Response actions
This section contains information on the response actions to the detected threats that are available in Kaspersky Industrial CyberSecurity Endpoint Detection and Response.
About network isolation
Kaspersky Industrial CyberSecurity Endpoint Detection and Response provides the ability to isolate devices from the network on demand (manually) or as an automatic action to respond to detected threats.
In the case of an automatic response, the corresponding commands are executed on the devices without confirmation from the operator. Even though the actions rely on standard operating system mechanisms, unforeseen problems may occur. They can be caused by incorrect or highly specific device configuration, compatibility problems, or errors in the software of devices or industrial control systems (ICS) that do not show up during normal use. For example, the following problems may occur: the device shuts down, communication with the device is lost, the device becomes inoperable, or other failures occur in the operation of the solution and the equipment. Unintended impact on ICS operation is also possible.
The administrator of Kaspersky Industrial CyberSecurity Endpoint Detection and Response is fully responsible for the impact of automatic actions of the solution in relation to detected threats on the stability of the ICS and the technological process.
After enabling network isolation, the application breaks all active TCP/IP connections and blocks all new TCP/IP network connections on the devices, except for the connections listed below:
- connections specified as network isolation exclusions;
- connections initiated by services of the Kaspersky Industrial CyberSecurity for Nodes or Kaspersky Industrial CyberSecurity for Linux Nodes;
- connections initiated by Kaspersky Security Center Network Agent.
You can apply device network isolation manually in Kaspersky Industrial CyberSecurity for Nodes settings on the device or in the alert details. It can also be applied automatically as a result of alert response actions when the IOC Scan task is performed. You can unlock an isolated device manually from the alert details, in Kaspersky Industrial CyberSecurity for Nodes settings on the device or from the command line. You can also configure the period after which to disable network isolation automatically.
You can configure network isolation exclusions. Network connections that meet the conditions of the specified exclusion will not be blocked on the devices after network isolation is enabled.
For more details on how to manage network isolation manually using the application settings on the device, refer to Kaspersky Endpoint Agent Help.
For details on enabling and disabling network isolation on a device and configuring network isolation exclusions, see the Kaspersky Industrial CyberSecurity for Linux Nodes Help.
About moving a file to Quarantine
One of the possible response actions when a threat is detected is to quarantine the file.
Quarantine is a special local repository on a device with Kaspersky Industrial CyberSecurity Endpoint Detection and Response which is intended for storing files that are probably infected by viruses or cannot be disinfected at the time when they are detected. Quarantined files are stored on the protected device in an encrypted form and therefore do not compromise the device security.
You can quarantine a file manually or configure automatic quarantining of a file as a result of alert response actions. You can also quarantine a file from the alert details window.
This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.
For details on quarantine, refer to Kaspersky Endpoint Agent Help.
Configuring the settings for storing files in Quarantine
To view a list of quarantined files,
in the main Kaspersky Security Center Web Console window select Repositories → Quarantine.
Scanning of objects quarantined by Kaspersky Industrial CyberSecurity Endpoint Detection and Response is not available.
For more details on working with quarantine, see:
- Kaspersky Security Center Windows Help
- Kaspersky Security Center Linux Help
- Kaspersky Endpoint Agent Help
The objects are quarantined with the permissions of the system account (SYSTEM). When being restored from the Quarantine, the file is not moved to its original location, but to a special folder on the device, from which you can manually move it to the destination folder.
To configure the settings for storing quarantined files:
- In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
- Click the name of the policy you want to configure.
The policy properties window opens.
- Select the Application settings tab.
- In the Repositories section, select Quarantine and specify the required settings.
Quarantine files storage settings are not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.
About the Delete file task
One of the possible response actions when a threat is detected is to delete the file from the device.
For more details about deleting files, see Kaspersky Endpoint Agent Help and Kaspersky Industrial CyberSecurity for Linux Nodes Help.
About running Critical Areas Scan
One of the possible response actions when a threat is detected is running Critical Areas scan on the device.
You can run Critical Areas scan manually or configure the scan to run automatically as a result of alert response actions.
For more details on critical areas scanning, please refer to the Kaspersky Endpoint Agent Help and Kaspersky Industrial CyberSecurity for Linux Nodes Help.
About IOC Scan
An indicator of compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the device (data compromise). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task allows finding Indicators of Compromise on the device and performing threat response actions.
IOC files are used to search for IOCs. An IOC file contains a set of indicators that are compared to the indicators of an event. If the compared indicators match, the application considers the event to be an alert. IOC files must conform to the OpenIOC standard. Kaspersky Industrial CyberSecurity Endpoint Detection and Response provides an IOC Scan task. It is a group or local task that is created and configured manually in Kaspersky Security Center Web Console. The IOC files that you prepared are used to run the task.
When an IOC is detected on a device, Kaspersky Industrial CyberSecurity Endpoint Detection and Response performs the specified response action. The following response actions are available for the detected IOCs:
- Isolate device from the network.
- Run scan of critical areas.
- Move a copy of the object to Quarantine and delete the object.
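To make the matching rule concrete, here is an added example (not Kaspersky code) of how an OpenIOC 1.0 file is evaluated against events: every IndicatorItem compares one observed attribute with its Content according to its condition (is / contains), and nested Indicator elements combine the results with their AND/OR operator. The IOC file and the three events below are constructed for the example; the search terms used (FileItem/Md5sum, FileItem/FileName, FileItem/FullPath) are OpenIOC terms, and the set of terms the product actually supports is documented in its help, not here. The MD5 in the IOC is the published hash of the EICAR test file.

```python
"""Minimal OpenIOC 1.0 evaluator (constructed example, not Kaspersky code)."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC file: alert on a file by MD5, OR on a file named svchost.exe
# that lives somewhere under \Users\ (where the real one never is).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2024-01-01T00:00:00">
  <short_description>Example dropper</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">44d88612fea8a8f36de82e1278abb02f</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\Users\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed events: each is a flat dict keyed by OpenIOC search term.
SAMPLE_EVENTS = [
    {"id": "ev1", "FileItem/FileName": "eicar.com",
     "FileItem/FullPath": "C:\\Temp\\eicar.com",
     "FileItem/Md5sum": "44D88612FEA8A8F36DE82E1278ABB02F"},   # hash hit (case-insensitive)
    {"id": "ev2", "FileItem/FileName": "svchost.exe",
     "FileItem/FullPath": "C:\\Windows\\System32\\svchost.exe",
     "FileItem/Md5sum": "0" * 32},                              # name hits, path does not: AND fails
    {"id": "ev3", "FileItem/FileName": "svchost.exe",
     "FileItem/FullPath": "C:\\Users\\alice\\AppData\\svchost.exe",
     "FileItem/Md5sum": "1" * 32},                              # name AND path hit
]


def _item_matches(item, event):
    """Compare one IndicatorItem with the event attribute it refers to."""
    search = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").lower()
    observed = event.get(search)
    if observed is None:          # attribute not present in this event: no match
        return False
    observed = observed.lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return observed == expected
    if cond == "contains":
        return expected in observed
    raise ValueError(f"unsupported condition {cond!r}")


def _indicator_matches(indicator, event):
    """Evaluate an Indicator node: AND/OR over its items and nested indicators."""
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]      # strip the namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, event))
    if not results:                         # an empty indicator never matches
        return False
    return all(results) if op == "AND" else any(results)


def scan(ioc_xml, events):
    """Return (event_id, ioc_id) pairs for which the IOC file matches."""
    root = ET.fromstring(ioc_xml)
    ioc_id = root.get("id")
    indicators = root.find("ioc:definition", NS).findall("ioc:Indicator", NS)
    return [(ev["id"], ioc_id) for ev in events
            if any(_indicator_matches(ind, ev) for ind in indicators)]


if __name__ == "__main__":
    for event_id, ioc_id in scan(SAMPLE_IOC, SAMPLE_EVENTS):
        print(f"ALERT: event {event_id} matched IOC {ioc_id}")
```

Running it reports ev1 (hash match) and ev3 (name and path both match) and stays silent on ev2, which is the point of the nested AND: a legitimately named binary in its normal location does not raise an alert. When writing IOC files for an ICS estate, keep indicators this specific; a broad OR over file names alone will fire on engineering workstations constantly.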
When responding to threats, Kaspersky Industrial CyberSecurity Endpoint Detection and Response can automatically create IOC Scan tasks.
For details on creating an IOC search task, see:
- Kaspersky Security Center Windows Help
- Kaspersky Endpoint Agent Help
- Kaspersky Industrial CyberSecurity for Linux Nodes Help
About Execution prevention
You can configure execution prevention rules for executable files and scripts, as well as for opening office-format files, on the selected devices. For example, you can prevent the launch of applications whose use is considered unsafe on a selected device protected by Kaspersky Industrial CyberSecurity Endpoint Detection and Response. The application identifies files by their paths or by their checksums, using the MD5 and SHA256 hash algorithms.
Execution prevention rule is a set of criteria that are considered when preventing an object from execution. The object must meet all the criteria of the Execution prevention rule in order for the application to block it from execution.
Kaspersky Industrial CyberSecurity Endpoint Detection and Response has the following modes for applying execution prevention rules:
- Block and log to the report. In this mode, the EPP application blocks the execution of objects or the opening of documents that match the criteria of the execution prevention rules, and records an event.
- Log an event only. In this mode, the EPP application records an event in the Windows Event Log and in Kaspersky Security Center about attempts to execute objects or open documents that meet the criteria of the execution prevention rules, but does not block the execution or opening of these objects.
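The two things a practitioner usually wants to check before deploying such rules are the AND semantics (a rule with both a path and a hash criterion matches only when both hold) and the difference between the two modes. The following added example (not Kaspersky code, and not the product's rule format) models both with a toy rule engine: rules carry an optional path glob and optional MD5/SHA256 values, a launch is evaluated against the rule list, and the mode decides whether a hit blocks or only logs. The sample binary is the EICAR test file with its published hashes; the paths and rule names are constructed.

```python
"""Toy model of execution prevention rules (added example, not Kaspersky code)."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

BLOCK_AND_LOG = "block_and_log"   # hit blocks the launch and records an event
LOG_ONLY = "log_only"             # hit records an event, launch proceeds

# EICAR test file and its published hashes, used as the "known-bad" sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


@dataclass
class Rule:
    name: str
    path_glob: Optional[str] = None   # case-insensitive glob over the full path
    md5: Optional[str] = None
    sha256: Optional[str] = None

    def matches(self, path: str, data: bytes) -> bool:
        """All criteria that are set must hold; a rule with no criteria never matches."""
        checks = []
        if self.path_glob is not None:
            checks.append(fnmatch.fnmatchcase(path.lower(), self.path_glob.lower()))
        if self.md5 is not None:
            checks.append(hashlib.md5(data).hexdigest() == self.md5.lower())
        if self.sha256 is not None:
            checks.append(hashlib.sha256(data).hexdigest() == self.sha256.lower())
        return bool(checks) and all(checks)


LogEntry = Tuple[str, str, str]   # (mode, rule name, path)


def evaluate(rules: List[Rule], mode: str, path: str, data: bytes,
             log: List[LogEntry]) -> bool:
    """Return True if the launch is allowed; append an event to `log` on a rule hit."""
    for rule in rules:
        if rule.matches(path, data):
            log.append((mode, rule.name, path))
            return mode == LOG_ONLY
    return True


# Constructed rule set: pin a known-bad hash, and forbid any .exe under a user's Downloads.
RULES = [
    Rule("eicar-by-hash", sha256=EICAR_SHA256),
    Rule("downloads-exe", path_glob="c:\\users\\*\\downloads\\*.exe"),
]


def demo() -> List[Tuple[str, bool, int]]:
    """Run four launches and return (scenario, allowed, events logged so far)."""
    log: List[LogEntry] = []
    tampered = EICAR + b"\n"            # one extra byte: hash rule no longer applies
    scenarios = [
        ("known sample, block mode", BLOCK_AND_LOG, "C:\\Temp\\eicar.com", EICAR),
        ("renamed sample, block mode", BLOCK_AND_LOG, "C:\\Temp\\notepad.exe", EICAR),
        ("tampered sample outside Downloads", BLOCK_AND_LOG, "C:\\Temp\\eicar.com", tampered),
        ("tampered sample in Downloads, log-only", LOG_ONLY,
         "C:\\Users\\bob\\Downloads\\dropper.exe", tampered),
    ]
    out = []
    for label, mode, path, data in scenarios:
        allowed = evaluate(RULES, mode, path, data, log)
        out.append((label, allowed, len(log)))
    return out


if __name__ == "__main__":
    for label, allowed, events in demo():
        print(f"{label}: {'allowed' if allowed else 'blocked'} (events logged: {events})")
```

The four scenarios show the trade-off between the two identification methods: renaming the file defeats a path rule but not a hash rule, while changing a single byte defeats the hash rule but not a path rule, and the log-only mode still records the hit even though the launch proceeds. Rolling out a rule set in the log-only mode first is the usual way to find out which legitimate ICS tooling a path rule would otherwise block.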
For information on enabling execution prevention, configuring its settings and managing execution prevention rules from the command line, refer to Kaspersky Endpoint Agent Help.
You can also prevent the file execution from the alert details window.
This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.
About starting and terminating processes
The Start process task allows you to remotely start files on the device. For example, you can remotely start a utility that creates a file with the computer configuration, and then get the created file using the Get file task.
The Terminate process task allows you to remotely terminate processes on the device. For example, you can remotely terminate the Internet speed testing utility that was started using the Start process task.
For more details on configuring the settings of the Start process and Terminate process tasks, see the Kaspersky Endpoint Agent Help and the Kaspersky Industrial CyberSecurity for Linux Nodes Help.
About the Get file task
The Get file task allows you to get files from users' devices. For example, you can configure retrieval of an event log file created by a third-party application. As a result of the task execution, the file is saved in Quarantine. You can download this file from Quarantine to your device using Kaspersky Security Center Web Console. On the user's device, the file remains in its original folder.
To receive a copy of a file, create the Quarantine file task and, in the Actions after quarantining a file section, specify that the file does not need to be deleted when it is moved to Quarantine. For more details, see the Kaspersky Endpoint Agent Help and the Kaspersky Industrial CyberSecurity for Linux Nodes Help.
If you are using Kaspersky Endpoint Security 12.1 for Linux, the file is saved to the Backup repository of Kaspersky Security Center instead of Quarantine.