Managing tasks

Users with the Senior security officer role creating tasks on a server have unlimited (root) access rights for all hosts with the Endpoint Agent component that are connected to that server.

In the web interface of the application, users with the Senior security officer role can manage files and applications on hosts by creating and removing tasks.

In

distributed solution

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

multitenancy

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

• Global—Created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
• Local—Created on the SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.

Get file, Get process memory dump, Get NTFS metafiles, Get disk image, Get memory dump tasks run only on the specified host, regardless of the application operating mode.

The maximum task execution time is 24 hours. If the task did not complete in this time, execution is paused.

Users with the Senior security officer role can manage all tasks for tenants to whose data they have access.

Users with the Security officer role do not have access to tasks.

Users with the Security auditor role can view the task table and information about the selected task.

Viewing the task table

The tasks table contains a list of created tasks and is in the Tasks section of the application web interface window. You can view all tasks or only tasks created by you (current user).

You can show or hide tasks created by you using the Only mine toggle switch in the upper right corner of the window. The display of tasks created by the current user is enabled by default.

The tasks table contains the following information:

• Time—Task creation date and time.
• Type is the type of the task depending on the operating mode of the application and the server on which the task was created.

  Tasks may be one of the following types:

  • Global—Created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
  • Local—Created on the SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
• Name—Task name.

  Clicking the link with the name of the task type opens a list in which you can select one of the following actions:

  • Filter by this value.
  • Exclude from filter.
  • Copy value to clipboard.
• Details—full path to the file or data stream for which the task was created, or the path to a shared network resource.

  Clicking the link containing information about the path to the file or data stream opens a list in which you can select one of the following actions:

  • Filter by this value.
  • Exclude from filter.
  • Copy value to clipboard.
• Servers—Name of the server with the PCN or SCN role on which the task is being run.

  This field is displayed if you are using the distributed solution and multitenancy mode.

• Hosts—Name of the host on which the task is run.

  This field is displayed only if you are using a standalone Central Node server.

• Created by—Name of the user who created the task.

  If only tasks created by the current user are displayed, this column is not displayed.

• State—Task completion status.

  A task can have one of the following statuses:

  • Pending.
  • In process.
  • Completed.

Viewing information about a task

To view task details:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Select the task for which you want to view information.

This opens a window containing information about the task.

The window can contain the following information depending on the task type:

• State—Task completion status.
• Description is the task description.
• File path—Path to the file or data stream.
• Information type—Type of the collected data.
• Registry key—Path to the registry key that you want to get.
• Process ID—Process identifier.
• Mask—Mask of files that are included in the data list.
• Metafiles—NTFS metafiles that you want to get.
• Volume—name of the drive from which you want to receive metafiles, disk image, or memory dump.
• Share path—path to a shared network resource.
• Stored file—link to the file received as a result of the task execution.
• Maximum nesting level—Maximum nesting level of folders which the application searches for files.
• Exclusions—Folders in which searching and scanning files is prohibited.
• Scan scope—Folders which are scanned by YARA rules.
• Action—Action that was performed for the service.

  The application supports the following operations with services:

  • Start.
  • Stop.
  • Pause.
  • Resume.
  • Delete.
  • Modify startup type.
• Maximum scan duration—Maximum task execution time, after which the scan is stopped.
• SHA256—SHA256 hash of the file that you want to receive.
• Run as—Option to run the application using the name of the local system.
• Created by—Name of the user who created the task.
• Tenant—Name of the tenant. Displayed only when you are using the distributed solution and multitenancy mode.
• Time created—Time when the task was created.
• Time completed—Task completion time.
• Report—Task result on selected hosts.

Creating a get file task

You can retrieve a file from selected hosts with the Endpoint Agent component. To do so, you must create a get file task.

The file to be downloaded must not exceed 100 MB. If the file exceeds 100 MB, the task finishes with an error.

To create a get file task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Add button and select File in the Get data drop-down list.

   This opens the task creation window.

3. Configure the following settings:
   1. File path—Path to the file that you want to receive.

      If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.

