Kaspersky Anti Targeted Attack Platform

Active device polling jobs

Active polling jobs let you conduct a security audit of monitored devices by obtaining accurate and complete information about the devices and their configurations directly from the devices themselves. Active polling is performed using connectors. To actively poll devices, you need to add one or more Active poll connectors to the application.

Connectors provide different active polling methods. Each active polling method defines the protocol to be used as well as the commands and functions of that protocol. The built-in Active poll connector type contains a set of methods that support active polling over application-layer protocols as well as general-purpose protocols. Kaspersky Anti Targeted Attack Platform supports the following methods for active polling of devices:

  • Polling via ARP (only for computers with the kernel version 4.3 or later)
  • Polling via SMB
  • Polling via SNMP
  • Polling via SSH
  • Polling via WinRM HTTP
  • Polling via WinRM HTTPS
  • Polling via WMI

The methods let you get different sets of device information. You can select the information that you need and the methods to be used when configuring active polling.

Some methods use secrets to connect to devices. Device connections are made using credentials from secrets added to the application.

Using appropriate methods, the application can automatically update the following device information based on active polling results:

  • Name that represents the device in the application
  • Name that represents the device on the network (network name)
  • Vendor name of the device hardware
  • Model name of the device
  • Version number of the device hardware
  • Vendor name of the device software
  • Name of the device software
  • Version number of the device software
  • Address information for network interfaces of the device
  • Name of the operating system installed on the device (only for devices running Windows and Linux operating systems)

For a list of operating systems supported by the application for actively polling devices, see the Appendix.

The application does not update data for which automatic updating was disabled using the Autoupdate toggle button when the device was added or when device information was edited. The application also evaluates the accuracy of received device information and in some cases may not update previously received information.

Some active polling methods support detecting risks and modifying the topology map with the obtained device information.

You can manually run security audit jobs or configure a schedule to automatically run each job. Only users with the Senior security officer role can run active polling jobs.

When using the active polling functionality, you must keep in mind the following special considerations and limitations:

  • The functionality becomes available after adding a license key.
  • Application modules of connectors that are used for active polling of devices need network access to the devices to send requests to and receive data from the devices. If the application modules are running on the host with installed application components, to ensure network access to devices, this computer must have a network interface with a connection to the network of the devices to be polled. Network interfaces of monitoring points cannot be used for this purpose if these network interfaces receive mirrored corporate LAN traffic (for example, from SPAN ports of network switches).
  • Unexpected problems may arise when actively polling devices if these devices misinterpret the commands of the active poll. The problems may be caused by misconfiguration or highly specialized configuration of devices. Problems can also arise due to hidden errors in the network configuration that do not manifest during normal communication of devices. Therefore, active polling of a device involves the risk of the following potential consequences:
    • The device powering off
    • Connectivity being lost with the device
    • Complete or partial device malfunction
    • Slower-than-normal operation
    • Other potential faults of the network and equipment

In this section

Adding active polling job

Editing an active polling job

Viewing the table of active polling jobs

Starting and stopping active polling jobs

Viewing general information about the active polling job runs

Viewing a report on the active polling job execution

Deleting active polling jobs