Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules

If this functionality is enabled, the application can automatically send files from hosts with the Endpoint Agent component for scanning with the Sandbox component in accordance with Kaspersky TAA (IOA) rules. Files are sent in accordance with the following principle:

Kaspersky Anti Targeted Attack Platform checks the event database and marks events that match TAA (IOA) rules.
If relevant conditions are found in TAA (IOA) rules, Kaspersky Anti Targeted Attack Platform sends files for scanning by the Sandbox component.
Requests for scanning files by the Sandbox component are not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
Based on the results of the scan, the application can add alerts to the alert database.
You can view alerts created in this way by filtering alerts by the Details – Autosend to Sandbox attribute.

If automatic sending of files to be scanned by the Sandbox component is enabled, the volume of traffic processed by the component can become very large. If the Sandbox component server cannot support the increased load, some of the objects from the processing request queue are replaced with requests for processing files that are automatically sent for scanning.

To avoid dropping objects from the processing request queue, you can:

Deploy additional Sandbox servers.
Disable automatically sending files to be scanned by the Sandbox component.
Add to exclusions those TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.
Information about rules that are most frequently used by Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component is displayed in the Sent to Sandbox by TAA rules widget. You can add this widget to your current layout.

When you add a file to exclusions, event marking and creation of alerts in accordance with this rule is also stopped.

Files that can be automatically sent for scanning by the Sandbox component are listed in the following table.

List of files that can be automatically sent for scanning by the Sandbox component

Event type	File type
Process started	File of the started process and file of its parent process.
Module loaded	File of the loaded module and file of its parent process.
Connection to remote host	File of the parent process.
Blocked application (prevention rule)	File of the application that was blocked from running, and file of its parent process.
Document blocked	File of the document that was blocked from running, and file of its parent process.
File changed	Created, deleted, or modified file and file of the parent process.
System event log	File of the process (only for Linux).
Registry modified	File of the parent process.
Port listened	File of the parent process.
Driver loaded	File of the loaded driver.
Scan: detect	Detected file and file of its parent process (if any).
Scan: detect processing result	Detected file and file of its parent process (if any).
AMSI scan	File of the process.
Process: interpreted file run	File that was started and file of its parent process.
Process: console interactive input	File of the parent process.

Information about files sent for scanning by the Sandbox component is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.

In this section

Enabling and disabling the automatic sending of files from hosts with the Endpoint Agent component to be scanned by the Sandbox component

Page top