Professional Documents
Culture Documents
www.kaspersky.com
I-1
Unit I. Deployment
Unit I. Deployment
Introduction .................................................................................................................... 4
Basics of Kaspersky Endpoint Security for Business ................................................................................................... 4
Which products the course covers .......................................................................................................................... 4
What constitutes Kaspersky Security Center .......................................................................................................... 5
What constitutes Kaspersky Endpoint Security ...................................................................................................... 5
How Kaspersky Security Center manages computers ............................................................................................ 7
How the administrator manages protection via the Console ................................................................................. 9
How policies are applied to computers ................................................................................................................ 10
How policies work in groups................................................................................................................................ 10
How tasks are applied to the computers .............................................................................................................. 11
How tasks work in groups .................................................................................................................................... 12
How Kaspersky Endpoint Security for Business is licensed ................................................................................. 13
What This Course Is About ........................................................................................................................................ 15
What we will tell you in this course and what not ................................................................................................ 15
Where to learn more about what is out of the course scope................................................................................. 16
What the course includes ..................................................................................................................................... 17
Introduction
First of all, let us introduce the course and tell which topics it covers and which omits. You will also learn which
solutions and products are studied in this course, what they consist of, how interact and how are licensed.
The course describes the Kaspersky Endpoint Security for Business solution that includes various Kaspersky Lab
products. The course does not try to cover all products; it tells only about those that can help to protect a not-too-
large Windows network.
A not-too-large network in our course means approximately up to 1000 endpoints in a single location. Endpoints in
this course are servers and workstations running Windows.
To protect such a network, two Kaspersky Endpoint Security for Business products are necessary:
Kaspersky Endpoint Security is an application that not only protects against malware and hackers, but also can
control the users’ actions and encrypt files and drives.
— Kaspersky Security Center Administration Server stores all the settings, collects events, draws up reports,
etc. It is the Server that manages protection on the administrator’s command.
— The database server maintains the Administration Server’s database, where the Server stores events and
some of the settings. Other Server settings are stored in files on a drive.
— Kaspersky Security Center Network Agents connect Kaspersky Endpoint Security to the Administration
Server: receive settings for Kaspersky Endpoint Security from the Server, and send events to the server
— Kaspersky Security Center Administration Console is a management system interface for the administrator;
the administrator configures parameters in the console, consults reports and events and manages protection
in general
Protection components
File Anti-Virus Scans files whenever the user or a program creates, changes, copies or starts one.
Blocks operations with malicious files, and quarantines these files
Mail Anti-Virus Intercepts e-mail messages, scans their text and attachments, deletes malicious files from
messages
Web Anti-Virus Scans web pages and files that the user or programs download from the Internet. Blocks
dangerous and phishing web sites, prohibits downloading malicious files
Network Attack Scans network packets that the computer receives. Blocks a connection if detects indications of
Blocker a network attack
Firewall Controls the connections established by the programs running on the computer, and the packets
they receive or send. Blocks packets according to the configured rules. Does not allow an
unknown program or a program that has bad reputation to establish connections
Application Monitors the programs’ activities on the computer. Does not allow programs that have bad or
Privilege Control unknown reputation to change system settings and user’s files. Does not allow them to fiddle
around with the operating system and other software
System Watcher Also monitors what applications do, but analyzes what a program does in general rather than its
individual actions. Stops the applications that behave as malware. In particular, stops programs
that try to encrypt files
BadUSB Attack Does not permit connecting new input devices (keyboards, etc.) to the computer without the
Prevention user’s consent. Protects against USB devices that pretend to be keyboards and send malicious
commands to the computer
Kaspersky Requests the reputation of programs and web pages from Kaspersky Lab servers, provides the
Security Network latest information about threats, protects against zero-day attacks and false positives
Control components
Application Startup Blocks program start according to the configured rules. Can freeze a computer status and
Control block any new application.
Device Control Blocks access to devices according to the configured rules. The administrator can prohibit
access to all or some of removable drives, Wi-Fi adapters or modems
Web Control Blocks access to web pages according to the configured rules. The administrator can prohibit
access to social networks, job search and news web sites, torrent trackers, etc.
Encryption components
Encryption of hard drives Encrypts all drives’ contents. Protects files on notebooks, which may be lost or stolen
Encryption of Files and Encrypts individual files and folders according to the rules. Protects files on
Folders notebooks, which may be lost or stolen
Microsoft BitLocker Manages disk encryption via Microsoft BitLocker. Protects files on notebooks, which
Management may be lost or stolen
I-7
Unit I. Deployment
Virus Scan Scans files on the specified schedule. Performs this more thoroughly than File Anti-
Virus.
Update Downloads descriptions of threats and file reputations to the computers, provides
protection when Kaspersky Security Network is inaccessible
Sensor of Kaspersky Anti Informs the Central Node of Kaspersky Anti-targeted Attack Platform about the
Targeted Attack Platform programs’ activities on the computers, helps to detect Advanced Persistent Threats
Integrity Check Ensures that nobody can modify Kaspersky Endpoint Security files
Find Vulnerabilities A local task that scans computers for vulnerabilities in applications and operating
system files against a database of vulnerabilities. It is not used, because the same
task is performed by Network Agent
For more details about components and their settings, refer to Units II and III.
Let’s see how all components of Kaspersky Endpoint Security for Business interact.
Network Agent connects to the Administration Server on the specified schedule, and also if necessary. By default, a
so-called synchronization takes place every 15 minutes.
I-8 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
For the administrator to see what’s happening in the network, Network Agent sends the following data to the server:
Events As soon as logged When Kaspersky Endpoint Security finds malware, or cannot
download updates, or cannot start components, etc.
Typically, Agents send only changes in the lists to the server. Once every several hours (3 hours for some lists, 12
for others) the Server completely synchronizes the lists with the computers.
Administration Server accepts connections from the Network Agents on TCP port 13000. Agents compress and
encrypt data with the Administration Server certificate using SSL/TLS.
For Kaspersky Endpoint Security to protect a computer in a way the administrator wants, the Network Agent
downloads settings for Kaspersky Endpoint Security in the form of policies and tasks from the Server.
During a synchronization, Network Agent compares tasks and policies on the computer with those of the
Administration Server, and if the administrator has changed something on the server, the Agent downloads new
tasks and policies.
Usually, computers receive tasks and policies earlier than at a planned synchronization. Network Agents accept
packets on UDP port 15000. If the Server wants an Agent to urgently connect to the Server, it sends a special signal
to this port. When the administrator modifies a task or policy, the Administration Server contacts Agents on all
computers to which this task or policy pertains. During a synchronization, policies are downloaded only by those
computers that have not received the signal from the Server.
The administrator can also send a synchronization request manually, via a computer’s shortcut menu in the
Administration Console.
Additionally, Agents connect to the Server to download updates for Kaspersky Endpoint Security. For this purpose,
they also connect to port 13000 over an SSL connection.
I-9
Unit I. Deployment
The events and statuses sent by Network Agents help the administrator understand what is happening in the
network. The Administration Server summarizes statuses of individual computers and displays them on the main
page of the Administration Console—the Monitoring tab of the Administration Server node.
To better understand what is happening, the administrator can receive reports, which the Administration Server
draws up based on events. There are many search and filter tools in the console that help to arrange events and
computers according to various parameters.
To specify settings for computer protection, the administrator creates tasks and policies in the console:
— Tasks—for operations that have a logical termination, for example, update completes when Kaspersky
Endpoint Security receives all new threat descriptions, virus scanning completes when all files in the scan
scope have been scanned. That is why updates and virus scanning are configured as tasks, which have
schedules
— Policies—for all the other parameters: how to scan files that the user downloads from the Internet or
receives by e-mail, how to scan files opened by programs, which network connections to allow and which
to block. These settings are to be applied permanently to permanently protect the computer, and that is why
they are specified in a policy.
If different computers need different settings, the administrator organizes computers into groups and creates
individual policies or tasks within each group. For example, to perform virus scanning on servers at weekends, and
on workstations in the background mode during a business day, the administrator can create two groups (for servers
and workstations) and create virus scan tasks with different schedules for them.
I-10 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
A policy contains the same parameters as the local settings of Kaspersky Endpoint Security. When the administrator
configures a policy, the local protection settings are changed.
If the button appears pressed and the lock is closed, the parameters are applied to the computers where the policy is
enforced. The user cannot modify the values of these parameters in the local interface of Kaspersky Endpoint
Security.
If the button appears released and the lock is open, the computer considers that this parameter has not been specified
in the policy. The user can change these parameters in the local interface.
Even if the user has not created any groups, there is the root group on the Administration Server, which is named
Managed devices. If the user wants to create custom groups, they are created as subgroups within the Managed
devices group.
— There may be policies for different applications in a group, for example, the Network Agent policy and the
Kaspersky Endpoint Security policy
— There can be a few policies for the same application in a group, but only one of them can be active.
The Active policy is the policy that the Administration Server sends to the computers.
An Inactive policy does not influence anything, but the administrator can make it active and thus quickly adjust
settings on all computers.
If the administrator makes a policy active, the policy that has been active so far becomes inactive automatically.
— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where there is no Kaspersky
Endpoint Security policy, the parent group’s policy is applied to the subgroup’s computers as well
— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where another Kaspersky
Endpoint Security policy is configured, the subgroup’s computers receive the policy configured within this
subgroup. However, required (locked) parameters from the parental policy are enforced on the subgroup’s
policy, and the administrator cannot modify them. In a child policy, the administrator can edit only the
parameters that are not locked in the parent group’s policy
— The administrator can choose not to apply a group policy to subgroups: in the subgroup’s policy, clear the
check box that regulates inheriting parameters from the parental policy. After that, the administrator will be
able to edit all parameters in the child policy
The administrator manages update and virus scan settings via tasks rather than via the policy.
I-12 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
While there can be only one type of Kaspersky Endpoint Security policy1, there are many various task types for
Kaspersky Endpoint Security:
— Virus Scan
— Updates
— Update rollback
— Inventory
— Key installation
— Integrity check
— Change application components
— Checking connection with KSN
— Managing Kaspersky PreBoot Agent Accounts
Each task type has its own characteristic settings. For example, a virus scan task has its scope and file scan settings,
an update task has an update source and instructions which updates to download.
Unlike policies, tasks have no locks. All task settings are enforced on the computers and the user cannot modify
them.
Tasks can be created not only by the administrator on the Administration Server, but also by the user in the local
interface. However, if a policy is configured on the Administration Server and enforced on a computer, it will use
only the Administration Server’s tasks. Local tasks will be neither run nor even displayed in the interface. And the
user will not be able to create new local tasks.
The administrator creates tasks in groups for regular activities, such as virus scanning or downloading updates.
1
One for one or several product versions. For example, Kaspersky Endpoint Security 10 SP1 has its own policy type, and Kaspersky
Endpoint Security 10 SP2 another one. However, two policies of a single Kaspersky Endpoint Security version contain the same parameters
and only the values of these parameters differ.
I-13
Unit I. Deployment
— There can be several tasks of each type in a group, for example, a few virus scan tasks. They may differ in
the scope and schedule, for example, one of the tasks can scan the whole computer once a week, and
another one, only critical areas but daily.
— If you want to scan for viruses the same scope with different schedules on different computers, organize
computers into respective groups and create individual tasks within each group. For example, to perform
full scan on servers at weekends, and on workstations during business hours in background mode.
— If there is a task in a group, and there is a subgroup with a task of the same type, the subgroup’s computers
will be running both tasks. Usually, this means that the administrator has not thought over thoroughly
enough which tasks are really needed.
You must be especially careful with update tasks. To update Kaspersky Endpoint Security on a computer,
there must be one update task. If an update task is configured within a group and another one in its
subgroup, both will be applied to the computers that comprise the subgroup. If an update task is running
already, another one will return an error if started in the meanwhile. Consequently, the administrator will
keep receiving update errors because of a configuration error while updates will work correctly
— Subgroups can be excluded from a task scope. Then the subgroup’s computers will receive only the
subgroup’s task, and the parental task will not be used
Unlike a policy, a task can be created not only for a group. The administrator can create a task for any list of
computers, from a single computer to an arbitrary set of computers belonging to different groups.
Which licenses are available for Kaspersky Endpoint Security for Business
We’ve studied how the components of Kaspersky Endpoint Security for Business interact, and how the
administrator manages them.
I-14 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Now let us find out which licenses are available for Kaspersky Endpoint Security for Business, and what makes
them different.
There are three levels of licenses in Kaspersky Endpoint Security for Business:
Different licenses permit using different Kaspersky Lab products and different functions within these products.
KESB Core allows a customer to use Kaspersky Lab products for workstations only; servers cannot be protected
under this license. This means that a KESB Core license can activate Kaspersky Endpoint Security for Windows,
Kaspersky Endpoint Security for Mac and Kaspersky Endpoint Security for Linux Workstations.
KESB Core activates only the protection functions of Kaspersky Endpoint Security for Windows rather than its
complete functionality. Control components and encryption components do not work under this license.
You do not need to activate Kaspersky Security Center to use it. Everything which is necessary for managing
workstation protection is available without a license.
In Kaspersky Endpoint Security, a KESB Select license activates the protection and control components.
In Kaspersky Security Center, a KESB Select license activates the mobile device management functionality. You do
not need to activate Kaspersky Security Center to be able to manage only the protection and control on workstation
and servers.
KESB Advanced permits protecting the same types of endpoints: workstations, servers and mobile devices, but
activates more functions.
In Kaspersky Endpoint Security for Windows, a KESB Advanced license permits using encryption.
In Kaspersky Security Center, a KESB Advanced license allows the customer to use Systems Management;
specifically, automatically download and install software fixes and updates, create and deploy images of operating
systems with pre-installed applications, etc.
Targeted licenses
If a customer does not need all KESB Advanced functions, licenses for individual functions are also available:
— Encryption
— Mobile Device Management
— Systems Management
Except for the functionality, these licenses have a limitation on the number of endpoints to be protected. For
example, a customer purchases a license for 100 nodes, and if later wants to protect more devices, purchases a new
license for, say, 150 or 200 nodes.
All the abovementioned licenses are usually valid for a year. After that, the customer renews the license for another
year, and so on.
I-15
Unit I. Deployment
Subscription licenses
Additionally, Kaspersky Lab supports subscription licenses. These licenses are purchased from special partners, and
the customer pays monthly. The customer can suspend a subscription and resume it later.
With a subscription license, the customer can select which functionality level to use and change the number of nodes
every month if necessary: expand or cut down depending on the current needs.
Kaspersky Endpoint Security for Business includes many products and capabilities. This course does not try to
cover all of them. It only tells how to protect a not-too-large network of computers running Windows operating
systems.
That is why our course does not describe all the products that belong to Kaspersky Endpoint Security for Business;
instead, it focuses on:
For the same reason, the course does not tell about all the capabilities of Kaspersky Endpoint Security for Windows
and Kaspersky Security Center, but concentrates on how to:
— Encryption management
— Third-party vulnerability and patch management
— Creation and deployment of disks with computer images
— Protection of large, complex and distributed networks using Update Agents, Connection gateways or
several Kaspersky Security Center Administration Servers
The following courses are available, which are devoted to other products and technologies:
How to protect Windows servers using Kaspersky Security for Windows Servers KL 005.10 1 day
How to fix vulnerabilities and install updates on third-party software KL 009.10 1 day
How to manage protection in large, complex and distributed networks KL 302.10 2 days
How to protect virtual machines using Kaspersky Security for Virtualization. Agentless KL 014.40 1 day
How to protect virtual machines using Kaspersky Security for Virtualization. Light Agent KL 031.40 1 day
The course consists of presentations and labs, which alternate. The instructor first explains every topic with slides,
and then the students put theory into practice in lab experience.
The Student Guide includes all slides and elaborates on all the topics and product settings.
The students complete hands-on exercises using virtual machines. The virtual environment depends on the class: it
can be VMware Workstation, VMware vSphere, Microsoft Hyper-V, etc. The Lab Guide is designed for VMware
Workstation.
I-18 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Students use five virtual machines, which perform the following roles in the labs:
In a deployment, all network computers must be protected, and the administrator must be able to manage protection
centrally. To achieve this, it is necessary to install Kaspersky Security Center 10 (KSC 10) and Kaspersky Endpoint
Security 10 for Windows (KES 10) on the computers.
First, install the Kaspersky Security Center Administration Server. The Administration Server centrally manages
protection, and helps to install other components.
The Kaspersky Administration Console is installed automatically along with the Administration Server. To manage
the server remotely, use remote desktop, or install Kaspersky Security Center Administration Console on the
administrator’s computer.
In order to protect the network, install Kaspersky Endpoint Security on every computer. Kaspersky Endpoint
Security alone cannot interact with Kaspersky Security Center; install the Network Agent on every computer to
make centralized management possible.
I-19
Unit I. Deployment
If you need to enforce different settings on different computers, organize the computers into groups. Do not create
more groups than necessary. To be able to easily find computers, import the structure from Active Directory.
You do not need much time to install all components of Kaspersky Endpoint Security for Business. What consumes
time is troubleshooting.
To save time, do your homework. Try what you want to implement in a test environment. If issues are encountered,
think how to solve them. Or find a workaround to use in case the issue arises on the network computers.
However, you are unlikely to stumble upon every possible issue in a test environment. Therefore, in your real
network, start with a small number of computers: 10–20. Try to select different computers to come upon as many
potential issues as possible. If you encounter new issues, return to the test environment, reproduce them and come
up with a solution or a workaround.
Stage the deployment: for example, 100 computers at a time. This way, you will discover new issues gradually, and
the number of problem computers will always be small.
At each step, plan some extra time for troubleshooting. Do not proceed to the following step until you decide how to
solve or get round all issues. Solve issues in a test environment rather than on the network computers.
Today, an IT test environment is usually made of virtual machines. If virtual machines appear to be a luxury, use the
administrators’ computers for testing.
I-20 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To install Kaspersky Security Center Administration Server, prepare a computer that meets the system requirements.
If there are fewer than 1000 endpoints in the network, the Administration Server and the database server will easily
share a single computer. If nodes are more numerous, use a more powerful computer or use an individual computer
for the database server.
The Administration Server computer can be either physical or virtual. If you are using a virtual Server, make sure
that the virtual environment meets the system requirements.
It is better to use server hosts for the Administration Server. In small networks (up to a couple of hundred
computers), a powerful workstation will do. Also, you can use a workstation in a test environment.
The Administration Server can be installed on the following non-server versions of Windows:
Virtualization support
To install the Administration Server on a virtual machine, use one of the following virtualization platforms:
A virtual machine must meet the operating system, software and hardware requirements.
Administration Server uses a database for which an SQL server is necessary. The following versions of SQL servers
are supported:
— MySQL
Microsoft SQL Server 2014 SP1 Express is included with the distribution of Kaspersky Security Center and is
installed automatically during the standard installation. Remember that Express editions have their limitations and
must not be used for managing a large number of computers (more than 5000). Detailed information about this is
provided in course KL 302.10.
SQL server can be installed either on the same computer as the Administration Server or on any other network
computer. The Administration Server must have Read and Write access to the SQL database. If the Administration
Server and SQL server are installed on the same computer, access issues do not arise.
In addition to the operating system, the following software must be installed on the computer:
Allocate a new computer for the Administration Server. If it is impossible, make sure that Kaspersky Security
Center Network Agent is not installed on the computer. The installer automatically detects the Network Agent and
prompts the administrator to uninstall it.
— 4 GB of RAM
— 10 GB of free hard drive space (if you plan to use the Systems Management functionality, 100 GB of free
hard drive space will be necessary)
A more powerful server will be necessary for any significant number of clients. Recommendations are available in
the Deployment Guide. Practical experience of using Administration Server in large networks is summarized in
course KL 302.10. Kaspersky Endpoint Security and Management. Advanced Skills.
I-24 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
You can download the installer of Kaspersky Security Center 10 from Kaspersky Lab website
(https://www.kaspersky.com/small-to-medium-business-security/downloads/security-center) or from the product
page on the technical support website (http://support.kaspersky.com/ksc10#downloads).
When the full distribution version is run, the installation shell starts. The installation shell allows selecting
the components to install, for example, the Administration Server or the Administration Console. You can also
extract installation files of the selected components into the specified folder.
— iOS MDM Server (a component of Kaspersky Security Center for managing mobile devices)
— Exchange ActiveSync Mobile Device Server (a component of Kaspersky Security Center for managing
mobile devices)
— Application management plug-ins
— Kaspersky Endpoint Security for Windows (extract only)
This course covers only Server, Console and Network Agent, and also Kaspersky Endpoint Security.
Almost all of these decisions can be changed after the installation. You cannot modify only the SQL server type. If
you select Microsoft SQL, you will not be able to switch to MySQL without losing data.
You can switch to another SQL server of the same type without losing data, but it is not easy. You will need to back
up the Administration Server data, reinstall the Administration Server, select another SQL server, and after that,
restore the data from the backup copy.
I-26 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Setup Wizard
Installation types
If you select Custom installation and leave all the default settings, the result will be exactly the same as after the
Standard installation.
2
On Windows Server Core, only custom installation is available.
I-27
Unit I. Deployment
You can install the following components together with the Administration Server:
— SNMP Agent
— Mobile devices support
The SNMP agent is necessary for the Administration Server to be able to send notifications over SNMP. This
component needs the SNMP service (a Windows component) to be installed on the computer. If the SNMP service
is absent from the computer, the SNMP agent will not be shown in the list of Administration Server components
during the installation.
The Mobile devices support option adds the components necessary for managing Kaspersky Endpoint Security for
Mobile via Kaspersky Security Center. Detailed information is available in course KL 010.10.
Under the list of components, you can change the location of Administration Server program files. If you want to
move files because drive C: lacks space, consider moving only the shared folder of the Administration Server. It can
be relocated independently of the program files, and it takes up much more space than the other program files. The
path to the shared folder will be configured later in the installation wizard.
Remember that the %ProgramData%\KasperskySC folder contains the backup copies of the Administration Server.
These copies consume much space, up to several gigabytes, depending on the number of endpoints.
Network size
The number of computers in the network Fewer than 100 100 to 1,000 1,000 to 5,000 More than 5,000
Automatic randomization of the task start relates to the schedules of virus scan, update, vulnerability search, and
other group tasks.
If a task starts simultaneously on many computers, the load on the network and Administration Server drastically
increases. To even out the peak, tasks can start on the computers with a random delay.
The administrator can enable randomization and then specify the randomization range manually or select automatic
randomization. On each computer, the delay is selected randomly within the specified or automatically chosen
range.
If automatic randomization is used, the randomization range depends on the number of computers where the task
starts:
0–200 0 minutes
200–500 5 minutes
500–1,000 10 minutes
1,000–2,000 15 minutes
2,000–5,000 20 minutes
5,000–10,000 30 minutes
10,000–20,000 1 hour
20,000–50,000 2 hours
50000+ 3 hours
Slave Administration Servers and security parameters are described in course KL 302.10. Kaspersky Endpoint
Security and Management. Advanced Skills. These functions are rarely used in small and middle-size networks.
The default settings are the same when the administrator selects either “From 1000 to 5000” or “More than 5000
computers on network.” If you select the “More than 5,000 computers on network” option, the installation wizard
will recommend that you do not use the free version of Microsoft SQL server. Detailed information about large
networks is provided in technical training KL 302.10. Kaspersky Endpoint Security and Management. Advanced
Skills.
The network size selection only influences a couple of interface settings, which can easily be modified after
the installation. The threshold value that actually makes the difference is 1,000 computers. Administration Server
operation parameters do not depend on the selected network size.
I-29
Unit I. Deployment
By default, the installer creates a new account named KL-AK-<alphanumeric combination> for starting
the Administration Server service. It is a local account, which is not included in the computer administrators’ group,
but has the same permissions as administrators.
Also, it is added to the KLAdmins group. Members of this group have full access to all the functions and settings of
the Administration Server. For security reasons, this account cannot log on to the system locally.
If the administrator decides to use another account, he or she must grant it all the necessary permissions.
The Administration Server service account must have administrator permissions on the computer selected for
the installation.
If the database is planned to be stored on a Microsoft SQL server installed on a remote computer, the account must
have Read and Write permissions for the Administration Server database on the Microsoft SQL server.
If the Administration Server account has domain administrator permissions, some operations are simplified, for
example, remote installation. In other cases, permissions are not that important.
I-30 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The KL-AK-* account starts only the Administration Server service: Kaspersky Security Center Administration
Server. The Administration Server also has other services:
The first three services are started under another service account created by the installer: KlScSvc. This account has
the same rights as KL-AK-*: the permissions equivalent to administrative less the right to log on locally.
The Network Agent and the automation object operate under the Local System account. On some operating systems,
the automation object operates under the Network Service account.
The installation wizard allows selecting another account instead of KlScSvc. For example, if the company already
has a service account for this purpose.
I-31
Unit I. Deployment
The Administration Server stores events, information about computers and a part of the settings in the SQL
database.
The Administration Server can store the database in either of the following types of SQL servers:
The choice depends on the company’s and the administrator’s preferences. MySQL server has open source code and
can run on a Linux operating system. That is why MySQL is sometimes preferred by state institutions. A MySQL
server will have to be installed by the administrator manually.
Microsoft SQL Server is an industry standard. Besides, it need not be installed beforehand. The distribution of
Kaspersky Security Center includes Microsoft SQL Server 2014 SP1 Express, which can be installed automatically
by the KSC installation wizard.
If you decided to use an already installed instance of Microsoft SQL server rather than install the Express version,
specify the full name of the instance and the name of the database designed for the Administration Server.
To find the necessary instance in the network, click the button Browse. If the instance you are looking for is absent
from the list, make sure that SQL Server Browser service is running on the SQL server. It is disabled by default.