      You can also specify the path to an

      alternate data stream

      Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

      Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

      Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

      Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

      Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

      Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

      Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

      Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

      Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

      of this file. In this case, you receive only the files of the specified stream.

      When creating a task, the application does not check if the specified path to the file that you want to receive is valid.

   2. MD5/SHA256—MD5- or SHA256 hash of the file that you want to receive. This field is optional.
   3. If you do not want to scan the file, clear the Send for scanning check box.

      The check box is selected by default.

   4. Description is the task description. This field is optional.
   5. Host is the name or IP address of the host.

      You can specify only one host.

4. Click Add.

The get file task will be created. The task runs automatically after it is created.

A file received through this task will be placed in Storage. If the get file task completed successfully, you can download the received file to your local computer.

If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.

You can also download the file from the task report window.

To download the file from the task report window:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Open the get file task that you want to download.
3. In the Report section, click the name or IP address of the host.

   This opens a window containing information about the file.

4. Click Download.

The file will be saved to your local computer in the browser's downloads folder.

Users with the Security auditor role cannot create get file tasks.

Users with the Security officer role do not have access to tasks.

Creating a forensic collection task

You can get lists of files, processes, and autorun points from selected Endpoint Agent hosts. To do so, you must create a forensic collection task.

To create a forensic collection task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Add button and select Forensics in the Get data drop-down list.

   This opens the task creation window.

3. Configure the following settings:
   1. Information type is the type of collected data. Select the check box next to one, multiple, or all settings:
      • Processes list if you want to get a list of processes running on the host at the time of the task execution.
      • Autorun points list if you want to get a list of autorun points.

        The autorun points list includes information about applications added to the startup folder or registered in the Run keys of the registry, as well as applications that are automatically run at startup of a host with the Endpoint Agent component and when a user logs in to the operating system on the specified hosts.

        List of supported autorun points

        Kaspersky Endpoint Agent supports gathering data for the following autorun points:

        • Logon.
        • Run.
        • Explorer.
        • Shell.
        • Office.
        • Internet Explorer.
        • Tasks.
        • Services.
        • Drivers.
        • Telephony.
        • Cryptography.
        • Debuggers.
        • COM.
        • Session Manager.
        • Network.
        • LSA.
        • Applications.
        • Codecs.
        • Shellex.
        • WMI.
        • Unspecified.

        Kaspersky Endpoint Security supports collecting the aforementioned autorun points as well as the following:

        • BootLog
        • Browsers
        • DriverLog
        • EfiLoader
        • GroupPolicy
        • Logon.
        • OsLoader
        • OsUpdate
        • Printer
        • Process
        • Scheduler
      • File list if you want to get a list of files stored in the selected folder or in all host folders at the time of the task execution.
   2. If you have selected the File list check box, in the Source type group of settings, select one of the following options:
      • All local disks if you want the list of files to include files stored in all folders on local disks at the time of the task execution.
      • Directory if you want the file list to include files stored in the specified folder and its subfolders at the time when the task is run.
   3. If you selected Directory, in the Start directory field, specify the path to the folder from which the file search should start.

      You can use the following prefixes:

      • System environment variables.
      • User-defined environment variables.

        When using user-defined environment variables, the list of files includes information about files in folders of all users who have set the specified environment variables. If user-defined environment variables override system environment variables, the list of files includes information about files in folders based on the values of system environment variables.

   4. In the Hosts field, enter the IP address or name of the host to which you want to assign the task.

      You can specify multiple hosts.

      If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the forensics collection task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.10 and later. Getting a list of autorun points is only supported on hosts with Kaspersky Endpoint Agent for Windows 3.12 and higher.

      If necessary, you can specify the following search criteria for files in folders:

      • Mask is the mask of files to be included in the list of files.
      • Alternative data streams is the check box that enables recording information about alternate data streams in the file list.

        If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.

        The check box is selected by default.

      • Maximum nesting level is the maximum nesting level of folders in which the application searches for files.
      • Exclusions is the path to the folders in which you want to prohibit the search for information about files.
      • Description is the task description.
4. Click Add.

