Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
8 November 2023
ID 226232
If this functionality is enabled, the application can automatically send files from hosts with the Endpoint Agent component for scanning with the Sandbox component in accordance with Kaspersky TAA (IOA) rules. Files are sent in accordance with the following principle:
- Kaspersky Anti Targeted Attack Platform checks the event database and marks events that match TAA (IOA) rules.
- If relevant conditions are found in TAA (IOA) rules, Kaspersky Anti Targeted Attack Platform sends files for scanning by the Sandbox component.
Requests for scanning files by the Sandbox component are not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
- Based on the results of the scan, the application can add alerts to the alert database.
You can view alerts created in this way by filtering alerts by the Details – Autosend to Sandbox attribute.
If automatic sending of files to be scanned by the Sandbox component is enabled, the volume of traffic processed by the component can become very large. If the Sandbox component server cannot support the increased load, some of the objects from the processing request queue are replaced with requests for processing files that are automatically sent for scanning.
To avoid dropping objects from the processing request queue, you can:
- Deploy additional Sandbox servers.
- Disable automatically sending files to be scanned by the Sandbox component.
- Add to exclusions those TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.
Information about rules that are most frequently used by Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component is displayed in the Sent to Sandbox by TAA rules widget. You can add this widget to your current layout.
When you add a file to exclusions, event marking and creation of alerts in accordance with this rule is also stopped.
Files that can be automatically sent for scanning by the Sandbox component are listed in the following table.
List of files that can be automatically sent for scanning by the Sandbox component
Event type | File type |
|---|---|
Process started | File of the started process and file of its parent process. |
Module loaded | File of the loaded module and file of its parent process. |
Connection to remote host | File of the parent process. |
Blocked application (prevention rule) | File of the application that was blocked from running, and file of its parent process. |
Document blocked | File of the document that was blocked from running, and file of its parent process. |
File changed | Created, deleted, or modified file and file of the parent process. |
System event log | File of the process (only for Linux). |
Registry modified | File of the parent process. |
Port listened | File of the parent process. |
Driver loaded | File of the loaded driver. |
Scan: detect | Detected file and file of its parent process (if any). |
Scan: detect processing result | Detected file and file of its parent process (if any). |
AMSI scan | File of the process. |
Process: interpreted file run | File that was started and file of its parent process. |
Process: console interactive input | File of the parent process. |
Information about files sent for scanning by the Sandbox component is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
