[Topic 246841]

Kaspersky Anti Targeted Attack Platform Help

New functions

• What's new in the Kaspersky Anti Targeted Attack Platform
  
  

Hardware and software requirements

• Hardware and software requirements
• Compatibility of the Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent for Windows
• Compatibility of the Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Security for Windows, Linux, and Mac
  
  

Licensing

• Licensing the Kaspersky Anti Targeted Attack Platform
  
  

Getting started

• Distributed solution and multitenancy
• Sizing the Kaspersky Anti Targeted Attack Platform
• Installation and initial configuration of the Kaspersky Anti Targeted Attack Platform
• Configuring the integration of Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent component
  
  

Getting started in the Kaspersky Anti Targeted Attack Platform web interface

• Getting started with the application web interface — For administrators
• Getting started with the application web interface — For security officers
  
  

Additional features

• Managing the Sandbox component through the web interface
• Interaction with external systems via API
  
  

Update

• Updating the previous version of the Kaspersky Anti Targeted Attack Platform
  
  

Contacting the Technical Support Service

• How to obtain Technical Support
  
  

[Topic 246848]

Kaspersky Anti Targeted Attack Platform

Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the application") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The solution is developed for corporate users.

The Kaspersky Anti Targeted Attack Platform solution includes three functional blocks:

• Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
• Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"), which provides protection for the local area network of the organization.
• Network Detection and Response (hereinafter also referred to as "NDR"), which provides protection of the corporate LAN.

The solution can receive and process data in the following ways:

• Integrate into the local area network, receive and process mirrored
  SPAN, ERSPAN and RSPAN traffic

  

  A copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.

  Kaspersky Anti Targeted Attack Platform supports receiving mirrored traffic from aggregating devices: a network packet broker or a network tap. If filtering is to be applied to traffic coming from aggregating devices, the hardware requirements of Kaspersky Anti Targeted Attack Platform must be adjusted. To determine the actual hardware requirements of the solution, we recommend doing a pilot deployment first.

  

  A copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.

  Kaspersky Anti Targeted Attack Platform supports receiving mirrored traffic from aggregating devices: a network packet broker or a network tap. If filtering is to be applied to traffic coming from aggregating devices, the hardware requirements of Kaspersky Anti Targeted Attack Platform must be adjusted. To determine the actual hardware requirements of the solution, we recommend doing a pilot deployment first.

  , and extract objects and metadata from the HTTP, HTTP2, FTP, SMTP, DNS, SMB, and NFS protocols.
• Connect to the proxy server via the ICAP protocol, receive and process data of HTTP, HTTP2, and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
• Connect to the mail server via the POP3 (S) and SMTP protocols, receive and process copies of e-mail messages.
• Integrate with Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, receive, and process copies of email messages.
• Receive and process copies of network traffic obtained from a remote location using the Kaspersky SD-WAN application. This functionality improves the flexibility of detecting and monitoring network activity, allowing you to analyze traffic from different points on the network and take appropriate action to ensure network security.

  For detailed information on Kaspersky Secure Mail Gateway, Kaspersky Security for Linux Mail Server and Kaspersky SD-WAN, please refer to the documentation of these applications.

• Integrate with Kaspersky Endpoint Agent and Kaspersky Endpoint Security and receive data (events) from individual computers running Microsoft Windows, Linux, and Mac operating systems in the corporate IT infrastructure. These applications continuously monitor processes running on those computers, active network connections, and files that are modified.
• Integrate with external systems with the use of the REST API interface and scan files on these systems.

The solution uses the following means of Threat Intelligence:

• Infrastructure of Kaspersky Security Network (also referred to as "KSN") cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
• Integration with Kaspersky Private Security Network (KPSN) to access the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
• Integration with the Kaspersky information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
• IOC (Indicators of Compromise). Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, which is an open standard for describing indicators of compromise. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the application considers the event to be an alert.
• IOA (Indicators of Attack). Kaspersky Anti Targeted Attack Platform scans the Events database of the application and marks events or event chains that match behaviors described by TAA (IOA) rules.

The solution can detect the following events that occur within the corporate IT infrastructure:

• A file has been downloaded or an attempt was made to download a file to a corporate LAN computer.
• A file has been sent to the email address of a user on the corporate LAN.
• A website link was opened on a corporate LAN computer.
• Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected.
• Processes have been started on a corporate LAN computer.

The application can provide the results of its operation and Threat Intelligence to the user in the following ways:

• Display the results of work done in the web interface of the Central Node, Primary Central Node (hereinafter also PCN) or Secondary Central Node (hereinafter also SCN) servers.
• Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
• Integrate with external systems via the REST API and send information on alerts generated by the solution to external systems on demand.
• Publish information on Sandbox component alerts in the local reputation database of Kaspersky Private Security Network.

Users with the Senior security officer or Security officer role can perform the following actions in the application:

• Monitor the components of the solution.
• View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, view and manage each alert, and follow recommendations for evaluating and investigating incidents.
• Look through the table of events occurring on computers and servers of the corporate IT infrastructure, search for threats, filter, view and manage each event, follow recommendations for evaluating and investigating incidents.
• Run tasks on computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security: run applications and stop processes, download and delete files, quarantine objects on computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security, place copies of files in Storage of Kaspersky Anti Targeted Attack Platform, and restore files from quarantine.
• Set up policies for preventing the running of files and processes that they consider to be unsafe on selected computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security.
• Isolate individual computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security from the network.
• Work with TAA (IOA) rules to classify and analyze events.
• Manage user-defined Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA rules — upload rules to be used for scanning events and creating alerts.
• Work with OpenIOC compliant files (IOC files) to search for signs of targeted attacks, infected and probably infected objects on hosts with the Endpoint Agent component and in the Alerts database.
• Exclude TAA (IOA) rules and IDS rules defined by Kaspersky from scanning.
• Manage objects in quarantine and copies of objects in Storage.
• Manage reports about application performance and alerts.
• Configure the sending of notifications about alerts and problems encountered by the application to email addresses of users.
• Manage the list of VIP alerts and the list of data excluded from the scan, and populate the local reputation database of KPSN.
• Store and download copies of raw network traffic for analysis in external systems.

Users with the Security auditor role can perform the following actions in the application:

• Monitor the components of the solution.
• View the table of detected signs of targeted attacks and intrusions into the enterprise IT infrastructure, filter and search alerts, and view the data of each alert.
• Look through the table of events occurring on the computers and servers of the enterprise IT infrastructure, search for threats, filter and view each event.
• View the list of hosts with the Endpoint Agent component and information about selected hosts.
• View user-defined rules for Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA.
• View the scan-excluded TAA (IOA) rules and IDS rules defined by Kaspersky experts.
• View reports about application performance and alerts.
• View the list of VIP alerts and the list of data excluded from the scan.
• View all settings made in the application web interface.
• Store and download copies of raw network traffic for analysis in external systems.