The forensic collection task is created. The task runs automatically after it is created.

As a result of the task, the application places a ZIP archive in Storage; the archive contains a file with the selected data. If the task completed successfully, you can download the archive to your local computer.

Users with the Security auditor role cannot create forensic collection tasks.

Users with the Security officer role do not have access to tasks.

Creating a registry key retrieval task

You can retrieve a registry key from selected hosts with the Endpoint Agent component. To do so, you must create a registry key retrieval task.

To create a registry key retrieval task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Add button and select Registry key in the Get data drop-down list.

   This opens the task creation window.

3. Configure the following settings:
   1. Registry key is the registry key that you want to get.

      You can enter the registry key in one of the following formats:

      • Relative to the root key.

        For example, \REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.

      • Relative with full name of the root key.

        For example, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.

      • Relative with an abbreviation instead of the full name of the root key.

        For example, HKLM\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.

      If you want to get data from HKEY_CURRENT_USER, you must specify HKEY_USERS and the SID of the user: HKEY_USERS\<SID of the user>.

   2. Description is the task description. This field is optional.
   3. In the Hosts field, enter the name or IP address of the host to which you want to assign the task.

      You can specify multiple hosts.

      If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the registry key retrieval task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.13 and later.

4. Click Add.

The registry key retrieval task is created. The task runs automatically after it is created.

As a result of the task, the application places a ZIP archive in Storage; the archive contains a .reg file, which contains a list of all registry keys and values under the key that was specified when creating the task. You can download the archive to your local computer.

If the task results in an error, the archive file contains the description of the error.

Users with the Security auditor role cannot create this task.

Users with the Security officer role do not have access to tasks.

Creating an NTFS metafile retrieval task

You can retrieve NTFS metafiles from selected hosts with the Endpoint Agent component. To do so, you must create an NTFS metafile retrieval task.

To create an NTFS metafile retrieval task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Add button and select NTFS metafiles in the Get data drop-down list.

   This opens the task creation window.

3. Configure the following settings:
   1. Metafiles is the list of metafiles that you can get using the task. Select the relevant metafile by selecting the corresponding check box.

      You can select multiple metafiles.

   2. Volume is the name of the disk from which you want to get metafiles.

      By default, the system disk is specified. You can enter the path to a different disk in the <drive letter>:format.

   3. Description is the task description. This field is optional.
   4. Hostis the name or IP address of the host to which you want to assign the task.

      You can specify only one host.

      If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the NTFS metafile retrieval task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.13 and later.

4. Click Add.

The NTFS metafile creation task is created. The task runs automatically after it is created.

When the task finishes, the application places a ZIP archive containing the selected metafiles in Storage. You can download the archive to your local computer.

If the task results in an error, the archive file contains the description of the error.

If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.

If downloading selected metafiles exhausts Storage capacity, objects in Storage will be rotated. If a metafile is larger than total Storage capacity, it is not downloaded

Users with the Security auditor role cannot create this task. Users with the Security officer role do not have access to tasks.

Creating a process memory dump retrieval task

You can retrieve a process memory dump from selected hosts with the Endpoint Agent component. To do so, you must create a process memory dump retrieval task.

To create a process memory dump retrieval task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Add button and select Process memory dump in the Get data drop-down list.

   This opens the task creation window.

3. Configure the following settings:
   1. Process ID is the ID of the process for which you want to get a memory dump.
   2. MD5/SHA256 is the MD5 or SHA256 hash of the file of the process of which you want to get a memory dump. This field is optional.
   3. Description is the task description. This field is optional.
   4. Hostis the name or IP address of the host to which you want to assign the task.

      You can specify only one host.

      If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the process memory dump retrieval task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.13 and later.

4. Click Add.

The process memory dump retrieval task is created. The task runs automatically after it is created.

The task creates a ZIP archive in Storage, which contains a file with information about the process and a process memory dump file. You can download the archive to your local computer.

If the task results in an error, the archive file contains the description of the error.

If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.

Users with the Security auditor role cannot create this task.

Users with the Security officer role do not have access to tasks.