The database for the Administration Server is created by the installer. Later, the Administration Server connects to
the database to record and extract events.
The installer needs the permission to create a database. The Administration Server needs the write and read
permissions for the database.
If the Microsoft Windows Authentication Mode is selected, the installer connects to the SQL server under the
current Windows user account. Meanwhile, the Administration Server will connect to the database under the
account of its service (KL-AK-<*>), which the administrator selected at a previous steps.
Therefore, the current user must have the right to create a database on the SQL server. To check whether the user’s
permissions are sufficient, click the button Check connection.
If the Kaspersky Security Center administrator cannot receive the permission to create a database on the SQL server,
the SQL server administrator should create an empty database, and the Kaspersky Security Center administrator is to
specify the names of the instance and database in the installation wizard.
The KL-AK-<*> account (or another one specified by the administrator) must have the read and write permissions
for the database. You cannot check this before the installation, but you can grant the selected account these
permissions afterwards, or even select another account for the Administration Server service.
If you select the SQL Server Authentication Mode, specify an SQL server account rather than a Windows
account. Both the installer and the Administration Server will use this account to create the database and record
events there.
By default, the SQL Server Authentication Mode is disabled in all supported versions of SQL server. It is considered
to be obsolete and unsafe. Microsoft and Kaspersky Lab recommend to use Microsoft Windows Authentication
Mode.
If the SQL server instance is located on another computer, make sure that SQL server allows remote connections,
and that ports are not blocked by the firewall. Click the button Check connection.
I-33
Unit I. Deployment
If you select a MySQL server, the installation wizard cannot install it and waits for connection parameters of an
already existing server.
Specify the computer address, MySQL server port (usually, 3306) and database name.
Specify the username and password to connect to MySQL server. These name and password will be used by both
the installer to create the database, and by the Administration Server to write into it.
In the latest versions of MySQL server, to enable an account to connect to the server, you need to allow a specific
address or computer name to use it on the SQL server side. See the MySQL documentation for details.
To check whether the selected account can connect to the selected server, click the button Check connection.
I-34 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The shared folder stores signature updates and the installation files for applications, specifically, Network Agent and
Kaspersky Security Center.
By default, the installer creates the shared folder of the Administration Server in the folder with program files.
The local name of this folder is Share, and the network name is KLSHARE.
Right after the installation and initial setup, the shared folder takes up about 400 MB. Its size may increase up to
several gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place
the shared folder of the Administration Server on a drive other than the system one.
The location of the shared folder can be changed later via the Administration Console.
Administration Server accepts connections from Network Agents on two TCP ports:
By default, all connections are encrypted in Kaspersky Security Center, so only SSL port 13000 is used. Port 14000
might be used only if the administrator disables connection encrypting for troubleshooting.
If you want to use other ports, make this decision beforehand and specify them in the installation wizard.
To modify the ports after the Administration Server has been installed, you will have to edit them in several places
in the Console. And to modify the ports after Network Agents have been installed on the network computers, you
will have to use a special task or reinstall the Agents.
In older versions of Kaspersky Security Center, Administration Consoles connect to port 13000. In the recent
versions, KSC Consoles connect on TCP port 13291. You cannot select this port in the installation wizard, but you
can easily modify it later via the Administration Console.
Web server and activation proxy server services use 4 more ports, which can also be reconfigured in the console.
To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years
during the installation. To save and restore the certificate after failures or after reinstalling the Administration
Server, use the backup procedure (see Unit IV Maintenance).
The client computers where the Network Agent is installed will connect to the Administration Server using
the address and port specified during the installation.
You can specify the Server address in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice
depends on the network configuration. Even though an IPv6 address can’t be specified, Network Agents can connect
to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name.
If the Administration Server has a static IP address that will not be changed in the near future, it is the best choice.
In this case, the ability to connect depends only on the routers, not on the name resolution system.
If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection
address, as you will have to modify the client connection settings often. In this case, it is better to specify the server
name: either DNS or NetBIOS. If the DNS service reliably functions in the network, use the DNS name as DNS
name resolution is not usually blocked by local firewalls.
I-36 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls.
Therefore, the NetBIOS name should only be used for connections if the other methods cannot be used.
After the installation, the Server connection address and ports can be changed in the properties of Network Agent
installation package. The default Server connection address and ports, which will be automatically added to new
Network Agent packages, is specified in the properties of the Advanced | Remote installation | Installation
packages node.
The distribution kit of Kaspersky Security Center includes the management plug-ins for all current versions of
Kaspersky Lab products. The custom installation enables the administrator to select the plug-ins of the products that
are used or will be used in the network. The plug-ins can also be installed later from the Kaspersky Security Center
installation shell. Plug-in installers are also included in the distributions of the corresponding products.
Every plug-in is installed by its own short installation wizard. Some plug-ins are installed automatically, while
others prompt the administrator to accept the license agreement.
If a product has been upgraded to a new version with a new plug-in, the old plug-in can be uninstalled.
The following knowledgebase article explains how to remove unnecessary plug-ins:
http://support.kaspersky.com/faq/?qid=208280749
During the typical installation, management plug-ins for Kaspersky Security Center 10 components and Kaspersky
Endpoint Security 10 for Windows are installed.
Plug-ins are installed in the very end of the Administration Server installation. After the Kaspersky Endpoint
Security 10 plug-in is installed, the installation is finished. On the last page, the administrator may accept starting
the Administration Console.
I-37
Unit I. Deployment
On the last page, the wizard prompts to start the local Administration Console immediately and proceed with the
installation in the Administration Server Quick Start Wizard.
Usually, Administration Server needs a few minutes to start working and accept connections.
If you need plug-ins for other Kaspersky Lab products, you can install them from the installation shell.
To be able to manage the Administration Server remotely in a way other than via RDP, install the Administration
Console. The console has a very simple installation wizard without settings. Plug-ins for the console can also be
installed from the same installation shell.
Plug-ins are to be installed on each console, rather than on the Administration Server. If the console lacks a plug-in,
the administrator will not able to open tasks and policies of the corresponding program and the console will display
an error message. To fix this, simply install the necessary plug-in.
I-38 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Installation results
If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages,
the result will be the same as with the Standard option:
SQL server A local instance of Microsoft SQL Server 2014 SP1 Express
Instance name: KAV_CS_ADMIN_KIT
Database name: KAV
Most of these settings can be modified either during the custom installation, or in the product settings after
the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is
installed; some others are very difficult to change. You should consider the following very carefully before
the installation:
1. The path to data files cannot be modified at all, which complies with Microsoft requirements
2. The path to the program files, as well as the SQL server address, cannot be modified unless you reinstall
Kaspersky Security Center
3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way.
I-40 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
When the Console connects to the Server for the first time, the Quick Start wizard launches. It continues the setup
and creates the default settings. The wizard prompts the administrator to:
— Add a license
— Configure the proxy server
— Download the latest versions of plug-ins and installation packages
— Enable Kaspersky Security Network
— Configure e-mail notification and reporting
— Specify vulnerability search and software update parameters
The first step of the Quick Start wizard is activating the product. Most Kaspersky Lab products require activation
and some, particularly Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different
levels of functionality. That is, depending on the license, some functions may be unavailable.
To activate a product, you need a key or a code. Both can represent the customer’s license with all relevant
restrictions.
A key is a file and its validity and restrictions can be verified locally by the product. A code is just a string and
the product needs to connect to Kaspersky Lab Activation service online to verify its validity and restrictions.
Old versions of Kaspersky Lab products can be activated only with a key. All recent versions can be activated with
either a key or a code.
Codes are more useful, because a code can activate all the purchased products. With key activation, a license often
includes several different key files. A key designed for Kaspersky Security Center cannot activate Kaspersky
Endpoint Security, and vice versa. Meanwhile, a single code can be used for activating both of them.
Keys are indispensable when you need to activate a product on a computer without access to the Internet. If you
have only a code rather than keys, add the code to the key store on the Administration Server (Advanced \
Application management \ Kaspersky Lab licenses). The Server will automatically download the corresponding
keys, which you will be able to export into files.
If computers have no Internet access but are connected to the Administration Server, which does have access, the
products on the computers can be activated with a code. The products will verify the code via the Administration
Server service, Kaspersky Activation Proxy.
I-42 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
In the Quick Start Wizard, you can submit either a key or a code. If what you have is a code than it’s all simple, just
choose the relevant option, enter the code and wait for the verification. The Administration Server must be able to
connect to the Internet at this stage.
You can select to install a code (or key) to the client computers automatically. For this purpose, select the check box
Automatically deploy key to managed devices. If the Administration Server detects a managed computer where
Kaspersky Endpoint Security is not activated, it will automatically send the key selected for automatic installation
there.
For more details about how to activate Kaspersky Endpoint Security on the client computers, refer to Chapter 3 of
this Unit.
If you have a key, than most probably you have more than one of them, and you need to decide which one to feed to
the wizard.
I-43
Unit I. Deployment
It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out which one it
is by looking into the CompatibilityList.txt file that usually comes along with a key or a code. Other keys can be
added later either in the properties of the Administration Server or in the Advanced | Application management |
Kaspersky Lab licenses node.
The next step prompts to configure proxy server connection parameters for Internet access. The Administration
Server connects to the Internet to download updates and communicate with KSN servers of Kaspersky Lab. Both
features use common proxy server parameters.
The settings are rather typical: the address, the port, optional user name and password for authorization, and
an option to bypass proxy server for local addresses.
Kaspersky Security Center installer includes all the recent plug-ins as of the Kaspersky Security Center release.
However, newer versions of products can also be issued later and newer versions of managed products and
respective plug-ins may have appeared after the Kaspersky Security Center was released.
The Quick Start Wizard can check whether new versions of managed products are available.
First, the wizard checks whether newer versions are available for the plug-ins that the administrator selected to
install together with the Administration Server.
In the list of new plug-ins, the wizard shows the program version managed via the plug-in, the version of the
installed plug-in, and the version of the latest available plug-in.
After the plug-ins, the wizard checks whether new versions of managed products are available, for which it can
download installation packages. The wizard shows only those products whose packages or plug-ins have already
been added to the console.
For some of the managed products, packages may not be available; the Kaspersky Endpoint Security package is
always available though. If there is a newer version of Kaspersky Endpoint Security on the list, download it. For this
purpose, select it on the list.
To download the products that are not shown in the list, open the node Advanced, Remote installation,
Installation packages in the console; click the button Additional actions and select View current version of
Kaspersky Lab applications.
The wizard will download the selected packages and display them in the list. The administrator can configure them
using the Properties button. Chapter 3 of this Unit tells about the settings of Network Agent and Kaspersky
Endpoint Security packages.
The wizard prompts the administrator to accept the Kaspersky Security Network (KSN) statement. KSN is the name
of the cloud-assisted protection technologies of Kaspersky Lab.
KSN provides extra protection for the computers by receiving the latest information about new threats before this
information is added into the traditional anti-malware signatures. In return, Kaspersky Lab will receive anonymous
information about the files and URL addresses processed on the client computers. The KSN service is described in
detail in the Introduction and in Unit II Protection Management.
If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy are
activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be disabled in
the Kaspersky Endpoint Security 10 policy; however, the use of KSN proxy will be enabled nevertheless.
The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server. In
the Administration Server, the KSN proxy function is implemented as a service named Kaspersky Security Network
proxy server. By default, the use of KSN proxy is enabled in the Administration Server properties.
The next step is to set up e-mail notification and delivery of reports. To receive notifications about important events
by email, specify the administrator’s e-mail address and SMTP server parameters: address, port and, if necessary,
authorization data. These parameters will be used when sending notifications and reports.
By default, event notifications are not sent. To receive the information about events by e-mail, turn on notifications
in the event properties. The parameters of Kaspersky Security Center events are configured in the Administration
Server properties, and parameters of Kaspersky Endpoint Security events—in the Kaspersky Endpoint Security
policy.
If the notification parameters are left blank, the wizard will not create the Send reports task. If they are filled in,
the wizard will create the task and configure it to send the report about protection status to the administrator on
a weekly basis.
The wizard does not check correctness of the specified settings, but allows the administrator to do it with the Send
test message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the
SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to
check the inbox and make sure that the message is actually there.
I-47
Unit I. Deployment
This step appears in the Quick start wizard only if the administrator specified a key or code that activates
the Systems Management functionality of Kaspersky Security Center (or selected to add a key later).
The choices define how software patches and Microsoft updates are installed. Kaspersky Security Center can
automatically detect vulnerable programs and operating system modules on the computers, and automatically install
the necessary updates and fixes. Additionally, Kaspersky Security Center can function as a local source of Microsoft
updates (WSUS Server). Detailed information about this is provided in technical training KL 009.10. Systems
Management.
After all parameters are specified, the Quick Start wizard creates the policies and tasks necessary for endpoint
protection. The following policies and tasks are always created:
I-48 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Policies
Policy Scope
Kaspersky Endpoint Security 10 Service Pack 2 for Windows The “Managed devices” group
Tasks
Quick Virus Scan Managed devices Friday at 7:00 Scans critical areas with the
p.m. recommended settings
Find vulnerabilities and required Managed devices Tuesday at 7:00 Scans %SystemRoot% and
updates p.m. %ProgramFiles% folders for all
known vulnerabilities
Backup of Administration Server Administration Daily at 4:00 Stores the 3 latest copies, the
data Server a.m. password is not specified
The following three tasks are created depending on the parameters specified in the wizard:
Install required updates and fix Managed devices Daily at 1:00 Fixes critical vulnerabilities,
vulnerabilities a.m. installs the updates approved by the
administrator, security updates, and
critical Microsoft updates
When the wizard creates the Kaspersky Endpoint Security policy, it prompts the administrator to confirm scan
exclusions.
There are two options that help to create recommended exclusions for workstations and servers according to
Microsoft and Kaspersky Lab guidelines. They are enabled by default.
Additionally, there are exclusion templates for remote management software. These templates should be enabled if
the listed software is used at the company. Otherwise, remote management using this software may be partially
disrupted by Kaspersky Endpoint Security.
As soon as the tasks and policies are created, the Quick Start wizard starts downloading updates to the repository.
The wizard displays the task progress, but you don’t need to wait for it to finish. If you proceed to the next page of
the wizard, updating will still be going on in the background.
I-50 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
What to do next
The last page of the Quick Start wizard displays the check box that allows starting the remote installation wizard for
deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it is
preferable to adopt a deployment plan and stick to it rather than rush into action:
If necessary, the administrator can start the Quick Start wizard again from the shortcut menu of the Administration
Server. In this case, the wizard will create only the tasks and policies that are missing.
After the Quick Start wizard, the administrator gets in the Administration Console.
Kaspersky Security Center Administration Console is based on Microsoft Management Console. The leftmost pane
of the window contains the navigation tree, the right part displays the page of the selected node.
The main node in the console is the Administration Server’s node. All the other nodes are within it.
To understand what is happening in the network, open the Administration Server node. Its four tabs contain global
statuses, dashboards, reports and events.
Managed computers are located in the Managed devices node. This node is a group where you can create tasks,
policies and subgroups. All policies and some of the tasks that have been created by the Quick Start wizard are
designed for the Managed devices group.
If a computer is missing from the Managed devices node, look for it in the Unassigned devices node. None of the
policies and tasks are applied to those computers; that is why you should not leave here any of the computers that
need to be protected. Move them to the Managed devices.
If a computer can be found neither in the Managed devices, nor in Unassigned devices, it means that the
Administration Server has not discovered it yet. Make sure that the computer is powered on, and wait for an hour or
two. If the Server cannot find a computer, install the Network Agent on it.
The installation packages to be installed on the computers can be found in the node Advanced, Remote
installation, Installation packages. If necessary, modify the set of components or other installation settings here.
The license that you specify in the Quick Start wizard gets in the node Advanced, Application management,
Kaspersky Lab licenses. Here you can find the license limitations, when it expires, which computers use it, etc.
You can also add a new license here when an old one expires.
All tasks are gathered in the Tasks node. It contains the tasks that pertain to groups, and the Administration Server
tasks, and tasks for sets of computers. In the Tasks node, you can create, delete or edit any task.
If you need to find computers that match some parameters, use the Search window, which can be started from the
shortcut menu of the Administration Server. If you often look for computers using the same parameters, create a
computer selection in the respective node. It already contains pre-configured selections of computers with typical
issues.
I-52 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Kaspersky Endpoint Security can be installed on the following Microsoft Windows operating systems:
Client
Server
An important thing to remember is that Datacenter editions of Windows Server are not supported. Kaspersky
Security for Windows Server is designed for their protection.
The list of operating systems includes most Windows versions from Windows 7 / Windows Server 2008 R2 to
Windows 10 RS2 / Windows Server 2016.
Kaspersky Endpoint Security 10 Service Pack 2 for Windows can be installed on the following virtual platforms:
On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command
line switch. In Kaspersky Endpoint Security 10 Service Pack 2 for Windows, this parameter can also be enabled in
the installation package properties rather than only via the command line.
The Kaspersky Security Center Network Agent can be installed on all systems supported by Kaspersky Endpoint
Security 10 for Windows.
— CPU:
— 1 GHz or higher for 32-bit systems
— 1.4 GHz or higher for 64-bit systems
— RAM: 512 MB
— Hard drive space: 1 GB
RAM requirements are actually recommendations. The Network Agent can be installed on a computer with less
RAM.
3
The minimum RAM with which the application can be installed is 768 MB
I-55
Unit I. Deployment
Prior to installing Kaspersky Endpoint Security on the computers, prepare the following:
What to do Why
Let the Administration Server discover You will not have to look for and enter names or addresses
network computers
Prepare an independent list of computers The server may fail to discover all of the computers; you had better
have a reference list at hand, where you will be able to check the
progress
Find out computer addresses If the Administration Server has not discovered a computer, but you
know its address, you will be able to start remote installation
nevertheless
Find out usernames and passwords of the If there is a domain, the domain administrator password is sufficient
administrators For non-domain computers, you need to know the administrator’s
password regardless of whether the installation is remote or local
Find out whether there are third-party Kaspersky Endpoint Security may fail to detect and uninstall
antiviruses on the computers, and which antiviruses by other manufacturers, and then you will have to remove
ones them manually
If there are many computers, phase the The more computers, the more issues you will encounter, the longer
installation you will solve them, and the longer will be the total downtime
Try to test various installation methods in a You will encounter at least some of the issues that will then arise in
test environment the network, and you will be able to decide how to avoid or quickly
solve them
Select the installation methods that make less trouble
Start
I-56 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Kaspersky Endpoint Security can be installed in various ways, each with its own specifics and advantages.
Remote installation You need not go to each computer, you can run the installation on many computers
using Kaspersky simultaneously, which saves time
Security Center Installation can be started at any time and you will start receiving results in mere minutes.
However, you need to know the administrators’ passwords on the computers, and the
computers’ shared folders must be accessible over the network. Often, firewalls or
Windows security settings block access to shared folders
Installation via Again, you need not go to the computers and the installation can be run on many computers
Active Directory simultaneously.
Moreover, you do not need to ensure access to the computers’ shared folders or know the
computer administrators’ passwords. The computers will download and install the programs
themselves.
On the other hand, the computers must be joined to the domain and the administrator must
have enough permissions within the domain to be able to publish the package. Computers
do not begin the installation immediately; everything starts only when the computers
connect to the domain next time, meaning, after a restart.
Installation using The administrators install not only Kaspersky Endpoint Security, and they may have third-
third-party tools party software installation and management tools.
Specifics depend on the tool, but usually the administrator can install applications remotely
on many computers at a time.
Local installation None of the remote installation methods guarantees 100% success. Computers may not be
from a standalone joined to the domain, their shared folders may be blocked by the firewall, and the
package administrator may have no third-party computer management tools.
Sometimes, it is easier to go to the computer and install an application locally than
troubleshoot a remote installation.
Standalone packages that can be generated in Kaspersky Security Center save time during a
local installation: the administrator does not need to pass through the installation wizard and
configure parameters. All he or she is to do is to simply run the installer and wait
For remote installation, use a method that fits your network best.
On the computers where remote installation fails, install the products locally using standalone packages.
I-57
Unit I. Deployment
There are many methods of starting a remote installation in Kaspersky Security Center. All of them are based on
the same mechanism. The difference is in the location of their starting points in the Console and the number of
available settings. The most popular one, especially among novices, is using the ordinary remote installation wizard.
Its typical use is described below.
The Administration Server detects computers where protection tools are not installed. This information is displayed
on the Monitoring tab of the Administration Server node, in the Deployment area: the indicator is yellow and
a warning is shown. To fix this, the administrator can click the Enable protection link.
I-58 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Installation packages
The Advanced | Remote installation node opens, where the administrator can start the remote installation wizard.
The deployment wizard prompts the administrator for the installation package to be installed, target computers and
the installation method.
The wizard does not prompt the administrator for all the installation parameters. For example, the wizard does not
prompt which components of Kaspersky Endpoint Security to install. If you need to enable the Citrix Provisioning
Services compatibility mode, the remote installation wizard does not allow that either.
That is why, before you start the remote installation wizard, open the list of installation packages and check their
settings. If necessary, change the packages’ settings, or create new packages with the necessary settings. You can
manage installation packages, delete or create new ones in the Installation Packages repository (in the Advanced |
Remote Installation node).
Which settings are available in installation packages and how to create new packages, is described in sections How
to change KES components and How to create a new installation package at the end of this chapter.
I-59
Unit I. Deployment
The product to be installed is selected from the list of available installation packages. The standard distribution of
Kaspersky Security Center contains the installation packages of the current versions of Network Agent and
Kaspersky Endpoint Security for Windows.
If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the Network
Agent. The wizard not only installs the selected package, but also connects the computers to the Administration
Server by installing the Network Agent on them. If the computers are already connected, the Network Agent is not
reinstalled.
Installation packages of Kaspersky Endpoint Security 10 for Windows and Network Agent can be installed on any
supported operating system: server, workstation, 32-bit or 64-bit.
Due to this universality, the installation package of Kaspersky Endpoint Security 10 is relatively large: just under
300 MB. There are no supported ways to reduce this size. The Network Agent package is much smaller: about 40
MB.
I-60 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
In the wizard, you can select computer groups (the upper button) or individual computers (the lower button).
If you start the wizard right after the Administration Server has been installed, there is only one computer in the
groups, the Administration Server itself. All the other computers discovered by the Administration Server are in the
Unassigned devices node. The Administration Server may fail to detect some computers: they will be absent from
the console.
Why does the wizard suggest selecting groups if there are no computers there? For example, if prior to deploying
protection you’ve imported the computers’ structure from Active Directory. Then you already have groups filled
with computers, and you can install Kaspersky Endpoint Security by groups. How to import groups and computers
from Active Directory is explained in the 4th chapter of this Unit.
Let’s now get back to the scenario when you have no groups. To select computers in the Unassigned devices node,
or specify addresses of undiscovered computers, click the lower button.
As you will see later, the remote installation wizard creates a remote installation task based on the gathered data. If
a group is selected, the wizard will create a group task; if computers, a task for specific computers.
I-61
Unit I. Deployment
If you click the upper button, the wizard prompts to select the group. It does not show its contents, so
the administrator must remember which group the target computers are in.
If you click the lower button, the wizard shows all discovered computers: those that have already been added to the
Managed devices groups, and those that are in the Unassigned devices node so far. In the Unassigned devices node,
computers are grouped by domains and workgroups.
Select the target computers. If you select a group, domain or a top-level node, you will select all computers within
that group, domain or node.
I-62 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To install Kaspersky Endpoint Security on the computers that the Administration Server failed to discover, click the
button Add. In the window that opens, type computers’ addresses or names. To quickly enter numerous addresses,
specify a range or import the list from a text file. In the file, each address or name must be specified on an individual
line.
The wizard will add all the addresses you’ve entered, and select them automatically.
Installation method
At the following step, the wizard prompts how to perform remote installation. There are two methods:
Using Network Network Agent must already be installed on the computer and must be connected to the current
Agent Server
The Server sends a command to the Agent, the Agent downloads packages to a temporary folder
and performs the installation under the Local System account
The administrator’s name and password need not be specified, access to the computer’s shared
folders is not required
I-63
Unit I. Deployment
The wizard always tries to install products using the Network Agent. If the Network Agent is not yet installed on
the computer, installation using Windows tools is tried.
If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs
the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 10 using Network Agent.
Kaspersky Endpoint Security, unlike the Network Agent, needs to be activated to operate properly. In
the installation wizard, you can explicitly select which code or key should be used to activate the product from
the list of codes and keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary,
you can add another code or key to the repository without quitting the wizard.
Select a key. The wizard will not just use the selected key for this installation, but also save it in the properties of
Kaspersky Endpoint Security package. The plug-in of Kaspersky Endpoint Security does not support activation
codes in the installation package properties.
To activate Kaspersky Endpoint Security with a code rather than key, do not select anything in the installation
wizard. Instead, in the node Advanced, Application management, Kaspersky Lab licenses, open the activation
code properties and select the check box Automatically deployed key.
I-64 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor Kaspersky
Endpoint Security 10 installation requires restarting the computer. The Network Agent installation almost never
requires it. During Kaspersky Endpoint Security installation, the necessity to restart arises if another protection
program has been installed on the computer.
The default choice, Prompt user for action, is all right for workstations. When installing the product on servers, we
recommend selecting Do not restart the computer. At a server, a user is unlikely present and no one will react to
the prompt.
For the user not to postpone the restart for too long, the task displays a warning every 5 minutes by default and
forces computer restart in 30 minutes. The administrator can modify these settings and the message text.
The Kaspersky Endpoint Security 10 installer can detect and uninstall incompatible applications (various protection
tools, including Anti-Viruses, firewalls, etc.), which are not recommended to be used concurrently with Kaspersky
Endpoint Security, because this may result in serious problems for users and computers.