Users with the Administrator role can perform the following actions in the application:

• Edit application settings.
• Configure servers for the distributed solution and multitenancy mode.
• Set up the integration of the application with other applications and systems.
• Manage TLS certificates and set up trusted connections between the Central Node server and the Sandbox server, between Kaspersky Anti Targeted Attack Platform servers and the Endpoint Agent component, and with external systems.
• Manage accounts of application users.
• Monitor application health.

[Topic 247269]

What's new

Kaspersky Anti Targeted Attack Platform 7.0.3 introduces the following new features:

1. Improved performance of Kaspersky Anti Targeted Attack Platform
2. Fixed errors when displaying information about network sessions.
3. Fixed errors that occurred when installing or upgrading Kaspersky Anti Targeted Attack Platform.
4. Fixed vulnerabilities in the Suricata module.
5. Optimized rules for combining events.
6. Fixed the unstable display of virtual machine status.
7. Fixed the single sign-on (SSO) authentication error.
8. Fixed an error when registering events in network traffic.
9. Fixed an error when a user with the Security officer role tries to gain access to sections of custom rules.
10. Fixed the display of information about mirrored traffic from SPAN ports in the Dashboard section of the web interface.

Kaspersky Anti Targeted Attack Platform 7.0.1 now has the following new features:

1. A download of mirrored traffic is completed correctly even if the next download request arrives before the previous request has completed.
2. When searching for network packets for the last hour, all records that match the search criteria are displayed.
3. In a cluster configuration, when integrated with a mail server, the error when sending email messages is now fixed.
4. Fixed the error of the Embedded Sensor component that occurred after upgrading the Central Node component, which was used in distributed solution or multitenancy mode, to version 7.0.
5. Now, when deploying a cluster, you can select the localization language for the NDR functionality.

Kaspersky Anti Targeted Attack Platform 7.0 now has the following new features:

1. Now you can connect up to 150 SCN servers to a single PCN server in distributed solution and multitenancy mode.
2. Now you can deploy the application in the following virtualization systems: "Brest" virtualization software, "RED Virtualization", zVirt Node.
3. Now you can use the following localizations in custom operating system images with no impact on object scanning quality: Chinese (simplified), Arabic, and Spanish (Mexico).
4. Now you can manually send files for scanning in Sandbox from hosts on which Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Linux are used in the role of the Endpoint Agent component.
5. Now you can create a TAA (IOA) rule based on event search conditions from a YAML file with a Sigma rule.
6. Expanded list of fields available for event search in source code mode in the Threat Hunting section.
7. Expanded functionality for the Endpoint Agent represented by Kaspersky Endpoint Security for Windows 12.7:
   • New event types supported: Code injection, Named pipe, WMI, LDAP, DNS, Process access.
   • New subtypes of the File modified event: File read, Hard link created, Symbolic link created.
   • New subtypes of the Registry modified event: Registry key renamed, Registry key saved.
   • New fields for the Module loaded and Connection to remote host events.
8. Expanded functionality for the Endpoint Agent represented by Kaspersky Endpoint Security for Linux 12.2:
   • New event types: Connection to remote host, Port listened, Module loaded, DNS, Process access.
   • New subtype of the File modified event: File read.
   • Now you can quarantine an object.
   • Now you can create prevention rules.
9. Now you can enforce the user account password change.
10. Scanning of encrypted archives downloaded from an URL in an email message is now supported.
11. Now you can apply response actions to multiple devices.
12. Expanded NDR functionality:
    • Now you can view events in network traffic.
    • The table of alerts now displays External Analysis alerts.
    • Added an inventory of devices on the local network of the organization.
    • Now you can view the following device information:
      • User accounts registered in the operating systems of the devices.
      • File execution on devices.
      • Address spaces of devices.
      • Now you can display risks associated with devices.
      • Dynamic IP addressing of devices is now supported.
      • Now you can monitor the network activity of devices on the network map.
      • Devices can now be actively polled to enrich information in the list of devices and build the network topology map.
      • Added the ability to analyze network sessions.
      • Now you can identify the name of the transport protocol that was used in a network session.
      • Now you can identify the name of the application-layer protocol that was used in a network session.
      • Now you can find sessions by network packets in the traffic storage, as well as download the data of individual network packets and sessions to a file.
      • New types of reports.
13. Updated logic for managing custom IDS rules.
14. Different ports are now used for the interaction between the Central Node and Sensor components:
    • For the Central Node server, inbound connections must be allowed to TCP ports 13520 and 7423.
    • For the Sensor server, outbound connections to TCP ports 13520 and 7423 and inbound connections to TCP port 9443 must be allowed.
    • In the distributed solution and multitenancy mode, you must enable inbound and outbound connections for TCP ports 11000:11006 on PCN and SCN servers.

Changes in Kaspersky Endpoint Agent 3.16 for Windows:

You can view the list of changes in Kaspersky Endpoint Agent 3.16 for Windows in the Kaspersky Endpoint Agent for Windows Online Help.

Changes in Kaspersky Endpoint Security 12.7 for Windows:

You can view the list of changes in Kaspersky Endpoint Security 12.5 for Windows in the Kaspersky Endpoint Security for Windows Online Help.

Changes in Kaspersky Endpoint Security 12.2 for Linux:

You can view the list of changes in Kaspersky Endpoint Security 12 for Linux in the Kaspersky Endpoint Security for Linux Online Help.

[Topic 157533]

About Kaspersky Threat Intelligence Portal

For additional information about files that you consider to be suspicious, you can go to the website of the Kaspersky application Kaspersky Threat Intelligence Portal, which analyzes each file for malicious code and shows information about the reputation of the file.

Access to the Kaspersky Threat Intelligence application is provided for a fee. Authorization on the application website requires that an application access certificate is installed in the certificate storage on your computer. In addition, you must have a user name and password for access to the application.

For more details about the Kaspersky Threat Intelligence Portal, please visit the Kaspersky website.