Creating a disk image retrieval task

You can retrieve a disk image from selected Kaspersky Endpoint Agent for Windows host. To do so, you must create an NTFS disk image retrieval task.

The resulting file can be saved only to a shared network resource.

To create a disk image retrieval task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Add button and select Disk image in the Get data drop-down list.

   This opens the task creation window.

3. Configure the following settings:
   1. Share path—path to a shared network resource.

      You need to specify the path in the Universal Naming Convention (UNC) format: \\server\share\path.

      If the last folder with the specified name is absent, Kaspersky Endpoint Agent will create one. If creation is unsuccessful, an error will be displayed in the web interface of Kaspersky Anti Targeted Attack Platform.

   2. User name—user name of the account used to access the shared network resource.
   3. Password—password of the account used to access the shared network resource.
   4. Under Disk type, select one of the following options:
      • Logical.
      • Physical.
   5. If you selected Logical, enter a% SystemDrive% variable or a drive letter without the colon and slash in the Volume field.
   6. If you selected Physical, enter the disk number in the Physical drive field.
   7. Select the Split file into parts check box if you want the file to be divided into multiple parts when saved.
   8. If you selected the check box, in the Part size, GB field, specify the minimum size of one part of the saved file.

      The minimum part size must be more than one gigabyte.

   9. Description is the task description. This field is optional.
   10. Host—the IP address or name of the host to which you want to assign the task.
4. Click Add.

The disk image retrieval task will be created. The task runs automatically after it is created.

The application places an archive containing a file or files in the EWF or RAW format in a network share. You can convert files from the RAW format to the EWF format.

If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.14 and later.

Users with the Security auditor role cannot create tasks.

Users with the Security officer role do not have access to tasks.

Converting a file from RAW to EWF format

Kaspersky Endpoint Security saves the disk image in the RAW format. Files can also be compressed into an archive. A special Python script allows converting files from the RAW format to the EWF format. The script constantly looks for RAW files in the specified folder. If such files are detected, the script automatically converts the files to the EWF format.

convert_to_ewf_monitor.py script

For the script to work, the following software must be installed on the computer:

• The libewf library for accessing Expert Witness Compression Format (EWF) files.

  The libewf library is open source software.

  It is recommended to place the library files and the script file in the same folder.

• The Python interpreter.

To enable the conversion of disk image files:

1. Start the command line interpreter.
2. Change to the folder where the script is located.
3. Run the following command:

   py convert_to_ewf_monitor.py --source <full path to the source files folder> [additional settings]

   EWF conversion script parameters

   Parameter	Description
   --source <full path to folder>	The full path to the folder in which the script looks for source files. The script also looks for files in subfolders at the specified path. This is a mandatory parameter.
   --destination <full path to folder>	The full path to the folder where the script saves converted files. The folder structure is preserved. By default, the script saves converted files in the folder specified in the source parameter.
   --delete	Delete source files after successful conversion. If the conversion fails, the script skips deleting the source files and you can try again.
   --ewftool <full path to folder>	The full path to the ewfacquirestream.exe file. The path must include the file name. By default, the script attempts to locate the ewfacquirestream.exe file in the folder where the script is located.
   --name_mask <regular expressions>	Regular expressions to find source files to convert. You can use this option if you need to convert individual files. By default, the script looks for files using the ^diskdump_ regular expression.
   --convert_single_dump	Find a single file to convert. After successful conversion of the single file, the script exits.
   --workers_num <number of files>	The maximum number of source files that the script can convert at the same time. You can use this setting to optimize the performance of the script. By default, the script can convert up to four files at a time.
   --log_level <log level>	Logging level. By default, the script uses the DEBUG logging level.
   --log_path <full path to folder>	The full path for saving log files. The path must include the file name of the log file. By default, the script displays events on the interpreter console.

Page top

Creating a RAM dump retrieval task

You can retrieve a RAM dump from a selected host with the Endpoint Agent component. To do so, you must create a memory dump retrieval task.

The resulting file can be saved only to a shared network resource.

To create a memory dump retrieval task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Add button and select Memory dump in the Get data drop-down list.