I-65
Unit I. Deployment
The administrator usually knows which potentially incompatible protection tools are installed in the network and
should uninstall them beforehand. The programs are recommended to be uninstalled either by their built-in
uninstallers or by Windows tools. The corresponding capability of the Kaspersky Endpoint Security installer should
be regarded only as a contingency measure.
Detection of incompatible applications cannot be disabled4, since it is intended to prevent conflicts. You can modify
uninstallation settings in the remote installation wizard; this is described in detail at the end of this chapter.
As a result of installing the Network Agent and protection software, computers should become manageable: use the
settings of policies and tasks specified on the Administration Server. To actually achieve this, computers must
belong to the Managed devices node rather than the Unassigned devices node.
If a computer has the Network Agent installed, but is not included in an administration group, it will neither send its
events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified
by the administrator. It is manageable only nominally. De facto it is not.
If the administrator selects computers rather than groups, the wizard will ask whether it is necessary to relocate
the computers to an administration group, and if yes, into which one.
The selection affects only unassigned computers. If both unassigned and managed computers are on the installation
list, the managed ones will remain in their original groups. This step is displayed only if Network Agent is installed
together with Kaspersky Endpoint Security 10.
4
Cannot be disabled using the interface settings. There is a command-line parameter that disables detecting incompatible programs; if
necessary, it can be added to the package description file for remote installations.
I-66 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Administrator account
Initially, the Network Agent is installed by Windows tools and needs an account for accessing the target computers.
The deployment wizard allows you to specify several accounts, in case different administrator passwords are used
on the target computers. The installer tries the accounts in succession. If the first account has insufficient privileges,
the next one is tried, and so on.
Before trying the specified accounts, the installer attempts to act under the Administration Server service account,
which you don’t actually see on the list. However, if the administrator used the default settings when installing the
server, the server service account cannot be used for remote installation. As a result of installation with default
settings, the server service starts on behalf of the KL-AK-* account that is created automatically and receives
the rights of a local administrator (not literally, but effectively the same). It has no rights on remote computers.
So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain
environment, a domain administrator account is the best choice for remote installations. In large companies, there is
usually a special account for remote installations, or the IT personnel accounts have the necessary rights.
Installation task
The installation wizard uses the settings specified by the administrator to create and immediately start the product
installation task on the selected computers. After that, it automatically opens the task page in the Administration
Console.
The task page displays the task progress on the selected computers. An installation can be ready for execution,
running, wait for reboot, complete successfully or return an error. The number of computers in every status is
displayed on the pie chart and in the table.
Task log
To view the task log, click the View results link under the statistics on the task page.
The upper part of the results window contains the list of all target computers and the current task status for every
one of them; and the lower part shows the task log for the selected computer.
The task log contains the history of each task status changing on the computer. The status can be the same, while its
description may vary. For example, an installation task log usually contains several records of the Running status,
where the first one informs of starting file copying to the remote computer, the second one—of starting the installer,
and the third one—of the installation completion.
The typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky
Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer. After the
Agent is installed, the Administration Server waits for it to connect and start the installation of Kaspersky Endpoint
Security.
I-68 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Installation result
Although a single Kaspersky Endpoint Security package fits all Windows versions, installation results differ on the
servers and workstations.
— On workstations, all components selected in the installation package properties are installed.
You can also install programs using Active Directory group policies without Kaspersky Security Center.
The principle is as follows. The installation package in Microsoft Installer (.msi) file format is placed into a shared
folder for which the domain computers have Read permissions. In Active Directory, the package is assigned to
a group policy that is applied to the domain computers. When a client computer starts and logs in the domain,
the policy is applied and the installation package is installed automatically, even before the user logs on to
the system.
This installation method can be comparatively easy when implemented manually. Kaspersky Security Center makes
it even more convenient.
I-70 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To publish the Network Agent package to a domain group policy, in the task (or in the installation wizard), select to
Assign Network Agent installation in the Active Directory group policies.
For the task to complete successfully, run it under a domain administrator account. For this purpose, add the domain
administrator account to the Account section of the task settings.
The method is applicable to the Network Agent only, because after the Agent is installed, other programs are
supposed to be installed using the Agent.
If the above mentioned option is selected, the Administration Server creates a new group named
Kaspersky_AK{GUID} in Active Directory and includes within it the accounts of the computers to which the task
applies.
Also, the Administration Server creates a new group policy object of the domain level that is named
Kaspersky_AK{the same GUID} in Active Directory and assigns within it the installation of the Network Agent
MSI package located in the shared folder on the server.
The permission to apply the policy is granted only to the created group which contains the accounts of the target
computers. So, the domain level policy will be applied to the selected domain computers, not all domain computers.
After this, the installation is performed as per usual. The policy eventually applies to the computers. At the next
restart, computers download the Network Agent MSI package from the shared folder on the Administration Server
I-72 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
and install it. The installation parameters, which include server address and ports, are taken from the answer file
located in the same folder as the MSI package. Thus computers automatically connect to the Administration Server.
If the task is configured to install not only the Agent, but also another program, for example, Kaspersky Endpoint
Security, the installation will resume after the Agent connects to the Server.
The security group and group policy object created by the task persist in the Active Directory until the task is
removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active Directory
group policies option is cleared in the task properties.
If remote installation fails, it often makes sense to simply go to the computer and install the applications locally
instead of troubleshooting. Especially if such computers are comparatively few.
If you use an ordinary installer, you have to complete the installation wizard. Although it doesn’t take long, it is
boring, and you may easily mistype the Administration Server address. You had better prepare a standalone package
with all the settings on the Administration Server, and install from it.
A standalone package in Kaspersky Security Center is a single setup.exe file that includes the installation files and
installation parameters of the product (for example, Kaspersky Endpoint Security). A standalone package can
include Network Agent installation files and the Administration Server connection parameters.
This package is designed for local installation by the IT employees, administrators or users who have sufficient
rights. It saves time and reduces the number of errors.
I-73
Unit I. Deployment
Also, since the standalone package is a single file, it is easier to handle than the standard distribution. This
eliminates the risk of missing some files, and reduces the overall time necessary.
Standalone or ‘1–click’ packages are created from regular installation packages available in the Advanced, Remote
installation, Installation packages node of the Administration Server. A special wizard is used that prompts for
the installation parameters.
When the Kaspersky Endpoint Security standalone installation package is created, the wizard will prompt to include
the Network Agent, so that the target computer could immediately connect to the Administration Server.
I-74 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Just like with a remote installation, computers can be moved into the managed category right after the installation.
Leaving protected computers in the unassigned category does not make any sense.
This step appears in the wizard if the Network Agent is installed together with the main package.
If it is necessary to modify the default settings of Kaspersky Endpoint Security or select specific components to be
installed, it needs to be done within the properties of the regular installation package, before starting the standalone
installation package wizard. The parameters of the installation packages are described later in this chapter.
After that, the wizard prompts for the package name. If you’ve changed some settings of the standard package of
Kaspersky Endpoint Security, specify it in the package name prior to creating a standalone package, for example,
KES 10 SP2 without Firewall. This way, you will be able to understand what is the difference between similar
standalone packages in the shared folder of Administration Server.
After all the parameters are specified, the wizard generates the setup.exe installation file and places it in the PkgInst
subdirectory of the shared folder on the Administration Server. The name of the folder that contains the setup.exe
file coincides with the package name. You can find the package later at the following network path:
\\<Administration Server name>\KLSHARE\PkgInst\<standalone package name>\setup.exe.
I-75
Unit I. Deployment
The Administration Server signs standalone packages with its certificate by default. This certificate is self-signed,
and Windows will display a warning when the package is run. The administrator can select to sign packages with
another certificate. Specify the necessary certificate in the properties of the Advanced | Remote installation
| Installation packages node, in the Signing stand-alone packages section.
The wizard suggests that the administrator takes one of the following actions:
— Open the folder containing the package—for example, to copy it to a flash drive
— Place a link to the package on a web resource—a text window opens, which contains HTML code of
the link to the package that can be added to a web page
— E-mail users an invitation to run the package—Administration Server starts the default e-mail client and
automatically fills in the message subject and body providing a link to the package located in the shared
folder; the only thing the administrator has to do is to specify the recipients’ addresses
I-76 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Later, the list of created standalone packages can be opened from the Installation packages node within the
Advanced, Remote installation container. You can delete unnecessary packages or send another e-mail message to
the users.
The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server.
If non-domain users whose accounts have not been added to the Administration Server try to click it, they will not
be able to access the resource.
The link to the network folder should be replaced with an http link to the package that can be copied from its
properties. There is a built-in web server on the Administration Server where from any user can download
the package. Each standalone package gets a unique http link based on the package id. The administrator can find
the link in the package properties in the list of all standalone packages.
If standalone package creation wizard is started for a package repeatedly, the administrator can select whether to re-
create the standalone package or create another one.
I-77
Unit I. Deployment
Installation packages
Installation packages in Kaspersky Security Center represent the products ready to be installed. A package includes
installation files along with the installation parameters and some product setup parameters. Installation package
parameters in a sense replace the local installation wizard and local setup wizard. Every product has its own settings.
As you know, installation packages are used in the remote installation wizards and tasks, and for creating standalone
installation packages.
Kaspersky Security Center includes all packages necessary for deploying the protection system:
— Network Agent
— Kaspersky Endpoint Security for Windows
Available packages are stored in the Advanced, Remote installation, Installation packages repository. This node
shows the following information on each package: name, language, and version of the product, as well as the unique
name of the package. The package description area also displays its size, which is the total size of all its files.
Packages can be created, modified and removed. If a package is used in an installation task, it cannot be removed
until the associated task is deleted. First, delete all tasks that use the package, and then delete the package.
You can create and use various installation packages in Kaspersky Security Center. You can use them to install
operating systems, third-party programs, updates and critical fixes for third-party applications, and also start various
scripts and utilities on the computers. This is described in more detail in KL 009.10: Systems Management course.
Within the framework of this chapter, we describe only the installation packages created for Kaspersky Lab
programs.
I-78 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
General properties
Each package has general properties and settings that depend on the program for which the package was created. To
be able to review the package settings, the application plug-in must be installed in the console. If the necessary plug-
in is missing, the console will prompt to nstall it. A plug-in can be installed from the installation shell of Kaspersky
Security Center or downloaded from the application page on the Kaspersky Lab support web site.
The General section of the package properties shows the program version and file size, and also the path to
the package file in the shared folder of the Administration Server. If necessary, an IT employee can download
the installation files over the network and install the application locally.
There is the button Update databases in the general properties of a Kaspersky Endpoint Security package. It
updates the signature database within the package.
For Kaspersky Endpoint Security to be able to work right after the installation, its installation package includes
antivirus databases. They become obsolete over time. This is not actually a problem, because right after Kaspersky
Endpoint Security is installed, the update task starts and downloads the new databases.
Sometimes, it is necessary that the product is installed with up-to-date databases. For example, an IT employee may
take a standalone package to a small branch office with poor Internet access. In this case, the size of the package that
the engineer carries on the removable drive is not that important. Decreasing the traffic of the update task is more
important, since it may constitute tens of megabytes if the package contains outdated databases.
In this case, databases can be updated in the package prior to the installation. The date of the last update is also
shown in the general package properties, in the Databases updated field.
The Update databases button copies a complete set of databases from the Server storage to Kaspersky Endpoint
Security package. Initially, the databases are supplied within the bases.cab archive in the installation package. After
an update using the Update databases button, the archive is replaced with a folder named bases. The folder’s
volume is comparable to the size of the archive, since the database files are encrypted and cannot be compressed.
I-79
Unit I. Deployment
Kaspersky Security Center updates databases in the packages automatically when updates are downloaded to
the repository. However, this is performed only once for each package. If databases have ever been updated
automatically in a package, they will not be updated automatically any more.
Automatic update is performed for the Kaspersky Endpoint Security package that is added to the storage during
the installation (which is updated shortly after the installation), and for any other newly created Kaspersky Endpoint
Security package soon after it is created.
Other parameters of Kaspersky Endpoint Security package duplicate the interactive installation parameters.
The main parameters are the list of components and the program files folder.
The set of components depends on the Installation type parameter. The administrator can select one of the two pre-
set installation types:
— Basic installation:
— File Anti-Virus
— Mail Anti-Virus
— IM Anti-Virus
— Web Anti-Virus
— Firewall
— Network Attack Blocker
— System Watcher
— Vulnerability Monitor
— Application Privilege Control
— Standard installation:
If you need some other configuration, choose the Custom installation type and select the components you want to be
installed. Some components can only be installed through Custom installation:
By default, the standard installation components are selected. The administrator may switch between the preset
installation types, or choose Custom installation and select individual components on the list. Remember that some
of the components only work on workstations, while a package can be installed on any supported operating system.
On server systems, only the following components can be installed:
— File Anti-Virus
— Firewall
— Network Attack Blocker
— Application Startup Control
— BadUSB Attack Prevention
— Microsoft BitLocker Management
— KATA Endpoint Sensor
Although Application Privilege Control settings will also show up in Kaspersky Endpoint Security on servers,
the component is not actually installed. Kaspersky Endpoint Security won’t control application privileges on servers,
e.g., it won’t block Untrusted applications on servers. The reason why Application Privilege Control settings are
visible on servers is that a part of these settings are also used by the Firewall component. Application Privilege
control and Firewall are described in more detail in Unit II of this course.
In addition to the components, local tasks are installed. They cannot be deselected in the package properties and are
installed on all operating systems:
— Update
— Update rollback
— Virus Scan tasks
— Full scan
— Critical Areas Scan
— Custom Scan
— Background scanning
— Scan removable drives on connection
— Integrity check
— Find Vulnerabilities
Compatibility settings
Those administrators who often use the command line interface can select to automatically add the installation
folder to the %PATH% environment variable. Then they will be able to carry out product management commands
via avp.com, without specifying the complete path.
The package has two additional parameters that provide compatibility settings. One of them, Do not protect
the installation process, disables self-defense during the installation. Self-defense does not allow programs by other
manufacturers, primarily malicious, to modify installation files. It also blocks access to the folder where Kaspersky
Endpoint Security files are installed, and to the registry keys of Kaspersky Lab software. Sometimes, self-defense
conflicts with third-party applications, for example, with backup agents. That is why it can be disabled.
The other parameter provides compatibility with Citrix Provisioning Services. If you want to install Kaspersky
Endpoint Security on a virtual machine image in Citrix PVS environment, enable this option.
One more parameter is the Configuration file. This file defines the configuration settings used by Kaspersky
Endpoint Security after the installation.
The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If the configuration file is not
specified, the product will work using the default settings. However, as soon as the Network Agent connects to
the Server, the Kaspersky Endpoint Security policy will be enforced which will override the protection settings. So,
the configuration file is necessary if the policy does not affect some of the product settings, or for unmanaged
devices.
I-82 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To create a configuration file, install Kaspersky Endpoint Security on a computer, but do not connect it to the
Administration Server; otherwise, the group policy will not allow you to modify local settings.
Configure Kaspersky Endpoint Security via the local interface as necessary, and save these settings into a file. The
Save button is located on the Settings tab, in the Advanced Settings section.
Kaspersky Endpoint Security does not work without an activation. If an interactive installation takes place, the code
or key can be specified in the setup wizard. Remote installation implies several ways for activating the installed
product. One of them is to specify the key file in the installation package properties.
In the package properties, you can add only a key, a code cannot be added.
Also, a key or code can be distributed to the selected computers by a special task.
The third option is to select the check box Automatically deployed key in the properties of key or code in the
Kaspersky Lab licenses node of the Administration Console.
As a last resort, a code or key can be added via the local interface of Kaspersky Endpoint Security.
I-83
Unit I. Deployment
By default, Kaspersky Endpoint Security installer looks for and uninstalls incompatible applications: third-party
antiviruses and firewalls.
The list of programs that Kaspersky Endpoint Security can uninstall is rather large, but it is not exhaustive. Usually,
it does not include the most recent versions of protection tools by other manufacturers, or uncommon software. How
to uninstall applications that Kaspersky Endpoint Security failed to detect is described at the end of this chapter.
If Kaspersky Endpoint Security uninstalls an incompatible application incorrectly, disable automatic uninstallation
and remove the program manually.
Installation path
The General section of the Network Agent package is the same as that of Kaspersky Endpoint Security, but without
the button Update databases. The Network Agent has no databases.
The Settings section allows changing the installation folder and also setting the uninstallation password. If
the Network Agent installation folder is not specified explicitly, the standard path is used:
%ProgramFiles%\Kaspersky Lab\NetworkAgent
Password protection
Agent uninstallation can be protected with a password that can be specified in the package properties. Even users
with administrator permissions will not be able to uninstall the Agent using regular tools unless they know
the password. However, users with administrator permissions can make the Agent inoperative if they really want to.
If you have not enabled password protection in the Network Agent installation package, enable it in the Agent
policy, where it is also available.
The Connection section of the Network Agent installation package properties contains the Administration Server
connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive
installation.
The main connection parameters are the Administration Server address and ports. Initially, they take the values
specified during the Administration Server installation. If the client computers and Administration Server belong to
different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation
package properties. These standard parameters include the proxy server address and port, and also the user name and
password for authentication. Remember that these parameters will be used by Network Agents when connecting to
the Server, not the other way round.
When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP
port. To prevent Windows Firewall from blocking requests on this port, the Network Agent can automatically create
the necessary exclusions. To modify this behavior, clear the Open Network Agent ports in Microsoft Windows
Firewall check box. By default, Network Agent accepts connections on UDP port 15000. This value can be changed
both in the package properties and later in the Network Agent policy.
I-85
Unit I. Deployment
Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted
connections to the Server. By default SSL is enabled. Network Agents automatically download and use
the Administration Server certificate. The certificate can be specified manually in networks with strict security
requirements to exclude the possibility of Administration Server substitution.
The advanced parameters of the Network Agent installation package are useful in networks with complicated
infrastructure. These are described in KL 009.10. Systems Management and KL 302.10. Kaspersky Endpoint
Security and Management. Advanced Skills.
Installation packages included in Kaspersky Security Center are usually enough for protecting most networks.
Additional packages can be necessary in the following cases:
— A new version of Kaspersky Endpoint Security has been released. For an upgrade, just like for the initial
installation, an installation package is necessary. The administrator can either create the package manually
or download the new version of Kaspersky Security Center that includes new package version and reinstall
Administration Server over the old one (all settings will be saved).
— It is necessary to remotely install a Kaspersky Lab product that is not included in the distribution of
Kaspersky Security Center, for example, Kaspersky Security for Windows Server. Such a package needs to
be created manually.
— Different parameters are needed in several network parts. For example, according to the deployment plan,
some computers do not need Web Anti-Virus and Mail Anti-Virus components. To be able to deploy
the system simultaneously on both categories of computers, create an additional installation package with
those non-standard settings.
I-86 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Creating a package requires the management plugin for the same application to be installed in the Kaspersky
Security Center console. The plugin installation file is usually found among the installation files of the application
and sometimes the wizard detects the plugin installer and installs it automatically. If this is not the case, you will
need to install the plugin before creating the package.
Package types
The wizard starts with a choice of the package type. There are three (or four, depending on the Kaspersky Security
Center interface settings), options:
— A package for a Kaspersky Lab application. This package type requires a special package description file,
which is included in the distribution of most Kaspersky Lab applications. A description file can be created
manually, but this is an advanced topic outside the scope of this course.
— A package for an executable file. This package type allows running the specified file (not necessarily
an installer, it could be a script or a utility) on remote computers.
— A package for a 3rd-party application based on Kaspersky Lab application database. This allows installing
3rd-party applications without the need to look for and manually download their installation files.
The feature is described in course KL 009.10 Systems Management.
The fourth option which may not be visible depending on the settings is a package for operating system deployment
based on a disk image. It is also explained in the course KL 009.10 Systems Management.
I-87
Unit I. Deployment
Package settings
Package name
Now, we are interested in the first option. After you select it, the wizard prompts for the package name and path to
the folder that contains the installation files and the package description file.
Installation files
Installation files may be unpacked (this is how they are usually supplied on CD), or packed into a self-extracting
archive (in this form they are available for downloading from Kaspersky Lab website). The package creation wizard
supports both formats. If a self-extracting archive is specified, the wizard will automatically unpack it into
a temporary folder and extract all necessary files.
Installation packages for Kaspersky Lab products are created based on description files having a .kpd or .kud
extension. The files are identical, except for the character encoding: .kpd files use ANSI encoding, while .kud files
I-88 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
are in Unicode. The files contain the product version, the name of the installer, installation parameters, error
descriptions and additional options depending on the application.
A .kpd/.kud file alone is not enough to create a package. It is just a description, not an archive. The description files
are located within the distribution package, and must not be separated from it. To create an installation package
correctly, select the .kpd/.kud file located within the corresponding distribution package. It is a common mistake to
copy just the description file into a separate folder and try to create a package from it.
A way to avoid this mistake is to point the wizard to the self-extracting installer of the application downloaded from
the Kaspersky Lab website. This option is not apparent in the wizard though. What you need to do is when prompted
for the description file, change the file type from .kpd/.kud to Self-extracting archive. And then point to the
downloaded installer. The package creation wizard will automatically unpack the specified file to a temporary folder
and extract the description file from it.
After the package description file is selected, the wizard will show the application name and version for you to
check that it is exactly the application you want.
License agreement
At the next step, the wizard may ask to accept the license agreement.
I-89
Unit I. Deployment
Application settings
Then, depending on the application, the wizard may ask for some installation parameters. In the case of Kaspersky
Endpoint Security, the wizard prompts for the installation type: Basic or Standard. This can be modified later in
the package properties, especially if you need a custom selection of components.
To create an installation package for a Kaspersky Lab program, the administrator does not need to search for and
download the installation files. Kaspersky Security Center monitors current versions of Kaspersky Security Center,
Kaspersky Endpoint Security and Kaspersky Security for Windows Server and allows the administrator to create
installation packages right from the distributions available on Kaspersky Lab servers.
In the Installation packages node, there is the Additional actions button, and the View current version of
Kaspersky Lab applications link beneath.
I-90 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
It opens the list of available distributions for various versions and localizations5. The administrator just selects the
necessary distribution and clicks the Download distribution package button; and the Administration Server
automatically completes the job: downloads the files and creates an installation package from them.
Kaspersky Security Center manages numerous programs by Kaspersky Lab. And the list of updates contains not
only new program versions, but also updates for them, new versions of plug-ins, various localizations of the same
applications. As a result, the list is rather long.
5
English, French, German and Russian localizations of Kaspersky Security Center, Kaspersky Endpoint Security for Windows and
Kaspersky Security for Windows Server are displayed.
I-91
Unit I. Deployment
To find what you need, use a filter. In the filter, you can select:
— Components:
— Update type:
— Updates to display:
— Language
— All languages
— Administration Console language or basic set (English, German, French)
— Administration Console language and the language selected on the list
After you apply the filter, the window will show only the updates that meet the specified conditions. You can also
sort the contents by name, type, language and other parameters.
I-92 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Kaspersky Security Center notifies the administrator about new versions of distributions. When they are issued,
the corresponding message appears on the Monitoring tab of the Administration Server node, in the Deployment
area.
Kaspersky Endpoint Security is not compatible with other protection tools. Before the installation, the conflicting
programs must be uninstalled. If you do not do this, the computer may operate slowly and unstably. In the worst-
case scenario, which is rare though, the computer may hang, restart spontaneously and display a blue screen.
I-93
Unit I. Deployment
Protection tools co-exist poorly because of the drivers that they install to intercept file operations, network
connections and system calls. The Network Agent does not install any drivers, and therefore does not conflict with
third-party protection tools.
To uninstall protection tools by other manufacturers, you had better use regular tools:
— The applications that have their own centralized management system should be removed via this system
— If possible, uninstall third-party protection using Windows tools
If the incompatible applications cannot be uninstalled using regular tools, the administrator may use Kaspersky
Security Center functionality for this purpose:
— The Uninstall incompatible applications automatically option in the installation package of Kaspersky
Endpoint Security, or
The former option is always enabled in the installation package and reliably uninstalls many widespread versions of
third-party antiviruses and firewalls. However, if you have an uncommon antivirus or a recently released version,
Kaspersky Endpoint Security installer may fail to detect it.
Besides, some of the incompatible applications can be detected by the installer, but cannot be uninstalled.
If the installer has detected and uninstalled incompatible applications, it will require restarting the computer to
complete the installation of Kaspersky Endpoint Security. It is the only difference compared to a typical installation.
If there are no incompatible applications on the computer, the installer will install everything without a restart.
The installation task has restart parameters for such cases. By default, the task will show the user a message that the
computer needs to be restarted every 5 minutes, and will force a restart in 30 minutes. The administrator can adjust
all these intervals in the remote installation task properties.
I-94 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If uninstallation of incompatible applications is disabled and a conflicting application is found during Kaspersky
Endpoint Security 10 installation, the installer returns an error. The error description explains that the product cannot
be installed if incompatible applications are installed on the computer. The administrator needs to uninstall
the conflicting programs and re-start the installation.
If it is a task that installs Kaspersky Endpoint Security together with Network Agent, it will install the Network
Agent and only after that inform about the error. It is handy, because you can use the Agent to uninstall
incompatible applications by a special task.
If there are incompatible applications on the computer, but the installer fails to detect them, it will complete the
installation as if they did not exist. In this case, the administrator may not know for quite a while about the conflict.
I-95
Unit I. Deployment
Eventually, the users will complain that a computer works slowly or malfunctions. When investigating what is the
matter, the administrator will discover that there are several protection tools on the computer.
