Kaspersky EDR / Sandbox


Hello,

I am working on EDR (Optimum/Sandbox) and still have some questions:

  • When the Sandbox gives a result on a file (good or bad), where is this information pushed? SIEM, KSN, KTIP, others? Is it pushed by the Sandbox itself, or does the Sandbox send the information to the KSC, which then pushes it everywhere (Sandbox to KEA to KES to KSC to everywhere)?
  • I still don't understand when the Sandbox uses the synchronous and asynchronous modes for the emulation. Can someone explain this to me?
  • The KEA agent for EDR/Sandbox seems to be compatible with Linux now (KES). Does someone know where I can find this information?
  • EDR can be managed by KSC or KSC Cloud Console. Are there differences between the two consoles for the EDR capabilities?

Thanks in advance for your help.


Dear user,

Thanks for your post. Answering your questions:

When the Sandbox gives a result on a file (good or bad), where is this information pushed?

  1. In KSC. Then, if you have a KESB Advanced license or KESB + KEDR Optimum, you can forward events to a SIEM.

I still don't understand when the Sandbox uses the synchronous and asynchronous modes for the emulation. Can someone explain this to me?

  1. You can get more details about how our Sandbox technology works at the following URL: https://support.kaspersky.com/KSB/1.0/en-US/190759.htm

The KEA agent for EDR/Sandbox seems to be compatible with Linux now (KES). Does someone know where I can find this information?

  1. Just to be clear: we have two main EDR technologies. The first is EDR Optimum, where the Endpoint Agent is present in Kaspersky Endpoint Security and in Kaspersky Security for Windows Servers. The KEA embedded in those products is currently only compatible with Microsoft Windows (KES: Windows 7 and later; KSWS: Windows Server 2003 and later). Let's call our EDR Optimum KEDRO to differentiate. Our other EDR version is called EDR Expert, or KEDR. This technology is different from KEDRO and, yes, it is compatible with Linux. But it is different from KEDRO.

EDR can be managed by KSC or KSC Cloud Console. Are there differences between the two consoles for the EDR capabilities?

  1. KEDRO can be managed by either KSC or KSC Cloud Console. KEDR can be managed only by its built-in web manager. The main differences between the products are cost, solution architecture and the features available.

Don't hesitate to ask anything else you need. Happy holidays!


Thanks for your answers!

Some points are still not clear for me:

  • Isn't the result of a Sandbox analysis sent to KSN, KTIP or other public cloud services?
  • Regarding the synchronous/asynchronous modes, may I understand that the synchronous one is when KEA requests the cache of the Sandbox and the file is then suspended from running until the result arrives? And the asynchronous one is when there is no cached answer, so KEA pushes the file to the Sandbox for emulation and the file keeps running on the client until the sandboxing result arrives. Is that correct?

Rgds