[Topic 247444]

Distribution kit

The Kaspersky Anti Targeted Attack Platform distribution kit includes the following files:

1. Disk image (file with the iso extension) containing the installation files for the Ubuntu Server 22.04 operating system and for the Sensor, Central Node, Sandbox components.
2. Archive (.tar.gz file) of the Sensor, Central Node components for creating an iso image based on Astra Linux Special Edition 1.7.5.
3. Archive (.tar.gz file) of the Sandbox component for creating an iso image based on Astra Linux Special Edition 1.7.5.
4. Disk images (.iso files) of operating systems in which the Sandbox component runs files.
5. Utility (.tar file) for creating an iso image based on Astra Linux Special Edition 1.7.5.
6. Update package for the Central Node component based on the Ubuntu and Astra Linux operating systems.
7. File with information about third-party code used in Kaspersky Anti Targeted Attack Platform.

The Kaspersky Endpoint Agent distribution kit includes the following files:

Kaspersky Endpoint Agent distribution kit

[Topic 247120]

Hardware and software requirements

Software requirements for virtual platforms for installing Kaspersky Anti Targeted Attack Platform

You can deploy the application on the following virtual platforms:

• VMware ESXi 6.7.0 or 7.0
• "Brest" 3.3 virtualization software
• "RED Virtualization" 7.3
• zVirt Node 4.2

When deploying the application on a VMware ESXI virtual platform, you must install the current update package for the hypervisor.

If you want to deploy the application on the Astra Linux operating system in a VMware ESXI hypervisor, you need to ensure that the server hardware you are using is compatible with the Astra Linux operating system. For a full list of supported server hardware, please refer to the Astra Linux developer website.

When deploying the application on the "Brest", zVirt Node, and "RED Virtualization" virtual platforms, the following limitations apply:

• If you want to use the Sandbox component on the "Brest" virtual platform, zVirt Node, or "RED Virtualization", you must additionally configure the time for scanning objects using the component to increase the probability of detection. To configure it, please contact Technical Support.
• High availability deployment of the application is not supported on zVirt Node or "RED Virtualization" virtual platforms.

For the Central Node, Sensor and Sandbox hardware requirements see the Sizing Guide.

Hardware and software requirements for installing the Endpoint Agent component

The hardware and software requirements of the Endpoint Agent component reflect the hardware and software requirements of the applications that act as the Endpoint Agent component, and are described in the documentation of these applications:

• Kaspersky Endpoint Agent for Windows.
• Kaspersky Endpoint Security for Windows.
• Kaspersky Endpoint Security for Linux.
• Kaspersky Endpoint Security for Mac.

Hardware and software requirements for using the web interface of Kaspersky Anti Targeted Attack Platform

One of the following browsers must be installed on the computers in order to configure and manage the application using the web interface:

• Mozilla Firefox for Linux.
• Mozilla Firefox for Windows.
• Google Chrome for Windows.
• Google Chrome for Linux.
• Edge (Windows).
• Safari (Mac).

Minimum screen resolution to use web interface: 1366x768.

[Topic 247280]

Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

The Kaspersky Endpoint Agent application uses predefined settings that determine the impact that it has on the performance of the local computer under scenarios of information retrieval and interaction with the Central Node component.

If the version of Kaspersky Anti Targeted Attack Platform installed on Central Node servers is incompatible with the version of Kaspersky Endpoint Agent installed on computers on the corporate LAN, the functionality of Kaspersky Anti Targeted Attack Platform may be limited.

Information about the compatibility of Kaspersky Endpoint Agent component versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

Limited compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

• Integration of Kaspersky Endpoint Agent 3.12 with Kaspersky Anti Targeted Attack Platform 4.1.

  The scope of data sent by Kaspersky Endpoint Agent is limited:

  • Scanning autorun points using the Start YARA scan task is not supported.
  • The tasks Get NTFS metafiles, Get process memory dump, Get registry key are not supported.
• Integration of Kaspersky Endpoint Agent 3.12 with Kaspersky Anti Targeted Attack Platform 5.0–6.1.

  The scope of data sent by Kaspersky Endpoint Agent is limited:

  • Scanning autorun points using the Start YARA scan task is not supported.
  • The following tasks are not supported: Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump.
  • Event information is not transmitted for the Process terminated event.
• Integration of Kaspersky Endpoint Agent 3.12 with Kaspersky Anti Targeted Attack Platform 7.0.

  The scope of data sent by Kaspersky Endpoint Agent is limited:

  • Scanning autorun points using the Start YARA scan task is not supported.
  • The following tasks are not supported: Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump.
  • Information about the following events is not transmitted: Process terminated, Named pipe, WMI, LDAP, DNS, Process access.
  • For the File modified event, information about the following subtypes is not transmitted: File read, Hard link created, Symbolic link created.
  • For the Registry modified event, information about the following subtypes is not transmitted: Registry key renamed, Registry key saved.
• Integration of Kaspersky Endpoint Agent 3.13 with Kaspersky Anti Targeted Attack Platform 4.0.

  A server of this Kaspersky Anti Targeted Attack Platform version can receive a limited scope of data from the Kaspersky Endpoint Agent application: Get NTFS metafiles, Get process memory dump, Get registry key tasks cannot be created in the web interface of the application.

• Integration of Kaspersky Endpoint Agent 3.13 with Kaspersky Anti Targeted Attack Platform 4.1–6.1.

  Kaspersky Endpoint Agent does not support the creation of the following tasks: Get disk image, Get memory dump.

• Integration of Kaspersky Endpoint Agent 3.14 with Kaspersky Anti Targeted Attack Platform 4.0.

  The server of this Kaspersky Anti Targeted Attack Platform version can receive a limited scope of data from the Kaspersky Endpoint Agent application: creation of Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump tasks is not available in the web interface of the application.

• Integration of Kaspersky Endpoint Agent 3.14 with Kaspersky Anti Targeted Attack Platform 4.1.

  A server of this Kaspersky Anti Targeted Attack Platform version can receive a limited scope of data from the Kaspersky Endpoint Agent application: the tasks Get disk image and Get memory dump cannot be created in the web interface of the application.

• Integration of Kaspersky Endpoint Agent 3.12–4.0 with Kaspersky Anti Targeted Attack Platform 7.0.

  The scope of data sent by Kaspersky Endpoint Agent is limited:

  • Information about the following events is not transmitted: Named pipe, WMI, LDAP, DNS, Process access.
  • For the File modified event, information about the following subtypes is not transmitted: File read, Hard link created, Symbolic link created.
  • For the Registry modified event, information about the following subtypes is not transmitted: Registry key renamed, Registry key saved.