The administrator can learn that there are third-party protection tools on the computers from the Administration
Console. Network Agents send lists of installed software to the server, and the aggregate list can be found in the
console in the node Advanced, Application management, Applications registry.
If the administrator suspects that there may be protection tools by other manufacturers in the network, it makes
sense to search for them on the list by the manufacturer name. For example, Symantec, McAfee or MalwareBytes.
The list of computers where the program is installed is available in its properties. After that, the administrator will
only need to uninstall it.
There is an Administration Server’s task that serves this purpose: Uninstall application remotely. However, it will
not be of any help immediately. The list of applications that the Agent can uninstall usually coincides with the list of
programs that can be removed by the installer of Kaspersky Endpoint Security. This list is updated only when a new
version or service pack is released, and new versions and service packs for Kaspersky Endpoint Security and
Kaspersky Security Center are almost always released simultaneously.
I-96 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
What to do
For each programs on the list, there is an INI file, which tells how to detect and uninstall it.
To uninstall an application that is not included in the list, send the program distribution to KL technical support and
request an INI file for it. Kaspersky Lab experts will need some time to study the application and develop an INI file
for it. This service is available only for comparatively large customers.
Copy the received INI file to the folder with other INI files on the Administration Server:
%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Data\Cleaner. After that, restart the
Administration Server service.
Now the Network Agent’s “Uninstall application remotely” task will be able to remove this program. Run the task
to uninstall all incompatible applications on all computers. Or, to save resources, make a selection of only those
computers where the incompatible application is installed, and run the uninstallation task there only for this
particular incompatible application.
I-97
Unit I. Deployment
To contact the technical support, use the companyaccount.kaspersky.com portal. To sign up, specify your e-mail
address and license: activation key or code.
To request an INI file, create a new request and select the category Make a request for Tech Support.
I-98 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
— Scope—for workstations
— Product name and version—Kaspersky Endpoint Security 10 for Windows 10.x.x.xxxx
— Request type and subtype—installation and incompatible software
Then describe the situation and do not forget to attach to the request the installer of the third-party program that you
want to uninstall.
Computer selections
To uninstall incompatible applications, you need to create an uninstallation task and run it on the computers where
these programs are installed.
I-99
Unit I. Deployment
To display computers where an incompatible application is installed, create a computer selection (in the respective
node). The Device selections node contains the following pre-configured selections:
— Update agents
— Databases are out of date
— Virus Scan has not been performed for a long time
— Not connected for a long time
— There are unprocessed objects
— Many viruses detected
— Protection is off
— No security application installed
— Unassigned devices with Network Agent
— New networked devices found
— Data encryption errors
— Device connection lost
— Devices with the Critical status
— Devices with the Warning status
— Devices with the Warning and Critical statuses due to vulnerabilities
These selections are hard-coded: they can neither be modified, nor deleted. There is no selection of computers with
incompatible software among them.
To create a selection, click the Advanced button and choose Create a selection.
Unassigned devices do not transfer lists of installed programs to the server. That is why you should search for
computers with incompatible applications either among managed, or among all computers.
By default, a selection does not have any conditions, and it finds all the computers within the specified scope.
I-100 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Selection parameters
By default, each selection has a macrocondition with numerous microconditions. All microconditions within the
macrocondition are combined with logical AND. Macroconditions are combined with logical OR.
To find computers with an incompatible application, one macrocondition is enough. Open its properties and switch
to the Applications registry section. Select the program name in the list “Incompatible security application name”.
Save the condition and the selection. The computer selection results will contain only the computers where this
program has been detected.
To display computers with various incompatible applications in a single selection, add macroconditions and specify
the other incompatible applications there.
I-101
Unit I. Deployment
Now, create an uninstallation task for this selection. Start the task creation wizard in the Tasks node, and when
prompted for the target computers, choose the created selection. Every time the task runs it will check the contents
of the selection and update the target computers list accordingly.
Task types
The wizard shows all tasks you can create. Each plug-in installed in the console adds tasks of the respective
application to the list. After standard installation of Administration Server, you will be able to create tasks for
Kaspersky Security Center and Kaspersky Endpoint Security 10 SP2. The remote installation and uninstallation
tasks are the tasks of Kaspersky Security Center.
To uninstall incompatible applications, select Kaspersky Security Center Administration Server | Advanced |
Uninstall application remotely in the task creation wizard.
I-102 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
This task is used in various scenarios concerning uninstallation of programs and service packs.
After that, specify the name of the incompatible application to be uninstalled. You can select several programs or
even all the applications that are included in the list. Selecting more than one program increases the task run time
though, because such a task executes, step by step, the uninstall scripts for all the selected programs.
I-103
Unit I. Deployment
Restart parameters
The uninstallation task has computer restart parameters. The restart is often necessary to finish the uninstallation. By
default, the user is prompted to restart the computer. If he or she chooses to postpone the restart, the prompt will
reappear every 5 minutes, and the restart will be forced in 30 minutes.
The administrator can modify these intervals and the message text. If the administrator selects a forced restart,
the user’s data may be lost. Another alternative is to wait for a regular restart; however, the task will remain
uncompleted for a while.
Finally, select computers for the task. The available options include:
— Picking computers from the Managed devices group and the Unassigned devices node
— Typing the names or addresses of the computers
— Specifying a computer group name
— Specifying a computer selection name
I-104 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The last option is convenient for computers that can be defined by conditions relatively easily, e.g., computers
where incompatible applications have been detected.
Account
The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because
Network Agent is already installed on the computers and will run the uninstallation task under the local system
account. The account must be specified if the task is run either on computers without a Network Agent, or on
computers where the Network Agent has no administrator permissions.
I-105
Unit I. Deployment
At the last steps of the wizard, select the schedule, task name, and whether to start the task immediately. The
uninstallation task is to run once.
Once the incompatible applications are uninstalled, Kaspersky Endpoint Security can be deployed by running
the remote installation wizard or a remote installation task, which can be created using the wizard in the Tasks node.
The parameters of a remote installation task are almost the same as those specified in the remote installation wizard.
By default, the wizard offers the task name that coincides with the task type: Uninstall application remotely. If you
are uninstalling a single program, specify its name in the task name. This way, you will be able to quickly
understand in future whether this task is still necessary, or you can delete it.
I-106 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are going to
do. To start the task, select the check box Run task after Wizard finishes.
Now you know everything to be able to install protection on all network computers:
— How to select components and installation parameters for Kaspersky Endpoint Security
— How to install Kaspersky Endpoint Security and Network Agent remotely
— How to install Kaspersky Endpoint Security and Network Agent using Active Directory
— How to create a standalone package for local installation
— How to create several different packages with different parameters
— How to install on discovered and undiscovered computers
For this purpose, you can use the installation task results, as well as reports, computer selections and event
selections.
I-107
Unit I. Deployment
Task results and the information available on the Managed devices group do not always provide comprehensive
information on the protection deployment in the network. Deployment by a single task on all computers, as well as
managing all computers within one group, is characteristic of small networks only.
For a complete picture, reports are the natural information source. Reports relevant to the deployment stage are:
The following selections are also very useful at the deployment stage:
Global statuses
Information about protection deployment is also available on the Monitoring tab of the Administration Server node.
The Deployment area contains the number of managed computers where Kaspersky Endpoint Security is not
installed. If it is non-zero, a link to the selection that includes all these computers is also displayed.
If there are any computers with Network Agent in the Unassigned devices node, this will be reflected in
the Computer management area with another link to the corresponding selection of computers.
Computer selections
Computers with Network Agent must be located within the Managed devices node. If they are located in the
Unassigned devices node, they neither send events to the Administration Server nor receive tasks and policies from
the Server.
That is why the Administration Server displays such computers on the Monitoring page and in the corresponding
selection.
I-109
Unit I. Deployment
Reports
Reports are available on the corresponding tab of the Administration Server node.
The software version report shows the number of Kaspersky Lab programs installed on managed computers. In
particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint Security
instances.
Various versions (builds) of the products are represented separately, which is convenient when upgrading
the products. The report shows how many computers use the current versions of the programs, and how many run
older versions.
I-110 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The graphic part of the report illustrates the statistics table, which lists all versions of managed products and
the number of installations for each of them.
The Details table gives information on every computer: which products are installed, which versions, etc.
Computers with protection tools, but without the Network Agent are included in the last category. If the Network
Agent is not installed, the Administration Server does not know whether protection tools are installed on the
computer. This category also includes the computers where the Network Agent is installed, but is not connected to
the Administration Server. For example, computers where Agents use an incorrect server address.
The chart and the Summary table show the number of computers in every category. The Details table, just like in
the software version report, shows the version of Network Agent and Kaspersky Endpoint Security on every
computer.
This report is especially useful if the administrator first moves all of the computers into the Managed devices group,
and then starts the deployment tasks. In this case, the report explicitly displays how many of the managed computers
are not connected to the server, and how many of those connected are not yet protected with Kaspersky Endpoint
Security.
If the administrator uses the remote installation wizard for the deployment and always selects the computers from
unassigned devices area, this report is less useful as it does not cover unassigned devices.
I-111
Unit I. Deployment
Polling types
In the deployment wizard or when creating a deployment task, the administrator can select computers from a list.
The Administration Server makes up this list by polling the network. Polls are performed periodically in several
different ways:
The network is polled by the service of the Network Agent installed on the Administration Server rather than by the
Administration Server service. The Network Agents installed on ordinary network computers do not poll the
network.
I-112 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Polling results are shown in the Advanced | Network poll node separately for each discovery method:
— Domains—computers detected during Windows network polling; workgroups and domains are represented
as folders containing computers
— Active Directory—domains and organizational units are represented as folders containing computers
The discovered computers are also displayed in the Unassigned devices node.
A computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its
address is 192.168.0.1, it will be displayed in both the Domains node and in the IP subnets node in
the corresponding folders.
To modify the poll settings for every method, select the Advanced \ Network poll node and then click Configure
polling in the corresponding section. You can also start any type of polling manually on this page.
I-113
Unit I. Deployment
The Administration Server collects the list of Windows network computers just like the operating system itself.
When a user opens the computer’s network places, the list of neighborhood computers grouped by domains and
workgroups is shown. The Administration Server can acquire the same list.
This polling method is called quick Windows network polling. It hardly places any extra load on the network.
The Computer Browser service is responsible for making up and representing the list of computers. In every
network segment there is the main computer that stores the general list and provides it when requested. To receive
the list, Administration Server only needs to send a request.
In Windows Vista/Server 2008 and later versions, the Computer Browser service is disabled by default. If the
Administration Server cannot receive the list of computers from the Computer Browser service, it sends a request to
Active Directory and tries to receive a list of computers from it. Certainly, only if the Administration Server is on an
Active Directory domain.
Quick poll is performed every 15 minutes. After a quick poll, the Server receives the list of NetBIOS names of
computers, domains and workgroups.
I-114 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
During a full poll, the Administration Server tries to receive as much information as possible about each computer
from the quick poll results.
For each name, the Server resolves the name into the IP address using NetBIOS, DNS and LLMNR protocols. For
the received addresses, the server performs a reverse resolution into the name, and if this name does not coincide
with the original one, receives the IP address for the new name.
The Server checks whether the IP addresses are accessible using ICMP requests and finally tries to connect to the
computers using SMB and RPC protocols to find out the operating system.
All these numerous requests are necessary because names and addresses of the computers may change. The
Administration Server uses direct and reverse resolution of names and IP addresses to distinguish new network
computers from the old ones that just changed the name or IP address.
As the number of requests is proportionate to the number of computers, the network activity is much higher than
with a quick poll. That is why full poll is performed hourly by default.
I-115
Unit I. Deployment
In polling results, the Server shows everything it was able to find out about a computer: its name, address, operating
system, etc.
Polling schedule is defined as a start time and a timespan. A timespan can be as small as a few minutes or as large as
several days or weeks. It is possible to run missed polls. If polling is performed often, this is not necessary; but will
be useful if polling is performed once a week or a month.
I-116 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Additionally, for Windows network polling the administrator can specify the life span for the information on
the discovered computers. By default, this period is 7 days. If in 7 days a computer can no longer be detected by
Windows network polling, the information about this computer is deleted from the server database.
This interval can be specified independently for every domain or workgroup. Also, you can specify a common life
span and use it for the whole Windows network.
Administration Server requests from Active Directory the structure of containers (units) and the list of computers for
each of them.
Additionally, the Administration Server requests the list of users and security groups. Work with AD users falls
outside the scope of this course. See courses KL 010.10 and KL 302.10 for details.
I-117
Unit I. Deployment
In a large network, the total volume of all lists (computers, users, groups) may be very large, and that is why Active
Directory polling is performed every 60 minutes by default.
Polling parameters for Active Directory are similar to those for Windows network polling. There is an option to turn
off this polling method entirely and a schedule.
There is no explicit lifetime parameter for the polling results. Each polling replaces the previous results:
In the Advanced polling parameters, the administrator can select the polling scope:
— The Active Directory domain to which the Administration Server belongs (the default choice)
— The domain forest to which the Administration Server belongs
— The specified list of Active Directory domains
I-118 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To add a domain to the polling scope, specify the address of the domain controller, and the name and password of
the account for accessing it.
You can selectively disable polling for some organizational units in their properties.
When the administrator changes the polling scope, after the next polling, the Server will show only the new scope
contents. For example, if the administrator has disabled polling within a unit, after the next polling, the
Administration Server will delete all the information about the contents of this unit from its database. Also, if the
Server scanned several domains previously and the administrator deletes one of the domains from the list, after the
next polling, the Server will delete all data about this domain from its database.
IP subnet polling
IP range polling works similarly to full Windows network polling. However, the original list of computers is not
received as a result of quick polling; it is the list of IP addresses from the IP ranges specified by the administrator.
The server tries to resolve each address into a name, and the name into an address again; then checks whether the
address answers ICMP ECHO REQUESTs, etc.
To find out the device type, the Server also sends SNMP requests.
The polling results include only those computers that answered the ICMP request.
I-119
Unit I. Deployment
Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is
installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0,
the Administration Server automatically includes the 192.168.0.0/24 subnet to the scan list and polls all addresses
from 192.168.0.1 to 192.168.0.254.
IP subnets polling parameters include the list of polled IP subnets, the enabling check box and the schedule. When
this polling method is enabled, the default period is 420 minutes (7 hours). Life span for the polling results is 24
hours by default. If an IP address is not verified by polling in 24 hours, it is removed from the results. Such a short
life span tries to account for dynamic IP addresses (assigned over DHCP protocol), which can change frequently.
When modifying the settings, make sure that the information life time exceeds the polling interval.
In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually.
You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also,
the name of the subnet should be specified.
I-120 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Whereas
named subnets are not allowed to overlap, Ranges may overlap within a subnet.
You can enable and disable scanning independently for every subnet.
When the network is being polled, the Advanced | Network poll page displays the progress. Detailed information is
available in the Administration Server statistics. There you can find the time of the last poll performed by each
method, polling progress percentage and the name of the polled domain for Windows network polling.
I-121
Unit I. Deployment
The administrator can configure notifications about new computers found in the network. The corresponding event
is available in the properties of the Administration Server, and you can enable e-mail notification in the event
properties.
To receive information about new computers, open the Event notification section in the Administration Server
properties. Find the event New device found on the Info tab. Open the event properties and select the check box
Notify by e-mail.
For notifications, the Server uses the parameters that you specified in the Quick Start wizard when installing the
Administration Server. If you are not sure that correct parameters have been specified, check them in the
Notification delivery settings section of the server properties.
I-122 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
After the initial installation, there is only one group on the Administration Server—Managed devices. With a single
group, the same protection policy and task schedule is applied to all computers, which is not always preferred.
Even in small networks, it may be necessary to use different protection settings for servers and workstations. In
large networks, where different groups of users need various types of software, the capability to create policies with
different exclusions for different users is extremely useful. The computers must be placed into different groups to be
able to apply different policies6.
From a practical point of view it is convenient when computers in Kaspersky Security Center are organized into
the same groups as in Active Directory, or into groups corresponding to IP subnets used in the organization. This
way, the administrator can quickly understand where the computer is located to send an IT employee there.
There are also other examples of group use. Often, especially in large networks, the administrators create groups to
organize the deployment process. Computers without the Agent or protection tools are placed into the Deploy Agent
group, where the Network Agent automatic installation task is created. The computers with installed Agent are
moved into the Uninstall Incompatible Apps group, where the task for uninstalling incompatible applications is
configured. The computers without incompatible applications are moved into the Deploy KES group, where the task
of automatic installation of Kaspersky Endpoint Security is created. Finally, the completely protected computers are
moved into the permanent management structure.
6
Kaspersky Security Center 10 Service Pack 1 provides the capability to apply different policies (to be more precise, different configuration
profiles) to different computers within the same group. For more details, refer to course KL 302.10.
I-123
Unit I. Deployment
Creation of groups in the Administration Console is as simple as folder creation in Windows Explorer. First, groups
are created within the Managed devices node. Then you can create new groups either in the same node or inside the
created groups.
In the Administration Console interface, you can use any of the following methods to create a new group:
— Select the Managed devices node or an existing group and click the New group button on the Devices tab;
Enter the name of the group in the displayed dialog window: it will then appear as a subfolder in the structure of
managed devices. Each group page contains tabs for managing the hosts included into the group, group tasks and
group policies.
If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or
subgroups.
Groups can be moved within the hierarchy of managed devices. For example, if the structure of groups reflects
physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup can be
easily relocated together with its computers from the group Building 1 to the group Building 2. The task can be
accomplished using traditional Cut and Paste or Drag and Drop methods.
I-124 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
In the Administration Console, you can use any of the following methods to move computers:
— Drag and drop—select a computer among the managed or unassigned hosts and drag it with the mouse to
the necessary group. You can move several computers at once
— Cut and paste—the procedure is almost the same, but you cut the selected computers (using the shortcut
menu or CTRL+X keyboard shortcut) and then paste them into the necessary group (once again using
the shortcut menu or CTRL+V keyboard shortcut)
— Select one or several computers in the Unassigned devices node or a selection of computers (the method
does not work within the groups), open the shortcut menu, select the Move to Group command and specify
the necessary group
— Select the destination group, switch to the Devices tab, and click the Add devices link to launch the Add
Devices Wizard. In the wizard, you can either select the computers using the polling results or specify their
names or addresses manually
If you specify a name or an address of a computer that is missing from the Administration Server polling results, the
wizard will inform that it cannot be added.
If a computer exists in the network but cannot be discovered—for example, its firewall allows only outbound
connections—install Network Agent there. As soon as the Network Agent connects to the Server, the computer will
be added to the database and appear in the network polling results.
If the network is large enough and the planned structure of managed devices requires a large number of groups,
creating a hierarchy using the methods described above can be very labor-intensive. Sometimes it is easier to import
a group structure from the network polling results or from a text file.
I-126 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If administrators want to arrange the managed devices in the exact same order as their network, to combine them
into the same workgroups or domains and subdivisions, they can use the structure import functionality.
You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In
the first two cases you may import either the entire structure (groups including computers) or just groups. When
importing the topology from a text file, only groups can be created.
Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit
that is being imported are already present in a group of managed devices, the wizard will not relocate them.
To start the wizard, on the shortcut menu of the Managed devices group, select All tasks, Create groups
structure. In the wizard, specify the structure to be imported and the destination group. You can also import only a
structure from Windows network or Active Directory, and disable importing the computers.
Windows network topology and a structure defined in a text file are always imported completely. When importing
an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be
ignored.
I-127
Unit I. Deployment
The structure creating wizard is designed for initial creation of the structure of managed devices. It is not intended
for regular synchronization of structures of Kaspersky Security Center, with, for example, Active Directory. If you
need to synchronize, configure the computer relocation rules.
A structure import via a text file must be prepared manually. Every group or subgroup must be specified on
a separate line within the text file. Subgroups are specified using their full paths. Use the backslash path delimiters,
for example:
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
If a subgroup path contains groups that do not exist yet, they are created.
Groups created during the import procedure are completely identical to the groups created manually. You can
rename, move, delete them, etc.
I-128 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If groups in Kaspersky Security Center correspond to IP subnets or Active Directory units, the administrator can
easily automate the computers’ distribution into the groups. Computer relocation rules serve this purpose.
To open the list of relocation rules, click Properties on the shortcut menu of either the Unassigned devices or
Advanced | Network Poll node. Alternatively, you can click the button Configure rules in the Unassigned devices
node, or follow the Set up rules of device moving to administration groups link in the bottom of the Advanced |
Network Poll page.
In some cases, computer relocation rules are created automatically in the Kaspersky Security Center. For example,
when the administrator selects to move unassigned devices into a group in the remote installation wizard or when
creating a standalone package, the Administration Server creates a relocation rule for this operation. These rules can
be viewed on the list and can be disabled, but cannot be deleted or edited. The server deletes them automatically
when the corresponding task or standalone package is deleted.
— Where to move—the name of the group in the structure of managed devices where the hosts matching the
rule conditions will be relocated
When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are shown on
the rule list. Also, you will need to select the destination group—where to move the computers.
Afterwards, decide when to apply the rule to the computers. Three capabilities are available:
— Run once for each computer—as soon as the rule is created, it will be applied to all computers in the server
database, and then it will be applied only to new computers when they are discovered
— Run once for each computer, then at every Network Agent reinstallation on computer—is similar to
the previous option, but if the Network Agent is reinstalled on a computer, the rule will be reapplied to such
a host
— Rule works permanently—the rule is permanent; if a computer matching its conditions is manually moved
to another group, the Administration Server will immediately return it to the location specified in the rule.
If the computer attributes are changed, a permanent rule will react accordingly, while a one-time rule will
not
The rules created by the Administration Server for installation tasks and standalone packages are Run once for each
computer, then at every Network Agent reinstallation on computer.
I-130 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Permanent rules are more convenient in a sense, but create a persistent computational load on the Administration
Server.
Other rule settings specify the conditions the computer must meet for the rule to be applied. The first condition is
located in the General section and is named Move only computers not added to administration groups.
With this option selected, a rule—even a permanent one—will not hamper the administrator to manually move
computers in the groups. It affects only unassigned devices. To apply such a rule to a computer within a group, just
delete the computer from the group. When deleted from the managed devices structure, the computer becomes
unassigned and the rule will apply to it.
If the Move only computers not added to administration groups check box is cleared, the rule applies to all
computers in the server database and the corresponding computers are moved into the specified group no matter
what happens. This does not prevent the administrator from deleting these computers from the Administration
Server database, though.
Many of the relocation conditions are related to the network attributes of the computers:
— NetBIOS name
— Name of the domain or workgroup
— DNS name
— DNS domain
— IP address
— Server connection IP address (if a computer is behind a NAT gateway, the connection address is
the gateway address)
To apply a rule to several computers, you can specify IP addresses as ranges, and names can be specified as masks
with “*” and “?” wildcards. If these options are insufficient, you can always create several rules with different
conditions that will move computers to the same group.
I-131
Unit I. Deployment
If the rule is to be applied to unassigned devices, the conditions can be specified in the terms of unassigned
computer representation in Kaspersky Security Center:
Conditions for computers may include operating system version, architecture and currently installed Service Pack.
Several operating systems can be specified within a rule. If the administrator wants to automatically move all servers
into the Servers group, it will be necessary to create only one rule that will take care of all servers of all versions
used in the network. For example, Windows Server 2008 R2 and Windows Server 2012 R2.
Also, there is the Network Agent is running condition. This condition can separate the computers already
connected to the Administration Server from those that need to be connected.
Other conditions
A relocation rule has a condition for virtual machines. Virtual machines running on different virtualization platforms
can be moved into different groups. Protection of virtual machines is described in courses KL 014.40 Kaspersky
Security for Virtualization. Agentless and KL 031.40 Kaspersky Security for Virtualization. Light Agent.
If these conditions are not enough, computers can be tagged and you can configure conditions using the tags. For
more details, refer to course KL 302.10.
I-132 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
There are similar conditions for the computers within the Active Directory structure:
Relocation rules allow configuring synchronization with Active Directory. For this purpose, enable additional
options under the condition Apply the rule to Active Directory organization unit:
— Including child organization units—if the selected unit has child units, computers within them will be
moved into the destination group
— Move computers from child organizational units to corresponding subgroups—if the selected unit has
child units, and the destination group has the corresponding subgroups, computers from the child units will
be moved into the corresponding subgroups
— Create missing subgroups—if the selected unit has child units, and the destination group has no
corresponding subgroups, the Administration Server will create these subgroups and move the computers of
the child unit there
— Delete subgroups that are not present in the Active directory—the opposite of the previous option.
When an organizational unit is deleted from the Active Directory, this option will remove the respective
group from the Kaspersky Security Center.
If all the four options are enabled, an updatable copy of Active Directory structure will be created in the destination
group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another,
Kaspersky Security Center will automatically repeat these changes in its group structure.
In addition to units, Active Directory has groups, which may contain computer accounts. To move computers into
groups according to the domain groups, select the condition The device is member of Active Directory group and
specify the group name.
I-133
Unit I. Deployment
The created rules are organized into a list where their order makes a difference. Permanent rules have a higher
priority than the others. Among rules of the same type, the higher the rule is on the list, the higher its priority. In
other words, if a computer meets the conditions of several rules, only the top one is applied.
Rule order can be changed by arrows on the right. Also, a rule can be applied manually using the Force button at
the bottom of the window. This allows re-applying a non-permanent rule. For the permanent rules, the button does
nothing, since permanent rules are constantly forced anyway.
The Rule execution wizard prompts for the group where the rule is to be applied, and moves the computers that meet
the rule conditions from the selected group to the group specified in the rule. There is an option that allows skipping
the computers to which this rule has already been applied and only force the rule on new computers.