   This opens the task creation window.

3. Configure the following settings:
   1. Share path—path to a shared network resource.

      You need to specify the path in the Universal Naming Convention (UNC) format: \\server\share\path.

      If the last folder with the specified name is absent, Kaspersky Endpoint Agent will create one. If creation is unsuccessful, an error will be displayed in the web interface of Kaspersky Anti Targeted Attack Platform.

   2. User name—user name of the account used to access the shared network resource.
   3. Password—password of the account used to access the shared network resource.
   4. Description is the task description. This field is optional.
   5. Host—the IP address or name of the host to which you want to assign the task.
4. Click Add.

The RAM dump retrieval task is created. The task runs automatically after it is created.

As a result, the application places a RAW file or an archive that contains a RAW file on the shared network resource.

If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.14 and later.

Users with the Security auditor role cannot create tasks.

Users with the Security officer role do not have access to tasks.

Creating a process termination task

If you believe that a process running on the computer could threaten the security of the computer or the corporate LAN, you can terminate the process.

To create a process termination task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click Add and select Kill process.

   This opens the task creation window.

3. Configure the following settings:
   1. File path —Path to the file of the process that you want to terminate.

      You can also specify the path to an alternate data stream of this file. In this case, only processes of the specified data stream will be terminated. The processes of the other streams of this file will be executed.

   2. MD5/SHA256—MD5- or SHA256 hash of the file of the process that you want to terminate. This field is optional.
   3. Description is the task description. This field is optional.
   4. Task for—Task scope:
      • If you want to run the task on all hosts of all servers, select the All hosts option.
      • If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
4. Click Add.

The process termination task will be created. The task runs automatically after it is created.

Users with the Security auditor role cannot create process termination tasks.

Users with the Security officer role do not have access to tasks.

Creating a task to scan hosts using YARA rules

You can scan hosts with the Endpoint Agent component using YARA rules. To do so, you must create a Start YARA scan task. You can create the task:

• In the Tasks section.

  In this case, when creating the task, you must select YARA rules that you want to use to scan hosts.

• In the Custom rules section, YARA subsection.

  In this case, a task is created to scan hosts using selected YARA rules.

To create a task for scanning hosts with the Kaspersky Endpoint Agent component using YARA rules in the Tasks section:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click Add and select Start YARA scan.

   This opens the task creation window.

3. Configure the following settings:
   1. Select rules is the name of the rule. You can enter the name of the rule or a sequence of characters from the name of the rule, then select the rule in the list.

      You can add multiple rules.

   2. Scan is the scan scope. Select one of the following options:
      • RAM if you want to scan processes that are running at the time of the task execution.

        The application does not scan processes with a low priority.

      • Autorun points if you want to scan autorun points obtained from the Get forensics task.

        If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, this function is available only when integrated with Kaspersky Endpoint Agent 3.13 or later.

        To have autorun points scanned, you must specify hosts for which the Get forensics was previously run.

      • Specified directories if you want to scan files that are located in a specified folder and all its nested folders at the time of the task execution.
      • All local disks if you want to scan files stored in all folders on local disks at the time of the task execution.

        Scanning all local disks can cause high load on the host.

   3. If you selected RAM, if necessary, do the following:
      • In the Processes field, enter short names of processes or a mask of files that you want to scan.

        The application scans all processes with identical names that are running on the host.

        If the Processes field is left blank, the application scans all processes that were running at the time of the task execution, except processes with PID under 10 and processes listed in the Exclusions field.

      • In the Exclusions field, enter short names of processes or a mask of files that you want to exclude from scanning.

        If multiple processes with identical names are running on the host, the application excludes all such processes from scanning.

   4. If you selected Autorun points, in the Scan type field, select the scan type:
      • Quick.

        In this case, all autorun points are scanned, except COM objects.

      • Full.

        In this case, all autorun points are scanned, as well as files involved with them.

      If you are using Kaspersky Endpoint Security for Windows as the Endpoint Agent component, a full scan is performed regardless of the selected setting.