[Topic 247216]

Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications

If you want to use the Kaspersky Endpoint Agent application as the Endpoint Agent component, you can install just the Kaspersky Endpoint Agent, or configure the integration of Kaspersky Endpoint Agent with workstation protection applications (Endpoint Protection Platform, hereinafter also "EPP"), Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Server, and Kaspersky Security for Virtualization Light Agent. If the integration of applications is configured, Kaspersky Endpoint Agent also sends the information about threats detected by EPP applications and their processing results to the Central Node server.

The integration scenarios described above do not work when Kaspersky Endpoint Agent is installed on a virtual desktop in Virtual Desktop Infrastructure.

Integration of Kaspersky Endpoint Agent with Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server requires installing Kaspersky Endpoint Agent as part of those applications.

Compatibility of Kaspersky Endpoint Agent for Windows with versions of Kaspersky Security for Windows Server

You can install the following versions of Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server:

• Kaspersky Endpoint Agent 3.9 as part of Kaspersky Security 11 for Windows Server.
• Kaspersky Endpoint Agent 3.10 as part of Kaspersky Security 11.0.1 for Windows Server.

When you install Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server, the standalone Kaspersky Endpoint Agent of the same or earlier version is removed. If Kaspersky Endpoint Agent installed as part of Kaspersky Security for Windows Server has an earlier version, it will not be installed. In this case, you must first remove the standalone Kaspersky Endpoint Agent application.

If necessary, you can upgrade the Kaspersky Endpoint Agent application that is already installed as part of Kaspersky Security for Windows Server. Integration between compatible versions of the applications is maintained both when Kaspersky Endpoint Agent is upgraded and when Kaspersky Security for Windows Server is upgraded.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Windows Server versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Windows Server versions

When integrating with Kaspersky Endpoint Agent 3.13–3.16, Kaspersky Security for Windows Server does not transmit event information of the AMSI scan event.

For more details about installing Kaspersky Security for Windows Server, see Kaspersky Security for Windows Server Help.

Compatibility of Kaspersky Endpoint Agent for Windows with versions of Kaspersky Endpoint Security for Windows

You can install the following versions of Kaspersky Endpoint Agent (Endpoint Sensors) as part of Kaspersky Endpoint Security for Windows:

• Kaspersky Endpoint Agent 3.7 or Kaspersky Endpoint Agent (Endpoint Sensors) 3.6.1 as part of Kaspersky Endpoint Security 11.2, 11.3 for Windows.

  Kaspersky Endpoint Agent (Endpoint Sensors) 3.6.1 is not compatible with Kaspersky Anti Targeted Attack Platform version 4.1 or higher.

  Kaspersky Endpoint Agent 3.7 is not compatible with all versions of Kaspersky Anti Targeted Attack Platform.

• Kaspersky Endpoint Agent 3.9 as part of Kaspersky Endpoint Security 11.4, 11.5.
• Kaspersky Endpoint Agent 3.10 as part of Kaspersky Endpoint Security 11.6.
• Kaspersky Endpoint Agent 3.11 as part of Kaspersky Endpoint Security 11.7, 11.8.

When you install Kaspersky Endpoint Agent 3.10 or later as part of Kaspersky Endpoint Security for Windows, the standalone Kaspersky Endpoint Agent application of the same or earlier version is removed. If the separately installed Kaspersky Endpoint Agent has a later version, the application bundled with Kaspersky Endpoint Security for Windows is not installed. In this case, you must first remove the standalone Kaspersky Endpoint Agent application.

If necessary, you can upgrade the Kaspersky Endpoint Agent application that is already installed as part of Kaspersky Endpoint Security for Windows. Integration between compatible versions of the applications is maintained both when Kaspersky Endpoint Agent is upgraded and when Kaspersky Endpoint Security for Windows is upgraded. You can upgrade a previous version of Kaspersky Endpoint Agent to version 3.14 only for Kaspersky Endpoint Agent version 3.7 or higher.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Endpoint Security for Windows versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions with Kaspersky Endpoint Security for Windows versions

For more details about installing Kaspersky Endpoint Security, see Kaspersky Endpoint Security for Windows Help.

Compatibility of Kaspersky Endpoint Agent with versions of Kaspersky Security for Virtualization Light Agent

You can configure the integration of separately installed Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Virtualization Light Agent versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions and Kaspersky Security for Virtualization Light Agent versions

Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent installed on a virtual machine generate the same load on the Central Node server as Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent installed on the host.

For more details about enabling the integration of Kaspersky Endpoint Agent with Kaspersky Security for Virtualization Light Agent, see Kaspersky Security for Virtualization Light Agent Help.

Compatibility of Kaspersky Endpoint Agent with versions of Kaspersky Industrial CyberSecurity for Nodes

You can install Kaspersky Endpoint Agent on a device with Kaspersky Industrial CyberSecurity for Nodes installed. The applications are integrated automatically.

Compatibility of Kaspersky Endpoint Agent versions with versions of Kaspersky Industrial CyberSecurity for Nodes

To integrate with Kaspersky Industrial CyberSecurity for Nodes, the corresponding license key must be installed in the Kaspersky Endpoint Agent.

For detailed information, you can contact your account manager.

[Topic 246849]

Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions

You can use Kaspersky Endpoint Security as the Endpoint Agent component.

Information about the compatibility of Kaspersky Endpoint Security versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions

To integrate Kaspersky Endpoint Security 12.1 or later with Kaspersky Anti Targeted Attack Platform, you do not need to install Kaspersky Endpoint Agent.

Starting from version 12.8, Kaspersky Endpoint Security for Windows can be used as the Light Agent for Windows component for the Kaspersky Security for Virtualization application. For more details about the integration, see Kaspersky Security for Virtualization Light Agent Help.

Limited compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions

• Integration of Kaspersky Endpoint Security 12.1–12.6 with Kaspersky Anti Targeted Attack Platform 7.0.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Information about the following events is not transmitted: DNS, Code injection, Named pipe, WMI, LDAP.
  • For the File modified event, information about the following subtypes is not processed: File read, Hard link created, Symbolic link created.
  • For the Registry modified event, information about the following subtypes is not processed: Registry key renamed, Registry key saved.
  • New fields are not available for the Module loaded and Connection to remote host events.
• Integration of Kaspersky Endpoint Security 12.7–12.8 with Kaspersky Anti Targeted Attack Platform 5.1–6.1.

  The server of these Kaspersky Anti Targeted Attack Platform versions can receive a limited scope of data from the Kaspersky Endpoint Security application:

  • Information about the following events is not processed: Named pipe, WMI, LDAP, DNS, Code injection.
  • For the File modified event, information about the following subtypes is not processed: File read, Hard link created, Symbolic link created.
  • For the Registry modified event, information about the following subtypes is not processed: Registry key renamed, Registry key saved.
  • New fields are not available for the Module loaded and Connection to remote host events.