I-134 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
II–1
Unit II. Protection Management
Malware get on a computer via everything that connects the computer to the external world. Specifically, via
network connections and removable media. Let us examine typical scenarios of how malware penetrates a computer,
and how to prevent this.
Via a browser
The user has installed a vulnerable browser. A web page may use a vulnerability to make the browser download and
run any software on the computer. The user opens a dubious web site, and the web site starts malware on the user’s
computer. Malicious code can reside in the ad blocks that the web site receives from other sites rather than on its
own pages.
An infected file
The user looks for free software in the Internet. For example, a handy free utility, or a pirate version of an expensive
program, or a key generator for an expensive application. Finds, downloads and starts on the computer. The program
turns out to be malicious.
Maybe the user has downloaded a seemingly appropriate file from an “Internet garbage”. Or maybe criminals have
altered freeware code or cracked the site and replaced the program.
Via e-mail
The user receives an e-mail message that looks like a message from a bank, shop, delivery service, from a partner,
acquaintance, etc. The message prompts to click a link or open an attachment. The link leads to a malicious or
phishing web site. The attachment contains malware or a document with embedded malware.
— Filter e-mail by antispam tools (software that protects against anonymous bulk unsolicited e-mailing)
— Scan the files attached to e-mail messages by an antivirus program
— Do not allow the users to save executable files from e-mail messages to the drive
— Protect against links in the messages the same way as against attacks via web browsers
The user copied a program from a shared folder on another computer and started it. The program turned out to be
malicious.
The user opened a document from a shared folder on another computer. The document contained malicious code.
A network attack
There is a vulnerability in the operating system on the user's computer. If a special sequence of packets is sent to a
specific port, one can make the vulnerable service run the code within these packets. An infected computer will also
attack the vulnerable service on all other network computer and infect them.
The user connected a USB flash drive to the computer to copy documents. The USB flash drive contains malware
that uses a vulnerability in the operating system to automatically run on the computer.
Or the user simply connected a USB flash drive to find out what it contains, found a document or an executable file
with an intriguing name and decided to open it. The file turned out to be infected.
— Do not allow the users to connect unknown (or all) USB flash drives to the computers
— Scan files on USB flash drives by an antivirus program
— Install security updates for the operating system
BadUSB
The user connected a USB device that looks like a USB flash drive to the computer. The device registered with the
operating system as a USB flash drive and as a keyboard. After a while, the device started to execute commands on
the computer by sending keystrokes.
None of protection tools can protect against 100% of threats. Criminals may always be half a step ahead since they
Even if protection works properly, there is always risk that a computer may be infected with a new malware. If
protection is not installed on some computers, if databases are outdated on computers, if important protection
components are disabled, the risk grows.
Let us study the harm that malware can cause and how it can be decreased.
Ransomware
Ransomware encrypts documents and other files on the computer and in shared folders, and demands money in
return for the encryption key. The key is stored on the criminals’ server. Malware either downloads the key from the
server, encrypts files and deletes the key; or generates a random key, sends it to the server, encrypts files and deletes
the key. Anyway, ransomware connects to its server over the network.
Spyware
Malware looks for non-encrypted or poorly encrypted passwords in software settings and in the files on the drive.
Malware intercepts everything the user enters, takes screenshots and shoots through the web camera. The program
sends all this to the criminals’ server.
Network viruses
Malware writes itself to the USB flash drives connected to computer and to shared folders over the network.
Malware infects neighbor computers via vulnerable services. Malware sends spam and participates in DDOS attacks
at a control center’s command.
Loaders
Criminals often use very simple files, which do not impose any direct threat, to get round protection tools and infect
a computer. But these files may download additional malicious files, which can encrypt documents, steal passwords,
etc.
Low-grade malware
Malware makes other programs hang or malfunction, the computer runs really slow, spontaneously restarts or
displays a blue screen.
The loss reduce methods may be grouped similarly to attack prevention methods:
Kaspersky Endpoint Security and Kaspersky Security Center components do everything to protect against attacks
and prevent losses:
Install security updates for the operating system Kaspersky Security Center (see course KL
009.10)
Install updates for web browsers and other programs Kaspersky Security Center (see course KL
009.10)
Do not allow the users to start whichever browsers Application Startup Control
Do not allow the users to open whichever web pages Web Control
Do not allow the users to save executable files from e-mail messages Mail Anti-Virus
to the drive
Prohibit connections to the ports that the users do not need for their Firewall
work
Do not allow the users to connect unknown (or any) USB flash drives Device Control
to the computers
Scan the files that the users copy, open or start File Anti-Virus
Application Privilege Control
Scan the files attached to e-mail messages by an antivirus program Mail Anti-Virus
Scan the files that the users download from the Internet by an antivirus Web Anti-Virus
program
Do not allow the users to open known infected and phishing web sites Web Anti-Virus
Do not allow the users to open web sites that are known of distributing Web Anti-Virus
malware
Scan the packets that a computer receives for network attacks by an Network Attack Blocker
antivirus program
Use protection tools that heuristically detect dangerous activities System Watcher
Application Privilege Control
This list includes all components of Kaspersky Endpoint Security. All of them either decrease the attack surface, or
actively scan, detect and block threats.
Kaspersky Endpoint Security neither backs up files on the computer, nor protects against spam. To protect against
spam, use Kaspersky Lab products for mail systems:
To ensure that Kaspersky Endpoint Security components reliably protect against threats, it is important to regularly
update signature databases.
It is also important to allow Kaspersky Endpoint Security to use Kaspersky Security Network.
II–11
Unit II. Protection Management
Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all
protection components.
Kaspersky Security Network servers collect information about files on the protected computers, analyze it using
machine learning technologies, consider when a file was detected for the first time, whether it is widespread, in
which regions, whether the users of personal versions of Kaspersky Security trust the file, whether the file is signed
with a certificate and which one, etc. Suspicious files are additionally analyzed by Kaspersky Lab experts.
After that, Kaspersky Security Network assigns a trust group to the file:
— Trusted
— Low Restricted
— High Restricted
— Untrusted
This way, Kaspersky Endpoint Security components learn which programs are to be allowed to connect to the
network, which programs may install drivers, and which of the trusted programs are to be scanned especially
thoroughly, because they may contain vulnerabilities.
Kaspersky Security Network contains a huge database of checksums of known good files. Kaspersky Lab receives
checksums of reference files from many known software manufacturers, such as Microsoft, Adobe, Google, etc.
That is why Kaspersky Endpoint Security components know which files are not infected for sure and do not hamper
the respective programs.
Except for files, Kaspersky Security Network forms reputation for web pages and software activity patterns.
If Kaspersky Lab detects a new threat, checksums of all malicious files and web pages get to Kaspersky Security
Network in a split second and are available to all products that use Kaspersky Security Network. Products learn
about new threats via Kaspersky Security Network a few hours earlier than threat signatures are downloaded with
updates.
The data that Kaspersky Endpoint Security sends to Kaspersky Security Network are depersonalized and
anonymous. The complete list can be found in the Kaspersky Security Network agreement that the administrator
must accept prior to enabling Kaspersky Security Network in the Kaspersky Endpoint Security policy.
To be able to use Kaspersky Security Network without sending anything to Kaspersky Lab, there is the Kaspersky
Private Security Network service.
In this chapter, we will study which settings are available in Kaspersky Endpoint Security components:
Most of Kaspersky Endpoint Security settings are located in the policy. Some settings, for example, scheduled virus
scan or update settings, are set up in tasks.
Policies (all) and tasks (mostly) are configured within groups. Also, they can be found in the first-level tree nodes:
Policies and Tasks. In these nodes, you can see to which group each policy and task belongs.
File Anti-Virus intercepts all file operations (such as reading, copying, executing) using the klif.sys driver and scans
the files being accessed. By default, if the file is infected, the operation will be blocked, and the file will be either
disinfected or deleted.
Except for the vulnerabilities that allow malware to load code into the memory, all attacks save malicious files on
the computer drive. And even those attacks that start with executing code in the memory, can load only small
amount of code there and use it as the first step of the attack, which then downloads additional modules in files and
saves them to the drive.
Even if Mail Anti-Virus and Web Anti-Virus are disabled, the user will not be able to start an infected file received
by e-mail or downloaded from the Internet, because a file cannot be started either from an attachment or from a web
II–13
Unit II. Protection Management
page without being saved to the hard drive; and when the file is saved on the disk, it will be detected and blocked by
the File Anti-Virus.
This makes File Anti-Virus one of the most important components of Kaspersky Endpoint Security.
— Malware signatures—a signature database is a “black list” of known malicious files. If a file does not match
any of the database records, it is not malicious. A complete black list, where each known malicious or
infected file is described thoroughly, requires too much space; that is why a signature database is optimized
and narrowed down to a size that can be easily downloaded to a computer. Each record identifies a family
of similar threats.
— Heuristic analysis (emulation of execution)—helps detect polymorphous malicious files, which change
their code during the execution, and which are therefore difficult to detect using signatures. File Anti-Virus
starts executable files in a special isolated environment and waits whether code changes in the memory to
match a signature.
— KSN checks—File Anti-Virus sends the file checksum to KSN and receives an answer: whether such a file
is found in the KSN database, and which reputation it has. KSN database is a huge list of all files (to be
more exact, their checksums) known to Kaspersky Lab. This list includes files with untrusted reputation. It
is a black list, and File Anti-Virus blocks such files. There are also files with trusted reputation. It is a white
list, which includes known harmless files of operating systems and widespread software. File Anti-Virus
does not block these files even if they match malware signatures. KSN verdict has higher priority, because
KSN contains more information than a local signature database.
To receive a verdict from KSN, a computer needs connection to the Internet, which may be unreliable. For this
reason, Kaspersky Endpoint Security does not rely upon KSN entirely, and uses the signature database and
emulation.
KSN verdicts may change with time. A file that has just appeared in the Internet has no reputation at first.
Eventually, when KSN accumulates data about who, where and how uses this file, its reputation changes and may
become trusted or untrusted. For better protection, Kaspersky Endpoint Security could check the KSN verdict at
each file operation. But it would scale up the computer’s network traffic. Besides, sending a request and receiving
an answer takes time, which depends on the quality of communication channel.
To avoid creating extra traffic and detaining file operations, Kaspersky Endpoint Security saves KSN verdicts in the
local cache. Each verdict has its lifetime. For new files, it is short, which makes Kaspersky Endpoint Security re-
check the verdict often. For the files that have long been known, this time is large.
To avoid slowing down the computer, File Anti-Virus does not scan all files; it scans only those files that may infect
a computer. For example, File Anti-Virus does not scan archives, because s file must be extracted prior to be started.
It is either the user who extracts the file from the archive, or the operating system does this for the user. Anyway,
File Anti-Virus will scan the extracted files (and block them if necessary).
Scan the files that are not scanned by File Anti-Virus by virus scan tasks. Virus scanning checks files within the
specified scope and uses the same methods as File Anti-Virus.
II–14 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The more files File Anti-Virus scans, the better it solves the former task, and the worse the latter, and vice versa.
The default settings balance protection and performance. By adjusting the settings, the administrator can tilt the
balance one way or the other.
You can adjust Kaspersky Endpoint Security settings in the policy. The settings of all components are located in the
respective sections: File Anti-Virus settings, in the File Anti-Virus section. To adjust its parameters, click the
Settings button in the Security level area.
Let us first tell about the parameters that should not be changed and explain why.
All files File Anti-Virus scans all files belonging to the Protection scope that the
user or programs access
Files scanned by format (by default File Anti-Virus checks the extension and file header to decide which format
with the Recommended security the file has. If files of this format may harm the computer, File Anti-Virus
level) scans the file
Files scanned by extension File Anti-Virus checks only the file extension and decides on the format
based on the extension only. If files of this format may harm the computer,
File Anti-Virus scans the file
II–15
Unit II. Protection Management
Files that may harm a computer are mainly executable files, but not only. Microsoft Office documents may contain
executable code (macros), which can be malicious. Even documents without code, some graphic files for example,
may use vulnerabilities of the applications that open them and make these programs run a part of the file as code.
By default, File Anti-Virus scans files by format. This way, Kaspersky Endpoint Security reliably protects the
computer, because scans all dangerous files, but does not slow down the computer, since does not scan all the files.
Scanning files by extension only is dangerous. For example, a malicious Word document may have extension .123,
which is not included in the scan list, but the user can open it nevertheless via its shortcut menu (Open with). Also,
scanning by extension is not significantly faster than scanning by format. The user will not perceive any difference
in performance.
If the administrator wants to improve performance of slow computers, better start with exclusions for the programs
with which users work. How to create exclusions is explained at the end of this section.
Heuristic analysis of Kaspersky Endpoint Security starts a program executable in an isolated environment and
watches what it does. First of all, heuristic analysis helps detect polymorphous malware, which can change its code
during the execution.
When criminals e-mail new malware, or upload a new version of a malicious module to an infected computer, they
may generate a file with a unique checksum for each computer or addressee. Signatures and even Kaspersky
Security Network will not help in this case. But heuristic analysis clearly shows that all these versions restore the
same malicious code when running.
That is why you should not turn off Heuristic analysis in File Anti-Virus.
II–17
Unit II. Protection Management
On the other hand, Heuristic analysis delays file start. Heuristics levels—Light, Medium or Deep—define
the period of observing the object in the virtual environment. In the context of the File Anti-Virus operation this
means an increased delay when a program is run. To avoid slowing down the computer, the lowest level is selected
in the settings by default.
File Anti-Virus does not scan files that have already been scanned
Enabled File Anti-Virus does not scan files that have already been scanned if they have not been modified
(by default) since then
Disabled File Anti-Virus scans a file every time when the user or a program accesses it
Most of the files a rarely changed on the computer, and if File Anti-Virus scans only new and changed files, it
almost does not load the computer. In the first few days, while all files are new for Kaspersky Endpoint Security, the
user may feel that the computer works slower. But File Anti-Virus stops influencing performance soon.
Do not turn off the option Scan only new and changed files in File Anti-Virus, it will slow down the computer.
How does Kaspersky Endpoint Security learn which files have been changed and
which have not?
The NTFS file system (and its successor ReFS) logs when files are changed, and guarantees integrity of these
records. Therefore, on NTFS drives, Kaspersky Endpoint Security simply checks the file modification date.
FAT32 file system cannot log the modification date; neither can it protect the modification date against unsolicited
changes. Malware may modify a file, and then assign any modification date to it. For this reason, Kaspersky
Endpoint Security saves checksums of scanned files into a special database for FAT32 drives. When the file is
accessed next time, Kaspersky Endpoint Security re-calculates the checksum and compares it with that saved. If the
sums differ, the file has been changed, and File Anti-Virus scans it.
Scanning new files only once is dangerous. If malware gets on the computer before Kaspersky Endpoint Security
receives its signatures, File Anti-Virus will scan it, consider to be clean, and will not scan at the next start.
To prevent this, even if the option Scan only new and changed files is enabled, File Anti-Virus scans all new files
repeatedly, at least twice, or even several times.
For this purpose, Kaspersky Endpoint Security stores the release time of the signatures with which the file was
scanned fist and last. If a file has been scanned only once, or if the current version of signatures was issued less than
24 hours after that with which the file was scanned for the first time, File Anti-Virus re-scans the file.
What if signatures for a new threat are not issued in 24 hours? This almost never happens. Besides, except for
signatures, Kaspersky Endpoint Security uses information from Kaspersky Security Network, whereto information
about threats gets without delays.
To further reduce the risk, use a virus scan task to check all files on the computer, including those that have not been
changed, and which File Anti-Virus scanned already.
Enabled If the option Scan only new and changed files is disabled, File Anti-Virus uses a special algorithm to
(by default) scan files in the NTFS file system not every time they are accessed
Disabled If the option Scan only new and changed files is disabled, files in the NTFS file system are scanned
every time they are accessed
II–18 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Enabled If the option Scan only new and changed files is disabled, File Anti-Virus uses a special algorithm to
(by default) scan files in the FAT32 file system not every time they are accessed
Disabled If the option Scan only new and changed files is disabled, files in the FAT32 file system are scanned
every time they are accessed
iSwift and iChecker scanning technologies are responsible for collecting data about the changes made to files.
The iSwift technology extracts the data about changes from the NTFS and ReFS file systems. The iChecker
technology is used for executable files located on the drives with other file systems, for example, FAT32. For this
purpose, iChecker calculates and saves the checksums of the scanned executable files. If the checksum remains
the same during the next check, this means that the file has not been changed. Both technologies save the file scan
time and the version of signatures used for scanning into a special database.
If the Scan only new and changed files checkbox is selected, the iSwift Technology and iChecker Technology
check boxes are of no importance. Even if they are cleared, Kaspersky Endpoint Security will still monitor whether
files have been changed, and will log the versions of signatures used for scanning files in the iSwift and iChecker
databases.
Why are the iSwift Technology and iChecker Technology parameters necessary? Suppose the administrator
believes that scanning new files only the first 24 hours is too dangerous, and disables the option Scan only new and
changed files. However, he or she does not want to scan files at each access either, because it will slow down the
computer. The iSwift Technology and iChecker Technology parameters enable the mode when File Anti-Virus
does not scan files at each access, but never completely trusts already scanned files; it re-scans them sometimes with
newer databases. It works as follows.
Kaspersky Endpoint Security does not trust new files, and scans them at each access, if the signatures’ version has
changed since the last scanning. It does not make any sense to scan a file with the same signatures. It goes on like
that for several days.
If the file does not change and is found to be clean at each scanning, Kaspersky Endpoint Security assigns a trust
period to the file. During the trust period, if the file does not change, File Anti-Virus does not scan it.
When the trust period is over, File Anti-Virus rescans the file at the next access with the latest signatures. If the file
is still clean, it receives a new trust period, longer than the previous.
This way, files that are stored on the computer for a long time without being changed are eventually scanned rarer
and rarer.
Using the parameters iSwift Technology and iChecker Technology instead of Scan only new and changed files is
safer. With the lapse of time, File Anti-Virus will load the computer almost as little as with the option Scan only
new and changed files. However, performance improves considerably longer.
Do not disable the iSwift and iChecker technologies in File Anti-Virus. This will either have no effect (if the Scan
only new and changed files feature is enabled) or will lead to more scans and slow down the computer.
Enabled File Anti-Virus scans files within RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives. For this
purpose, File Anti-Virus unpacks an archive into a temporary folder or into the memory
Disabled File Anti-Virus neither unpacks archives nor scans files within them
(by default)
To scan archived files, File Anti-Virus unpacks the archive, which consumes considerable computer resources.
Archives are not dangerous as they are. A malicious file cannot be started from the archive. The user either unpacks
II–19
Unit II. Protection Management
the archive manually, or the operating system does this for the user. Anyway, a malicious file gets on a drive prior to
run, and File Anti-Virus scans it as any other file.
Do not enable the Scan archives option in File Anti-Virus. It will slow down the computer, but will not improve
protection
Enabled File Anti-Virus scans files within self-extracting archives and installation packages, such as MSI. For
this purpose, File Anti-Virus extracts files into a temporary folder
Disabled File Anti-Virus does not scan self-extracting archives and installation packages
(by default)
Installation packages are executable files, and File Anti-Virus scans their executable part anyway. However, a large
part of data within an installation package consists of archived files of the program to be installed by the package.
To scan them, File Anti-Virus extracts them from the package, similar to archives.
Installation packages need not be scanned by File Anti-Virus. If the user copies a package, it cannot infect the
computer. If the user starts a package, it will extract files itself and save them on the drive, where they will be
scanned by File Anti-Virus.
Enabled File Anti-Virus scans executable parts not only within Microsoft Office documents, but also in the
(by default) objects embedded into them
Disabled File Anti-Virus scans executable parts only within Microsoft Office documents, and skips embedded
objects
Microsoft Office files have a complicated structure. We can even say that there is a file system with additional files
within a Microsoft Office document. When the user pastes an Excel chart into a Word document, Microsoft Office
can add the whole Excel document to the Word document, with all its data, formulas and macros.
Do not disable scanning for office documents. Not scanning objects embedded in office documents is dangerous.
They may contain malicious macros, which Office programs can start without saving to the drive.
If you disable the option Scan only new and changed files, you receive the capability to scan only new and
changed archives, installation packages and office files.
If the administrator selects to scan archives, whenever the user tries to copy or open an archive, the operation will
not start until File Anti-Virus unpacks the archive and scans all files within it. Meanwhile, the user cannot do
anything with the archive.
If the administrator wants to scan archives, the user experience can be improved by changing additional archive scan
settings.
Unpack compound File Anti-Virus will detain operations with small archives only. If the user opens a large
files in the archive, File Anti-Virus will allow access, but at the same time will unpack the archive and
background mode scan the files. The user will not have to wait. Large archives are those that are larger than
the Minimum file size value
II–20 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Minimum file size By default, is not specified. Meaning, if you select to unpack compound files in the
background, File Anti-Virus will scan all archives in the background mode
Do not unpack large File Anti-Virus will scan only those archives that are less than the Maximum file size
compound files
The Scan mode determines the file operations that trigger scanning. It is simpler to describe them in the reverse
order of their appearance:
On execution File Anti-Virus scans a file before it is started. When the user or an application copies or edits a
file, File Anti-Virus does not scan it
On access File Anti-Virus scans a file before a read operation. To copy or start a file, it must be read,
meaning, File Anti-Virus scans executable files before they are started and all potentially
dangerous files before they are copied. When the user or a program edits a file, File Anti-Virus
does not scan it
On access and File Anti-Virus scans files at every read or write operation. This is the safest mode, yet the most
on modification resource-consuming
Smart mode File Anti-Virus analyzes file operations. If a file is opened for writing, the scan will be
performed after it is closed and all changes to it are made. Intermediate changes made to the file
are not analyzed. If a file is opened for reading, it will be scanned once on opening, but will not
be rescanned on intermediate read operations until the file is closed
Smart mode ensures the same protection as On access and modification, but consumes less resources. It is the best
choice for most computers.
You can use the modes On access and On execution on the computers where performance is more important than
security at your peril.
Malware detected by File Anti-Virus should not be left unprocessed, and the settings that regulate File Anti-Virus
actions should be locked. The optimal choice is to disinfect and if disinfection is impossible, delete infected files 1.
Most of the malicious files cannot be disinfected, because they contain nothing but the infected code.
Before a file is disinfected or deleted, its copy is placed into the Backup repository or Quarantine, depending on
the verdict. In case a file contains important information or is deleted because of a false positive, it can be recovered.
If the Roll back malware actions during disinfection option is enabled within the properties of the System
Watcher component, Kaspersky Endpoint Security not only deletes malicious files, but also rolls back their actions 2.
1
The Select action automatically option is equivalent to the Disinfect. Delete if disinfection fails option.
2
The rollback procedure is described in Chapter 4 of this Unit.
II–21
Unit II. Protection Management
First, find out whether File Anti-Virus actually slows down the computer (or a program):
Even if programs work faster on the computer without File Anti-Virus, do not disable File Anti-Virus entirely.
Configure exclusions for applications. Try various exclusion types:
— If all program files are located in a single folder, exclude the program’s folder from scanning
— If the program works with files in various folders or in a temporary folder, make the executable file of the
program trusted
Never exclude the operating system’s temporary folder from scanning. Malware is often started from it.
— If the program works with files in shared folders, try to disable scanning of network drives
— For the programs that start on the specified schedule during off business hours, pause File Anti-Virus while
the program runs
II–22 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Exclusions are configured in Kaspersky Endpoint Security policy: in the General Protection Settings section, click
the Settings button in the Scan exclusions and trusted zone area.
Exclusions for folders are located on the tab Scan exclusions and are applied to all protection components. A scan
exclusion consists of three attributes:
— File or folder—the name of the file or folder to which the exclusion applies. The name of the object may
include environment variables (%systemroot%, %userprofile% and others) and also “*” and “?” wildcard
characters
— Object name—the name of the threat to be ignored (usually corresponds to a malware name), which can
also be specified using wildcard characters
Of the three attributes, any of the first two and the third one must be specified. You can create a scan exclusion for
a file or folder without specifying the threat type; then the selected components will ignore any threats in
the specified file or folder. Alternatively, you can create a scan exclusion for a threat type, for example, for
the UltraVNC remote administration tool, so that the selected protection components would not respond to this
threat regardless of where it is detected.
All three attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for
widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object
(typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security
would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from
another folder, Kaspersky Endpoint Security would consider it a threat.
II–23
Unit II. Protection Management
If the computer runs resource-consuming programs, their operation can be slowed down by the File Anti-Virus. This
is especially true for the programs that perform numerous file operations, for example, backup copying or
defragmentation. To avoid slowdowns, make these applications trusted.
For this purpose, in the exclusion settings window, add the executable file to the list on the tab Trusted
applications. Within the Scan exclusions for application window, specify the path to the executable file and select
the Do not scan opened files action. The path may contain environmental variables and “*”, “?” wildcards.
Not scanning network drives at all is dangerous. Prior to disabling network drive scanning, make sure that protection
tools are installed on all network computers. Do not disable network drive scanning “just in case”; do it only if it
solves the users’ issues
To exclude network drives from scanning, edit the protection scope in the security level settings.
II–24 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
In other words, all drives from which malware can be run. A protection area allows adding individual drives and
folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection
level.
If the desired effect is not achieved by setting up exclusions, as a last resort, configure pausing File Anti-Virus while
the program runs (in the Security Level settings, on the Additional tab).
File Anti-Virus can be paused while a resource-consuming operation is performed using the settings in the Pause
task area:
— By schedule—the schedule (daily only) is set by specifying the time when the File Anti-Virus is to be
paused and when it is to resume its normal operation. The time is specified in hours and minutes
— At application startup—File Anti-Virus will pause when the specified program loads in the memory and
will resume its operation when this program is unloaded from the memory
Policy settings must be enforced, meaning, locked. Unlocked settings are not applied to the computers.
