🔔 We announce the release of Kaspersky Anti Targeted Attack Platform 4.0.

🔧 What’s new:

• Improved application interface
• New rule import and task functionalities
• Other improvements; for the full list of changes see Online Help.

❓ For more information about the release, see Knowledge Base and Online Help.

Kaspersky Anti Targeted Attack Platform 4.0 now has the following new features:

1. Improved interface for managing tables and alert details.
   • Turning column display on and off in tables is now supported.
   • Now you can filter TAA (IOA) rule based alerts by rule name.
2. New task functionality for hosts with the Kaspersky Endpoint Agent for Windows component:
   • Start YARA scan

     This task lets you scan for malware using YARA rules.

   • Service management

     This task lets you remotely run, stop, pause, and resume a service, as well as remove the service or change its run type.

   • The Get forensics task can now fetch a list of autorun points from the host.
3. New rule import functionality:
   • Now you can import multiple files with YARA rules. You can individually manage each rule imported from the file.
   • New functionality for importing a file with MD5 and SHA256 hashes for files that you want to prevent from running. You can import up to 50 000 hashes. For each hash, the program creates a separate prevention rule.
4. Now you can make exclusions conditional for Kaspersky TAA (IOA) rules. The program now supports the Based on conditions exclusion mode. In this mode, the TAA (IOA) rule is supplemented by conditions in the form of a search query. The program does not mark events that match specified conditions as matching the TAA (IOA) rules. For events that match the TAA (IOA) rule, but do not satisfy the conditions of the applied exclusion, the program marks the events and creates alerts.
5. Users can now be authenticated in the Kaspersky Anti Targeted Attack Platform web interface with domain accounts.
6. Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules is now supported

   Adding this capability resulted in the following changes in the program:

   • The Settings includes a new Send files to Sandbox automatically subsection.
   • The Dashboard section now includes the Sent to Sandbox by TAA rules widget.

     The widget displays 10 TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.

   • Alerts created as a result of a file being sent to Sandbox for scanning in accordance with TAA (IOA) rules can be filtered in the alert table.
7. Added notifications for excessive CPU and RAM load for a given period of time.

   Adding this capability resulted in the following changes in the program:

   • Users with the Administrator role can configure the maximum allowed CPU and RAM load for the server.

     If the CPU or RAM load on the server exceeds this value for a specified period of time, the Dashboard section displays a notification for users with the Senior security officer, Administrator, and Security auditor roles.

   • Users can configure email notifications about excessive CPU and RAM load.
8. Now you can receive information about hard drive, CPU, and RAM load on Central Node and Sensor servers through external systems that support the SNMP protocol v2 and v3.
9. New procedure of recording information about files received for scanning in the program log:
   • Each file entry includes the MD5 hash of the file.
   • Information about all stages of file processing is logged, irrespective of the scan result.

   By default, the log file is saved in /var/log/kaspersky/apt-history/.

10. You can now find events registered on a Kaspersky Endpoint Agent for Windows host by IP address of the host.

    Adding this capability resulted in the following changes in the program:

    • In design mode for searching the event database for threats, the General details group now includes the HostIP criterion.
    • Event details in the System info section now include the Host IP field.
    • The tree of events in host details now includes the IP field.
    • Alert details under Hosts now includes the IP column that displays the IP address of the host that the host had when the alert was created or updated.
11. You can now perform Threat Response actions from external systems that are integrated with Kaspersky Anti Targeted Attack Platform. External systems interact with Kaspersky Anti Targeted Attack Platform through an API.

    You can use external systems to do the following:

    • Network isolation of a host.
    • Running a script or executable file.
    • Creating a prevention rule.

    Commands to carry out operations are received at the Central Node server and then Kaspersky Anti Targeted Attack Platform relays them to Kaspersky Endpoint Agent.

    All of the above operations are available for Kaspersky Endpoint Agent for Windows. With Kaspersky Endpoint Agent for Linux, you can only run a script or an executable file.

https://support.kaspersky.com/KATA/4.0/en-US/194460.htm

Views: 1