
Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article will help you check that the EDRO component is installed and integrated correctly.

What you need to know about EDRO

1. EDRO works with KES 11.7+, KSWS 11.0.1 and KSV LA 5.2 (Windows only), the so-called EPP.

https://support.kaspersky.com/KEDR_Optimum/2.3/en-US/216855.htm

2. You must use NWC for EDRO.

3. You can't use KEA alone for the EDRO scenario. It always integrates with EPP.

How to check that the EDRO component is installed correctly

First, check whether the KEA component is installed. If it is installed, check whether it is integrated with EPP.

KES

Starting with KES 11.7, the EDRO agent is integrated into KES.

First, check the component status in MMC or NWC:

MMC

[Screenshot]

NWC

[Screenshot]

If you see "Not supported by license", pay attention to the version. If you see 0.0.0.0 or N/A, the component is not installed. "Not supported by license" doesn't mean that there is no license for EDRO; it may mean that the component is not installed on the host.

When the component is installed but not activated, you'll see the installed component version:

MMC

[Screenshot]

NWC

[Screenshot]

If the component is installed but not activated, it looks like this in the KES GUI:

[Screenshot]

If the component is not installed, there is no Detection and Response section in the KES GUI. (If MDR is installed, the Detection and Response section is present, but it does not contain Endpoint Detection and Response Optimum as shown above.)

 

How to check EDRO license in the KES UI

You can check the license components in the KES GUI. If the word Optimum does not appear, the license does not support EDRO. For example:

[Screenshot]

And here is an example where the license key supports EDRO:

[Screenshot]

KSWS

During KSWS installation you must enable Endpoint Agent, even if KEA is already installed on the host. KSWS detects it and enables the connector to the existing KEA (KEA will not be reinstalled).

[Screenshot]

This is what a correctly installed KSWS + KES looks like in the MMC:

[Screenshot]

And if it is not installed:

[Screenshot]

KSV LA

There is no change components task. You can change components only during an upgrade or installation. Reinstallation requires a reboot.

During installation you need to choose Custom installation and enable integration with KEA:

[Screenshot]

Remember that you can enable integration in the installation package properties in KSC.

How to check NWC setup for EDRO

What to do if there is no Alerts section in the NWC.

How it looks if there is no Alerts section in the web UI:

[Screenshot]

Go to the settings:

[Screenshot]

And enable EDR alerts:

[Screenshot]

KSC NWC includes the EDRO plugin by default; it is installed with the console. So the only way to reinstall the plugin is to reinstall NWC.

How a detection looks without the EDRO component installed

A detection without enriched information looks like this:

[Screenshot]

In the Enrichment and response section you'll see only Basic. It means there was a detection, but no additional information about it was collected. The main reason this may happen is that there is no EDRO component on the host.
