Kaspersky sandbox no results after several months

[Bobhond]

Hi,

Several months ago a vendor installed a hardware kaspersky sandbox in our environment and configured the policies. At least I thought so because after several months there is still no data about processed objects.

 

Under the properties of the Endpoint Agent I can see that the integration settings are under policy and that there is an active trusted connection with the sandbox. 

The policy underneath it “list of kaspersky sandbox servers” however is not enforced, although the IP-address of the sandbox is added. The same applies to the “Advanced settings” and “Threat Response”, non of the policies are enforced.

 

So, I assume that the setup of our sandbox is incomplete, is this correct? 

Do all policies under “Kaspersky Sandbox integration” have to be enabled for the sandbox to work correctly?

 

We have a Kaspersky Endpoint Detection and Resepone Optimum Add-on together with “Kaspersky Sandbox, Node European Edition”.

 

Bobhond

[Diego Moraes]

Hello, that's right, in all policies the Sandbox certificate and addresses need to be added.

I don't know the version you are using, but because you still use the Endpoint Agent, it must be a version older than KES 11.7, I suggest migrating to Kaspersky Security Center 13.2 and Kaspersky Endpoint Security 11.8, the Endpoint Agent is no longer needed, it has been integrated into KES, we now configure the Sandbox directly in the KES policy.

The view of Sandbox requests and possible errors are visible in KES and it's easy to check if it's working.

Configuration needs to be done at home policy

Sandbox log on client

Filter by date and see how many requests are being processed per day.

KES 11.8 Policy with Integrated Sandbox

Upon detection of any threat, kaspersky can provide a file to test your environment. I received one at installation.

Note: I have three addresses in the Sandbox because I use it in clusters

 

[Bobhond]

Hi Diego!

 

Thanks a lot for replying!

You are correct in assuming that we use an older version of KES: 11.6 (13.0 Administration Server). I didn’t know that the endpoint agent was going to be integrated in KES, that actually makes it easier to manage. We should definitely look into upgrading.

 

I think I used a misnomer in my question, by policy I meant the locks next to the different options:

 

There’s only “Kaspersky Sandbox integration settings” “under policy”. The IP of the server was added but the lock itself is not locked. That’s why I assume that the sandbox is currently doing nothing. So I guess all these need to be locked?

 

Our screenshot of our sandbox traffic is way less spectacular (filtered on the month of January). 

 

[Diego Moraes]

Actually, your Sandbox is not working properly, it has not received any verification requests.
This "Policy not enforced" option needs to be padlocked on all options and all policies to force this setting and prevent it from being disabled.

If it still doesn't work, open a call in the company account, or with your supplier to help you understand where the problem is.

I also recommend migrating your license to the EDR feature if you don't already have it, in version 11.8 it has been greatly improved in response and incident detection.

See how many hosts the policy was applied to.

EDR feature in practice, Sandbox can do this automatically.

Endpoint Agent Policy.