[Topic 247128]

Compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions

You can use Kaspersky Endpoint Security as the Endpoint Agent component.

Information about the compatibility of Kaspersky Endpoint Security versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions

To integrate Kaspersky Endpoint Security with Kaspersky Anti Targeted Attack Platform, you do not need to install the Kaspersky Endpoint Agent.

Starting from version 12, Kaspersky Endpoint Security for Linux can be used as the Light Agent for Linux component for the Kaspersky Security for Virtualization application. For more details about the integration, see Kaspersky Security for Virtualization Light Agent Help.

When Kaspersky Endpoint Security for Linux is used as the Light Agent for Linux component, the integration of Kaspersky Endpoint Security for Linux with Kaspersky Anti Targeted Attack Platform is retained.

Limited compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions

• Integration of Kaspersky Endpoint Security 11.4 with Kaspersky Anti Targeted Attack Platform 5.1–6.1.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of network isolation rules is not supported.
  • Creation of prevention rules is not supported.
  • Searching for indicators of compromise on computers using IOC files is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Kill process, Get forensics, Start YARA scan, Delete file, Quarantine file, Restore file from quarantine, Manage services, Get disk image, Get memory dump.
• Integration of Kaspersky Endpoint Security 12, 12.1, 12.2 with Kaspersky Anti Targeted Attack Platform 6.0–6.1.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Get forensics, Start YARA scan, Quarantine file, Restore file from quarantine, Manage services, Get disk image, Get memory dump.
• Integration of Kaspersky Endpoint Security 12.1 with Kaspersky Anti Targeted Attack Platform 5.1.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of prevention rules is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Get forensics, Get registry key, Get NTFS metafiles, Get process memory dump, Get disk image, Get memory dump, Kill process, Start YARA scan, Manage services, Quarantine file, Restore file from quarantine.
• Integration of Kaspersky Endpoint Security 11.4 with Kaspersky Anti Targeted Attack Platform 7.0.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of network isolation rules is not supported.
  • Creation of prevention rules is not supported.
  • Searching for indicators of compromise on computers using IOC files is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan, Named pipe, WMI, LDAP.
  • Creation of the following tasks is not supported: Kill process, Get forensics, Start YARA scan, Delete file, Quarantine file, Restore file from quarantine, Manage services, Get disk image, Get memory dump.
• Integration of Kaspersky Endpoint Security 12, 12.1, 12.2 with Kaspersky Anti Targeted Attack Platform 7.0.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan, Named pipe, WMI, LDAP.
  • Creation of the following tasks is not supported: Get forensics, Start YARA scan, Quarantine file, Restore file from quarantine, Manage services, Get disk image, Get memory dump.

[Topic 252759]

Compatibility of Kaspersky Endpoint Security for Mac with Kaspersky Anti Targeted Attack Platform versions

You can use Kaspersky Endpoint Security for Mac as the Endpoint Agent component.

Information about the compatibility of Kaspersky Endpoint Security for Mac versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Security for Mac with Kaspersky Anti Targeted Attack Platform versions

Limited compatibility of Kaspersky Endpoint Security for Mac versions with Kaspersky Anti Targeted Attack Platform versions

• Integration of Kaspersky Endpoint Security 12–12.1 with Kaspersky Anti Targeted Attack Platform 6.0–6.1.
  • Creation of network isolation rules is not supported.
  • Creation of prevention rules is not supported.
  • Searching for indicators of compromise on computers using IOC files is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Kill process, Get forensics, Start YARA scan, Delete file, Quarantine file, Restore file from quarantine, Manage services, Get disk image, Get memory dump.
• Integration of Kaspersky Endpoint Security 12–12.1 with Kaspersky Anti Targeted Attack Platform 7.0.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of network isolation rules is not supported.
  • Creation of prevention rules is not supported.
  • Searching for indicators of compromise on computers using IOC files is not supported.
  • Event information is not transmitted for the following events: Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan, DNS, Code injection, Named pipe, WMI, LDAP.
  • Creation of the following tasks is not supported: Kill process, Get forensics, Start YARA scan, Delete file, Quarantine file, Restore file from quarantine, Manage services, Get disk image, Get memory dump.

[Topic 264169]

Compatibility of KUMA versions with versions of Kaspersky Anti Targeted Attack Platform

You can use KUMA as a SIEM system.

Information about the compatibility of KUMA versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of KUMA versions with versions of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 264174]

Compatibility of XDR versions with versions of Kaspersky Anti Targeted Attack Platform

You can use XDR as a SIEM system.

Information about the compatibility of XDR versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of XDR versions with versions of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 264175]

Compatibility of KPSN versions with versions of Kaspersky Anti Targeted Attack Platform

You can use Kaspersky Private Security Network (KPSN) instead of Kaspersky Security Network (KSN) to avoid sending your organization's data beyond the corporate LAN.

Information about the compatibility of KPSN versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of KPSN versions with versions of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 264697]

Compatibility of Kaspersky Anti Targeted Attack Platform with VK Cloud

Kaspersky Anti Targeted Attack Platform supports deployment on the VK Cloud platform.

When deploying the application, you can connect Sandbox components to the Central Node component.

The following restrictions apply when deploying Kaspersky Anti Targeted Attack Platform for integration with VK Cloud:

• Only the KATA functional block is supported.
• Only the certified version of the application based on Astra Linux is supported.
• Only the non-high-availability version of the application is supported.
• You can configure integration only with an external KSMG system. For more details on integration, see KSMG Help.
• You can use the distributed solution mode only if you are using the KSMG integration.

For the Sandbox component to work, the following requirements must be met:

• Nested virtualization must be enabled for the virtual machine.
• The network interface settings must be correctly configured to provide Internet access to objects being processed.

  Windows images can only be activated if the network interface is configured correctly.

• The network interface used for Internet access of processed objects must be isolated from the local network of your organization.
• The network interface used by processed objects for Internet access must be connected to a subnet that is not the same as the subnet to which the control interface is connected.
• We do not recommend using a static public IP address for the network interface that handles Internet access of the objects being processed.