   5. If you selected Specified directories:
      • In the Specified directories field, specify the path to the directory in the format C:\<directory name>\*.
      • In the Exclusions field, specify the path to the directory in the format C:\<directory name>\*.
   6. Maximum scan duration is the maximum scan duration.

      When this time elapses, the scan is stopped even if some rules were not applied to scan the hosts. The task report contains results that are up-to-date at the moment when the scan was stopped.

   7. Description is the task description. This field is optional.
   8. Task for—Task scope:
      • If you want to run the task on all hosts of all servers, select the All hosts option.
      • If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.

        If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task for scanning Kaspersky Endpoint Agent hosts using YARA rules can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.12 and later. If you simultaneously assign a task to hosts with Kaspersky Endpoint Agent 3.12 and earlier versions of the application, the task is executed only on hosts with Kaspersky Endpoint Agent 3.12.

To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules in the Custom rules section, YARA subsection:

1. In the window of the application web interface, select the Custom rules section, YARA subsection.
2. Select check boxes to the left of rules that you want to use when scanning the hosts.

   A control panel appears in the lower part of the window.

3. Click Start YARA scan.
4. Carry out step 3 of the instruction above.

Task creation is complete. The task runs automatically after it is created.

If the scan detects any threats, Kaspersky Anti Targeted Attack Platform creates corresponding alerts.

Users with the Security auditor role cannot create a task for scanning hosts using YARA rules.

Users with the Security officer role do not have access to tasks.

Creating a service management task

You can remotely start, stop, pause, or resume a service, as well as remove a service or change its start type on selected hosts with the Endpoint Agent component. To do so, you must create a service management task.

To create a service management task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click Add and select Service management.

   This opens the task creation window.

3. Configure the following settings:
   1. In the Service name field, enter the name of the service.
   2. In the MD5/SHA256 field, enter the MD5 or SHA256 hash of the service. This field is optional.

      If you enter the hash of a service that is loaded from a DLL, Kaspersky Anti Targeted Attack Platform simultaneously compares the specified hash with the hash of the service DLL and the hash of the svchost process.

   3. In the Action field, select the operation that you want to perform on the service.

      The application supports the following operations with services:

      • Start.
      • Stop.
      • Pause.
      • Resume.
      • Delete.
      • Modify startup type.

      When you remove a service, processes that the service has started keep running until the system is restarted or the process is terminated.

   4. If you selected Modify startup type, in the Startup type, select the start type for the service.
   5. Description is the task description. This field is optional.
   6. Task for—Task scope:
      • If you want to run the task on all hosts of all servers, select the All hosts option.
      • If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.

      If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, the task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.12 and later. Hosts running earlier versions of Kaspersky Endpoint Agent for Windows are displayed in the list of hosts, but cannot be selected.

4. Click Add.

The service management task is created. The task runs automatically after it is created.

Users with the Security auditor role cannot create service management tasks.

Users with the Security officer role do not have access to tasks.

Creating an application execution task

You can create an application running task or command execution task.

If the standard output file or error output file reaches a size of 100 KB when the task is running, some of the data is deleted from the file. The file will not contain all the data.

To create a task for running an application or executing a command:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click Add and select Run application.

   This opens the task creation window.

3. Configure the following settings:
   1. In the File path and Working directory fields, enter values in one of the following ways:
      • In the File path field, enter the full path to the executable file (for example, C:\Windows\System32\ipconfig.exe). Leave the Working directory field empty.

        When creating a task, the application does not check if the specified path to the executable file is valid.

      • In the File path field, enter the name and extension of the executable file (for example, ipconfig.exe). In the Working directory field, enter the working directory (for example, C:\Windows\System32\).
   2. In the Arguments field, enter additional options for running the file or task (for example, the /all argument).
   3. In the Description field, enter the task description. This field is optional.
   4. Configure the Task for setting, that is, the task scope:
      • If you want to run the task on all hosts of all servers, select the All hosts option.
      • If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
4. Click Add.

The application running task or command execution task is created. The task runs automatically after it is created.

Users with the Security auditor role cannot create application running tasks or command execution tasks.

