00:00:06 - 00:05:18
Kaspersky Endpoint Security Cloud allows you to repel the vast majority of threats that spread in a variety of ways. However, the company's network may face a targeted attack, and in this case the anti-malware components won't be enough. The administrators need to understand exactly how the attack was carried out. This will help pinpoint shortcomings in the infrastructure that endanger the company and may lead to financial or reputational damage. The Endpoint Detection and Response (EDR) component from the Kaspersky Endpoint Security Cloud Pro arsenal is ideal for such tasks. EDR focuses on gathering detailed information about an attack. To enable EDR, open the Security management > Endpoint Detection and Response page, then simply click Enable Endpoint Detection and Response. The component is now activated and will analyze all security incidents on the protected computers.

Let's try to carry out a couple of simple attacks to see how EDR reacts to their detection. First, let's run the EICAR test file. When you try to launch EICAR, Kaspersky Endpoint Security for Windows blocks the file because it considers it to be malicious. Next, let's use Metasploit to simulate an HTML application attack on a protected computer. The aim of such an attack is to hide malicious code in an HTML application that is downloaded and executed on the computer, which in turn allows it to download and run other files that the attackers intend to use. When you try to open a link to an HTA file in a web browser, Kaspersky Endpoint Security blocks access and shows a message about a dangerous object.

You can see the results of the EDR component's operation on the Monitoring tab of the Kaspersky Endpoint Security Cloud main window, in the Endpoint Detection and Response section. To see the full list of detected attacks, click Go to list of alerts. The list of detected threats shows the time of detection, the threat status, its name, the attacked device and the user assigned to it, the security profile of the device, the detection technology, and a link to detailed information about the threat. Details include all the data collected about the attack. The diagram shows how the attack developed, and the entries below provide additional information. In the diagram, we can see all the actions that were performed during the attack, such as child processes started, files saved, and network connections established. The list below provides a detailed description of all actions; processes, file paths, and network addresses are specified. In this case, the attack aimed to download an HTA file (HTML application attack). The information about the file includes various details: its name, detection method, the actions taken, as well as MD5 and SHA-256 checksums. Click a checksum to open information about the respective file in Kaspersky Threat Intelligence Portal, which stores data about threats and allows you to check an uploaded file, checksum, or web address. Click the name of a detected threat to get detailed information about it. In this case, the malicious code was a basic Trojan attack, and we only see general information about such attacks. Let's consult the information received after the launch of EICAR. When started, this file tried to save several files, establish a network connection, and run Windows Command Prompt. If we follow the link to Kaspersky Threat Intelligence Portal, we will see quite a few detection names with the same hash. Let's click the EICAR file name we are familiar with. You can see information about the threat and the possible actions it tries to perform on a computer. We can add the detected malicious file to an indicator of compromise scan task. An indicator of compromise is an object or action that most likely indicates unauthorized access to the system. Such indicators include unusual DNS queries, a significant number of access operations on a single file, access via uncommon ports, malware hash detection, and more.

When you add a hash to an IOC scan task, reactive scanning is performed. There are three types of IOC scanning. Proactive scan allows you to add information about an attack that is characterized by a certain set of indicators you may find on the internet, and check all Windows devices for these indicators. Reactive scan allows you to add a threat detected by Kaspersky Endpoint Security Cloud to scanning; in this case, all IOCs related to this threat will be added to the scan task automatically, and all Windows devices will be scanned in this case too. If using Custom scan, you can create a scan task and configure it as you wish, for example, select the computers to be scanned. For each type of scanning, you can specify a response to the detection of an object that matches the IOC scan settings. The following reactions can be performed, and combinations are also possible. The Notify reaction only notifies about the detection. The Scan critical areas reaction scans the kernel memory, running processes, and disk boot sectors. When the Quarantine a copy and delete the object reaction is used, a backup copy of the malicious object is created in the quarantine, which will come in handy in the event of a false positive, while the original file is deleted. The Isolate the device from the network reaction isolates the device from the network to prevent malware from spreading. You can also specify the isolation time, after which access to the network will be restored automatically.
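As an added illustration (not Kaspersky's code, nor a description of how the product implements its scan tasks), here is a hypothetical reactive IOC hash scan in Python: it hashes every file under a directory, matches the MD5/SHA-256 values against a set of IOC hashes, and applies either the Notify or the Quarantine-a-copy-and-delete reaction, keeping the backup copy before removing the original. The directory layout, file names, and sample payload are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Reactions from the transcript; only these two are implemented (the others need OS hooks).
REACTIONS = ("notify", "quarantine_and_delete")

def file_hashes(path: Path) -> dict:
    """Lowercase-hex MD5 and SHA-256 of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def ioc_scan(root: Path, iocs: set, reaction: str, quarantine: Path) -> list:
    """Match every file under root against the IOC hash set; one alert per hit."""
    if reaction not in REACTIONS:
        raise ValueError(f"unknown reaction {reaction!r}")
    alerts = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hashes = file_hashes(path)
        hit = iocs & set(hashes.values())
        if not hit:
            continue
        alert = {"path": str(path), "matched": sorted(hit), "reaction": reaction}
        if reaction == "quarantine_and_delete":
            # Backup copy (named by SHA-256) so a false positive can be restored; then delete.
            quarantine.mkdir(parents=True, exist_ok=True)
            backup = quarantine / hashes["sha256"]
            shutil.copy2(path, backup)
            path.unlink()
            alert["backup"] = str(backup)
        alerts.append(alert)
    return alerts

def demo() -> dict:
    """Constructed sample: one IOC-matching and one clean file in a temp dir."""
    base = Path(tempfile.mkdtemp())
    (base / "scan").mkdir()
    (base / "scan" / "dropper.hta").write_bytes(b"constructed sample payload")
    (base / "scan" / "notes.txt").write_bytes(b"harmless text")
    ioc = hashlib.sha256(b"constructed sample payload").hexdigest()
    alerts = ioc_scan(base / "scan", {ioc}, "quarantine_and_delete", base / "q")
    return {"alerts": alerts, "clean_kept": (base / "scan" / "notes.txt").exists(),
            "hit_removed": not (base / "scan" / "dropper.hta").exists(),
            "backup_kept": bool(alerts) and Path(alerts[0]["backup"]).exists()}
```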