Since all locks are closed in a policy by default, the administrator may not even notice them. While you edit settings
without touching the locks, all settings remain required and are enforced on the computers.
However, you should remember that if locks are open, the configured settings are not applied. If you have changed
settings in a policy, and they have not changed on the computers, check the locks in the policy.
II–25
Unit II. Protection Management
The security levels can be managed using the three-position switch: Low, Recommended and High. Depending on
the switch position, the File Anti-Virus settings adopt the following values:
Protection scope All removable drives All removable drives All removable drives
All hard drives All hard drives All hard drives
All network drives All network drives All network drives
Pause task — — —
If any setting is modified, the security level is changed to Custom. In order to return to the Recommended level,
click the By default button.
II–26 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
How can virus scanning help if File Anti-Virus scans all dangerous files anyway? Virus Scan:
— Updates caches of KSN, iSwift and iChecker, after which File Anti-Virus can scan fewer files
— Scans files that have not been changed. The File Anti-Virus does not scan such files, which may be
dangerous
Virus scan tasks check objects using the same methods as File Anti-Virus: signature and heuristic analysis and KSN.
The difference is that File Anti-Virus checks files on-the-fly when they are accessed while virus scan tasks inspect
the files by schedule or on demand.
File Anti-Virus works with the user. The more actively work the user’s applications, the more files are scanned by
the File Anti-Virus and the more resources it consumes. Therefore, the File Anti-Virus settings are optimized to
ensure protection against immediate threats only. If the user copies an archive, there is no immediate infection risk
and the archive need not be scanned.
Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be
performed. That is why the scan task will wait for the answer from KSN before returning the final verdict,
regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from
the scan scope of the File Anti-Virus—archives, installation packages, files in non-infectable formats, etc.
A virus scan task can be configured to check the processes in the memory and be scheduled to run after each
successful database update.
II–27
Unit II. Protection Management
Configure virus scan settings in virus scan tasks. The Quick Start wizard creates one of these tasks in the Managed
devices group. Adjust this task until you decide that you need more tasks.
Scan scope
Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for
example, %systemroot%), as well as * and ? wildcards in the file or folder names. For the folders, you can select
whether to scan all the contents, including subfolders, or just the folder itself without subfolders. If subfolders are
not selected to be scanned, the object icon is marked with the little red "minus" sign.
In addition to files and directories, the following scan objects can be specified:
Create a task that scans the whole computer weekly or every other week. If you cannot find proper time for such a
task, scan at least critical areas:
— Kernel Memory
— Running processes and Startup Objects
— Disk boot sectors
— %systemroot%\
— %systemroot%\system\
— %systemroot%\system32\
— %systemroot%\system32\drivers\
— %systemroot%\syswow64\
— %systemroot%\syswow64\drivers\
II–28 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Security level
Security level parameters in virus scan tasks are almost identical to the security level parameters specified for File
Anti-Virus. There are only a few virus scan parameters in the tasks that are not available in File Anti-Virus:
— Skip files that are scanned for longer than N s. —on the Scope tab in the Scan optimization area.
Enable this parameter if virus scanning takes long and does not complete within the allocated time
— Parse email formats—on the Scope tab in the area Scan of compound files. It is disabled by default,
because mail formats also include mailbox files, whose scanning takes too much time
Some malicious files are spread within office documents with an embedded mail file, which contains an
executable attachment. To completely prevent running such a file, enable scanning for office documents
and mail formats
— Password-protected archives—when scanning these, Kaspersky Endpoint Security will prompt the active
user for the password to unpack the archive. Since scheduled scans usually run in off hours when there is
no user, this option should be reserved for manual scans performed locally.
Virus scan tasks are also used to check archives. This is important because the File Anti-Virus usually does not scan
archives. A virus scan task can check the same types of compound objects as the File Anti-Virus.
Processing of compound objects is regulated by another option that becomes available after clicking the Additional
button—Do not unpack large compound files.
The other security level parameters are identical to those of File Anti-Virus.
Since the objective of virus scanning is to scan the files that have not been scanned by File Anti-Virus, and update
caches of KSN, iSwift and iChecker, use the following settings for File Anti-Virus to scan fewer files:
Account
By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes
network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem,
specify an account that has the necessary rights within the task properties.
You can also change the scan settings using the Security level slider. In that case the following settings will be
used:
Skip files that are scanned for longer than 180 sec – –
II–29
Unit II. Protection Management
iChecker technology + + +
iSwift technology + + +
Virus scan tasks may use any regular schedule: every N minutes, every N hours, every N days, weekly, monthly.
They can also be started once: either automatically at the specified time, or manually.
— After application update—the task will start after new threat signatures are downloaded and applied. This
is convenient for the scanning of memory and other locations where active threats may appear
— At application start—the task will start immediately after the launch of Kaspersky Endpoint Security (or
in a few minutes). This is another opportunity for the scanning of the most vulnerable computer areas
— On completing another task—a universal schedule that allows arranging tasks into a chain. From
the practical viewpoint, the best approach would be to link virus scan to update completion, but there is
already a special schedule option for that purpose
— On virus outbreak—when the Virus outbreak event is registered on the Administration Server
There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task
will start as soon as the computer is switched on. Use this option cautiously. If virus scanning starts in the morning
when the user turns on the computer, scanning will hamper the user.
II–30 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The mode Define task launch delay automatically makes more sense for an update task than for a virus scan task.
See Unit IV for details.
— Activate computer before the task is launched by the Wake On LAN function (min)—the option
allows you to schedule scan start for the night time or weekends without needing to worry whether
the computer is on. However, to use this feature, you need to enable its support in the BIOS settings of
the target computers
— Turn off computer after task is complete—the option may supplement the previous one. If a scan is
scheduled for the night or a weekend, the computer can be turned off after its completion
— Stop if the task is taking longer than (min) —the option allows guaranteed task completion before
the working day begins, so that the running scan does not interfere with the user activity
On servers, perform virus scanning on weekends, when they are less loaded.
On workstations, try to find such a time when computers are on, but virus scanning will not hamper the users:
If you cannot arrange that the users do not turn off their computers, use Wake-On-LAN to power on the computers
at night and run the virus scan task. If this capability cannot be used either, use so-called idle scanning.
To enable idle scanning, open the Properties section in the task and select the check box Pause scheduled scan
when the screensaver is inactive and the computer is unlocked (in the Run mode area). In this mode, virus
scanning will be performed only when the computer is not used (locked or a screensaver is active), otherwise, the
task will be Paused.
Full computer scan in the idle mode may take a few days or even a couple of weeks, but it is better than not to scan a
computer at all.
II–31
Unit II. Protection Management
If Kaspersky Endpoint Security informs about a threat in a file that is known to be clean, it is a false positive.
False positives hamper work considerably. Kaspersky Lab very thoroughly tests new signatures on a huge number
of files of operating systems and popular software to prevent false positives. During a scanning, Kaspersky Endpoint
Security checks files against Kaspersky Security Network and ignores threats in the files which KSN considers to be
trusted.
False positives happen extremely rarely, and usually concern files of infrequent software: for example, homeware.
If File Anti-Virus or a virus scan task finds a threat in a clean file, create an exclusion for it:
1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: General Protection Settings |
Scan exclusions and trusted zone | Settings
2. Add the file that gets a false positive to the list on the Scan exclusions tab. Select the File or folder check
box. Click the link select file or folder in the lower part of the window to specify the complete path to the
file. Use environmental variables, for example, %ProgramFiles%
It is safer to create an exclusion for a specific threat that Kaspersky Endpoint Security detected erroneously rather
than exclude the file entirely. For this purpose:
3. Select the check box Object name in the exclusion window. Click the link enter object name in the lower
part of the window to specify the threat name. The threat name can be found in the event about detected
threat by Kaspersky Endpoint Security in the Result \Name field.
II–32 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Exclusion by certificate
What to do if you configured an exclusion, but a new program version has been issued with new names of the folder
and executable file, which also gets a false positive?
If file names are similar, use a path mask. In a mask, the asterisk “*” stands for an arbitrary sequence of symbols,
and the question mark “?” stands for a single arbitrary symbol. For example, the file*.exe mask matches all files
whose names start with “file” and have the .exe extension.
If file names are entirely different, but all files are signed by a certificate, place the certificates to the certificate store
on the computers where the program is used and configure Kaspersky Endpoint Security to trust these certificates:
1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: General Protection Settings |
Scan exclusions and trusted zone | Settings
2. Switch to the tab Trusted system certificate store, select the check box Use trusted system certificate
store and select a store. The default choice is Enterprise Trust
3. Place the certificate(s) with which program files are signed to the selected store on the client computer.
You can use, for example, Active Directory group policies for this.
Each computer has the user’s certificate stores and the computer’s certificate stores. Kaspersky Endpoint Security
trusts only the certificates that are located in the computer’s repository
File Anti-Virus scans files on the drive that the user, operating system, and programs access. To avoid slowing down
the computer, File Anti-Virus scans only those files that pose an immediate threat. However, it does not prevent the
user from copying archived malicious files.
Virus scan tasks scan all files and delete malicious files that are passively stored on the computer, for example,
archived malicious files.
II–33
Unit II. Protection Management
If you cannot figure out a suitable schedule for running the scan task, use idle scanning.
— Schedule virus scanning. It updates the cache of scanned files and permits File Anti-Virus not to scan them
repeatedly if they have not been changed
— If files (for example, user profiles) load slowly over the network, and protection is installed on network
servers, do not scan network drives
A network is one of the main ways of spreading a virus. That is why network protection and network traffic
scanning are so important for computer security. In Kaspersky Endpoint Security, Mail Anti-Virus, Web Anti-Virus
and IM Anti-Virus components are responsible for anti-malware scanning of network traffic:
II–34 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Mail Anti-Virus Deletes malicious code from e-mail messages and attachments
Renames potentially dangerous attachments
IM Anti-Virus Deletes links to malicious and phishing web sites from messages
Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. The driver intercepts outbound
connections from the computer programs and transfers packets to the network antivirus components. Kaspersky
Endpoint Security detects the connection protocol and transfers packets to the corresponding component:
Other packets are sent directly to the programs and applications for which they are destined.
Kaspersky Endpoint Security does not scan data in secure connections (SSL/TLS)
Kaspersky Endpoint Security can intercept only connections to the specified ports rather than all of the outbound
connections. To achieve this, in the Kaspersky Endpoint Security policy, select General Protection Settings and in
the Monitored ports area, select Monitor only selected ports. Click the Settings button and specify the ports
which need to be controlled.
If you do not know which ports a program uses, select the check box Monitor all ports for specified applications,
and add the path to program’s executable file to the list.
Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or programs are used,
add them to the list.
II–35
Unit II. Protection Management
The Mail Anti-Virus protects from e-mail threats. Messages are intercepted at the protocol level (POP3, SMTP,
IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI).
Mail Anti-Virus detects and deletes malware using virus signatures, heuristic analysis and Kaspersky Security
Network. Additionally, Mail Anti-Virus can block or rename e-mail attachments that match the specified masks.
Mail Anti-Virus changes the subject of infected messages. The action taken is described in the message subject.
Protection scope
Security settings, among other options, determine the Protection scope. Mail Anti-Virus can scan either
To ensure minimal computer protection, you can scan incoming messages only. The scan of outgoing messages can
prevent inadvertent sending of an archived infected file and save the embarrassment. Additionally, you can select to
scan outgoing messages if you want to block attachments of certain types, for example, music or videos.
II–36 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Connectivity
The Connectivity group of settings more precisely defines the protection scope:
— Additional: Microsoft Office Outlook extension—scan objects3 when they are received, read and sent at
the level of Microsoft Office Outlook client.
If Mail Anti-Virus slows down the Microsoft Outlook mail client, try disabling scanning when a message is read.
Click the Settings button and clear the check box Scan when reading.
Scanning at the protocol level operates independent of the mail clients used. However, messages transferred over
unsupported protocols (for example, through Microsoft Exchange or Lotus Notes servers) will not be scanned.
Conversely, scan at the mail client level works regardless of the way the message was received. However, the list of
supported mail clients is rather limited.
Scanning methods
If archives are attached, they can be unpacked and scanned. This behavior is controlled with the following settings:
— Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule,
it is better to leave this check box selected and to scan archives “on the fly” using Mail Anti-Virus. It is
much easier not to allow any infected archive to penetrate into the mail database than to remove it from
the database later using an on-demand scan task
Do not turn off these parameters. Malicious files are often spread in attached archives and office documents
— Do not scan archives larger than NN MB—limits the volume of archives or office files to be scanned.
Malware is rarely spread in big files. Enable this limitation to avoid waiting too long when receiving large
compound files
— Do not scan archives for more than NN sec.—this option implements protection against “archive bombs”
whose scanning requires a very long time and a lot of resources, which slows down the computer.
Attachment filter
These settings concern only attached files. You can:
— Rename specified attachment types4—is used by default and renames attachments of executable types
(.exe, .bat, .cmd, etc.) This is a preventive measure against unknown malware. The user will not be able to
start the attached file without consciously renaming it.
3
Not only mail messages are scanned, but also the objects within Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange
storage.
4
Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_
II–37
Unit II. Protection Management
If archive scanning is enabled, Mail Anti-Virus will also rename attached archives that contain files with
the specified extensions.
This option can also be used to fight outbreaks of new viruses. If names of the attachments used by
the virus are known, they can be added to the list and then renamed so that the users are unable to open
these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless
attachment matches the specified mask, renaming would not cause any serious problems. The user can
consult the administrator and receive instructions on how to rename the file back
— Delete specified attachment types is a safe way to prevent infections, which can also be used to prevent
exchange of files of certain types: for example, music or video files
If archive scanning is enabled, Mail Anti-Virus will delete files of the specified types from attached archives
The list of filters contains the masks of frequently used file extensions. In addition to the extensions, user-defined
masks can contain parts of names. “*” and “?” wildcard characters can be used. The added masks will go to
the beginning of the list and will be enabled immediately.
Protection scope Incoming messages only Incoming and outgoing Incoming and outgoing
messages messages
Exclusions for Mail Anti-Virus are configured the same way as in File Anti-Virus: in the General Protection
Settings, Scan exclusions and trusted zone. In the scan exclusion settings, specify the file name only (wildcards
are allowed) to exclude all attachments with matching names from scanning. The same exclusion must be
configured for File Anti-Virus, or else the received attachments will not be saved or opened.
II–38 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
— Analyzes addresses of web pages opened by the user or applications, and blocks access to phishing and
malware-spreading sites
— Scans the objects downloaded over HTTP and FTP (the objects downloaded over HTTPS are not scanned)
and blocks malicious files
— Check against the database of suspicious sites—compare the address of the site to be opened with
the addresses of the web resources, which are known for hosting malware, attacking computers or other
harmful activities
— Check against the database of phishing sites—is similar to the previous check, but against the database of
sites on which phishing pages have been detected
— Heuristic analysis for detecting phishing sites—analysis of the site contents for HTML code characteristic
of phishing
— KSN check—addresses of the opened sites are checked against KSN. Dangerous links are blocked. The
received answer is saved in the local cache and is used for further checks.
Downloaded files are scanned using all the available methods: signature and heuristic analysis as well as KSN.
II–39
Unit II. Protection Management
Actions
You can select the action to be taken against all detected dangerous objects:
— Block download 5
— Allow download
You should select the Block download action in the policy and lock it so that the users are not able to download
hazardous objects or visit hazardous websites.
When the user attempts to open a black-listed web resource or download an infected object, a notification will be
displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.
Security level
— Check if links are listed in the database of malicious URLs—we recommend that you do not disable this
setting. If a website was added to the list of malicious web addresses by mistake, create an exclusion for it
— Heuristic analysis for detecting viruses—enables heuristic analysis. This is the same analysis as in
the File Anti-Virus: executable files are started in the virtual environment and their operations are
supervised. The depth of the analysis defines the monitoring time
— Check if links are listed in the database of phishing URLs—this setting is similar to the first parameter
and should also remain enabled
— Heuristic analysis for detecting phishing links—enables the use of heuristics when detecting phishing
sites.
Web Anti-Virus settings can be modified using the Security level switch. The table below explains how
the settings’ values change depending on the level selected:
Heuristic analysis for detecting viruses Light scan Medium scan Deep scan
Scan archives – + +
Scan archives is a hidden setting. If the Security level is switched into the Low position, in addition to the visible
parameter changes, archive scanning is disabled.
do not depend on the Security level and do not change the position of the Security level when modified.
5
The Select action automatically option is the same as Block download.
II–40 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If Web Anti-Virus erroneously considers a web site to be malicious or phishing, add its address to the trust list:
1. In the security level settings, open the tab Trusted web addresses
2. Select the check box Do not scan web traffic from trusted web addresses
3. Add the web site address to the list. To specify a mask, use “*” and “?” wildcards
The listed sites and the objects downloaded from them will not be scanned by Web Anti-Virus.
If Web Anti-Virus erroneously considers a file that a user downloads from a web site to be malicious, make an
exclusion for the file in General Protection Settings. Apply the exclusion at least to Web Anti-Virus, File Anti-Virus
and Virus scan.
II–41
Unit II. Protection Management
In old versions of Kaspersky Endpoint Security (before 10 Service Pack 2) the driver that intercepts connections for
network antiviruses acts as a local proxy.
When a program establishes connection to a remote server, Kaspersky Endpoint Security replaces the server address
with its own address to receive the packets, and then establishes another connection to the remote server to send the
scanned packets. The answer packets from the server are processed in a similar manner: first through the connection
established by Kaspersky Endpoint Security, and then from Kaspersky Endpoint Security to the program.
Some network programs are incompatible with this interception method. To ensure that they operate properly, the
administrators disable traffic interception for the program.
Kaspersky Endpoint Security 10 SP2 uses a driver that does not disrupt the connection; it uses the operating system
functions to receive access to all packets.
The programs that are incompatible with the old interception method are likely to be compatible with the new one.
If you have a program that conflicts with the new interception method too, disable traffic interception for it:
1. Open the list of trusted processes in the Kaspersky Endpoint Security policy: in the General Protection
Settings section, click the Settings button in the Scan exclusions and trusted zone area.
2. Add the application executable file to the list of Trusted applications: specify the full path to the file. You
can use environmental variables, such as %SystemRoot%
3. In the properties of a trusted program, select the check box Do not scan network traffic and clear the other
check boxes
4. If servers with which a program works have permanent addresses (or a range of addresses) and ports,
specify them in the lower part of the window: it is safer this way
This exclusion applies to the Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus and Web Control components
II–42 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The network components Mail Anti-Virus and Web Anti-Virus do not consume much resources. On the contrary,
they enable File Anti-Virus to scan fewer files, and improve computer performance.
Web Anti-Virus is the only component that protects against phishing. It also protects against new threats that are
spread through known malicious web sites.
Do not turn off network antiviruses, it will not improve performance, but will affect protection
If Web Anti-Virus or Mail Anti-Virus erroneously delete files, block safe web sites or hamper network programs,
configure exclusions:
Criminals continually create new malicious files. Kaspersky Lab is famous for detecting new threats and adding
their signatures to the database very quickly. Checksums of malicious files get to Kaspersky Security Network even
more promptly. However, criminals are still half step ahead. How does Kaspersky Endpoint Security protect against
new threats and especially against ransomware?
Ransomware that encrypts documents and demands money in return for the key cause immediate and direct harm
Kaspersky Endpoint Security tries to detect and block malware, including new, at all stages of an attack:
Criminals publish malware on web sites. Often these web Web Anti-Virus uses the database of known malicious
sites have also been used previously web sites and web sites’ reputation in KSN and
prevents the users from opening them
New malware have different code to get round signature System Watcher monitors what a programs does, and
scanning, but behave similarly to other malware detects new malware by behavior
Encrypted data are statistically homogeneous, as if System Watcher uses heuristic and statistical analysis
produced by a random-number generator. This makes to detect encryption in files
them different from most ordinary files
New malware do not have any reputation in KSN Application Privilege Control does not allow the
programs without a reputation to use many of the
operating system functions
New threats are mainly opposed by System Watcher and Application Privilege Control.
II–44 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The components and technologies that help to counter new malware not yet added to the Anti-Virus databases or
Kaspersky Security Network or minimize their impact are called Proactive Defense.
Heuristic analysis which we’ve studied already is an example of a Proactive Defense technology. However, the main
role in this protection aspect belongs to the System Watcher (and to some extent to the Control components, which
will be described later).
— Logs application activity for comparison with the behavior signatures database
— Detects malicious programs and blocks their actions
— Rolls back actions of the malware detected by other components (File Anti-Virus and scan tasks)
Malware detection is the main task. For this purpose, System Watcher monitors program actions and compares them
with dangerous activity patterns: so-called Behavior Stream Signatures (BSS). The BSS database is updatable, but
updates are issued comparatively rarely for it. Efficiency of the System Watcher almost does not depend on the
databases’ update regularity.
Various components gather data about application activity for the System Watcher:
— The main information source is the klif.sys driver that intercepts file operations (the one used by File Anti-
Virus). The driver gathers information about file operations and the changes made to the registry.
— System Watcher has its own module that reacts to complicated system events: installation of drivers, hooks,
etc.
II–45
Unit II. Protection Management
Configuration
System Watcher has a few settings which correspond to enabling or disabling the abovementioned task components:
— Enable Exploit Prevention—protects from various attacks (exploits) whose aim is to receive
administrative permissions in the system or conceal code execution.
Exploits typically use buffer overflow attacks. Incorrect parameters are passed to a vulnerable program or
service, which processes them and therefore executes some parameters as code. Specifically, such attacks
against system services running under the local system account enable criminals to receive administrative
permissions on the computer.
Typically, malware tries to start itself under the administrator account as a result of such an attack. When
this option is enabled, start operations are being monitored and if a vulnerable program starts another
program without the user’s explicit command, the start is blocked.
— Do not monitor the activity of applications that have a digital signature—do not control the programs
that are either signed with trusted certificates or have the Trusted reputation in the KSN
To exclude programs signed with self-signed certificates, configure exclusions for the certificates in the
Trusted zone (General Protection Settings)
— Roll back malware actions during disinfection—roll back actions taken by the programs deleted by File
Anti-Virus or scan tasks or quarantined by System Watcher.
Rollback means rolling back the changes made to the file system (creating, relocating, renaming files) and
registry keys (the records created by the malware are deleted). Also, a backup copy of some files and keys
is created at the time of the system start, which allows rolling back to this version if a virus makes changes
to these files and keys. These special objects include hosts and boot.ini files and registry keys responsible
for starting programs and services during the system start.
This option also recovers the files encrypted by malware (so-called cryptolockers).
Do not turn off the System Watcher. It protects against threats that other components may fail to counter
Actions
If System Watcher detects malicious behavior, it selects action automatically. This means that it interrupts the
program and quarantines its executable file.
— Terminate the malicious program—stop the malware and unload it from the memory
— Move file to Quarantine—stop the program, delete the malicious file, and place its copy into the
Quarantine repository
II–46 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The main purpose of the Application Privilege Control is to regulate the activities of the running programs, namely,
access to the file system and registry as well as interaction with other programs.
Application Privilege Control categorizes applications into trust groups, for which limitations are specified. Every
program receives one of the four trust levels:
— Trusted
— Low Restricted
— High Restricted
— Untrusted
Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time; and the start is
suspended until the analysis is over. The main categorization tool is Kaspersky Security Network. If it is
inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings:
— Use heuristic analysis to define group—if this check box is selected, Kaspersky Endpoint Security
defines the program status using a special heuristic algorithm that emulates the program start. Emulation
and analysis require time. By default, the time for assigning a trust group is limited to 30 seconds. There is
another setting named Maximum time to define group for this purpose. After the specified time,
the analysis is finished and the program gets placed into a trust group
— Automatically move to group—an alternative to using heuristics. This setting allows assigning one of
the 3 trust levels (High Restricted, Low Restricted, or Untrusted) to all unknown programs without
the analysis
— Trust applications that have a digital signature—if this parameter is enabled, the programs signed by
trusted certificates will be automatically placed in the Trusted group
Trusted certificates are certificates that Kaspersky Security Network trusts. To trust other certificates, use the
Trusted zone settings (General Protection Settings)
The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted
depending on the following settings:
II–47
Unit II. Protection Management
— Update control rules for previously unknown applications from KSN databases—program trust group
will be changed automatically if it appears in the KSN
— Delete rules for applications that are not started for more than 60 days—allows wiping out the trust
group information for the programs that have not been started for a long time. The lifetime is adjustable
Application Privilege Control limits interaction with other programs and operating system services depending on the
trust group. Generally, the default restrictions for trust categories are as follows:
Trusted No limits
Low Almost everything is allowed, except for building into operating system modules and accessing
Restricted recorders: web cams and microphones
High Interaction with operating system modules and other programs is prohibited. A program is allowed
Restricted to work only with its own segment of system memory
Application Privilege Control helps limit access to files, folders and registry keys on the hard drives. Application
Privilege Control has a list of protected resources. They are grouped into two categories:
— Operating system
— Personal data
Each category has its subcategories and resource descriptions: paths to folders, file masks, registry key masks.
Initially, the list of protected resources contains groups of most important files and registry keys. For example, the
Operating system category has a subcategory Startup settings, which lists all registry keys related to startup.
Rights to access groups of resources are defined for operations: Read, Write, Remove and Create.
Low Restricted Full access to everything except critical operating system files Full access
For critical operating system files, Read only
Program limitations automatically apply to its child processes. If a program with limitations starts a trusted program,
this trusted program will also be restricted. If a trusted application is started by the user or another trusted program,
there will be no limits
The administrator can modify limitations for any trust group and even for any individual program.