Users with the Security officer role do not have access to tasks.

Creating a file deletion task

To create a file deletion task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click Add and select Delete file.

   This opens the task creation window.

3. Configure the following settings:
   1. File path—Path to the file that you want to delete.

      You can also specify the path to an alternate data stream of this file. In this case, only the specified data stream will be deleted. The other data streams of this file will be left unchanged.

   2. MD5/SHA256—MD5- or SHA256 hash of the file that you want to delete. This field is optional.
   3. Description is the task description. This field is optional.
   4. Task for—Task scope:
      • If you want to run the task on all hosts of all servers, select the All hosts option.
      • If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
4. Click Add.

The file deletion task will be created. The task runs automatically after it is created.

If the file has been blocked by another process, the task will be displayed with the Completed status but the file will be deleted only after the host is restarted. It is recommended to check whether the file is successfully deleted after the host is restarted.

Deleting the file from a mapped network drive is not supported.

Users with the Security auditor role cannot create file deletion tasks.

Users with the Security officer role do not have access to tasks.

Creating a file quarantine task

If you believe that an infected or probably infected file is on the computer with the Endpoint Agent component, you can isolate it by putting it into quarantine.

To create a file quarantine task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click Add and select Quarantine file.

   This opens the task creation window.

3. Configure the following settings:
   1. In the File path field, enter the path to the file that you want to quarantine.
   2. In the MD5/SHA256 field, enter the MD5 or SHA256 hash of the file that you want to quarantine. This field is optional.
   3. Description is the task description. This field is optional.
   4. In the Hosts field, enter the name or IP address of the host to which you want to assign the task.

      You can specify multiple hosts.

   5. Click Add.

   The file quarantine task is created. The task runs automatically after it is created.

   As a result of the task:

   • The file is deleted from the folder of the computer where it is located and moved to the Quarantine directory on the same computer, which was specified during configuration of the application that is used as the Endpoint Agent component.
   • In the task list of the Tasks section of the application web interface, execution information about the task is displayed.
   • In the file list in the Storage section, Quarantine subsection, information about the quarantined file is displayed.

If the file has been blocked by another process, the task is displayed with the Completed status but the file is placed in Quarantine only after the host is restarted. It is recommended to check whether the task was successfully completed after the host is restarted.

The file quarantine task can finish with the Access denied error if you are trying to quarantine an executable file and it is currently running.

To solve this problem, create a process termination task for this file, and then try creating the file quarantine task again.

Users with the Security auditor role cannot create file quarantine tasks.

Users with the Security officer role do not have access to tasks.

Creating a quarantined file recovery task

If you believe that a previously isolated file is safe, you can restore it from Quarantine to the host.

To create a task for restoring a file from Quarantine:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click Add and select Restore file from quarantine.

   This opens the task creation window.

3. Configure the following settings:
   1. Description is the task description. This field is optional.
   2. File search—Name of the file in Quarantine.
4. Click Add.

The task for restoring a file from Quarantine is created. The task runs automatically after it is created.

After restoring a file from Quarantine to a host, metadata about the file remains in the table of objects placed in Storage.

In distributed solution and multitenancy mode, a file that is quarantined on an SCN server cannot be restored on the PCN server. You can restore the file on the SCN server on which the quarantine file task was created.

Users with the Security auditor role cannot create tasks to restore files from Quarantine.

Users with the Security officer role do not have access to tasks.

Creating a copy of a task

To copy the task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Open the task that you want to copy.
3. Click Duplicate.

   This opens the task creation window. All task settings will be copied.

4. If you want to modify task settings, edit one or more settings depending on the type of the task being copied.
5. Click Add.

A copy of the selected task will be created.

Users with the Security auditor role cannot copy tasks.

Users with the Security officer role do not have access to tasks.

Deleting tasks

If you delete a task while it is running, the task results might not be saved.

If you delete a successfully completed file download task, the file is also deleted.

To delete a task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Open the task that you want to delete.
3. Click Delete.

   This opens the action confirmation window.

4. Click Yes.

The task will be deleted.

