TDR and Kaspersky

Deployment Overview

Threat Detection and Response (TDR) is a collection of advanced malware defense tools that correlate threat indicators from Fireboxes and Host Sensors to enable real-time, automated response to stop known, unknown, and evasive threats.

As part of the TDR solution, you install TDR Host Sensors to provide endpoint protection. In some cases, the TDR Host Sensor might have conflicts with the antivirus software installed on your endpoints. To resolve this issue, you can configure exclusions in the antivirus software and in TDR.

This document describes the steps to deploy a TDR Host Sensor on a host that runs Kaspersky software.

This document does not describe all steps necessary to set up your Threat Detection and Response account. Before you begin, make sure to set up your TDR account and enable TDR on the Firebox. For information about how to set up your TDR account, TDR deployment best practices, and how to enable TDR on a Firebox, see Quick Start — Set Up Threat Detection and Response.

Configuration Summary

To avoid conflicts between the TDR Host Sensor and Kaspersky, add these exclusions:

  • Exclusions in TDR for Kaspersky — For Windows:
    • C:\ProgramData\Kaspersky Lab\
    • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\
    • C:\Program Files\Kaspersky Lab\Kaspersky Endpoint Security for Windows\
    • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\
    • C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 20.0\
  • Exclusions in TDR for Kaspersky — For Mac:
    • /Library/Application Support/Kaspersky Lab/
  • Exclusions in Kaspersky for the TDR Host Sensor — For Windows:
    • 64-bit Windows — C:\Program Files (x86)\WatchGuard\Threat Detection and Response\
    • 32-bit Windows — C:\Program Files\WatchGuard\Threat Detection and Response\
  • Exclusions in Kaspersky for TDR — For Mac:
    • /usr/local/watchguard/

If the Host Sensor and Kaspersky detect and respond to a threat at the same time, this can cause high utilization of system resources such as CPU, memory, and disk I/O.

Configuration Details

To complete this deployment, you must have:

  • An active Threat Detection and Response subscription with Host Sensor licenses
  • Kaspersky Endpoint Security for Business Select
    • Kaspersky Endpoint Security for Windows 11.2.0.2254
    • Kaspersky Endpoint Security for Mac 11.0.0.501c
  • Kaspersky Small Office Security
    • Kaspersky Small Office Security 20.0.14.1085 — Windows
    • Kaspersky Internet Security 20.0.0.829b — Mac

The TDR and Fireware versions tested for this deployment included:

  • TDR Host Sensor 5.8.5.9153
  • Firebox with Fireware v12.5 or higher

The Windows test environment for this deployment included:

  • Windows 7, 8.1, 10 Enterprise 64-bit Operating System
  • Memory (RAM) — 8 GB
  • Processor — 2 CPU Cores

The Mac test environment for this deployment included:

  • macOS 10.13
  • Memory (RAM) — 8 GB
  • Processor — Intel Core i5

Configure Exclusions in TDR

In your TDR account, add exclusions to identify paths for files and processes that you do not want Host Sensors to monitor. Before you deploy a Host Sensor on computers that have Kaspersky installed, add exclusions for the Kaspersky file paths as TDR Exclusions in your TDR account. To add the exclusions to TDR, you can either use Predefined Exclusion Sets or add the exclusions manually.

Predefined Exclusion Sets

TDR has predefined AV exclusion sets for the most common third-party AV tools. This AV tool has a predefined exclusion set available. Predefined exclusion sets include all recommended exclusions for the AV tool. TDR updates these exclusion sets as needed. For information about predefined AV exclusion sets, see Configure TDR Exclusions.

You must also add the TDR exclusions to your AV software to avoid potential conflicts.

Manually Add AV Exclusions

If you do not want to exclude all the recommended paths in a predefined exclusion set, you can add exclusions manually.

In your TDR account, add the TDR exclusions for the paths shown in the Configuration Summary.

Unless otherwise noted, configure each TDR exclusion with these options, which are selected by default:

  • Also exclude subfolders
  • Entities to exclude: Files and Processes

To add an exclusion in TDR:

  1. Log in to your TDR account or managed account as a user with Operator privileges.
  2. Select Configuration > Exclusion.
  3. Click Add Exclusion.
    The Add Exclusion dialog box opens.
  4. In the Path text box, type the path to exclude. Folders specified in an exclusion must end with a backslash.
  5. To apply the exclusion to all hosts, in the Hosts / Groups text box, specify the group All Hosts.
  6. Click Save & Close.

Repeat these steps to add each exclusion.

Configure Exclusions in Kaspersky

To exclude directories used by the TDR Host Sensor, add the exclusions for the paths listed in the Configuration Summary.
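Before you add exclusions in either direction, it helps to confirm which of the listed folders actually exist on the endpoint and that each folder path ends with a backslash as TDR requires. The script below is an added pre-deployment check, not a WatchGuard or Kaspersky tool; it uses only the paths from the Configuration Summary and picks the Host Sensor folder based on whether the OS is 64-bit or 32-bit.

```powershell
# Added pre-deployment check (not WatchGuard's or Kaspersky's own tooling).
# Run in PowerShell on the Windows endpoint. The paths are the ones listed
# in the Configuration Summary of this guide.

# Kaspersky folders to exclude in TDR (Windows).
$KasperskyPaths = @(
    'C:\ProgramData\Kaspersky Lab\',
    'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\',
    'C:\Program Files\Kaspersky Lab\Kaspersky Endpoint Security for Windows\',
    'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 20.0\',
    'C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 20.0\'
)

# The Host Sensor folder depends on OS bitness: 64-bit Windows installs it
# under Program Files (x86), 32-bit Windows under Program Files.
$TdrPath = if ([Environment]::Is64BitOperatingSystem) {
    'C:\Program Files (x86)\WatchGuard\Threat Detection and Response\'
} else {
    'C:\Program Files\WatchGuard\Threat Detection and Response\'
}

function Test-FolderExclusion {
    # Report whether the folder exists on this host and whether the path
    # ends with a backslash (TDR rejects folder exclusions that do not).
    param([string]$Path)
    [PSCustomObject]@{
        Path              = $Path
        TrailingBackslash = $Path.EndsWith('\')
        ExistsOnHost      = (Test-Path -LiteralPath $Path -PathType Container)
    }
}

Write-Output 'Exclusions to add in TDR (Kaspersky folders on this host):'
$KasperskyPaths | ForEach-Object { Test-FolderExclusion -Path $_ } |
    Format-Table -AutoSize

Write-Output 'Exclusion to add in Kaspersky (Host Sensor folder for this OS):'
Test-FolderExclusion -Path $TdrPath | Format-Table -AutoSize
```

Folders that report ExistsOnHost as False belong to a Kaspersky product that is not installed on that host, so you can skip them if you add exclusions manually rather than with the predefined set.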

To add a Windows exclusion in Kaspersky Small Office Security:

  1. Open Kaspersky Small Office Security.
  2. Click Settings.
    The Settings page appears.
  3. Select Additional on the left panel.
    A list of options appears on the right panel.
  4. Select Threats and Exclusions on the right panel.
    The Threat and exclusion setting page appears.
  5. Click Exclusions > Manage exclusions.
  6. Click Add.
  7. In the File or folder text box, type the path to exclude.
  8. Click Add.
  9. Click Continue.

To add a Windows exclusion in Kaspersky Endpoint Security for Business Select:

  1. Open the Kaspersky Endpoint Security for Windows client.
  2. Click Settings.
    The Settings page appears.
  3. Select General Settings > Exclusions.
    A list of options appears.
  4. Click Settings of the Scan exclusions and Trusted zone.
    The Trusted zone settings page appears.
  5. Click Scan exclusions.
  6. Click Add, then select File or folder.
  7. Click Select file or folder, type the path to exclude.
  8. Click OK.
  9. Click OK.
  10. Click Trusted application.
  11. Click Add > Applications, select TDR applications.
  12. Click OK.
  13. Select all of the Do not actions.
  14. Click OK.
  15. Click OK.
  16. Click Save.

To add a Mac exclusion in Kaspersky Internet Security:

  1. Click the Kaspersky icon in the upper right corner.
  2. Click Preferences > Threats > Trusted Zone.
  3. Click Trusted files and folders, type the path to exclude.
  4. Click OK.
  5. Click the lock to prevent further changes.

To add a Mac exclusion in Kaspersky Endpoint Security for Business Select:

  1. Click the Kaspersky icon in the upper right corner.
  2. Click Preferences > Threats > Trusted Zone.
  3. Click Trusted files and folders, type the path to exclude.
  4. Click OK.
  5. Click the lock to prevent further changes.

For information about the integration testing methods, see TDR Testing Methodology.