Kaspersky Anti Targeted Attack Platform can monitor file execution on devices known to the application. File execution is monitored based on information received from EPP applications. Based on this information, the application generates a table of executable files.
To automatically get information about file execution from EPP applications, the following conditions must be satisfied:
Endpoint Agent must be installed on the devices.
Asset Management methods must be enabled to detect device activity and device information.
For the table of executable files, the following restrictions on the number of items and storage durations apply:
The total number of executable files may not exceed 100,000.
If the maximum number of executable files is reached, the application automatically removes 10% of the oldest entries.
The maximum storage duration of an executable file before information about its execution is received again is 90 days.
If new information about file execution is not received before the maximum storage duration expires, the application automatically removes the entry of this file.
If necessary, users with the Administrator role can delete executable files manually.
To view the table of executable files:
Select the Assets section in the application web interface window.
Go to the Executable files tab.
The table of executable files is displayed.
When viewing the table of executable files, you can configure, filter, search, and sort the files, as well as navigate to related items.
The table displays the following information:
File ID is the file ID assigned in Kaspersky Anti Targeted Attack Platform.
Device is the name and address of the device.
Name is the name and version of the application, or the file name.
Data received is the date and time when the information about the file was last received.
Product is the name of the software product saved in the operating system of the device.
Product version is the version of the software product saved in the operating system of the device.
Vendor is the name of the vendor of the application.
Path is the full path to the file.
File size is the amount of disk space occupied by the file.
MD5 hash is the checksum of the file calculated using the MD5 hashing algorithm.
SHA256 hash is the checksum of the file calculated using the SHA256 hashing algorithm.
Signature is the result of verifying the digital signature of the file: Valid (if the digital signature was verified successfully) or Invalid (for example, if the certificate has expired).
Created is the date and time when the file was created.
Changed is the date and time the file was last modified.
Origin is the source of information about the file.