
Dear Kaspersky Technical Support Team,

I am currently using Kaspersky Endpoint Security (KES) to manage our server environment. Recently, I observed some unexpected behavior while executing a local PowerShell script (test.ps1) on one of our managed hosts. I would like to clarify how KES handles local scripts and verify some network activity.

1. Automated Script Execution in Remote/Sandbox Environments

When a local PowerShell script is executed, does Kaspersky Endpoint Security (via KSN or Advanced Threat Prevention) upload the script or its metadata to Kaspersky’s cloud infrastructure for analysis? Specifically, if the script contains network-outbound logic (e.g., API calls via Invoke-RestMethod), is it possible that the script is being executed or "detonated" within a Kaspersky sandbox environment, causing the API calls to originate from a non-local IP address?

2. IP Address Verification

During our security audit, we detected outbound connections to the following IP address:

  • IP Address: 79.104.209.194

  • Port: 443 / 13111

Could you please confirm if this IP belongs to the Kaspersky Security Network (KSN) or any official Kaspersky update/analysis servers? We need to verify if this is legitimate traffic or an unauthorized lateral movement attempt.

3. Context of the Issue

We received automated alerts from our internal API (triggered by the script) that originated from an unrecognized environment. We suspect that KES might be performing a "Cloud Sandbox" analysis which triggered the script's logic externally.

I look forward to your technical clarification on these points to help us refine our security policies.
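One way to triage the situation described in the post (API alerts arriving from an unrecognized environment) is to check each inbound API request against the corporate address ranges and host inventory, so that a call that originated outside the network stands out from a normal run of the script. This is an added example, not code from the post or from Kaspersky; the log format, the corporate range 10.0.0.0/8, the host inventory and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of an internal API access log (assumed format, not the
# poster's real log): "<ts> src=<client ip> host=<hostname sent by the script> path=<path>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.20.30.40 host=SRV-APP01 path=/alert
2024-05-01T10:00:09Z src=198.51.100.23 host=SRV-APP01 path=/alert
2024-05-01T10:00:11Z src=10.20.31.7 host=DESKTOP-UNKNOWN path=/alert
"""

# Assumed corporate egress ranges and host inventory for this example.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_HOSTS = {"SRV-APP01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) path=(?P<path>\S+)$"
)


def classify(line):
    """Return a verdict for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    internal = any(src in net for net in CORPORATE_RANGES)
    known_host = m["host"] in KNOWN_HOSTS
    if internal and known_host:
        verdict = "expected"
    elif not internal:
        # A known hostname calling from outside the corporate ranges is what a
        # copy of the script executed elsewhere (e.g. a cloud sandbox) would look like.
        verdict = "external-origin"
    else:
        verdict = "unknown-host"
    return {"ts": m["ts"], "src": str(src), "host": m["host"], "verdict": verdict}


def triage(log_text):
    """Classify every parseable line; callers can then alert on non-'expected' verdicts."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

A script that reports its own hostname alongside each API call gives the server side the second signal used here; the source IP alone only shows whether the call left the corporate ranges.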