[Topic 247274]

Limitations

Kaspersky Anti Targeted Attack Platform 7.0.3 has the following known limitations:

1. Sigma rules relying on data sources other than System Monitor (Sysmon) and Windows Event Log are not supported.
2. Correlation Sigma rules are not supported.
3. As part of integration with the NDR functional block, up to 1000 Endpoint Agent components can be connected to a single Central Node component. If you want to connect more components, please contact Technical Support.
4. In a file alert created based on the results of scanning a copy of web traffic, the User name field is empty if the user is authenticated on the proxy server with basic authentication.
5. Information about the Endpoint Agent component is not displayed in the Processed widget on the Dashboard.
6. After upgrading Central Node deployed as a cluster, the alerts table may not display new alerts generated by the IDS technology. You can check whether the limitation applies to you and take steps to fix it, if necessary. For details, see the Updating Kaspersky Anti Targeted Attack Platform from version 7.0.1 to version 7.0.3 section
7. Upgrading the Central Node component from version 6.1 fails if processing of mirrored SPAN traffic is disabled in the version of the component that is being upgraded. To fix this limitation, we strongly recommend following steps 1 of the Updating Central Node installed as a cluster and 4 of the Upgrading a Central Node installed on a server instructions.
8. In rare cases, upgrading from version 7.0.1 to version 7.0.3 of Central Node deployed as a cluster based on the Astra Linux operating system may fail with the error "Upgrade has failed on task UpdateSizing".

   Resolving the "Upgrade has failed on task UpdateSizing" error

   If you get the "Upgrade has failed on task UpdateSizing" while upgrading Central Node deployed as a cluster based on Astra Linux from version 7.0.1 to version 7.0.3, follow the steps below.

   All steps described below must be performed on servers in Technical Support Mode, after elevating user privileges using the sudo -i command.

   To resolve the "Upgrade has failed on task UpdateSizing" error:

   1. Log in to any of the storage servers in the Central Node cluster and check if the Ceph storage is working. To do so, execute the following command:

      ceph -s | grep health:

      The Ceph storage is healthy if the following value is returned:

      health: HEALTH_OK

      If the value is different from health: HEALTH_OK, please contact Technical Support.

   2. Find out which servers in the cluster have the 'manager' role in Docker swarm. To do this, run the following command on any of the cluster servers:

      docker node ls

      A list of cluster servers is displayed. Look at the MANAGER STATUS column in the list: if a server has Leader or Reachable in that column, it means it has the 'manager' role.

   3. Log in to the server with the 'manager' role in Docker swarm and restart the ZooKeeper service with the following command:

      docker service update kata_product_main_1_zookeeper --force

   4. Wait 10 minutes and check the status of the Kafka service:
      1. Run the following command:

         docker service ps kata_product_main_1_schema_registry

         Look at the value in the NODE column to determine which server has the Schema Registry.

      2. Log in to the server with the Schema Registry and run the following command:

         docker exec -it $(docker ps | grep schema_registry | awk '{ print $1 }') curl http://127.0.0.1:8081/subjects

         If you get a JSON with a list of subjects, it means the Kafka service is working. In this case, go to step 6.

   5. If the Kafka service is not working, restart it using the following command:

      docker service update kata_product_main_1_kafka --force

      After this, do step 4 again. If the Kafka service still does not work after this, please contact Technical Support.

   6. Proceed with the upgrade with the following commands:

      source /opt/upgrade_venv/bin/activate

      kata-upgrade params --data-dir /data/upgrade/ --user admin --password '<pass>' --ndr-language '<language>' --current-task-index 15

      In the above command, replace <language> with the language that was selected at the start of the upgrade process. Possible values: English, Russian.

9. After upgrading from version 6.1 to version 7.0.3 of Central Node deployed as a cluster based on the Astra Linux operating system, telemetry search in the Threat Hunting section may not work.

   Resolving an "Internal error" that occurs when searching for event data

   If searching for event data (telemetry) in the Threat Hunting section is not working after upgrading the Central Node deployed as a cluster based on Astra Linux from version 6.1 to version 7.0.3, follow the steps below.

   All steps described below must be performed on servers in Technical Support Mode, after elevating user privileges using the sudo -i command.

   To resolve the event data search error:

   1. Find out which servers in the cluster have the 'manager' role in Docker swarm. To do this, run the following command on any of the cluster servers:

      docker node ls

      A list of cluster servers is displayed. Look at the MANAGER STATUS column in the list: if a server has Leader or Reachable in that column, it means it has the 'manager' role.

   2. Log in to the server with the 'manager' role in Docker swarm and run the following command:

      docker service ps kata_product_main_1_elasticsearch_data

      Look at the value in the NODE column to determine which servers in the cluster are running the elasticsearch_data process.

   3. On each server in the cluster that is running the elasticsearch_data process:
      1. Get the ID of the container in which the elasticsearch_data process is running with the following command:

         docker ps | grep elasticsearch_data | awk '{ print $1 }')

      2. Check the container log with the following command:

         docker logs<container ID> | grep "this node is unhealthy: health check failed due to broken node lock"

      3. If the "this node is unhealthy: health check failed due to broken node lock" string is found in the server logs, terminate the process by running the following command:

         docker kill <container ID>

   4. In the application web interface, go to the Threat Hunting section and perform a custom search in event data. If you get the "Internal error" error again, please contact Technical Support.

10. When installing the Central Node component of version 7.0.3 on the server, Kaspersky Anti Targeted Attack Platform may refuse email messages received via SMTP. The sender may get a "Connection refused" error. You can remove this limitation. For details, see the Configuring integration with a mail server via SMTP section.

Kaspersky Anti Targeted Attack Platform 7.0 has the following known limitations:

1. Sigma rules relying on data sources other than System Monitor (Sysmon) and Windows Event Log are not supported.
2. Correlation Sigma rules are not supported.
3. As part of integration with the NDR functional block, up to 1000 Endpoint Agent components can be connected to a single Central Node component. If you want to connect more components, please contact Technical Support.
4. An error may occur when downloading mirrored traffic if the user has not waited for an already started download process to end.
5. When searching network packets for the last hour, no more than 200 records are displayed, even if the system has more matching records. We recommend refining the search query to get a selection with fewer sessions.

   Limitations do not apply to traffic dump downloading.

6. For a cluster configuration, when integrated with a mail server, an error may occur when sending an email message: "451 4.3.0 Error: queue file write error". For information on how to remove the limitation, see the Configuring integration with a mail server via SMTP section.
7. Embedded Sensor may be missing after upgrading to version 7.0 a Central Node component that had been used in the distributed solution or multitenancy mode. For information on how to remove the limitation, see the Upgrading Central Node installed on a server section.
8. In a file alert created based on the results of scanning a copy of web traffic, the User name field is empty if the user is authenticated on the proxy server with basic authentication.
9. No connection is established between the Endpoint Agent components and the PCN if the Sensor component installed on a standalone server is being used as the proxy server.
10. The Ignore MAC addresses for NIC rules toggle switch has no effect on the application.
11. If the Endpoint Agent host is running Windows Server 2016 or earlier, Endpoint Agent does not send information about the Code injection event. The component sends information about this event only if the host is running Windows Server 2019 or later.