Do not change the Application Privilege Control settings unless you know precisely what you are doing
II–48 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy
2. Click the upper Settings button in the Application rules area
3. Select the trust group and click Edit
4. Switch to the Rights tab
The administrator can limit or extend rights for a program having the selected reputation here, but you must
understand what you are doing. For example, you can allow low restricted programs to access the web cam.
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy
2. Click the lower Settings button in the Application rules area
On the managed computers, the list of resources is updated together with the signature databases. To update the list
of resources in the policy, click the button Update above the list.
Do not delete or edit the pre-configured resources. To stop controlling pre-defined resources, add them to
exclusions: click the Exclusions button in the upper-right corner of the window.
To protect other files or registry keys, add them to the list. Keep your resources in an individual category.
1. Click the Add button to create your categories and resource descriptions
2. Configure access rights for the resource in the table on the right
To be informed when Application Privilege Control blocks an operation, enable logging. For this purpose, right-
click an action in the table and select Log events. You can log allow events of Application Privilege Control to
understand which programs work with a resource.
Note: The limitations configured for a program are inherited by all its child processes, even if their executable files
are included in the Trusted group. Thus, the programs with lower trust level may not evade the prohibitions by
using the privileges of programs having higher trust levels.
II–49
Unit II. Protection Management
With the default settings, Application Privilege Control protects the operating system and other software on the
computer against programs that have bad reputation.
The administrator can also easily protect users’ files against unknown programs. This way, they will be protected
against ransomware that encrypt documents.
— either already has bad reputation in KSN, and Kaspersky Endpoint Security will not permit starting it
— or (especially new malware) does not have any reputation in KSN and Application Privilege Control makes
them High Restricted or Low Restricted
Programs designed for working with documents, such as Microsoft Office, the other way round, are well-known and
have Trusted reputation.
Therefore, to protect documents, prohibit restricted programs from editing them. For this purpose:
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy and click the
second Settings button
2. Add documents to the list of protected resources in Application Privilege Control: in the list on the left,
select the category Personal data \ User files and add a new category named Documents
3. Include in the category document extensions, such as *.doc, *.docx, *.pdf, etc. For this purpose, add File or
folder to the category and specify the extension in the Path field. Repeat for all extensions
4. Prohibit restricted applications from editing documents. For this purpose, select the category in the list on
the left and change the rights in the table on the right: prohibit High Restricted and Low Restricted
applications from Writing and Deleting
II–50 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Almost any heuristic analysis returns false positives. To reduce them, exclude known clean programs from analysis:
To avoid blocking programs that are considered to be trusted in KSN, simply use KSN. To trust signed programs,
use the following components’ settings:
System Watcher
Kaspersky Endpoint Security trusts only those digital signatures that are is based on trusted certificates rather than
all of them. Trusted certificates are those issued by trusted certification centers.
Kaspersky Endpoint Security uses its own database of certificates and does not always trust certificates in the local
store Trusted Root Certification Authorities. If a certificate has been compromised, Kaspersky Endpoint Security
learns about this from Kaspersky Security Network, and will not trust files signed with this certificate.
Kaspersky Endpoint Security does not trust self-signed certificates either. To trust tailor-made software with a self-
signed certificate, add the certificate to the trusted zone of Kaspersky Endpoint Security as described in “Exclusion
by certificate”, section 2.5.
If a program does not have a digital signature, you can manually add it to the Trusted group in the Application
Privilege Control policy. Alternatively, you can completely exclude a program from scanning by System Watcher
and Application Privilege Control. How to do it will be explained later.
II–51
Unit II. Protection Management
Most of the widespread commercial programs have Trusted reputation. However, some open-source programs have
Low Restricted reputation. Tailor-made software may not have any reputation in KSN, and may receive High
Restricted reputation from Application Privilege Control.
If reputation hampers working with a program, change its reputation in the Kaspersky Endpoint Security policy:
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy
2. Click the upper Settings button in the Application rules area
3. Click Add above the list of categories
4. Enter a part of the program’s executable file name and click Refresh
5. Select the executable file in the search results
6. Select a reputation for the file in the lower-right corner of the window and click OK
If the administrator has selected a reputation for a file in the policy, Application Privilege Control will use this
reputation on the computers instead of the KSN reputation. Reputation from KSN or by heuristic analyzer is used
only for files that are not specified explicitly in the policy. Meaning, for most files, because by default the policy has
only reputation groups, and no files.
If the administrator has added a file to a reputation group in the policy, he or she can reconfigure its restrictions as
desired. For example, the administrator can add a program to the Trusted group, but then open its properties and
prohibit accessing the web cam.
II–52 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If you use policies with the default settings, the list of executable files is likely to be empty in the policy.
Kaspersky Endpoint Security intercepts all executable files on the computers, and Application Privilege Control
assigns a reputation to all of them. However, this data is not sent to the Administration Server by default. And the
policy shows only those executable files about which Kaspersky Endpoint Security has informed the Administration
Server.
To make Kaspersky Endpoint Security send the list of computer’s executable files to the server:
1. Open in the policy the Reports and Storages section and click the Settings button in the area Inform
Administration Server
3. To view executable files in the policy, wait for two synchronization intervals (30 minutes)
The lists of computer executable files are rather large. If all managed computers send them to the server, it will
increase the load on the network considerably. Usually, this is not necessary. To receive only the necessary files,
move a reference computer to a special group and apply a policy with the selected check box Inform about started
applications to it, and after you receive the list, move the computer to its original group
II–53
Unit II. Protection Management
When the user starts a program, Kaspersky Endpoint Security adds it to the local list of known applications. If the
administrator has selected to inform the server about started files, Network Agent will periodically synchronize the
list of files with the server.
However, it is not recommended to collect lists of files from all computers, and creating a special group with a
special policy for a single workstation is not always desired.
Administrators often have test computers where all typical programs are installed. If you have such computers,
gather lists of executable files from them. To fill the local list of known programs on a test computer, do not start all
programs manually, use the Inventory task.
The Inventory task scans files in the specified folders, finds executable files and adds them to the local list of known
executable files. It does not send anything to the Administration Server. To have scans results sent to the server,
select the check box Inform Administration Server about started applications in the Kaspersky Endpoint
Security policy.
To create an inventory task, run the task creation wizard in the Tasks node. Select the Inventory task type under
Kaspersky Endpoint Security 10 Service Pack 2 for Windows. If it is a task for a test computer, specify the All hard
drives scope. Assign the task to individual test computers.
Do not assign the inventory task to all computers. It will load the network without doing much good, because lists of
executable files are almost the same on different computers.
II–54 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If the limitations set by the Application Privilege Control still block a necessary program, you can configure
the corresponding exclusion. There are two types of exclusions in Application Privilege Control:
— Exclusions for resources—allow any program to perform any operation with the specified group of
resources
Exclusions for resources are configured in the properties of the Application Privilege Control, on the Protected
resources tab. You can configure exclusions for folders, files and registry keys.
Exclusions for programs are configured in the General protection settings section (Exclusions and trusted zone),
and provide several additional capabilities:
— Do not monitor application activity—disable all restrictions for the specified program
— Do not inherit restrictions of the parent process (application)—disable the limitations inherited from
the process that started the program and the parent processes of higher levels
— Do not monitor child application activity—disable the restrictions for the processes started by
the program for which the exclusion is created
Almost all Kaspersky Endpoint Security components help protect against new threats, but primarily System Watcher
and Application Privilege Control. Both components monitor the operations performed by the programs.
Application Privilege Control calculates the reputation of executable files and limits actions of programs that have
bad or unknown reputation. Program reputation is supplied by Kaspersky Security Network or heuristic algorithm.
The administrator can manually select a reputation for individual programs.
System Watcher monitors what programs do in general rather than their individual actions. For this purpose, it logs
everything that programs do and then checks whether sequences of actions resemble malicious activities. System
Watcher uses the log of actions to roll back malicious activities.
System Watcher has special heuristics that permit detecting ransomware (malware that encrypts documents and
demands a ransom). In some cases, System Watcher can recover encrypted documents.
To better protect against ransomware, configure Application Privilege Control to block access to documents for
programs that have bad reputation.
Do not turn off System Watcher and Application Privilege Control. These components implement state-of-the-art
technologies that protect against most sophisticated threats
II–56 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
From the security point of view, the Firewall performs two functions:
— Block unauthorized network connections to the computer, thus decreasing the infection probability
— Block unauthorized network activity of the programs on the client computer. This decreases the risk of
an outbreak, and also limits actions of the users that consciously or unconsciously violate the security
policy
The Firewall is tightly integrated with Application Privilege Control. Application Privilege Control does not limit
programs’ access to the settings of the operating system, other programs and user files. Firewall checks the program
reputation and limits its access to the network. This way, the Firewall prevents already running malware from
causing harm: for example, sending the user’s passwords to criminals.
The Network Attack Blocker component complements the Firewall and analyzes packets. While Firewall uses
simple rules to blocks packets, Network Attack Blocker checks sequences of packets for signs of a network attack,
for example, buffer overflow attack via known vulnerabilities, and blocks connections through which an attack is
performed.
II–57
Unit II. Protection Management
Firewall controls connections at the network and transport level using packet rules. It analyzes inbound and
outbound packets, compares them with the rules and takes one of the two actions:
— Allow
— Block
The simplest part of Kaspersky Endpoint Security Firewall is the list of packet network rules. To view it, open the
Firewall section in the Kaspersky Endpoint Security policy and in the Firewall rules area, click the second Settings
button.
ICMP type Echo, Echo Reply, Time Exceeded, Destination Unreachable, etc.
Can be selected for ICMP and ICMPv6 protocols
ICMP code Code for some ICMP types. You can select code 0, 1 or 2
For example, for a Destination Unreachable ICMP packet, code 0 means Net Unreachable, code
1—Host Unreachable, code 2—Protocol Unreachable
Network Permits specifying the network adapter by Interface type, IP address and MAC address
adapters Types of interfaces: Loopback, Wired network (Ethernet), Wi-Fi network, Tunnel, PPP connection,
PPPoE connection, VPN connection, Modem connection
The Firewall compares packet attributes with rule attributes, and if everything coincides (protocol, ports, direction,
network adapter, local address, remote address), applies the action specified in the rule.
Rule application will be registered in the Firewall log if the Log events check box is selected.
The Firewall looks for the first matching rule (from the top down) and applies it. To rearrange the rules, select a rule
and move it using the Up and Down buttons.
A default policy contains a list of packet rules that provides reasonable security for computers both on and off
the corporate network. The standard settings are described in detail in the end of this chapter.
Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom rules. For
convenience, the protocol, ports and direction can be specified by templates (for example, Any network activity,
Browsing web pages, Remote Desktop network activity, etc.) To select a template, click the button to the right of the
Name field in the rule settings.
II–59
Unit II. Protection Management
Addresses of remote computers may be specified indirectly in the rules, as Subnet addresses: Trusted networks,
Local networks or Public networks. How does the Firewall decide which addresses belong to which networks?
Network statuses are specified by the administrator in the Kaspersky Endpoint Security policy. If the policy does not
describe a network status, the Firewall defines it itself on the client computer.
On the computer, the Firewall adds the networks configured for the computer's network adapters to the networks
specified in the policy. If an adapter’s network coincides with or belongs to a network from the policy, it receives
the status specified in the policy.
If the adapter’s network does not belong to any of the networks described in the policy, the Firewall assigns it a
status based on its status in the operating system. If it is a domain, work or home network, the Firewall assigns it the
Local status. If the network is public in the operating system, it will also be public for Kaspersky Endpoint Security
Firewall.
For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status. And
a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24
respectively. Let’s say Kaspersky Endpoint Security automatically assigned the Public status to both these
networks. Now when the local networks are combined with the policy, the status of 172.16.55.0/24 network
effectively becomes Local network, because there is an entry in the policy for network 127.16.0.0/16 that includes
172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching
entry in the policy.
In the default policy settings, there are three network entries, all of which have the Local network status:
— 10.0.0.0/8
— 172.16.0.0/12
— 192.168.0.0/16
II–60 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
These are reasonable choices for the computers that are inside the perimeter; however, they should be reconsidered
for computers outside the perimeter, e.g., the computers connected via VPN or laptop computers on a business trip.
If the Firewall does not find a matching rule for a packet, or finds, but the action specified in the rule is According to
the application rule, it starts looking for the packet rule configured for this application. And if the application has no
settings in the policy, it checks the program’s reputation and looks for a matching packet rule in the reputation
settings.
The Firewall uses the same reputations as Application Privilege Control. The settings that Application Privilege
Control uses to select a reputation are also applied to the Firewall. If Application Privilege Control is not installed,
Firewall defines the reputation itself using the Application Privilege Control settings. A program cannot be Trusted
for Application Privilege Control and at the same time High Restricted for the Firewall. Each program has only one
reputation.
There are no applications in a policy by default; there are only reputations and settings for reputations. The
administrator can add programs to a reputation and after that he or she will be able to add whichever packet rules to
the program properties. Applications can be added in the same manner as in Application Privilege Control.
Each program and reputation in the list of rules has three rules that are always located at the bottom of the list:
For the Trusted and Low Restricted reputations, all three rules use the Allow action by default, and for the High
Restricted and Untrusted reputations, the Block action. Standard rules cannot be deleted or modified, except for
the Action attribute, which can be changed by the administrator.
By default, if only reputations are configured in the policy, reputations have only these three rules. These rules
intercept any network activity, because any address belongs to either a trusted, or a local, or a public network. That
II–61
Unit II. Protection Management
is why there is always a rule for any packet: a packet belongs to a process, the process has a reputation, and the
reputation has at least one rule for any remote address according to the network type.
The administrator can add custom rules to the list of reputation or application rules. These rules have only the
following attributes:
A standard policy does not contain rules for applications (except for the standard ones specified for the reputations).
That is why, by default, the ultimate network status and application reputations are defined locally in the Firewall.
Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:
1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols, external
port 53) and e-mail (over TCP protocol, external ports 25, 465, 143, and 993). The According to the
application rule action is selected in these rules, that is, programs from the Trusted and Low Restricted
groups will be able to send DNS requests and e-mail, while the others will not
II–62 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted
networks, any activity is allowed by default, except for DNS and e-mail limitations for Untrusted and
High Restricted programs
3. The fifth rule defines the order of packet processing in local networks. Such packets are processed
according to the application rules. The default application rules say that the programs from the Trusted and
Low Restricted groups have no limitations in local networks, while High restricted and Untrusted have
no access
4. The rest of the rules effectively regulate program behavior in the Public networks, since all packets from
Trusted and Local networks are processed one way or another by the above rules. Rules 6-8 block remote
desktop connections to the computer from public networks, and also block connections to the local DCOM
service, NetBIOS packets, access to Windows shared folders, and access to Universal Plug & Play devices
5. Rules 9 and 10 allow inbound TCP and UDP streams only to the programs belonging to the Trusted and
Low Restricted groups. Considering the default application rules, this means that Trusted and Low
restricted applications can receive incoming connections from Public networks, whereas High restricted
and Untrusted applications cannot.
6. Rules 11 to 15 block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to test
connection to remote computers
Trusted and Low Restricted programs have full access to all networks. That is why Firewall does not hamper well-
known programs by default.
Untrusted and High restricted programs are allowed to access only trusted networks, and even there may not work
with e-mail and DNS. However, there are no trusted networks in a policy by default, and Untrusted and High
restricted programs have no network access.
Thus Firewall prevents unknown malware from stealing passwords, downloading additional modules, receiving
commands from the control center and sending spam
Additionally, the Firewall blocks access to the operating system services (shared folders, remote desktop, DCOM,
etc.) and blocks ICMP requests from public networks.
II–63
Unit II. Protection Management
Most network applications are automatically included in either Trusted or Low Restricted groups, and are allowed
to exchange data over the network.
However, little-known open source programs or tailor-made software may receive the High Restricted reputation
and will not be able to work with the network.
To grant access to the network to a program that has High Restricted reputation, use one of the following
approaches:
— Change the program reputation, add its executable file to the Low Restricted or Trusted reputation as
described in section 4.3
— If the program’s files are signed with a certificate, use Application Privilege Control settings to trust these
files
— If files are not signed with a certificate, think about signing them with a self-signed certificate and use the
Trusted zone settings to trust this certificate
— Alternatively, configure packet rules to allow the program to use its addresses and ports. Packet rules are
processed earlier than the rules for applications and reputations.
The purpose of the Network Attack Blocker component is to block network attacks including port scanning, denial-
of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and
services running on the computer.
Network Attack Blocker uses signatures and blocks all connections that correspond to the descriptions of known
network attacks.
As we mentioned earlier, malware does not necessarily save executable code in the file system in order to infect
a computer. For example, malware using a buffer-overrun attack can modify a process already loaded in the memory
and thus execute the malicious code. The Network Attack Blocker component is able to prevent infections from
spreading this way. That is why it must be enabled, and its settings must be locked.
Network Attack Blocker has a few configurable parameters. If the component is enabled, attacks are blocked
automatically.
Additionally, Kaspersky Endpoint Security can block any further packets from the attacking computer for some
time. The Add the attacking computer to the list of blocked computers option regulates this behavior; by default,
it is enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but
only in the local interface of Kaspersky Endpoint Security.
Sometimes, Network Attack Blocker considers numerous packets sent by surveillance cameras and other similar
devices to be an attack, and blocks the packets. To prevent this, add the devices’ addresses to exclusions. Network
Attack Blocker will not analyze packets from trusted addresses.
II–65
Unit II. Protection Management
When a client computer blocks another client computer because of a network attack, the administrator can see only
an event informing of a network attack in the console. There is no list of blocked computers, or events informing
that a computer was blocked and later unblocked.
You can find the list of blocked computers in the local interface of Kaspersky Endpoint Security:
1. In the Kaspersky Endpoint Security window, on the tab Protection and Control right-click the Firewall
component and select Network Monitor
To unblock a computer from the Administration Console, restart the Network Attack Blocker component on the
computer that blocked an attack:
1. Find the event informing about the attack and check which computer sent the event (not which computer
attacked)
3. Switch to the Tasks section and find the Network Attack Blocker component
4. Stop the component and start it anew (use its shortcut menu or the buttons to the right of the list)
II–66 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
At the network level, packets are scanned by the Firewall and Network Attack Blocker components. Network
antiviruses (Web Anti-Virus, Mail Anti-Virus and IM Anti-Virus) scan the data at the application level.
Firewall protects computer services in public networks, and also does not allow Untrusted and High Restricted
programs to use network. Thus it prevents unknown malware from connecting to its control center.
Network Attack Blocker analyzes sequences of packets within allowed connections and blocks known types of
attacks.
— Make the program trusted for Application Privilege Control. The Firewall uses the same reputations as
Application Privilege Control.
— Open ports and addresses with which the program works using simple packet rules
— Add the application’s address to exclusions of Network Attack Blocker
II–67
Unit II. Protection Management
The risk of computer infection is lower within a corporate network than outside. Thus, applying different settings to
the computers that are taken out of office seems reasonable.
Specifically, by default, the policy considers all networks that have addresses 10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16 to be local and permits access to shared folders, Windows services and RDP within them.
However, outside the corporate network, addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may belong to
hotels, bars, airports and other public places. It is dangerous to trust them similarly to local networks.
Use a special out-of-office policy to change Kaspersky Endpoint Security settings when a computer is taken outside
the corporate network.
Out-of-office is the third possible policy status, in addition to the Active and Inactive status.
An out-of-office policy may be created for any group. There can be only one out-of-office policy for each version of
Kaspersky Endpoint Security in a group. That policy is propagated in exactly the same manner as an active policy.
However, while an active policy is enforced immediately, a policy for out-of-office computers starts working only
when the computer meets the specified conditions (which will be described later).
II–68 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if
an out-of-office policy exists in both parent and child groups, they are not related in any way. Whichever settings
are locked in the parent group policy, they do not restrict the policy of the out-of-office users within the child group.
In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy,
where the locked settings are inherited by the policies of child groups. Out-of-office policies are inherited only
completely by those subgroups where an out-of-office policy is not configured.
1. Run the New Policy Wizard: select the Policies node or the Policies tab in the administration group and
click the button Create a policy
Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for
Windows. Policies of the Network Agent or, for example, Kaspersky Security for Windows Servers
Enterprise Edition do not have such an option.
To modify the status of a ready policy, open the General section in its properties.
II–69
Unit II. Protection Management
By default, computers never switch to the out-of-office policy. To make them switch to such a policy, specify
conditions in the Network Agent policy using either of the following methods:
1. Select the Switch to out-of-office policy when Administration Server is not available check box
A computer will switch to the out-of-office policy if it is not connected to any network, or if the Network
Agent cannot synchronize with the Administration Server three times in a row.
In practice, this happens when a computer is disconnected from the corporate network. By default, the
synchronization period is 15 minutes. Therefore, a client will switch to the out-of-office mode instantly
after disconnected from the network or in 30 to 45 minutes if the network has not been disconnected.
We recommend that you configure conditions. Conditions can describe more precisely when a computer is located
in a corporate network, and when it is not.
If there are many computers in the network and the Administration Server is overloaded, some of the computers
may fail to connect to the Server at every regular synchronization. It might happen that a computer fails to
synchronize three times in a row and will switch to the out-of-office policy within the corporate network. Depending
on the out-of-office policy settings, such a computer can, for example, block access to its shared folders, which
would make quite a lot of trouble if it happens to a file server or a domain controller.
Certainly, if computers cannot synchronize with the Administration Server, it is an issue that must be solved 6.
However, improperly configured conditions of switching to the out-of-office mode may aggravate the issue.
6
How to correctly scale Kaspersky Security Center in large networks is described in course KL 302.10.
II–70 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Instead of using the option Switch to out-of-office policy when Administration Server is not available, configure
conditions that precisely describe when a computer is located within the corporate network, and when outside.
Conditions switch the connection profile for the Network Agent. See course KL 302.10 for details. To make
computers switch to the out-of-office mode, use the built-in profile <Not connected>.
There are various conditions in the Network Agent policy. Many of them are simple and clear, for example, subnet
address or main gateway address. However, they may fail to unambiguously define the corporate network. Suppose,
subnet 192.168.0.0/24 is used in the internal network. However, there can be the same network in a hotel, bar or a
free hotspot in the street. That is why the conditions by subnet, gateway or DNS server address are insufficiently
reliable.
You had better use the condition Name resolvability and specify a name that can only be resolved on the internal
DNS server of the company. Configure computers to switch to the out-of-office mode when they cannot resolve this
name:
1. In the Network Agent policy, in the Network \ Connection section, add a profile switch rule: click the
Add button below the lower list
2. Name the rule comprehensibly, for example, “<an internal DNS name> unresolvable”
3. In the Use connection profile drop-down list, select the <Not connected> profile
5. Add a name that can only be resolved in the internal network to the list
6. For Condition is true if parameter, select Does not match any of the values in the list
7. Save the condition, select the check box Rule activated, save the rule and save the policy
II–71
Unit II. Protection Management
The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which need fewer
restrictions. This may not be a safe assumption out of office. These can be networks in hotels, bars or other public
places which cannot be trusted. Make these networks public in the out-of-office policy. Alternatively, if you trust the
users, delete all networks from the policy: Firewall will check the statuses of networks in the operating system,
which are specified by the user.
A policy for out-of-office computers must take into account the fact that the host is outside the corporate network
and that it is the user who manages Kaspersky Endpoint Security meanwhile. Consequently, the policy must allow
the user access to the information about the protection status and to the product management tools. The user should
at least be allowed to scan suspicious files/drives and start updates. For this purpose, allow the user to manage group
or local tasks, or both. See the previous chapter for details.
To help the users make rational decisions about protection, it is necessary to provide them with more information
about incidents. The user should be warned about detected threats, the need for advanced disinfection and about
outdated databases:
— Open the list of Kaspersky Endpoint Security events in the policy, in section Reports and Storages
— Select all events that are important for the user in the Notify on screen column
Make Kaspersky Endpoint Security warn the user about the issues that it experiences with a yellow triangle on the
application icon in the notification area. Select about which issues to inform the user in the Interface section of the
policy.
II–72 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
When the users work outside the corporate network, they need other settings for Kaspersky Endpoint Security.
Kaspersky Security Center has out-of-office policies for this purpose.
By default, out-of-office policies are not used. To make them used, configure conditions in the Network Agent
policy. Create switch rules for the <Not connected> profile. In the rules, specify the conditions that reliably describe
when a computer is located within the corporate network, and when outside. Use the “Name resolvability” and
“Availability of SSL connection address” conditions.
— Configure the Firewall not to trust networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/12
Give the users more information and more control over Kaspersky Endpoint Security:
A self-defense technology is implemented within Kaspersky Endpoint Security, which prevents unauthorized
product disabling and other attempts to hamper its operation. Self-defense is configured using two options in
Advanced Settings \ Application Settings:
— The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint Security
processes in the computer system memory, its files on the hard drive and its registry keys
— The Disable external management of the system service option does not permit stopping the Kaspersky
Endpoint Security service unless the command is carried out via the product interface
If self-defense is disabled, the computer protection level decreases. By default, both parameters are enabled and
locked. It makes sense to disable self-defense only if compatibility problems arise (for example, with remote
management utilities, though there are better ways for handling those) or for troubleshooting.
II–74 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To prevent malware from disabling protection by simulating the user’s commands in the product window, self-
defense accepts mouse and keyboard events only directly from a device rather than from other processes by default.
Therefore, when the administrator tries to manage Kaspersky Endpoint Security via a remote access program, such
as UltraVNC or TeamViewer, self-defense does not permit clicking anything in the Kaspersky Endpoint
Security window.
