EDR Optimum PoC Guide (v1.4.1)

This document provides instructions for deploying and evaluating Kaspersky Endpoint Detection and Response Optimum (KEDR Optimum) in a proof of concept environment. It guides the reader through preparing the environment, deploying the necessary components including the Web Console, Web Plug-in, and Kaspersky Endpoint Agent. It then demonstrates configuration of the Endpoint Agent policy and Kill Chain. Finally, it walks through a capability scenario of detecting and responding to a new unknown threat, including host isolation, IoC scanning, and execution prevention. The appendix includes a checklist for completing the proof of concept deployment.


Kaspersky Endpoint Detection and Response Optimum
Proof of Concept guide
Version 1.4.1

Kaspersky
18.08.2020
Contents

Introduction (page 2)
  Who should use this guide? (page 2)
  What is Kaspersky Endpoint Detection and Response Optimum? (page 2)
  Application architecture (page 3)
Prepare the environment (page 5)
  Review KEDR Optimum requirements (page 5)
  Download the required files (page 5)
  Configure network (page 5)
  Demo environment description (page 6)
Deployment and configuration (page 7)
  Deploy Web Console (page 7)
  Deploy Web Plug-in (page 7)
  Deploying KES with Kaspersky Endpoint Agent (page 11)
  Kaspersky Endpoint Agent activation (page 14)
  Create and configure Endpoint Agent policy (page 19)
  Configure Kill Chain (page 22)
Capability scenarios (page 23)
  An attack using a new previously unknown threat (page 23)
    Evaluation steps (page 24)
    Host isolation (page 28)
    IoC scan (page 32)
    Execution Prevention (page 35)
Appendix A: PoC completion checklist (page 37)
Introduction

Who should use this guide?

This guide is built to help you quickly deploy and configure Kaspersky Endpoint Detection and Response Optimum (KEDR Optimum or KEDRO) for evaluation. It guides you through detailed scenarios in a proof of concept environment to help you better understand how KEDR Optimum works. These instructions provide an evaluation method for the most common use cases.

The guide is intended for use primarily by Kaspersky presales engineers and third parties wishing to evaluate the product.

It is assumed that the reader will:

1. Have prior knowledge of internet access management and corporate network infrastructure.
2. Be an experienced network administrator or technical reviewer.
3. Be familiar, at least at a conceptual level, with Kaspersky Security Center (KSC).

What is Kaspersky Endpoint Detection and Response Optimum?

KEDR Optimum is a mass-market EDR solution for less mature IT security departments, or for organizations whose IT security specialists sit within the IT department, who want:

- To understand the status of their defenses against advanced threats
- To have full visibility across their infrastructure
- To be able to respond fast

KEDR Optimum is designed to provide full visibility and root cause analysis in order to give the IT security specialist a complete view of any potential attack, an immediate understanding of what’s happening, and the ability to respond fast before damage can occur.
Application architecture

Figure 1. EDR Optimum Architecture and operation scheme.

EDR Optimum does not require any resource-demanding components, thus minimizing costs related to solution deployment.

No additional resources are required to install KEDR Optimum.

Components of the solution:

Kaspersky Endpoint Agent. This application is part of the KEDR Optimum solution, and is installed as part of a Kaspersky EPP (Endpoint Protection Platform; the Kaspersky Endpoint Security for Windows application is an example of an EPP), or separately, on workstations and servers on your corporate LAN. It is the main solution component installed on devices. The endpoint agent is responsible for:

- Collecting data on threat verdicts and threat context from Kaspersky Endpoint Security (KES)
- Gathering incident-related and system data for the enrichment of verdicts
- Provision of incident-related data to KSC, for use in data visualization including attack execution mapping and root cause analysis
- IoC (Indicator of Compromise) scanning processes on the endpoint
- Response actions (host isolation, on-demand scan tasks, sending files to quarantine, etc.)

Kaspersky Security Center (KSC). Enables the centralized execution of basic administration and maintenance tasks in an organization's network. The application provides the administrator with access to detailed information about the organization's network security level, and supports the configuration of all protection components built using Kaspersky applications.

Kaspersky Security Center (KSC) Web Console. Provides a web interface for KSC. KEDR Optimum supports the Web Console version of KSC only. Working with KEDR Optimum is possible only via the Web Console.

Network Agent. Coordinates the interaction between the Administration Server and Kaspersky applications, including Kaspersky Endpoint Agent, installed on a network node (workstation or server).

Kaspersky Endpoint Security (KES) 11.4 and later versions. KES for Windows provides comprehensive computer protection against various types of threats, including network and phishing attacks. Each type of threat is handled by a dedicated component. Components can be enabled or disabled independently of one another, and their settings can be configured.
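The attack execution mapping and root cause analysis described above is, at its core, a walk over parent-child links between process events: from the process that triggered the detection back to the earliest observed ancestor, and forward to whatever the detected process spawned. The example below is added here to make that concrete; it is not Kaspersky's code, and the event record shape, the process ids, the command lines and the md5 placeholder strings are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """One process-start event, in a constructed shape (not the agent's real format)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str  # placeholder strings below, not real hashes


# Constructed sample telemetry for one workstation: the mail client starts the
# test sample from an attachment, and the sample spawns a command interpreter.
# chrome.exe is unrelated noise that the chain walk must leave out.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(400, 0, "explorer.exe", "explorer.exe", "<md5-explorer>"),
    ProcEvent(1200, 400, "outlook.exe", "outlook.exe /recycle", "<md5-outlook>"),
    ProcEvent(2200, 400, "chrome.exe", "chrome.exe", "<md5-chrome>"),
    ProcEvent(3344, 1200, "sw_test.exe", "sw_test.exe", "<md5-sw_test>"),
    ProcEvent(4100, 3344, "cmd.exe", "cmd.exe /c whoami", "<md5-cmd>"),
]


def build_kill_chain(events: List[ProcEvent], detected_pid: int) -> List[ProcEvent]:
    """Walk parent links from the detected process up to the earliest observed
    ancestor and return the chain root-first. An unknown pid yields an empty
    chain; a parent that was never observed ends the walk; a pid seen twice
    (corrupt or reused telemetry) stops the walk instead of looping forever."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[ProcEvent] = []
    seen: Set[int] = set()
    cur = by_pid.get(detected_pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)  # None once the parent was never observed
    chain.reverse()
    return chain


def descendants(events: List[ProcEvent], pid: int) -> List[int]:
    """Return the pids of every process spawned (directly or indirectly) by pid,
    breadth-first. These are the post-detection actions worth investigating."""
    children: Dict[int, List[int]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    found: List[int] = []
    seen: Set[int] = set()
    queue = list(children.get(pid, []))
    while queue:
        child = queue.pop(0)
        if child in seen:
            continue
        seen.add(child)
        found.append(child)
        queue.extend(children.get(child, []))
    return found


def chain_images(chain: List[ProcEvent]) -> List[str]:
    """Image names root-first, the way a chain graph reads left to right."""
    return [e.image for e in chain]


def chain_hashes(chain: List[ProcEvent]) -> Set[str]:
    """Hashes of every image in the chain: candidate IoCs for a network-wide scan."""
    return {e.md5 for e in chain}


if __name__ == "__main__":
    chain = build_kill_chain(SAMPLE_EVENTS, 3344)
    print(" -> ".join(chain_images(chain)))
    print("spawned after detection:", descendants(SAMPLE_EVENTS, 3344))
    print("hash IoC candidates:", sorted(chain_hashes(chain)))
```

Note that the chain stops at the earliest process the agent actually observed (here explorer.exe, whose parent pid 0 was never recorded); on a real host the root is whatever was running before telemetry started, which is why the guide insists the agent and a compatible EPP must both be installed before a chain can be built.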
Prepare the environment

Review KEDR Optimum requirements

You can find the list of all requirements for KEDR Optimum in the Online help.

It’s assumed that either Kaspersky Security Center (KSC) or KSC Cloud Console is already deployed on the infrastructure.

The Kaspersky Security Center Online Help shows how to install the Administration Server component.

Need to know how to get started with KSC Cloud Console? Go to https://ksc.kaspersky.com/, create an account and either add a valid license code or request a trial license for 30 days.

Download the required files

Kaspersky Endpoint Agent can be installed separately or as part of Kaspersky Endpoint Protection Platform applications (EPPs).

Kaspersky Endpoint Agent 3.9 can be installed as part of the following EPPs:

- Kaspersky Endpoint Security 11 for Windows: 11.4 and later versions
  https://support.kaspersky.ru/kes11#downloads
- Kaspersky Security 11 for Windows Server and later versions
  https://support.kaspersky.ru/ksws10#downloads
- KSC
  https://support.kaspersky.ru/ksc12#downloads
- Web Plug-in for KSC
  - Kaspersky Endpoint Security 11.4
  - Kaspersky Endpoint Agent 3.9

Configure network

The Network Agent coordinates the interaction between the Administration Server and Kaspersky applications installed on a network node (workstation or server). This means that you must consider the requirements for the administration agent: https://help.kaspersky.com/ksc/12/en-US/158830.htm

No additional configuration is required.
Demo environment description

This demo environment has been created in a public cloud. The information about virtual machines (VMs) and user accounts used in this environment is below:

Table 1. Demo environment

FQDN | OS | IP | Purpose
wins2019s.demo.lab | Windows Server 2019 Standard | 10.0.0.1 | Server with KSC and KES + Endpoint Agent
win10pro64.demo.lab | Windows 10 Professional | 10.0.0.2 | Client VM. Used for Endpoint Agent and KES.
Deployment and configuration

Deploy Web Console

The Kaspersky Security Center 12 Web Console can be installed on the same device as KSC itself, or on a different one.

How to install Kaspersky Security Center 12 Web Console

Deploy Web Plug-in

The plug-in is a specialized component that provides an application management interface through the Administration Console. Each application has its own plug-in.

Select the plug-ins needed to install the managed applications.

1. Open the web console and enter the administrator login and password.
2. In the Console settings drop-down list, select ‘Web plug-ins’. A list of available management plug-ins is displayed. Click ‘Add’.
3. A list of available plug-ins located on Kaspersky servers is displayed. By default, this full list includes plug-ins of all languages. Set up a filter by language; this will help you quickly find the plug-in you need.
4. In the list of available plug-ins, select Kaspersky Endpoint Security 11.4 by clicking on its name. Click ‘Install plug-in’. When the installation is complete, click ‘OK’.
5. Now you need to install the plug-in for Kaspersky Endpoint Agent 3.9. A list of available management plug-ins is displayed. Click ‘Add’.
6. In the list of available plug-ins, select Kaspersky Endpoint Agent 3.9 by clicking on its name. Click ‘Install plug-in’. When the installation is complete, click ‘OK’.
Deploying KES with Kaspersky Endpoint Agent

In order to deploy protection for Windows desktops it’s necessary to install:

- Network Agent (Kaspersky Security Center Administration Agent)
- Kaspersky Endpoint Security for Windows with the Kaspersky Endpoint Agent module

Kaspersky Endpoint Agent can be installed separately or as part of Kaspersky Endpoint Protection Platform applications (‘EPPs’).

Kaspersky Endpoint Agent 3.9 can be installed as part of the following EPPs:

- Kaspersky Endpoint Security 11 for Windows: 11.4.

Installation on a host without antivirus

By default, Kaspersky Endpoint Agent is not automatically selected for installation; you need to manually select it in the list of EPP components. There’s an online help page about creating an antivirus installation package:

How to deploy Kaspersky applications through Kaspersky Security Center 12 Web Console

First, let's create an antivirus package with the Kaspersky Endpoint Agent component activated.

1. Open the section with installation packages: ‘Discovery & Deployment’ -> ‘Deployment & Assignment’ -> ‘Installation Packages’.
2. Click ‘+Add’ to create an installation package. In the wizard that opens, select the ‘Create installation package for a Kaspersky application’ option. Click ‘Next’.
3. A list of available installation packages located on Kaspersky servers is displayed. By default, this full list includes packages of all languages, types and properties. Set up filters; this will help you quickly find the installation package you need.
4. In the list of available installation packages, select Kaspersky Endpoint Security 11.4 by clicking on its name. Click ‘Download and create installation package’. After a few minutes, the download result will be displayed.
5. The ‘Discovery & Deployment’ -> ‘Deployment & Assignment’ -> ‘Installation Packages’ section displays the downloaded package. Click on it.
6. Include the Endpoint Agent installation in ‘Properties’ and save the changes.

Next, create a remote installation task and wait for it to complete successfully. The complete process of creating a package and installing it on workstations is described here: Scenario: Kaspersky applications deployment through Kaspersky Security Center 12 Web Console

For the product to work correctly, the anti-virus databases must be updated. The product has a special task for this. Information on how to do this is described here: Database and application module update scenarios

Kaspersky Endpoint Agent must be installed on the device together with a compatible EPP application in order to build a Kill Chain.
Kaspersky Endpoint Agent activation

License type

Base: If there is one key to activate KES and Kaspersky Endpoint Agent, see this help page: https://help.kaspersky.com/ksc/12/en-US/3612_1.htm

Add-on: You can activate the Kaspersky Endpoint Agent using a task in KSC. The ability to create a special Endpoint Agent group task will appear after installing the Kaspersky Endpoint Agent plug-in.

1. Open the section with licenses: ‘Operations’ -> ‘Licensing’. Click ‘+Add’, then select ‘Add key file’.
2. Click ‘Select key file’ and specify the key that activates the KEDRO functionality.
3. Open the section with device tasks: ‘Devices’ -> ‘Tasks’. Click ‘+Add’.
4. Select the Kaspersky Endpoint Agent product and the ‘Activation of Application’ task.
5. Select ‘Group of devices’ to run it on a group of devices with Endpoint Agent installed. Click ‘Next’.
6. Select the device group that contains the device with KES 11.4. Click ‘Next’.
7. Select the key that was added in the previous steps. Click ‘Next’.
8. In the next step, specify the ‘Default account’. Click ‘Next’. Complete the wizard and click ‘Finish’.
9. Select the created task and run it.
10. Check the result of the task. To do this, open its properties by clicking on the task name and check the status of the task on the ‘Results’ tab.
Create and configure Endpoint Agent policy

The KEDR Optimum policy was created with default settings. To use its functionality in working with incidents, you will need to pre-configure it. This section describes how to create and configure Kaspersky Endpoint Agent settings using the management plug-in.

1. Open the section with device policies: ‘Devices’ -> ‘Policies & Profiles’. Click ‘+Add’.
2. Select the ‘Kaspersky Endpoint Agent’ application. Click ‘Next’.
3. Enable KEDR Optimum functionality. Click ‘Next’.
4. In the next step, open ‘Application Settings’ / ‘Interface and management’.
5. Check the box for KEDR Optimum and toggle ‘Enforce’ to ‘On’ (by default, this is toggled to ‘Off’). Click ‘OK’.
6. In the next step, open ‘Repositories’ / ‘Synchronization with Administration Server’.
7. Check both the ‘Synchronize data about objects quarantined on managed hosts’ and ‘Create threat formation chain’ boxes. Toggle ‘Enforce’ to ‘On’.
8. Click ‘Save’.
Configure Kill Chain

Dealing with incidents involves using a Threat Report. Through this, you can see the kill chain and work with information security events. Before you begin, the report must be configured.

1. Connect to the web console of the KSC. On the Home page, select the ‘Reports’ tab. Click on ‘Report on threats’.
2. In the report properties, open the ‘Fields’ tab and customize the report for a user-friendly experience. The main thing: check the box for ‘Open Incident’ and use the ‘Move up’ button to bring it to the top.
3. Click ‘Save’.
Capability scenarios

An attack using a new previously unknown threat

An attack is carried out by mailing to the organization's internal address list or in other ways. The mailed file enters the organization’s infrastructure at user workstations.

Scenario:

- New malware arrives on the organization’s PCs
- The AV on some PCs may have been turned off (partially or completely), or the AV database not updated
- On one PC everything is turned on and working
- KES detects the new malware using Behavior Analysis technology (System Watcher) and transfers the information to KSC using KEDRO

Information Security Officer:

- Builds a kill chain, based on: file hash, exploit name, etc.
- Analyzes file information on the Threat Intelligence Portal
- Isolates the host
- Adds the file to quarantine
- Creates a hash IoC and scans the infrastructure
- If infected machines are detected by the IoC search, automatic isolation / file quarantine / scan task occurs
- Results are analyzed

Preparation:

Download the test sample from the link, add it to the target workstations and extract it to the local disk:

sw_test.exe

Password: infected

This is a synthetic threat that is not capable of doing harm, but its behavior is similar to that of a real threat.
Evaluation steps

1. On a user’s machine with KES for Windows installed, run sw_test.exe.
2. In this scenario, let’s imagine that this file was received previously by this user via email from an unknown person and is now about to be shared with a colleague; or that it was downloaded from a phishing site and launched on your workstation.
3. Next, open the report through the local interface. Check the ‘Exploit Prevention’ events in KES for Windows.
4. Open the host with KSC -> ‘Reports’. Check ‘Report on threats’ and click ‘Show report’. Open the report ‘Details’, find the related incident and hit ‘Present’ in the ‘Open Incident’ column.
5. Here you can find the kill chain. Scroll down to review the incident details.
6. Click on each step of the kill chain for details.
7. Click on the MD5 hash of the file. The online reputation database reveals that the file was not previously detected and there is no information on it. This indicates a high risk of threat.
Host isolation

1. Open the report ‘Details’, find the related incident and hit ‘Present’ in the ‘Open Incident’ column.
2. In the details of the incident, click on ‘Isolate host’.
3. Open the host with the detection.
4. The user has a message on the screen stating that the network connection is blocked.
5. Try to open/update any page in the browser. Make sure the computer is isolated from the network.
6. Open the host with KSC -> ‘Devices’ / ‘Tags’.
7. Open the device list at the ISOLATED FROM NETWORK tag. Click ‘View devices’.
8. Click on the device name.

To remove the isolation, turn off the tag:

1. Open the ‘Tags’ tab.
2. Check the ‘Isolated from network’ tag and click ‘Unassign tag’.
3. Open the device properties: ‘Devices’ / ‘Managed Devices’ -> click <Device name>.
4. Open the ‘Application’ tab. Click ‘Kaspersky Endpoint Agent’.
5. Open the ‘Application Settings’ -> ‘Network isolation’ tab.
6. Click ‘General’ and uncheck ‘Isolate current device from the network’.
7. Click ‘OK’, then click ‘Save’.

After these steps, the isolation is turned off.
IoC scan

This section demonstrates how to create an IoC scan task based on the detected threats and scan the entire network to see if other nodes were affected.

1. In ‘incident details’, open the ‘injections’ section, which contains information about the files used for infection.
2. You will see many events in the table, but we need to find the malicious sw_test.exe.
3. Check the box for sw_test.exe. Click ‘+Create IoC’.
4. Set ‘Action – Isolate host’ from the network and ‘Remove and quarantine’. You can also run the ‘Critical areas scanning’ task.
5. Click ‘Create task’.
6. Go to ‘Devices’ -> ‘Tasks’, find the new task and start it.
7. Open the task result (click on the task name).
8. Since we previously put the threat file onto another device as well, the scan task detects it.
9. Switch to ‘Application Settings’ -> ‘Results’ and open the details of the IoC scan by clicking on the ‘results’ link.
10. You can see the status and state of the IoC scan: matched. Click on it. You can see where the file was located and by what criteria it was detected.
11. Switch to the VM and check the internet connection: try to open the Google.com website, or run ping in cmd to facebook.com.
Execution Prevention

Let’s add a rule for KEDRO to prevent a new copy of the malware file being executed in future.

On any machine, open the sw_test.exe file. It has not been deleted (the file itself is not a virus), so you can still run it.

1. Switch to the KSC Web Console -> ‘Reports’ -> ‘Generate Reports on threats’ -> open the incident related to the malicious file and click on the file in the Threat development chain graph.
2. Click ‘Prevent Execution’. The file hash will be automatically added to the prevention rule list.
3. Go to ‘Devices’ -> ‘Policies & Profiles’ -> open the Kaspersky Endpoint Agent policy.
4. As you can see, the file is already in the prevention rule list. Change the mode to ‘Active’ and enable user notification. Then click ‘Save’.
5. Wait about 1 minute for the Kaspersky Endpoint Agent policy to be applied. Try to run the file on one of the devices again.
6. Kaspersky Endpoint Agent blocks the launch of objects or the opening of documents that meet the criteria of the Execution prevention rules.
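The IoC scan section and the Execution Prevention section above both rest on the same mechanism: a file's hash is compared against a stored set, and a match triggers a response (report and quarantine in one case, a blocked launch in the other). The example below is added to show that mechanism end to end; it is not Kaspersky's code. The directory tree, the file contents standing in for sw_test.exe, the function names and the ‘active’ flag (modelling the rule-list mode switch the guide asks you to set) are all constructed here.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Constructed sample bytes: these stand in for the test sample and for a benign
# file. Any bytes work, since the scanner compares only hashes.
SAMPLE_BAD_BYTES = b"MZ synthetic test sample - not an executable"
SAMPLE_GOOD_BYTES = b"MZ harmless notepad stand-in"


def file_hashes(path: Path) -> Dict[str, str]:
    """Return MD5 and SHA-256 hex digests of a file, read in chunks so large
    binaries do not have to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def ioc_scan(root: Path, ioc_hashes: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Walk root and report every file whose MD5 or SHA-256 is in ioc_hashes
    (algorithm name -> set of lower-case hex digests). A renamed copy still
    matches because only content is hashed; an unreadable file is skipped
    rather than aborting the whole scan."""
    matches: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = file_hashes(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in ioc_hashes.get(algo, set()):
                    matches.append({"path": str(path), "algorithm": algo, "hash": digest})
    return matches


def check_execution(path: Path, rule_md5s: Set[str], active: bool) -> Tuple[bool, str]:
    """Execution-prevention decision for one file: (blocked, reason).
    With active=False a matching rule is only reported, modelling a rule that
    is present in the list but not yet enforced."""
    md5 = file_hashes(path)["md5"]
    if md5 not in rule_md5s:
        return (False, "no rule matched")
    if not active:
        return (False, f"rule matched md5 {md5} but the rule list is not active")
    return (True, f"blocked by execution prevention rule md5 {md5}")


def run_demo() -> Dict[str, object]:
    """Build a constructed file tree, derive a hash IoC from the sample found on
    the first host, scan the tree, and evaluate the prevention rule both ways."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "Users" / "alice" / "Downloads").mkdir(parents=True)
    (root / "Users" / "bob" / "Desktop").mkdir(parents=True)
    bad1 = root / "Users" / "alice" / "Downloads" / "sw_test.exe"
    bad2 = root / "Users" / "bob" / "Desktop" / "renamed.exe"  # same bytes, new name
    good = root / "Users" / "bob" / "Desktop" / "notepad.exe"
    bad1.write_bytes(SAMPLE_BAD_BYTES)
    bad2.write_bytes(SAMPLE_BAD_BYTES)
    good.write_bytes(SAMPLE_GOOD_BYTES)

    sample = file_hashes(bad1)  # the hash taken from the incident's kill chain
    ioc = {"md5": {sample["md5"]}, "sha256": {sample["sha256"]}}
    matched_paths = sorted({m["path"] for m in ioc_scan(root, ioc)})
    return {
        "ioc_md5": sample["md5"],
        "matched_paths": matched_paths,
        "matched_count": len(matched_paths),
        "good_flagged": str(good) in matched_paths,
        "blocked_active": check_execution(bad2, ioc["md5"], active=True)[0],
        "blocked_inactive": check_execution(bad2, ioc["md5"], active=False)[0],
        "good_blocked": check_execution(good, ioc["md5"], active=True)[0],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The renamed copy on the second host is found by the scan and blocked by the rule, which is the point of hashing content rather than names; the benign file is untouched in both paths. The ‘inactive’ result is the state the guide warns about: a hash sitting in the rule list does nothing until the mode is switched to ‘Active’ and the policy has been applied to the agents.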
Appendix A: PoC completion checklist

# | Task | Success criteria | Notes
1 | Prepare the environment | |
1.1 | Review the requirements | PoC environment meets all the imposed requirements |
1.2 | Configure network | All required network ports are open in the correct direction |
1.3 | Check account rights and permissions | PoC is performed through accounts with sufficient privileges |
2 | Deployment and configuration | |
2.1 | Install Plug-in for products | Kaspersky Endpoint Security 11.4 and Kaspersky Endpoint Agent are installed on the KSC server |
2.2 | Install Kaspersky Endpoint Security 11.4 for Windows with Kaspersky Endpoint Agent | KES 11.4 for Windows is installed on the target devices |
2.3 | Configure Kill Chain | Threat report contains the necessary fields and filtering |
2.4 | Configure Endpoint Agent policy | Necessary options included for building kill chain |
3 | Capability scenario: Attack using new previously unknown threat | |
3.1 | Incident investigation | Open incident information in kill chain and check file reputation in Open TIP |
3.2 | Host isolation | Isolation of an infected host |
3.3 | IoC Scan | Detection of other infected VMs using IoC scanning |
3.4 | Execution Prevention | Startup file blocked using EDR |