Limitations that apply when deploying the Central Node component as a cluster:

1. A Central Node cluster must include at least 4 servers: 2 storage servers and 2 processing servers. You can scale the cluster to increase the amount of traffic handled or the number of connected hosts in accordance with the Sizing Guide.
2. It is recommended to add servers with the same hardware configuration to the cluster. Otherwise, a proportional increase in performance is not guaranteed.
3. Adding an extra server to the cluster does not speed up the processing of objects that are already in the scan queue.
4. The web interface of the application can be temporarily unavailable if the server on which it is hosted fails.
5. If the processing server fails, you may lose ICAP, POP3, and SMTP traffic data as well as the copies of emails that are waiting to be processed and the detections associated with them.
6. If the processing server is configured to receive mirrored traffic from SPAN ports, then SPAN traffic is not processed if this server fails.
7. If one of the cluster servers fails or the connection between the server and the Endpoint Agent component is temporarily lost, data in the event database can temporarily become desynchronized.
8. If the configuration of the cluster servers is changed, processing of traffic and events from computers with the Endpoint Agent component may be temporarily slowed down.
9. When installing Kaspersky Anti Targeted Attack Platform as a cluster or when updating a cluster configuration, it may happen that the Embedded Sensor does not start.

   In this case, we recommend doing the following:

   • If the Sensor is not connected, remove it using the web interface, then in Technical Support Mode, run the kata-sensor-tool fix-cluster-sensor command.
   • If Sensor is not running, in Technical Support Mode, run the kata-sensor-tool fix-cluster-sensor command.

   After some time, the Sensor should appear in the web interface.

10. Delays are possible when receiving email over SMTP. To solve this problem, we recommend the following steps:
    1. Connect to the Central Node or Sensor in Technical Support Mode.
    2. Enable the DEBUG logging level for the SMTP integration with the following command:

       console-settings-updater set --merge /kata/configuration/product/preprocessor_smtp '{"logging":{"level":{"root":"DEBUG"}}}'

    3. Wait approximately 30 seconds for the settings to synchronize.
    4. Go back to the ERROR logging level for the SMTP integration with the following command:

       console-settings-updater set --merge /kata/configuration/product/preprocessor_smtp '{"logging":{"level":{"root":"ERROR"}}}'

Limitations that apply when using the application in distributed solution and multitenancy mode:

1. On a PCN server, the Assets → Devices tab displays only hosts that are connected to that PCN server.
2. User account passwords can be changed only on the PCN server.

Limitations that apply to the Sensor component:

1. Only Sensor components installed on standalone servers can be used to capture network traffic at the maximum speed of 10 Gbps.
2. Capturing FTP traffic at the maximum speed of 10 Gbps can result in a high level of loss.
3. If you add or remove network interfaces that send SPAN traffic to Kaspersky Anti Targeted Attack Platform, raw network traffic dumps may be downloaded from a network interface that is different from the one you selected.

Limitations that apply to the Sandbox component:

1. The following versions of operating systems are supported for custom images:
   • Windows 7
   • Windows 8.1 64-bit
   • Windows 10 64-bit (up to version 1909)
2. Only English and Russian localizations are fully supported for custom operating system images.
3. License keys for activating the operating systems and software are not provided.
4. If some of the operating systems selected in the set of operating systems on the Central Node server are not installed on the Sandbox server, Kaspersky Anti Targeted Attack Platform does not send objects to the Sandbox component for scanning. If multiple servers with the Sandbox component are connected to the server with the Central Node component, the application sends objects to those servers whose installed operating systems match the set selected on the Central Node.

Limitations that apply when integrating with Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows:

1. Tasks for getting RAM dumps and disk images can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows and Kaspersky Endpoint Security 12.1 or later for Windows.
2. Tasks for getting process memory dumps, NTFS metafiles, and registry keys can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows or Kaspersky Endpoint Security 12.1 or later for Windows.
3. The task of scanning hosts using YARA rules can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows and Kaspersky Endpoint Security 12.1 or later for Windows. If you simultaneously assign a task to computers with Kaspersky Endpoint Agent version 3.14 or later, and to computers with earlier versions of that application, the task runs only on computers with Kaspersky Endpoint Agent 3.14 or later.
4. If autorun points are selected as the scan scope, the task runs only on computers with Kaspersky Endpoint Agent 3.14 or later and Kaspersky Endpoint Security 12.1 or later for Windows.
5. The Code injection, Named pipe, WMI, LDAP, DNS, Process access events are available only when integrating with Kaspersky Endpoint Security for Windows 12.7 or a later version.

Limitations that apply when integrating with Kaspersky Endpoint Security for Linux:

1. The following functionality is not available for computers running Kaspersky Endpoint Security for Linux 11.4:
   • Network isolation of a host.
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 11.4 for Linux applications.

   • Finding indicators of compromise on computers using IOC files.

     No notifications are created about the unsuccessful search of indicators of compromise on computers with Kaspersky Endpoint Security 11.4 for Linux applications.

2. The following functionality is not available for computers running Kaspersky Endpoint Security for Linux 12:
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 12 for Linux applications.

3. The list of events that Kaspersky Endpoint Security 11.4 or 12 for Linux logs in the event database is limited to the following types:
   • File modified
   • Process started
   • Process completed
   • System event log
   • Detection
   • Detection processing result
4. The list of tasks that you can create on computers running Kaspersky Endpoint Security 11.4 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
5. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
   • Delete file
   • Kill process
6. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12.2 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
   • Delete file
   • Kill process
   • Quarantine file
7. In information about events registered in the event database by Kaspersky Endpoint Security 11.4 or 12 for Linux, the Time created field displays file modification time.
8. The Connection to remote host, Port listened, Module loaded, DNS, Process access events are available when integrated with Kaspersky Endpoint Security 12.2 or later for Linux.

Limitations that apply when integrating with Kaspersky Endpoint Security 12 for Mac:

1. The following functionality is not available for computers running Kaspersky Endpoint Security 12 for Mac:
   • Network isolation of a host.
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 12 for Mac applications.

   • Finding indicators of compromise on computers using IOC files.

     No notifications are created about the unsuccessful search of indicators of compromise on computers with Kaspersky Endpoint Security 12 for Mac applications.