To delete all or multiple tasks:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Select check boxes next to the tasks that you want to delete.

   You can select all tasks by selecting the check box in the row containing the headers of columns.

3. In the pane that appears in the lower part of the window, click Delete.

   This opens the action confirmation window.

4. Click Yes.

The selected tasks are deleted.

Users with the Security auditor role cannot delete tasks.

Users with the Security officer role do not have access to tasks.

Filtering tasks by creation time

To filter tasks by creation time:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Time link to open the task filtering menu.
3. Select one of the following task display periods:
   • All if you want the application to display all created tasks in the table.
   • Last hour if you want the application to display tasks that were created during the last hour in the table.
   • Last day if you want the application to display tasks that were created during the last day in the table.
   • Custom range if you want the application to display tasks that were created during a specified period in the table.
4. If you have selected the Custom range task display period:
   1. This opens the calendar; in the calendar, specify the start and end dates of the task display period.
   2. Click Apply.

   The calendar closes.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Filtering tasks by type

If you are using distributed solution and multitenancy mode, you can filter tasks by their type.

To filter tasks by type:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Type link to open the task filtering menu.
3. Select one of the following task display options:
   • All, if you want to display all tasks regardless of their type.
   • Global, if you want to display only tasks that were created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
   • Local, if you want to display only tasks that were created on a SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Filtering tasks by name

To filter tasks by name:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Name link to open the task filtering menu.
3. Select one or more check boxes:
   • Kill process
   • Run application
   • Get forensics
   • Start YARA scan
   • Service management
   • Get file
   • Delete file
   • Quarantine file
   • Restore file
4. Click Apply.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Filtering tasks by file name and path

You can filter tasks based on the Details criterion—Name and path to the file or data stream.

To filter tasks by name and path to the file or data stream:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Details link to open the task filter configuration window.
3. In the drop-down list on the right, select Details.
4. In the drop-down list on the left, select one of the following task filtering operators:
   • Contain.
   • Not contain.
   • Equal to.
   • Not equal to.
5. In the entry field, specify one or several characters of the file name or path.
6. To add a filter condition using a different criterion, click and specify the filter condition.
7. Click Apply.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Filtering tasks by description

You can filter tasks by the Description criterion, which is the task description that was added when the task was created.

To filter tasks by description:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Details link to open the task filter configuration window.
3. In the drop-down list on the left, select Description.
4. In the drop-down list on the right, select one of the following task filtering operators:
   • Contain.
   • Not contain.
   • Equal to.
   • Not equal to.
5. In the entry field, specify one or several characters of the file name or path.
6. To add a filter condition using a different criterion, click and specify the filter condition.
7. Click Apply.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Filtering tasks by server name

If you are using distributed solution and multitenancy mode, you can filter tasks based on the servers to which the tasks are applied.

To filter tasks by servers to which the tasks are applied:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Servers link to open the task filtering menu.
3. Select the check boxes next to the names of the servers whose tasks you want to display.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Filtering tasks based on the name of the user that created the task

To filter tasks based on the user name that created the task, all tasks must be displayed. If only tasks created by the current user are displayed, tasks cannot be filtered by user name.

To filter tasks by the name of the user that created the task:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the Created by link to open the task filtering menu.
3. In the drop-down list, select one of the following task filtering operators:
   • Contain
   • Not contain
4. In the entry field, specify one or several characters of the user name.
5. To add a filter condition using a different criterion, click and specify the filter condition.
6. Click Apply.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Filtering tasks by processing status

To filter tasks based on the status of their processing by the user:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click the State link to open the task filtering menu.
3. Select one or more check boxes:
   • Pending.
   • In process.
   • Completed.
4. Click Apply.

The tasks table displays only tasks matching the filter criteria you have set.

You can use multiple filters at the same time.

Clearing a task filter

To clear the task filter for one or more filtering criteria:

1. Select the Tasks section in the application web interface window.

   This opens the task table.

2. Click to the right of the header of the table column for which you want to clear the filter conditions.

   If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The tasks table displays only tasks matching the filter criteria you have set.