activity indicators of the Endpoint Agent component
Users with the Local administrator and Administrator roles can define what durations of inactivity of the application that is used as the Endpoint Agent component are to be considered normal, low, or very low activity, and can configure the activity indicators for the application. Users with the Security auditor role can only view the settings of application activity indicators. Users with the Senior security officer or Security officer role can see activity indicators that you configured for the Endpoint Agent component in the Activity field of the Endpoint Agent host table in the Endpoint Agents section of the application web interface.
To configure activity indicators for the Endpoint Agent component:
- Sign in to the application web interface under the Local administrator, Administrator or Senior security officer account.
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- In the fields under the section name, enter the number of days of inactivity of hosts with the Endpoint Agent component that you want to display as Warning and Critical inactivity.
- Click Apply.
Activity indicators of the Endpoint Agent component are configured.
Removing hosts with the Endpoint Agent component
To remove one or more hosts from the Endpoint Agents table:
- Select the Endpoint Agents section in the window of the application web interface.
- Select check boxes next to one or more hosts that you want to remove. You can select all hosts by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
- This opens the action confirmation window; in that window, click Yes.
The selected hosts are removed from the Endpoint Agents table.
When hosts are removed, the following changes are made in the web interface of Kaspersky Anti Targeted Attack Platform:
- You cannot create a task, prevention rule, or network isolation rule for a removed host.
- If a prevention rule was previously created for a host, its name in the rule window (the Prevent on field) is hidden when the host is removed. The rule continues to apply.
If this host reconnects to the Central Node server, the host name is restored in the Prevent on field and the prevention rule is applied to it again.
- If a network isolation rule was previously created for a host, it continues to apply until the time specified in the rule expires.
When this host reconnects to the Central Node, the rule is reapplied to this host.
- The metadata of objects quarantined on the remote host are deleted from Kaspersky Anti Targeted Attack Platform Quarantine.
When this host reconnects to the Central Node server, the metadata of objects in Kaspersky Anti Targeted Attack Platform Quarantine are not restored. You can avoid Quarantine filling up on a host by clearing it on command line or in Kaspersky Security Center. For details, see the Help of the application that you are using in the role of the Endpoint Agent component.
- If an object was quarantined by the Quarantine file task on one host only and that host was removed, the Restore all button in task window is inactive because the file cannot be restored on a removed host.
Event search by the name of the removed host remains available.
Automatic removal of inactive hosts
You can enable or disable the automatic removal of inactive hosts from the Endpoint Agents table. Inactive hosts are hosts that have not connected to the Central Node server for the configured time.
To enable or disable the automatic removal of hosts from the Endpoint Agents table:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- Under Delete inactive hosts automatically, do the following:
- If you want to enable this functionality, move the Delete hosts toggle switch to Enabled.
- If you want to disable this functionality, move the Delete hosts toggle switch to Disabled.
- If you have enabled this functionality, in the Delete after field, specify the number of days after which hosts that have not connected to the Central Node component must be considered inactive.
The minimum value is 1 and the maximum value is 365.
Automatic removal of inactive hosts is enabled or disabled.
If the value specified in the Delete after field is less than the values specified in the Warning and/or Critical inactivity fields under Activity indicators, hosts are removed earlier than an inactivity warning is displayed in the Dashboard section.
When hosts are removed the following changes are made in the web interface of Kaspersky Anti Targeted Attack Platform:
- You cannot create a task, prevention rule, or network isolation rule for a removed host.
- If a prevention rule was previously created for a host, its name in the rule window (the Prevent on field) is hidden when the host is removed. The rule continues to apply.
If this host reconnects to the Central Node server, the host name is restored in the Prevent on field and the prevention rule is applied to it again.
- If a network isolation rule was previously created for a host, it continues to apply until the time specified in the rule expires.
When this host reconnects to the Central Node, the rule is reapplied to this host.
- The metadata of objects quarantined on the remote host are deleted from Kaspersky Anti Targeted Attack Platform quarantine.
When this host reconnects to the Central Node server, the metadata of objects in Kaspersky Anti Targeted Attack Platform quarantine are not restored. You can avoid quarantine filling up on a host by clearing it on the command line or in Kaspersky Security Center. For details, see the Help of the application that you are using in the role of the Endpoint Agent component.
- If an object was quarantined by the Quarantine file task on one host only and that host was removed, the Restore all button in the task window is inactive because the file cannot be restored on a removed host.
Event search by the name of the removed host remains available.
Supported interpreters and processes
Kaspersky Endpoint Agent application monitors the execution of scripts by the following interpreters:
- cmd.exe
- reg.exe
- regedit.exe
- regedt32.exe
- cscript.exe
- wscript.exe
- mmc.exe
- msiexec.exe
- mshta.exe
- rundll32.exe
- runlegacycplelevated.exe
- control.exe
- explorer.exe
- regsvr32.exe
- wwahost.exe
- powershell.exe
- java.exe and javaw.exe (only if started with the -jar option)
- InstallUtil.exe
- msdt.exe
- python.exe
- ruby.exe
- rubyw.exe
Information about the processes monitored by Kaspersky Endpoint Agent application is presented in the table below.
Processes and the file extensions that they open

Process | File extensions
---|---
winword.exe | rtf doc dot docm docx dotx dotm docb
excel.exe | xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam xll xlw
powerpnt.exe | ppt pot pps pptx pptm potx potm ppam ppsx ppsm sldx sldm
acrord32.exe |
wordpad.exe | docx
chrome.exe |
MicrosoftEdge.exe |
Configuring integration with the Sandbox component
You can connect one Sandbox component to multiple Central Node components.
The following procedure is used to configure the Sandbox component connection with the Central Node component:
- Creating a request to connect to the Sandbox component
You can create a request in the application web interface under an administrator account. If you have several Central Node components installed on the server, you need to create a request for each server with the Central Node component that you want to connect to the Sandbox component. If the Central Node component is deployed as a cluster, you can create a request for connection from any server in the cluster.
- Processing a connection request in the Sandbox web interface
You can accept or reject each request.
If you want to connect several Sandbox components to a single Central Node component, make sure that the Sandbox components you connect have the same set of operating systems used for scanning objects, and maximum number of simultaneously running virtual machines.
After configuring the connection, the Sandbox server needs 5 to 10 minutes to get ready for operation. During this time, the System health window of the application web interface displays a warning: Default configuration error. When the server is ready for operation, the warning disappears.
Viewing the table of servers with the Sandbox component
Users with the Security auditor role can view the table of servers with the Sandbox component.
The table of servers with the Sandbox component is located in the Sandbox servers section, on the Servers tab of the application web interface window.
The Certificate fingerprint field displays the fingerprint of the TLS certificate of the Central Node server.
The Server list table contains the following information:
- IP and name—IP address or fully qualified domain name of the server with the Sandbox component.
- Certificate fingerprint—Certificate fingerprint of the server with the Sandbox component.
- Authorization—Status of the request to connect to the Sandbox component.
- Status—Status of the connection to the Sandbox component.
Users with the Security officer role cannot view the table of servers with the Sandbox component.
Creating a request to connect to the server with the Sandbox component
To create a request to connect to the server with the Sandbox component through the application web interface:
- Select the Sandbox servers section in the window of the application web interface.
- In the upper-right corner of the window, click the Add button.
This opens the Sandbox server connection window.
- In the IP field, specify the IP address of the server with the Sandbox component to which you want to connect.
- Click Get certificate fingerprint.
The workspace displays the fingerprint of the certificate of the server with the Sandbox component.
- Compare the obtained certificate fingerprint with the fingerprint indicated in the Sandbox web interface in the KATA authorization section in the Certificate fingerprint field.
If the certificate fingerprints match, perform the next steps of the instructions.
If certificate fingerprints do not match, confirming the connection is not recommended. Make sure the data you entered is correct.
- In the Name field, specify the Sandbox component name that will be displayed in the web interface of the Central Node component.
This name is not related to the name of the host where the Sandbox is installed.
- If you want to activate a connection with Sandbox immediately after connecting, select the Enable check box.
- Click Add.
The connection request is displayed in the web interface of the Sandbox component.
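The fingerprint comparison in the step above is the only thing that protects the Central Node from connecting to a server that is merely claiming to be your Sandbox, so it is worth doing carefully. The following is an added example, not code from the Help or from the product, showing how to compute a certificate fingerprint from DER bytes and compare it with the value shown in the other web interface regardless of colon or case formatting. The Help does not state which hash algorithm the interface displays; SHA-256 is an assumption here, and the `SAMPLE_DER` bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for the DER encoding of a server certificate (not a real certificate).
# In practice the bytes come from fetch_der() below or from a certificate exported from the UI.
SAMPLE_DER = b"abc"


def cert_fingerprint(der_bytes, algorithm="sha256"):
    """Hex digest of the certificate's DER encoding.
    The Help does not say which hash the web interface shows; SHA-256 is an assumption,
    so pass the algorithm that matches what the UI displays (e.g. "sha1")."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return lowercase hex with no separators,
    so a value copied from one UI can be compared with one typed from another."""
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()


def fingerprints_match(shown, expected):
    """Constant-time comparison of two fingerprints in any accepted formatting."""
    a, b = normalize_fingerprint(shown), normalize_fingerprint(expected)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def fetch_der(host, port=443):
    """Retrieve the peer certificate as DER bytes without validating the chain: the trust
    decision is the manual fingerprint comparison, so nothing else is trusted on this connection."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_DER)
    print(fp, fingerprints_match(fp.upper(), fp))
```

If the two values do not match, do not confirm the connection; re-check the IP address you entered before trying again, as the Help advises.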
Enabling and disabling a connection with the Sandbox component
To make a connection with the Sandbox component active or to disable it:
- Select the Sandbox servers section in the window of the application web interface.
The table of servers with Sandbox components is displayed.
- In the row containing the relevant server in the Status column, perform one of the following actions:
- If you want to activate a connection with the Sandbox component, set the toggle switch to Enabled.
- If you want to disable a connection with the Sandbox component, set the toggle switch to Disabled.
- Click Apply.
The connection with the Sandbox component will become active or will be disabled.
Deleting a connection with the Sandbox component
To delete a connection with the Sandbox component:
- Select the Sandbox servers section in the window of the application web interface.
This displays the table of computers on which the Sandbox component is installed.
- Select the check box in the line containing the Sandbox component whose connection you want to delete.
- In the upper-right corner of the window, click the Delete button.
- In the confirmation window, click Yes.
The connection with the Sandbox component will be deleted.
Configuring integration with external systems
You can configure integration of Kaspersky Anti Targeted Attack Platform with external systems to scan files stored in those systems. Their scan results are displayed in the alerts table.
The role of an external system can be served by a mail sensor, such as Kaspersky Secure Mail Gateway or Kaspersky Security for Linux Mail Server. The mail sensor sends email messages to Kaspersky Anti Targeted Attack Platform for processing. Based on the results of processing of email messages in Kaspersky Anti Targeted Attack Platform, the mail sensor may block the transfer of messages.
Integration of Kaspersky Anti Targeted Attack Platform with external systems involves the following procedure:
- Enter the integration settings and create an integration request from the external system.
For more details about entering integration settings for the mail sensor, please refer to the Kaspersky Secure Mail Gateway Help or the Kaspersky Security for Linux Mail Server Help.
To integrate other external systems, use the REST API.
- Confirm integration for Kaspersky Anti Targeted Attack Platform
External systems must use unique certificates for authorization on the server with the Central Node component. If this is the case, a single integration request will be displayed in the interface of Kaspersky Anti Targeted Attack Platform. To connect multiple external systems that have the same IP address, you must use a unique certificate for each external system.
When using one certificate, you can configure integration with only one external system.
- Check the connection between the external system and Kaspersky Anti Targeted Attack Platform
Viewing the table of external systems
The table of external systems is in the External systems section of the application web interface window. The table contains the following information:
- Sensor—IP address or domain name of the external system server.
- Type—Type of external system (mail sensor or other system).
- Name—Name of the integrated external system that is not a mail sensor.
A dash is displayed in this column for a mail sensor.
- ID—ID of the external system.
- Certificate fingerprint—Fingerprint of the TLS certificate of the server with the external system used to establish an encrypted connection with the server hosting the Central Node component.
The certificate fingerprint of the server with the Central Node component is displayed in the upper part of the window in the Certificate fingerprint field.
- State—State of the integration request.
Processing a request from an external system
To process an integration request from an external system:
- Select the External systems section in the window of the application web interface.
The Server list table displays the already connected external systems, and requests for integration with Kaspersky Anti Targeted Attack Platform from external systems.
- In the line containing the integration request, perform one of the following actions:
- If you want to configure integration with the external system, click the Accept button.
- If you do not want to configure integration with the external system, click the Reject button.
- In the confirmation window, click Yes.
The integration request from the external system will be processed.
Removing an external system from the list of those allowed to integrate
After you have accepted an integration request from an external system, you can remove it from the list of those allowed to integrate. If this is the case, the connection between Kaspersky Anti Targeted Attack Platform and the external system will be terminated.
To remove an external system from the list of systems allowed to integrate:
- Select the External systems section in the window of the application web interface.
The Server list displays the already added external systems and the requests to integrate with Kaspersky Anti Targeted Attack Platform from external systems.
- Click the Delete button in the line containing the integration request from the external system that you want to remove.
- In the confirmation window, click Yes.
The external system will be removed from the list of those allowed to integrate.
Configuring the priority for processing traffic from mail sensors
You can enable or disable the maximum priority for processing traffic from mail sensors.
To enable or disable the maximum priority for processing traffic from mail sensors:
- Select the External systems section in the window of the application web interface.
- Do one of the following:
- Turn on the toggle switch next to the name of the Maximum scan priority parameter if you want to enable the maximum priority for processing traffic from mail sensors.
- Turn off the toggle switch next to the name of the Maximum scan priority parameter if you want to disable the maximum priority for processing traffic from mail sensors.
The priority for processing traffic from mail sensors will be configured.
Configuring integration with Kaspersky Managed Detection and Response
Kaspersky Managed Detection and Response (hereinafter also "MDR") detects and prevents fraud in the client's infrastructure. MDR provides continuous managed protection and allows organizations to automatically discover hard-to-detect threats while freeing up IT security personnel to work on issues requiring their participation.
Kaspersky Anti Targeted Attack Platform obtains data and sends it to Kaspersky Managed Detection and Response using a Kaspersky Security Network stream. Therefore, participation in KSN is necessary for configuring integration with MDR.
Integration with MDR is only available if at least one KATA or EDR license is active. If only one license key (only KATA or only EDR) is added in the application, the statistics sent are limited to the functionality provided by that license. If both license keys are added in the application, complete statistics are sent.
Before configuring the integration of Kaspersky Anti Targeted Attack Platform with the MDR application, you must download an archive with the configuration file from the MDR portal.
Only the Local Administrator and the KATA Web Interface Administrator can configure the integration with MDR.
Enabling the MDR integration
Make sure that an active license key is added and participation in KSN is configured in the application. Otherwise the MDR integration is unavailable.
To enable integration with MDR:
- Log in to the application web interface with the administrator account.
- Select the Settings section, KSN/KPSN and MDR subsection.
- Under MDR integration, click Upload to upload the configuration file.
This opens the file selection window.
- Select the archive you downloaded during registration at the MDR portal and click Open.
The following information about the MDR license is displayed in the window:
- Serial number.
- Expiration date.
- Days remaining.
Integration with MDR is enabled. Integration settings configured in the configuration file are applied to all connected Sensor components. MDR starts using alert statistics sent via the KSN stream.
Disabling the MDR integration
To disable integration with MDR:
- Log in to the application web interface with the administrator account.
- Select the Settings section, KSN/KPSN and MDR subsection.
- Under MDR integration, click Delete file.
- In the confirmation window, click Yes.
The configuration file is deleted and the MDR integration is disabled. Statistics is still sent to KSN servers, but this information is not used by MDR.
Replacing the MDR configuration file
To replace the MDR configuration file:
- Log in to the application web interface with the administrator account.
- Select the Settings section, KSN/KPSN and MDR subsection.
- Under MDR integration, click Replace file.
This opens the file selection window.
- Select a new archive containing a configuration file and click Open.
MDR license information is updated in the application web interface.
The configuration file is replaced. New integration settings are applied to all connected Sensor components.
Configuring integration with an SIEM system
Kaspersky Anti Targeted Attack Platform can publish information about user actions in the application web interface as well as alerts to a SIEM system already in use at your organization using the Syslog protocol. You can use TCP or UDP for data transmission.
If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with an external system using one of the following options:
- Using the Round Robin function.
- Configure the settings of the external system so that the external system switches between the IP addresses of the cluster servers if a network error occurs.
To configure fault-tolerant integration with an external system using the Round Robin function:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.
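The second option above, having the external system itself switch between the IP addresses of the cluster servers, is illustrated by the following added example; it is not code from the Help or from any Kaspersky product. It resolves every address behind the cluster's DNS name (with Round Robin configured, that is all cluster servers) and tries them in turn on a network error. The cluster name and the addresses in `demo()` are constructed for illustration, and the connector is injectable so the fail-over logic can be exercised offline.

```python
import socket

# Constructed example name; with Round Robin on the DNS server it resolves to every cluster server.
CLUSTER_NAME = "central-node.example.invalid"


def resolve_all(name, port):
    """Return every distinct address the name resolves to, in resolver order."""
    seen, addresses = set(), []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            addresses.append((sockaddr[0], port))
    return addresses


def tcp_connect(addr, timeout):
    """Default connector: a plain TCP connection with a timeout."""
    return socket.create_connection(addr, timeout=timeout)


def connect_with_failover(addresses, connect=tcp_connect, timeout=3.0):
    """Try each cluster address in order; on a network error (OSError) move to the next one.
    Returns (connection, address) for the first server that answers, or raises with all failures."""
    failures = []
    for addr in addresses:
        try:
            return connect(addr, timeout), addr
        except OSError as exc:
            failures.append((addr, str(exc)))
    raise ConnectionError(f"no cluster server reachable: {failures}")


def demo():
    """Offline demonstration with a constructed connector: the first address refuses the
    connection, so the client falls over to the second one."""
    def flaky_connect(addr, timeout):
        if addr[0] == "10.0.0.1":
            raise OSError("connection refused")  # simulated failed cluster server
        return f"connection to {addr[0]}:{addr[1]}"

    # Constructed addresses; in real use: resolve_all(CLUSTER_NAME, port)
    return connect_with_failover([("10.0.0.1", 514), ("10.0.0.2", 514)], connect=flaky_connect)


if __name__ == "__main__":
    print(demo())
```

Note that failing over on a closed connection is enough for the fault-tolerance described here, but it does not verify which server answered; the TLS settings described further below are what tie the connection to the server you intend.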
Enabling and disabling information logging to a remote log
You can configure the logging of information about user actions in the web interface and alerts to a remote log. The log file is stored on the server on which the SIEM system is installed. To write to the remote log, you must configure the integration with the SIEM system.
To enable or disable the logging of information about user actions in the web interface and alerts to the remote log:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- If you want to enable / disable the recording of information about user actions in the web interface to the remote log, do one of the following:
- If you want to enable recording of information about user actions in the web interface, select the Activity log check box.
- If you want to disable the recording of information about user actions in the web interface, clear the Activity log check box.
- If you want to enable / disable the recording of information about alerts to the remote log, do one of the following:
- If you want to enable recording of alert information, select the Alerts check box.
- If you want to disable recording of alert information, clear the Alerts check box.
You can select both check boxes simultaneously.
- Click Apply in the lower part of the window.
Information logging in the remote log is enabled or disabled.
Users with the Security auditor role can only view information about remote logging settings.
Configuring the main settings for SIEM system integration
To configure the main settings for SIEM system integration:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- Select the Activity log and/or Alerts check boxes.
You can select one check box or both check boxes.
- In the Host/IP field, enter the IP address or host name of the server of your SIEM system.
- In the Port field, enter the port number used for connecting to your SIEM system.
- In the Protocol field, select TCP or UDP.
- In the Host ID field, enter the host ID. The host with that ID is specified as the alert source in the log of the SIEM system.
- In the Heartbeat field, enter the interval for sending messages to the SIEM system.
- Click Apply in the lower part of the window.
The main settings of integration with the SIEM system will be configured.
Users with the Security auditor role can only view information about the SIEM system integration settings.
Uploading a TLS certificate
To upload a TLS certificate for encrypting the connection with the SIEM system:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- In the TLS encryption section, click the Upload button.
This opens the file selection window.
- Select a TLS certificate file to upload and click the Open button.
This closes the file selection window.
The TLS certificate is added to the application.
- Click Apply in the lower part of the window.
The uploaded TLS certificate will be used to encrypt the connection with the SIEM system.
Enabling and disabling TLS encryption of the connection with the SIEM system
To enable or disable TLS encryption of the connection with the SIEM system:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- Select the Activity log and/or Alerts check boxes.
You can select one check box or both check boxes.
- In the TLS encryption section, perform one of the following actions:
- Turn on the toggle switch next to the name of the TLS encryption parameter if you want to enable TLS encryption of the connection with the SIEM system.
- Turn off the toggle switch next to the name of the TLS encryption parameter if you want to disable TLS encryption of the connection with the SIEM system.
The toggle switch next to the name of the TLS encryption setting can be used only if a TLS certificate is loaded.
- Click Apply in the lower part of the window.
TLS encryption of the connection with the SIEM system will be enabled or disabled.
Content and properties of syslog messages about alerts
Information about each alert is transmitted in a separate syslog category (syslog facility) that is not used by the system to deliver messages from other sources. Information about each alert is transmitted as a separate syslog message in CEF format. If the alert was generated by the Targeted Attack Analyzer module, information about that alert is transmitted as multiple separate syslog messages in CEF format.
The default maximum size of a syslog message about an alert is 32 KB. Messages that exceed the maximum size are truncated at the end.
The header of each syslog message about an alert contains the following information:
- Format version. Current version number: 0. Current field value: CEF:0.
- Vendor. Current field value: AO Kaspersky Lab.
- Application name. Current field value: Kaspersky Anti Targeted Attack Platform.
- Application version. Current field value: 6.0.0-200.
- Alert type. See the table below.
- Event name. See the table below.
- Alert importance. Allowed field values: Low, Medium, High, or 0 (for heartbeat messages).
- Additional information.
Example:
CEF:0|AO Kaspersky Lab| Kaspersky Anti Targeted Attack Platform |6.0.0-200|url_web| URL from web detected|Low|
The body of a syslog message about an alert matches the information about the alert that is displayed in the application web interface. All fields are presented in the "<key>=<value>" format. Depending on whether the alert occurred in network traffic or mail traffic, and depending on the technology that generated the alert, various keys may be transmitted in the body of a syslog message. If the value is empty, the key is not transmitted.
The keys, as well as their values contained in a message, are presented in the table below.
Information about an alert in syslog messages

Alert type | Alert name and description | Key and description of its value
---|---|---
 | A file was detected in network traffic. |
 | A file was detected in mail traffic. |
 | An alert was generated by the Intrusion Detection System module. |
 | An alert was generated by URL Reputation technology or Sandbox in network traffic. |
 | An alert was generated by URL Reputation technology or Sandbox in mail traffic. |
 | An alert was generated by URL Reputation technology in DNS traffic. |
 | The alert was generated by the Endpoint Agent component on the user's computer and contains a file. |
 | The alert was generated while carrying out an IOC scan of hosts with the Endpoint Agent component for Windows. This type of alert is available if you are using KEDR functionality. |
 | Alert resulting from the IOA analysis of events. This type of alert is available if you are using KEDR functionality. |
 | The alert was generated while carrying out a YARA scan of hosts with the Endpoint Agent component for Windows. This type of alert is available if you are using KEDR functionality. |
 | Periodic message containing the state of components. |
Managing the activity log
Some user actions in the application web interface can cause errors in the operation of Kaspersky Anti Targeted Attack Platform. You can enable logging of user action information in the application web interface and if necessary, view the information by downloading log files.
Enabling and disabling the recording of information in the activity log
To enable or disable the logging of information about user actions in the Kaspersky Anti Targeted Attack Platform web interface to the activity log:
- Select the Reports section, Activity log subsection in the window of the application web interface.
- Do one of the following:
- Set the Activity log toggle switch to the Enabled position if you want to enable the logging of information about user actions in the application web interface.
- Set the Activity log toggle switch to the Disabled position if you want to disable the logging of information about user actions in the application web interface.
This function is enabled by default.
Information is logged for 30 days in the user_actions.log file. After 30 days, the user_actions.log file is saved on the Central Node server in the /var/log/kaspersky/apt-base/ directory with the name user_actions.log<month>. A new file named user_actions.log is created to record information for the current month. Each file is retained for 90 days and then deleted.
To view activity log files, you must download them.
You can configure the logging of information about user activity in the application web interface to a remote log. The remote log is saved on the server on which a SIEM system is installed. The settings of integration with the SIEM system must be configured to write to the remote log.
In distributed solution mode, information about user actions in the application web interface is recorded in the log of the same server for which the users are managing the web interface. Information about the actions of PCN server users that affect the settings of SCN servers is recorded in the PCN server log.
Users with the Security auditor role can only view the settings for logging information to the activity log.
Downloading the activity log file
To download the activity log file:
- Select the Reports section, Activity log subsection in the window of the application web interface.
- Click Download.
Log files are saved on your local computer in your browser's downloads folder. The files are downloaded as a ZIP archive.
In distributed solution mode, you can download log files only for the server for which you are managing the web interface.
Content and properties of CEF messages about user activity in the web interface
The header of each message contains the following information:
- Format version. Current version number: 0. Current field value: CEF:0.
- Vendor. Current field value: AO Kaspersky Lab.
- Application name. Current field value: Kaspersky Anti Targeted Attack Platform.
- Application version. Current field value: 6.0.0-200.
- Event type. See the table below.
- Event name. See the table below.
- Event importance. Current field value: Low.
Example:
CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|6.0.0-200|tasks|Managing tasks|Low|
All fields of the CEF message have the "<key>=<value>" format. The keys, as well as their values contained in a message, are presented in the table below.
Event information in CEF messages

Event type | Event name and description | Key and description of its value
---|---|---
 | Connecting the Sensor component to the Central Node server, modifying component settings. |
 | Connecting the Sandbox component to the Central Node server. |
 | Configuring integration with external systems. |
 | Configuring participation in Kaspersky Security Network, enabling or disabling the usage of Kaspersky Private Security Network, and configuring integration with Kaspersky Managed Detection and Response. |
 | Operations with YARA rules. |
 | Operations with IOC rules. |
 | Operations with IDS rules. |
 | Operations with TAA (IOA) rules. |
 | Operations with Sandbox rules. |
 | Operations with prevention rules. |
 | Operations with scan exclusion rules. |
endpoint_agents | Managing Endpoint Agent hosts. Operations with hosts on which the Endpoint Agent component is installed. |
 | Operations with tasks. |
 | Network isolation of Endpoint Agent hosts. |
 | Modifying Central Node server settings. |
 | The set of virtual machine operating systems is changed to <version of the operating system set>. |
 | Modifying the settings of Primary Central Node and Secondary Central Node servers in distributed solution and multitenancy mode. |
 | Actions on user accounts. |
 | Configuring email notifications. |
 | Managing the license key. |
If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.
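Both the alert messages described under "Content and properties of syslog messages about alerts" and the user-activity messages described above share the same CEF header layout, so one consumer can handle both. The following is an added example, not code from the Help or from any Kaspersky product: it parses the seven pipe-delimited header fields (honouring backslash escapes), splits the "<key>=<value>" extension, flags messages that sit at the 32 KB default limit as possibly truncated, separates heartbeat messages (importance 0) from alerts, and reports gaps between heartbeats longer than the configured Heartbeat interval. The `SAMPLE_LINES` are constructed; the syslog "<PRI>timestamp host" prefix and the extension keys (src, request, suser, act) are assumptions, since the key table did not survive on this page; the header values follow the two examples in the Help.

```python
import re
from datetime import datetime

MAX_SYSLOG_BYTES = 32 * 1024  # default maximum size stated in the Help; longer messages are cut at the end

# Constructed sample lines (not captured from a real deployment). The syslog prefix and the
# extension keys are assumptions; the header fields follow the examples in the Help.
SAMPLE_LINES = [
    "<134>2024-01-01T10:00:00Z kata-cn CEF:0|AO Kaspersky Lab| Kaspersky Anti Targeted Attack Platform |6.0.0-200|url_web| URL from web detected|Low|src=10.0.0.5 request=http://example.invalid/a\\=b",
    "<134>2024-01-01T10:00:30Z kata-cn CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|6.0.0-200|heartbeat|Heartbeat|0|",
    "<134>2024-01-01T10:01:00Z kata-cn CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|6.0.0-200|tasks|Managing tasks|Low|suser=admin act=create",
    "<134>2024-01-01T10:03:30Z kata-cn CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|6.0.0-200|heartbeat|Heartbeat|0|",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "app_version", "type", "name", "importance")


def split_header(text):
    """Split the 7 pipe-delimited CEF header fields; a backslash escapes the next character.
    Returns the fields (whitespace-trimmed) and the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur).strip())
            cur, i = [], i + 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, text[i:]


def parse_extension(ext):
    """Parse 'key=value' pairs; values may contain spaces and the escapes \\= \\\\ \\n \\r."""
    pairs = {}
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        pairs[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return pairs


def parse_syslog_cef(line):
    """Parse one syslog line carrying a CEF message; returns None for lines without a CEF header."""
    pos = line.find("CEF:")
    if pos < 0:
        return None
    prefix = line[:pos]
    fields, ext = split_header(line[pos:])
    msg = dict(zip(HEADER_FIELDS, fields))
    msg["extension"] = parse_extension(ext)
    ts = re.search(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", prefix)
    msg["time"] = datetime.strptime(ts.group(0), "%Y-%m-%dT%H:%M:%SZ") if ts else None
    # A message at the size cap was most likely cut at the end: treat its extension as incomplete.
    msg["possibly_truncated"] = len(line.encode("utf-8")) >= MAX_SYSLOG_BYTES
    return msg


def is_heartbeat(msg):
    """Heartbeat messages carry importance 0 (the Help's value for heartbeat messages)."""
    return msg["importance"] == "0"


def heartbeat_gaps(messages, interval_seconds):
    """Return (previous, next) heartbeat timestamps that are further apart than the configured interval."""
    times = sorted(m["time"] for m in messages if is_heartbeat(m) and m["time"])
    return [(a, b) for a, b in zip(times, times[1:]) if (b - a).total_seconds() > interval_seconds]


def count_by_type(messages):
    """Number of non-heartbeat messages per alert/event type."""
    counts = {}
    for m in messages:
        if not is_heartbeat(m):
            counts[m["type"]] = counts.get(m["type"], 0) + 1
    return counts


def analyze(lines=SAMPLE_LINES, heartbeat_interval=60):
    msgs = [m for m in (parse_syslog_cef(l) for l in lines) if m]
    return {"messages": msgs, "counts": count_by_type(msgs), "gaps": heartbeat_gaps(msgs, heartbeat_interval)}


if __name__ == "__main__":
    result = analyze()
    print(result["counts"], [f"{a:%H:%M:%S} -> {b:%H:%M:%S}" for a, b in result["gaps"]])
```

A missed heartbeat is the simplest indicator on the SIEM side that the integration (or the Central Node itself) has stopped; the truncation flag matters because a cut-off extension can silently drop the keys a correlation rule depends on.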
Updating application databases
Application databases (hereinafter also referred to as "databases") are files with records used by the application components and modules to detect events occurring in your organization's IT infrastructure.
Virus analysts at Kaspersky detect hundreds of new threats daily (including "zero-day" exploits), create records to identify them, and include them in database updates packages ("update packages"). Update packages consist of one or more files containing records to identify threats that were detected since the previous update package was released. We recommend that you regularly receive update packages. When the application is installed, the database release date is the same as the application release date, and therefore you must update the databases immediately after installing the application.
The application automatically looks for new update packages on Kaspersky update servers once every 30 minutes. By default, if for some reason application databases are not updated for 24 hours, Kaspersky Anti Targeted Attack Platform displays this information in the Dashboard section of the window of the application web interface.
If the version of Kaspersky Anti Targeted Attack Platform is not supported, databases are not updated. You can see which versions of the application are currently supported on the application lifecycle page.
The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may be unavailable in the territory of the USA.
Selecting a database update source
You can select the source from which the application will download database updates. The update source may be the Kaspersky server, or a network folder or local folder on one of the computers of your organization.
To select a database update source:
- In the window of the application web interface, select the Settings section, General settings subsection.
- In the Database update section, in the Update source drop-down list, select one of the following values:
- Kaspersky update server.
The application connects to Kaspersky update server over HTTP and downloads up-to-date databases.
- Kaspersky update server (secure connection).
The application connects to Kaspersky update server over HTTPS and downloads up-to-date databases. It is recommended to use HTTPS for database updates.
- Custom server.
The application connects to your FTP or HTTP server or to the folder with application databases on your computer to download up-to-date databases.
- If you have selected Custom server, in the field under the name of this setting, enter the URL of the update package on your HTTP or FTP server, or the full path to the folder on your computer that contains the application database update package.
- Click Apply.
The application database update source is applied.
Updating databases manually
To start the database update manually:
- In the window of the application web interface, select the Settings section, General settings subsection.
- In the Database update section, click the Start button.
- Click Apply.
The application database update is started. The progress of the update will be displayed to the right of the button.
Creating a list of passwords for archives
The application cannot scan a password-protected archive without its password. You can create a list of the passwords most frequently used for archives exchanged within your organization. If you do so, the application tries the passwords from the list when it encounters a password-protected archive. If one of the passwords matches, the archive is unlocked and scanned.
The list of passwords set in application settings is also transmitted to the server with the Sandbox component.
To create a list of archive passwords:
- In the window of the application web interface, select the Settings section, Passwords for archives subsection.
- In the Passwords for archives field, enter the passwords that the application will use for password-protected archives.
Enter each password on a new line. You can enter up to 50 passwords.
- Click Apply.
The list of passwords for archives is created. The application also uses the passwords from this list when scanning password-protected PDF files and Microsoft Word, Excel, and PowerPoint files.
Users with the Security auditor role can view the list of passwords for archives, but cannot edit it.
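The following is an added example and not Kaspersky code: it shows, with the Python standard library only, the mechanism the section describes, namely taking a password list as entered in the web interface (one per line, blank lines and duplicates dropped, at most 50 entries) and trying each entry against a password-protected ZIP archive until one opens it. The archive is constructed inside the example with the classic ZipCrypto scheme so that it runs offline; the passwords, file name and contents are made-up sample data, and the 50-entry limit is the one stated above.

```python
"""Try a configured archive-password list against a password-protected ZIP (added example)."""
import io
import struct
import zipfile
import zlib
from typing import Dict, List, Optional, Tuple

MAX_PASSWORDS = 50  # limit stated for the Passwords for archives field


def parse_password_list(text: str) -> List[str]:
    """One password per line; blank lines and duplicates dropped; first 50 kept."""
    passwords: List[str] = []
    for line in text.splitlines():
        if line and line not in passwords:
            passwords.append(line)
    return passwords[:MAX_PASSWORDS]


def _zipcrypto_encrypt(plaintext: bytes, password: bytes) -> bytes:
    """Traditional PKWARE (ZipCrypto) stream cipher, the inverse of zipfile's decrypter."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_step(crc: int, byte: int) -> int:
        # One raw CRC-32 table step; undo zlib's pre/post inversion to get it.
        return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(byte: int) -> None:
        keys[0] = crc_step(keys[0], byte)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)

    for b in password:
        update(b)
    out = bytearray()
    for p in plaintext:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)  # the key schedule advances on the plaintext byte
    return bytes(out)


def build_zipcrypto_archive(name: str, data: bytes, password: bytes) -> bytes:
    """Minimal single-entry, stored, ZipCrypto-protected ZIP used as a constructed fixture."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (random in real archives, fixed
    # here for reproducibility) followed by the check byte, the high byte of the CRC.
    header = bytes(range(11)) + bytes([crc >> 24])
    payload = _zipcrypto_encrypt(header + data, password)
    fname = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, 0, 0, ((2024 - 1980) << 9) | (1 << 5) | 1
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, dos_time, dos_date,
                        crc, len(payload), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, dos_time,
                          dos_date, crc, len(payload), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(payload), 0)
    return local + payload + central + eocd


def unlock_archive(archive: bytes, passwords: List[str]) -> Tuple[Optional[str], Dict[str, bytes]]:
    """Try the configured passwords in order; return the one that worked and the extracted files."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for pwd in passwords:
            try:
                files = {info.filename: zf.read(info, pwd=pwd.encode("utf-8")) for info in zf.infolist()}
            except RuntimeError:  # ZipCrypto check byte rejected this password
                continue
            except (zipfile.BadZipFile, zlib.error):  # 1-in-256 check-byte false positive, caught by the CRC
                continue
            return pwd, files
    return None, {}


# Constructed sample data: a list as typed into the web interface (with a blank line
# and a duplicate) and an archive protected with its second entry.
SAMPLE_PASSWORD_LIST = "infected\nP@ssw0rd\nmalware\n\nP@ssw0rd\n"
SAMPLE_PAYLOAD = b"constructed sample payload: not a real file"
SAMPLE_ARCHIVE = build_zipcrypto_archive("invoice.txt", SAMPLE_PAYLOAD, b"P@ssw0rd")

if __name__ == "__main__":
    used, files = unlock_archive(SAMPLE_ARCHIVE, parse_password_list(SAMPLE_PASSWORD_LIST))
    print(used, files)
```

The two except clauses are deliberate: a wrong password is normally rejected by the single check byte of the encryption header, but one wrong password in 256 passes that check, and only the CRC of the decrypted content then reveals the mismatch, so a scanner that tries a list must treat both outcomes as "try the next one".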
Configuring integration with ArtX TLSproxy 1.9.1
You can configure the integration of Kaspersky Anti Targeted Attack Platform with ArtX TLSproxy 1.9.1 to unwrap encrypted SSL/TLS traffic so that the application can inspect it. Integrating Kaspersky Anti Targeted Attack Platform with ArtX TLSproxy 1.9.1 improves the security and performance of the infrastructure.
To configure the integration of Kaspersky Anti Targeted Attack Platform with ArtX TLSproxy 1.9.1:
- Specify and edit integration settings in ArtX TLSproxy 1.9.1.
For more details on specifying and editing integration settings in ArtX TLSproxy 1.9.1, see the ArtX TLSproxy User Manual on the ArtX website.
- Create the erspan.netdev file in the /etc/systemd/network directory with the following contents:
[NetDev]
Name=<name of the ERSPAN interface>
Kind=erspan
[Tunnel]
Independent=true
ERSPANIndex=<index or port number associated with the ERSPAN traffic source port>
Local=<local fixed IP address of the network interface on which you are configuring ERSPAN traffic transmission>
Remote=<IP address of the server hosting the Kaspersky Anti Targeted Attack Platform application on which you want to process ERSPAN traffic>
Key=<sequence number or key of the GRE header; if a key is not used, enter 0>
SerializeTunneledPackets=true
- Create the erspan.network file in the /etc/systemd/network directory with the following contents:
[Match]
Name=<name of the ERSPAN interface>
[Network]
Address=<local IP address of the network interface>/<prefix length of the network interface mask>
- Restart the server with the Kaspersky Anti Targeted Attack Platform application on which you are configuring the integration with ArtX TLSproxy 1.9.1.
- Go to the ArtX TLSproxy 1.9.1 application and specify the network interfaces that you configured.
The settings in the erspan.netdev and erspan.network files must match the settings that you specified in ArtX TLSproxy 1.9.1.
Integration with ArtX TLSproxy 1.9.1 is configured.
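The following is an added example and is not part of the Kaspersky or ArtX documentation. It fills the erspan.netdev and erspan.network templates above from one set of parameters, so the interface name and addresses cannot drift apart between the two files, and it rejects values that would not work: malformed or mismatched IP addresses, a Remote equal to the local host, an ERSPANIndex outside the 1 to 1048575 range that systemd.netdev(5) documents for the ERSPAN v1 index (the template sets no ERSPANVersion, so v1 is assumed), a GRE key wider than 32 bits, or an interface name longer than the 15 characters Linux allows. The interface name, index and 192.0.2.x addresses are made-up sample values; replace them with the values configured in ArtX TLSproxy.

```python
"""Render and cross-check the systemd-networkd ERSPAN unit files (added example)."""
import ipaddress
from typing import Dict, Optional

ERSPAN_INDEX_MAX = 1048575  # 20-bit ERSPAN v1 index range accepted by systemd.netdev(5)


def render_erspan_units(name: str, index: int, local: str, remote: str,
                        prefix_len: int, key: int = 0) -> Dict[str, str]:
    """Return {'erspan.netdev': ..., 'erspan.network': ...} or raise ValueError."""
    local_ip = ipaddress.ip_address(local)    # raises ValueError on a malformed address
    remote_ip = ipaddress.ip_address(remote)
    if local_ip.version != remote_ip.version:
        raise ValueError("Local and Remote must be the same IP version")
    if local_ip == remote_ip:
        raise ValueError("Remote must be the Kaspersky Anti Targeted Attack Platform server, not this host")
    if not 1 <= index <= ERSPAN_INDEX_MAX:
        raise ValueError(f"ERSPANIndex must be in 1..{ERSPAN_INDEX_MAX}")
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("Key must fit the 32-bit GRE key field (0 when no key is used)")
    if not 0 <= prefix_len <= local_ip.max_prefixlen:
        raise ValueError("prefix length out of range for this address family")
    if not name or len(name) > 15 or any(c.isspace() or c == "/" for c in name):
        raise ValueError("interface name must be 1-15 characters without whitespace or '/'")
    netdev = (
        "[NetDev]\n"
        f"Name={name}\n"
        "Kind=erspan\n"
        "[Tunnel]\n"
        "Independent=true\n"
        f"ERSPANIndex={index}\n"
        f"Local={local_ip}\n"
        f"Remote={remote_ip}\n"
        f"Key={key}\n"
        "SerializeTunneledPackets=true\n"
    )
    network = (
        "[Match]\n"
        f"Name={name}\n"
        "[Network]\n"
        f"Address={local_ip}/{prefix_len}\n"
    )
    return {"erspan.netdev": netdev, "erspan.network": network}


def _unit_value(text: str, key: str) -> Optional[str]:
    """First 'key=value' in a unit file body, tolerating spaces around '=' as systemd does."""
    for line in text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def check_consistency(units: Dict[str, str]) -> bool:
    """Cross-check existing files: same Name in both, and Local equals the host of Address=."""
    netdev, network = units["erspan.netdev"], units["erspan.network"]
    if _unit_value(netdev, "Name") != _unit_value(network, "Name"):
        return False
    address, local = _unit_value(network, "Address"), _unit_value(netdev, "Local")
    if address is None or local is None:
        return False
    try:
        return ipaddress.ip_interface(address).ip == ipaddress.ip_address(local)
    except ValueError:
        return False


def is_rejected(**params) -> bool:
    """True if render_erspan_units refuses the parameters (used for self-checks)."""
    try:
        render_erspan_units(**params)
    except ValueError:
        return True
    return False


# Made-up sample values; use the ones configured in ArtX TLSproxy 1.9.1.
SAMPLE = dict(name="erspan0", index=1, local="192.0.2.10", remote="192.0.2.20", prefix_len=24, key=0)

if __name__ == "__main__":
    for fname, body in render_erspan_units(**SAMPLE).items():
        print(f"# /etc/systemd/network/{fname}\n{body}")
```

After writing the two files and restarting the server as described above, networkctl status <name> and ip -d link show <name> show whether the erspan interface came up with the expected local and remote addresses, which is the quickest way to confirm that the values match those set in ArtX TLSproxy.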