2. The list of events that Kaspersky Endpoint Security 12 for Mac logs in the event database is limited to the following types:
   • File modified
   • Process started
   • Process completed
   • Detection
   • Detection processing result
3. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12 for Mac is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
4. In information about events registered in the event database by Kaspersky Endpoint Security 12 for Mac, the Time created field displays file modification time.

Limitations of Kaspersky Endpoint Agent 3.16 for Windows:

You can view the list of limitations of Kaspersky Endpoint Agent 3.16 for Windows in the Kaspersky Endpoint Agent for Windows Online Help.

Limitations of Kaspersky Endpoint Security 12.5 for Windows:

You can view the list of limitations of Kaspersky Endpoint Security 12.5 for Windows in the Kaspersky Endpoint Security for Windows Online Help.

Limitations of Kaspersky Endpoint Security 12 for Linux:

You can view the list of limitations of Kaspersky Endpoint Security 12 for Linux in the Kaspersky Endpoint Security for Linux Release Notes.

Limitations of Kaspersky Endpoint Security 12 for Mac:

You can view the list of limitations of Kaspersky Endpoint Security 12 for Mac in the Kaspersky Endpoint Security for Mac Online Help.

[Topic 159935]

Data provision

The operation of certain components of Kaspersky Anti Targeted Attack Platform requires data processing on the Kaspersky side. Components do not send data without the consent of the administrator of Kaspersky Anti Targeted Attack Platform.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

• In the End User License Agreement (for example, during installation of the application).

  According to the terms of the End User License Agreement, you agree to automatically send Kaspersky the information listed in the End User License Agreement under Data Provision. The End User License Agreement is included in the application distribution kit.

• In the KSN Statement (for example, during installation of the application or in the administrator menu after installation).

  When you participate in Kaspersky Security Network, information obtained as a result of Kaspersky Anti Targeted Attack Platform operation is automatically sent to Kaspersky. The list of transmitted data is specified in the KSN Statement. The Kaspersky Anti Targeted Attack Platform user independently decides on his/her participation in KSN. The KSN Statement is included in the application distribution kit.

  Before KSN statistics are sent to Kaspersky, they are accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components.

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is sent over encrypted communication channels.

When using Kaspersky Private Security Network, Kaspersky is not sent information about the operation of Kaspersky Anti Targeted Attack Platform. However, KSN statistical data is accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components to the same extent as when using Kaspersky Security Network. This accumulated KSN statistical data may be transmitted beyond the perimeter of your organization if a server with the Kaspersky Private Security Network application is located outside of your organization.

The Kaspersky Private Security Network administrator must personally ensure the security of such data.

[Topic 242920]

Service data of the application

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Information about the service data of Kaspersky Anti Targeted Attack Platform is provided in the table below.

Service data of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 176644]

Data of the Central Node and Sensor components

This section contains the following information about user data that is stored on the server with the Central Node component and on the server with the Sensor component:

• Contents of stored data
• Storage location
• Storage duration
• User access to data

[Topic 197172]

Traffic data of the Sensor component

Traffic data of the Sensor component is stored on the server with the Sensor component or on the server with Sensor and Central Node components if Sensor and Central Node are installed on the same server or deployed as a cluster.

Traffic data is recorded and stored in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached (you can configure this setting)
• The configured time interval has elapsed (you can configure this setting)
• The traffic saving service or the entire Kaspersky Anti Targeted Attack Platform application is restarted

As traffic data accrues, Kaspersky Anti Targeted Attack Platform filters data and keeps only the following information:

• Information related to alerts generated as a result of scanning by the Targeted Attack Analyzer technology
• PCAP files in which:
  • Source or destination IP address matches an IP address from the detection
  • Traffic data belongs to the time period within 15 minutes from the detection time

Filtered traffic data is moved to a separate section. The rest of the traffic data (that do not satisfy filtering criteria) is deleted.

Filtered traffic data is saved in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached
• The configured time interval has elapsed

Filtered data traffic is stored for the last 24 hours. Older data is deleted.

[Topic 247484]

Data in detections

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Information about the data that may be stored when creating

Data in Kaspersky Anti Targeted Attack Platform detections

[Topic 247485]

Data in events

Events may contain user data. If Central Node is installed on a server, information about occurred events is stored in the /data directory. If Central Node is installed as a cluster, the information is stored in ceph storage.

Data is rotated as the disk becomes full.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Event data can contain information related to the following:

• Name of the computer where the event occurred.
• Unique ID of the computer with the Endpoint Agent component.
• Name of the user account under which the event occurred.
• Name of the group that the user belongs to.
• Event type.
• Event time.
• Information about the file for which the event was logged: name, path, full name.
• MD5 and SHA256 hash of the file.
• File creation time.
• File modification time.
• File access rights.
• Environment variables of the process.
• Command-line parameters.
• Text of the command entered into the command line.
• Local IP address of the adapter.
• Local port.
• Remote host name.
• Remote host IP address.
• Port on the remote host.
• URLs and IP addresses of visited websites, and links from these websites.
• Network connection protocol.
• HTTP request method.
• HTTP request header.
• Information about Windows registry variables: path to the variable, variable name, variable value.
• Contents of a script or binary file sent for AMSI scanning.
• Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.

[Topic 247486]

Data in reports

If the Central Node component is installed on a server, report data is stored in the /data directory indefinitely. If Central Node is installed as a cluster, the information is stored in ceph storage indefinitely.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Reports may contain the following information:

• Report creation date.
• Time period covered in the report.
• ID of the user account that generated the report.
• Report status.
• Central Node components for which the report was generated.
• Text of the report as HTML code.
• Report description.
• Name of the template that the report was generated from.
• Tenant ID.

[Topic 247487]

Data on objects in Storage and Quarantine

If the Central Node component is installed on a server, data about objects in storage and quarantine is stored in the /data directory indefinitely. If Central Node is installed as a cluster, the information is stored in ceph storage indefinitely.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Data on objects in Storage and quarantine may contain the following information:

• Name of the object.
• Path to the object on the computer with the Endpoint Agent component.
• MD5- and SHA256 hash of the file.
• File size.
• ID of the user that quarantined the object.
• ID of the user that placed the object in Storage.
• IP address of the computer on which the quarantined object is stored.
• Name of the computer on which the quarantined object is stored.
• Unique ID of the computer on which the quarantined object is stored in Storage.
• ID of the TAA (IOA) rule by which the detection was generated.
• Category of the detected object.
• Results for the object scanned using individual modules and technologies of the application.
• File download time.
• Metadata of scanned files and their sources.
• Resulting status of the object in Storage.