Kaspersky Endpoint Security 12 for Windows

EDR telemetry exclusions

16 April 2024

ID 270557

To improve performance and optimize data transmission to the Telemetry server, you can configure EDR telemetry exclusions. For example, you can choose not to send network communications data for individual applications.

How to create an EDR telemetry exclusion in the Administration Console (MMC)

How to create an EDR telemetry exclusion in the Web Console and Cloud Console

EDR telemetry exclusion parameters

Parameter

Description

Excluded processes

Optimize the telemetry size to send. Kaspersky Endpoint Security lets you optimize the amount of transmitted data and exclude events with certain codes from telemetry: code 102 (basic communications) and code 8 (network activity of the process) for the Microsoft SMB protocol, the WinRM service, and the klnagent.exe process of the Network Agent, as well as extended information about the types of network packets for all types of network protocols.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Rule triggering criteria

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Parent path. Path to the folder in which the file is located.
  • Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.
  • Fill in based on file properties. The application automatically populates fields with information from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder. The application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plugin displays the parameters of C:\windows\syswow64\cmd.exe. This behavior is dictated by peculiarities of the operating system.

Use for the following event types

  • File modification.
  • Network events.
  • Process: console interactive input.
  • Module loaded.
  • Registry modified.

Excluded network communications

Rule name.

Direction.

Protocol.

Protocol number.

Local port or range.

Remote port or range.

Local address. The network address of the computer for which Kaspersky Endpoint Security is excluding telemetry from network traffic.

Remote address. The network address of the computer for which Kaspersky Endpoint Security is excluding telemetry from network traffic.

Only the IPv4 format is supported for IP addresses.

Applications. List of executable files of applications for which Kaspersky Endpoint Security is excluding EDR telemetry from network traffic.

Excluded file operations

Rule name.

File name or mask. Name or mask of a file or folder; Kaspersky Endpoint Security applies the exclusion rule when this file or folder is accessed. Kaspersky Endpoint Security supports the * and ? characters when entering a mask.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Rule triggering criteria

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Parent path. Path to the folder in which the file is located.
  • Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.
  • Fill in based on file properties. The application automatically populates fields with information from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder. The application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plugin displays the parameters of C:\windows\syswow64\cmd.exe. This behavior is dictated by peculiarities of the operating system.
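One way to collect the values that must be entered manually for a 64-bit executable, for the rule triggering criteria of both Excluded processes and Excluded file operations. This is an added example, not Kaspersky code. The function name Get-ExclusionCriteria is hypothetical, and the script relies on the Windows Sysnative alias so that it reads the real System32 file even when run from a 32-bit PowerShell host.

```powershell
# Added example: read the rule-criteria values (VersionInfo fields, MD5, SHA256)
# from the 64-bit binary instead of the redirected 32-bit copy.
function Get-ExclusionCriteria {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # for example C:\Windows\System32\cmd.exe
    )

    $resolved = [Environment]::ExpandEnvironmentVariables($Path)

    # A 32-bit process on 64-bit Windows is redirected from System32 to SysWOW64.
    # The Sysnative alias (visible only to 32-bit processes) reaches the real System32.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        $sys32 = Join-Path $env:windir 'System32'
        if ($resolved.StartsWith("$sys32\", [StringComparison]::OrdinalIgnoreCase)) {
            $resolved = (Join-Path $env:windir 'Sysnative') + $resolved.Substring($sys32.Length)
        }
    }

    $item = Get-Item -LiteralPath $resolved -ErrorAction Stop
    $info = $item.VersionInfo

    [pscustomobject]@{
        FullPath         = $Path                   # value for "Full path"
        ReadFrom         = $item.FullName          # file that was actually opened
        Description      = $info.FileDescription   # value for "Description"
        OriginalFileName = $info.OriginalFilename  # value for "Original file name"
        Version          = $info.FileVersion       # value for "Version"
        MD5              = (Get-FileHash -LiteralPath $resolved -Algorithm MD5).Hash
        SHA256           = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
    }
}

# Compare the 64-bit binary with the 32-bit copy that the plugin displays.
$native = Get-ExclusionCriteria -Path "$env:windir\System32\cmd.exe"
$wow64  = Get-ExclusionCriteria -Path "$env:windir\SysWOW64\cmd.exe"
$native, $wow64 | Format-List

# Identical hashes mean the System32 read was redirected to SysWOW64.
if ($native.SHA256 -eq $wow64.SHA256) {
    Write-Warning 'System32 and SysWOW64 hashes match: the 64-bit file was not read.'
}
```

Enter the values from the first object into the rule, and compare them with what the plugin filled in to confirm which binary the rule describes.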