If you need to manage Kaspersky Endpoint Security via a remote access program, and self-defense will not allow
this, configure an exclusion. Add the executable file of your remote access tool to the list of trusted applications.
The process that the administrator starts on his or her computer is not necessarily the same as the process on the
remote computer that accepts the connection and provides access to the desktop. Add the process that runs on the
remote computer
In the properties of the trusted program, select the check box Do not block interaction with the application
interface. Clear the other check boxes. Do not allow programs more than they need for their work.
II–75
Unit II. Protection Management
The default settings provide the users with at least two methods to disable the protection.
— Close Kaspersky Endpoint Security (click Exit on the shortcut menu of the product icon in the notification
area.) This action doesn’t even ask for elevated permissions, any user can do this.
— Uninstall Kaspersky Endpoint Security, which requires administrative permissions. However, some users
may have them, especially on laptops.
To prevent the users from weakening or stopping Kaspersky Endpoint Security, configure password protection for
the mentioned actions in the policy and make these settings required (close the lock). Though a user with
administrator rights has enough power to disrupt the operation of Kaspersky Endpoint Security one way or another,
the most direct attempts of doing so will be blocked by Kaspersky Endpoint Security self-defense, which doesn’t
allow deleting or modifying Kaspersky Endpoint Security files and registry entries, protects its service and processes
in the memory. Together, password protection and self-defense are mostly able to prevent any damage a user might
try to inflict on Kaspersky Endpoint Security. However, self-defense is enabled by default, whereas password
protection is not.
Another, a less evident way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes
after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by the policy and
the user will be able to change any settings. There is password protection for the Network Agents too, and it is not
enabled by default either.
II–76 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its
settings, exiting, and uninstalling.
1. Open the policy, go to Advanced Settings / Application Settings and click the Settings button in the
Password protection area
— Configure application settings—protects against any attempts to modify Kaspersky Endpoint Security
settings, including the options that enable and disable the components (e.g. File Anti-Virus); but the user
will still be able to stop a component via its shortcut menu
— Exit the application—protects the Exit command on the shortcut menu of the product's icon. Meanwhile,
self-defense of Kaspersky Endpoint Security will prevent attempts to terminate its processes or files
— Disable protection components—the user can start protection components and local tasks (if they are
displayed); the password window appears only if the user attempts to stop them. The update tasks lack this
protection
— Disable control components—the password is necessary to disable the Device Control, Application
Startup Control, or Web Control
— Disable Kaspersky Security Center policy—adds the option to temporarily disable the policy via
the shortcut menu of Kaspersky Endpoint Security icon after entering the password.
This capability is useful for local troubleshooting. When a policy is active, the administrator can’t change
Kaspersky Endpoint Security parameters to see which component or which particular setting is causing
troubles for the user. Moving a problem computer to a special group for diagnostics and then returning it
back after the problem is solved is an awkward solution, especially if different IT units are responsible for
centralized protection management and local diagnostics. The capability to temporarily disable a policy
II–77
Unit II. Protection Management
using a special password on a computer helps to carry out diagnostics without changing the settings on
the Administration Server.
— Remove key—the user cannot stop protection by deleting the key unless the password is entered
— Restore access to data on encrypted drives—prevents the user from starting the data recovery tool. It is
the administrator’s job to recover data, not user’s
— View reports—prompt for the password prior to showing events in the local interface of Kaspersky
Endpoint Security
The password protects both graphic interface of Kaspersky Endpoint Security and the command line interface.
The advantage of password protection is that it remains active even when the policy is disabled. Once the password
protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product
without a valid password even if the administrator disables the policy.
The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list of
installed programs is one of the few places where it can be found. “Kaspersky” in the product name may be
sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges,
the attempt will succeed.
To protect the Network Agent, set an uninstallation password in its policy. The Quick Start wizard creates the
Network Agent policy automatically in the Managed computers node.
The password for Network Agent uninstallation is to be set in the Settings section. By default, it is not specified.
Enable the Use uninstall password option, click the Modify button to enter the password and don’t forget to lock
this group of settings. It’s not locked by default and setting the password while leaving the option ‘unlocked’ has
zero effect on the local Network Agent settings.
Once the policy is applied, the password prompt is added to the Network Agent uninstallation wizard. An attempt to
uninstall the Network Agent using the command line without the password will also fail.
Kaspersky Endpoint Security policy has more settings than we have described in this chapter.
II–78 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Actions
For most of the protection components, you can select what to do with malicious files and other threats.
By default, all components select the action automatically. This means that they try to disinfect malicious files, and
if it is impossible, delete them. The administrator can select to delete all malicious files immediately, or only block
them rather than delete. Blocking instead of deleting makes sense only if you are testing something. On the
protected computers, use the action that deletes malicious files. We recommend that you leave the default action.
Prior to disinfecting or deleting a file, Kaspersky Endpoint Security copies it to the Backup or Quarantine. It is a
special folder on the computer, whereto Kaspersky Endpoint Security stores encrypted copies of malware. If
Kaspersky Endpoint Security deletes a file mistakenly, the administrator will be able to restore it from the Backup
after configuring an exclusion.
Other settings
The settings that we have not mentioned usually should not be changed. They are described in the help system of
Kaspersky Endpoint Security.
Advanced Settings | Application Settings | Operating mode | Allow use of local tasks
(By default) Is disabled Do not enable. Local tasks are difficult to manage with the Administration Server and they
confuse the administrator.
If you need to enable the users to start updates or stop virus scanning, select the check box
Allow group tasks to be displayed in this list.
Advanced Settings | Application Settings | Operating mode | Postpone scheduled tasks while running on
battery power
(By default) Is enabled Do not disable.
Advanced Settings | Application Settings | Operating mode | Concede resources to other applications
(By default) Is enabled Do not disable.
All protection components in Kaspersky Endpoint Security either detect and block threats, or decrease attack
surface, meaning, prevent the user and applications from taking potentially dangerous actions on the computer.
Therefore, do not disable protection components. Instead, create exclusions for those programs that are slowed down
by the antivirus.
Configure regular virus scanning. First, it detects passive threats. Second, it updates the cache of scanned files, after
which File Anti-Virus and other components work faster.
All components do good with the default settings. Usually, these settings can hardly be improved, and should not be
changed. However, to better protect computers against ransomware, configure Application Privilege Control to
protect documents.
The default settings can be improved for notebooks, which are taken outside the corporate network. Create an out-
of-office policy for them.
Finally, protect not only computers from malware, but also Kaspersky Endpoint Security from the user. Configure
password protection for Kaspersky Endpoint Security and Network Agent.
III-1
Unit III. Endpoint Control
Chapter 1. Overview
In addition to anti-malware protection, Kaspersky Endpoint Security 10 contains control components that restrict
actions harmful to the computers or the company in general. Primarily, Application Control, which can be used to
prohibit computer games, movies, and other activities that have little to do with work.
Device Control enables the administrator to bring the use of various devices to conformity with the company
policy. In particular, blocking removable drives considerably impedes unauthorized data copying; the prohibition to
connect mobile phones and players helps reduce the temptation of listening and copying music; also, Wi-Fi
connections and external network adapters can be blocked.
If network connections are allowed, they can be regulated by Web Control, which allows restricting access to social
networks and non-corporate web e-mail, communications with recruiting agencies or browsing job sites.
— Antivirus protection
— Control components
— Encryption
— Systems management
— Mobile device management
The control components require KESB Select license and are automatically installed if the Standard installation
type is selected. (Except for Application Privilege Control, which belongs to the Basic functionality level and
requires KESB Core license.) Under KESB Core license, the control components will not work.
Since control components are not included in the Basic functionality, their settings are not displayed in
the Administration Console1 by default. To be more precise, their settings are not displayed in Kaspersky Endpoint
Security 10 policies.
To be able to change the settings of the control components within a policy, the corresponding interface elements
must be activated in the Administration Console. This is found in the interface settings window: click the Configure
functionality displayed in user interface link located in the Administration Server area on the Monitoring page.
An alternative method to open this window is to select the Administration Server node on the tree, then on the View
system menu, click Configure interface.
In the interface settings window, select the Display endpoint control settings check box. To apply these settings,
restart the Administration Console.
To install the control components on the computers, Standard installation or Custom installation type must be
selected in the properties of the Kaspersky Endpoint Security 10 installation package that will be used for
deployment.
If only Basic components are installed on the computers, the administrator can upgrade the installation type to
Standard.
Using the Change application components task of Kaspersky Endpoint Security 10. This task is designed
especially for uninstalling or adding Kaspersky Endpoint Security components without reinstalling the product.
The task creates little traffic, as it reuses the .msi package of Kaspersky Endpoint Security, which was saved on
the client computer during the initial installation2.
In the task properties, you can select either the installation type or the components that you need to be installed, just
like in an installation package. However, you cannot select individual components while creating the task in
the wizard. To specify the necessary components, complete the task creation wizard and then open the task
properties: the choice of components is not limited there.
1
Except for the Application Privilege Control, which is displayed always
2
You can find the package in the %ProgramData%\Kaspersky Lab\KES10SP1\Setup folder on the protected computers.
III-7
Unit III. Endpoint Control
III–8 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Application Startup Control allows the administrator to restrict the program start on the endpoint. At the same time,
Application Startup Control reduces the computer infection risk by decreasing the attack surface.
Operation Principles
Application Startup Control allows the administrator to restrict the program start on the client computer. Program
start permissions are specified in special rules.
— The category the program belongs to (the categories are configured by the administrator)
— The account under which the program was started
— Whether the KES policy contains any rules that regulate the start of this program category for this account
1. Black list: everything is allowed by default. Only the programs that belong to categories that the
administrator prohibited in the KES policy are blocked. Meaning, if there is no matching block rule, the
program will be permitted to start
2. White list: everything is blocked by default. Only the programs that belong to categories that the
administrator allowed in the KES policy are permitted to start. If there is no matching allow rule, the
program will be blocked
The white list mode is used in the Default deny approach. It is described in the respective section of this
chapter, and much more detail is available in a dedicated training course KL 032.10 Default Deny.
III-9
Unit III. Endpoint Control
III–10 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
In two stages:
a) Make up the list of categories. For example, Web browsers, Games, Third-party messengers, Allowed
programs, etc.
b) Add all programs that we want to control to these categories. How to do it is described in the next
section.
Categories are configured once for the whole Administration Server: in the container Advanced /
Application management / Application categories
2. Make up the list of rules: In the KES policy, you can specify what KES is to do with the applications that
belong to each application category: allow, block, or just notify KSC about each start.
Note: categories are specified for the whole server, while different rules may be configured for different computer
groups. For example, Skype can be prohibited for everybody except individual users; additionally, marketers can be
allowed to use it, but every time when they start it, the administrator will receive the respective notification.
An application category is a list of conditions and exclusions that allows identifying a program or a group of
programs. The list is displayed in the Advanced, Application management, Application categories container and
is empty by default. New categories are created using a special wizard. There are three types of categories:
1. Filled manually—their conditions are added and changed only manually For example, all programs that
have “zombies” in their names, or all programs signed with the specified certificate
3. Filled automatically from a folder—the administrator selects only the directory where executable files of
programs belonging to this category are located; the Administration Server checks the contents of
this directory on schedule, calculates checksums of executable files (MD5) and updates the list of
the category criteria A network folder whereto all prohibited or allowed programs are copied may come in
handy
4. Filled automatically from computers—the administrator selects one or several managed computers, and
the Administration Server automatically includes executable files found on the computers into the category
Meaning, you can specify a reference computer
Categories are created on the KSC Administration Server and are transferred to client computers similarly to
policies and tasks. You can monitor categories’ delivery to computers using the chart in the upper-right corner of
the Advanced | Application management | Application categories page.
III-11
Unit III. Endpoint Control
III–12 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
You can send the complete list and contents of categories every time, or only what has changed. This is configured
in the Administration Server properties, in the Application categories section.
This transfer option appeared in KSC 10 SP2 MR1 and KES 10 SP2; in earlier versions, the full set of categories is
always transferred, even if changes are few and minor. That is why everything is transferred by default, because
otherwise, if there are older clients in the network, they will not be able to receive changes only, and will receive
nothing.
For a manually filled category, conditions for the programs are specified in the list; each condition can contain
several parameters. If a program matches at least one condition, it is included in the category. Conditions can be set
by various methods, but all of them can be boiled down to six general types:
Note: in KES version 10 SP1 MR3 and earlier, MD5 checksum was used for file identification in
Application Control instead of SHA-256. Starting with KES 10 SP2, only SHA-256 is used.
If there are various KES versions in the network, select the corresponding check box in the category
properties, for example, collect not only SHA-256, but also MD-5. Then the same category will be usable
for policies configured for different KES versions.
On the other hand, if application categories become too large as a result, you can create different categories
for different versions of KES.
5. Certificate—another new function, which works only starting with KES SP2
6. Metadata—file name, its version, name of the program and manufacturer. The version does not have to be
specified exactly. You can select all files older or younger than the specified version. Various file
characteristics constitute a single condition, rather than several individual conditions When specifying
metadata, you can allow only files signed with a valid certificate, or those for which KSN returns the
Trusted verdict
7. Application folder—the path to the folder that contains program executable files
8. Device type—a special parameter that allows the administrator to create a separate category for the files
started from a removable medium
Most of the available condition adding options boil down to a condition based on SHA256 (MD5 for old versions of
KES) or metadata. For example, the Add button by default opens a window where you can select a program from
the applications registry.
This registry contains programs installed on the computers, namely, the programs displayed in the Programs and
components tool. Network Agents gather names and attributes of these programs and transfer them to the server.
The gathered information about the installed programs does not contain data about the program executable files. But
it is the data about executables that is necessary to create a condition. That is why the Administration Server
compares data about installed programs and data about executable files detected on the computers, and after that
creates a condition based on the hash sum of the program executables.
III-13
Unit III. Endpoint Control
It might happen that a program is considered to be installed by mistake, or a program is installed but started
extremely rarely and the data about its executable file is missing on the Administration Server.
In this case, a condition for this program may fail to be created. On the other hand, if a program has several
executable files, the applications registry simplifies rule creation. The Administration Server automatically adds
conditions for all executable files associated with the program.
If a program is installed but its executable files haven’t been reported to the Administration Server yet,
the administrator may consider running an Inventory task to speed up the process.
The administrator can create a condition based on individual files. The files can be selected using several methods:
From the executable files list—the list of executable files that have ever been started on the client
computers or detected by an Inventory task. This list of files is displayed in the Advanced | Application
management | Executable files container
From file properties—you can add a checksum or metadata of a local or network file to the condition list
When selecting a file on the drive, the administrator can specify a simple SHA-256 (MD5) condition for it, or
a more flexible condition based on the attributes.
A hash sum unambiguously identifies a file. This condition should be used when exact coincidence is important. For
example, hash sums are used in automatically filled categories described earlier, because it is important to allow
starting the exact file versions installed on the reference computer or included in an approved distribution. Any
changes made to the file by malware or malevolent users will result in changing the hash sum and blocking the file
start.
Hash sums are also convenient if it is necessary to prohibit renamed files from starting. Renaming does not
influence the hash sum and the blocking rule will still work.
At the same time, you may need to include several application versions in a category. In this case you should create
a condition based on file attributes, such as name, manufacturer name, version number. The version number may not
only coincide with the specified value, but also be more or less than the specified value, or start from it, etc.; so you
will be able to block old program versions or too new, which have not been approved yet.
Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks file
metadata to determine if the condition applies, it ignores files without digital signatures (certificates). Unsigned files
will never match a metadata-based condition. This applies to many open-source and freeware tools. You may create
a condition based on the file name and then be surprised that a file with a matching name is not treated as expected.
Most probably, this means that the file has no digital signature.
In general, you should use metadata-based conditions for commercial software that is likely to be digitally signed by
the vendor’s certificate. To control open-source and freeware programs, use other condition types.
You can select not only a file, but also a whole folder. If a file or several files are located within an MSI package,
you can specify this MSI package. The wizard will scan the specified folder or package for executable files and
create a condition for each of them. The condition can be created based on the hash sum or on the attributes.
These capabilities are similar to creating an automatic category based on folder; but in an automatically filled
category, the Administration Server monitors the changes within the folder and updates the condition
correspondingly. An automatically filled category cannot have conditions other than those retrieved from the files
located in the folder.
III-15
Unit III. Endpoint Control
III–16 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If a folder or an MSI package is specified when creating a condition manually, the selected folder or package will be
scanned once when creating the category, and later will not be rescanned. The administrator can add any other
condition to such a category.
Use KL Categories
The described conditions enable the administrator to allow or prohibit known programs—programs whose hash
sum, or attributes, or location on the drive, etc. are known or can be found out.
In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers except for
one, etc. This task is not easy to solve using the described tools.
The solution is to use KL categories. These categories define program class or type: e-mail programs, web browsers,
development tools, electronic payment systems, etc. ‘KL category’ means that the programs are categorized by
Kaspersky Lab experts.
The program categorization information is a part of the downloadable databases. That is why the Download
updates to the repository task must run at least once before you can create conditions based on KL categories.
Programs started on each computer are independently scanned for correspondence to the conditions, and if different
database versions are used on different computers, Startup Control rules can work to different effects. Also, if
the use of KSN is enabled on a computer, it will try to receive the latest data about KL categories in real time.
Kaspersky Lab experts, certainly, cannot process and categorize all executable files that exist in the world. All
uncategorized files are automatically associated with the Other Software KL category.
So far, all conditions checked the hash sum or attributes of the files. These conditions were independent of the file
location. Copying or moving the executable file would not influence the file start regulations based on
these conditions.
The following two types of conditions consider only the file location:
1. Application folder—defines the local path to the file. The administrator can, for example, prohibit starting
executable files from the desktop or from the whole user's home directory
Alternatively, the administrator can allow starting executable files from the system folders: c:\Windows,
c:\Program Files and prohibit from all other computer locations.
The condition is recursive, meaning, it works for the files in subfolders of the specified folder.
2. Device type—can have only one value: Removable device. Essentially, its purpose is to enable
the administrator to prohibit starting programs from removable media.
III-17
Unit III. Endpoint Control
III–18 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Specify Certificates
A more reliable method than using file path, but a bit less reliable than SHA-256, is selecting files by certificates.
You can select from among the certificates on the Administration Server.
If it is necessary to prohibit all programs corresponding to the specified conditions except for one, add an exclusion
to the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion
condition will be excluded from the category.
III-19
Unit III. Endpoint Control
III–20 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The contents of an automatically filled category are updated when the source folder contents change (executable
files are deleted or added). Also, you can make a category update to schedule.
If the specified folder contains archives or installation packages (for example, .msi), the Administration Server will
automatically unpack them (into a temporary folder) and include in the category data about the executable files
within the archive or package. So, if you place program distribution into the folder, the category will include not
only the installation file, but also program files.
This method of creating a category is useful if the company has a repository of program distributions to be installed
on the corporate computers. Start of these programs must be allowed. The administrator may occasionally add
programs to the list or replace them with newer versions.
To avoid manual updating of the category rules for the allowed distributions, place them into a folder and make
the Administration Server automatically monitor the changes and add parameters of the detected files to
the dedicated category. Afterwards, the administrator will only have to create one allowing rule for this category in
the policy to allow start of all the used programs.
You can also select to Include dynamic-link libraries (.DLL) in this category. If this check box is selected,
Kaspersky Security Center will calculate checksums of .dll files and add them to the category along with executable
files.
It makes sense to care about .dll files because Windows allows starting processes from them through
the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while others
blocked.
In this regard .dll files are similar to script files (.js or .vbs), which are not executable, but are started via
the cscript.exe (or wscript.exe) utility, and can also be allowed or blocked.
To include scripts into a category, select the check box Include script data in this category.
Similar to other category types, select whether to use hash sums. If various KES versions are installed in the
network, 10 SP2 and older, you can select both check boxes. Then the category will be larger, but will work for all
KES versions.
III-21
Unit III. Endpoint Control
III–22 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
In addition to the repository of allowed program distributions, there may be a reference computer in the organization
where all the programs used in the company are installed. Such a reference computer is usually necessary for
creating images to be deployed on new computers. As a result of such a deployment, the operating system and all
programs necessary for work are installed on the computer, and the whole process takes much less time than
installing everything from distributions. The administrator periodically upgrades programs on the reference
computer and updates the image accordingly.
With this approach, it would only be logical to automatically make all programs installed on the reference computer
allowed. For this purpose, it is necessary to scan the computer, add all programs to a category, and then create
an allowing rule for it in the policy. This is what a category automatically filled with files from selected computers
is designed for.
Sometimes it is necessary to categorize the files found on the reference computer. For example, separate Windows
files from Program files. In this case, you can configure a filter based on the folder where a file is located.
The category will include only the files that are located in the specified folder of the reference computer.
Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with
a computer-based category, the Administration Server relies on the detection of executable files by Kaspersky
Endpoint Security. That means that a reference computer must be equipped with Kaspersky Endpoint Security for
file detection and with Kaspersky Network Agent for sending the data to the Administration Server. There will be
more details on how this works later in this chapter.
Similar to a category filled from a folder, the administrator can specify the scanning interval.
The detected files will be added to the category and will later be identifiable by SHA-256 (for the latest versions of
KES) or MD5 hash sums (for KES 10 SP1 MR3 and earlier)—depending on the KES version installed on the
reference computer.
Note: unlike for a folder-based category, here you must select either SHA-256 or MD5 (depending on the KES
version installed on the reference computer). Which means that if KES of different versions is installed in the
network, you need to use two reference computers for a category
III-23
Unit III. Endpoint Control
III–24 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If the administrator wants to know which KL category includes a specific executable file, they can find this
information both locally on the computer and in the Administration console. The local verdicts (which may vary
slightly on different computers because of different database versions) are available in the Application Activity
Monitor window.
Information in the Administration Console can be used for troubleshooting as well as for planning the rules. The list
of executable files is located in the Advanced | Application management | Executable files node. The
administrator can view the attributes and KL category of each file.
Since there can be a lot of files on the list (reported from all the computers in the network), search and filtering
options may help finding the necessary one. The administrator can search for a file using a part of its name, or apply
a filter and search by the values of various file attributes.
You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as
when the file was first detected on the computers, but also to add or exclude the file to or from an administrator-
defined category. There is a button that adds the file to administrator-defined categories. You can add the file to
an existing category or create a new one. And when modifying an existing category, you can either add the file to
the inclusion conditions or to the exclusions. In all cases, the resulting condition will be based on the file’s MD5
hash sum.
If the administrator notices something new when looking through the list of executable files detected on computers
connected to KSC, and decides to add the program to a category, he or she does not need to memorize its name and
go to the container with program categories. You can simply right-click it and select Add to category.
The program will be added by hash sum or certificate with which its executable file is signed.
III-25
Unit III. Endpoint Control
III–26 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
There are two handy lists in KSC Administration Console: applications registry and executable files. When you
need to do something with a specific program, it is logical to use the list of applications. However, a program may
have several executable files.
KES can be configured to work with individual executable files as well as with programs.
Select the necessary program in the registry, open its properties, and go to the list of executable files that correspond
to this program. Application categories are filled with executable files.
The list of executable files that we can see on the KSC Administration Server consists of all executable files
detected by KSC and KES on all computers connected to this Administration Server. Meaning, this list can be very
long.
However, when you know what you are looking for, it is very handy. You can sort it by names, or use filters.
III-27
Unit III. Endpoint Control
III–28 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
On which computers and when it was detected for the first time (but not how), when it undertook network activity
for the first time, whether it is signed with a certificate.
Right after the installation, the Executable files container will be almost empty on the Administration Server: it will
contain only names of files that have been detected by the local Network Agent. Gradually, when new clients are
connected, new data will be sent to the Administration Server.
How to make sure that client computers collect information and send it to the Administration Server?
Note: we recommend that you do not enable sending information about installed applications for all client
computers. In some cases, it is especially recommended to disable it: for example, on weak computers, or non-
persistent virtual machines
There is a list of executable files in the properties of each managed computer. This list is supplemented by:
1. The Inventory task, which scans the client computers’ folders specified in it properties
2. Application Startup Control and Application Privilege Control, which, when enabled, collect information
about all executable files started on the client computers
Network Agent also gathers information about software, but only about installed applications, for which it scans the
registry. Meaning, the Network Agent does not add data to the list of executable files found on the computer.
There are two places to check: make sure that Application Controls transfer data to the server (configure in the KES
policy), and that the Inventory task has been created and run.
Information transfer can be enabled in the KES policy: Reports and Storages / Inform Administration Server /
Settings / About started applications. This check box enables sending information about running applications, as
well as results of the Inventory task.
The Inventory task is to be created and started. You can also configure a schedule, but we recommend that you do
not do it for all computers: for large drives, if you select to scan the whole drive, it can noticeably affect computer
performance.
III-29
Unit III. Endpoint Control
III–30 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Inventory task
It is not created by default. Executable files are reported to the Kaspersky Security Center by Kaspersky Endpoint
Security via the Network Agent. When a file is launched, either Application Startup Control or Application Privilege
Control intercepts the file, collects its data and sends it to the Administration Server. However, some files may start
very rarely. It may take a very long time until all executable files are intercepted and reported to the Administration
Server. A faster way to detect files is by using an Inventory task.
This is a Kaspersky Endpoint Security task, which can be created for both groups and computer selections. With
standard settings, the task searches for executable files in the following directories:
— %SystemRoot%
— %ProgramFiles%
— %ProgramFiles(x86)%
The list of folders is configurable. The information about discovered files is sent to the Administration Server and is
available in the Advanced | Application management | Executable files container.
Unlike the monitoring components, this task can detect executable files within archives and installation packages.
Click the Additional button and select the Scan archives and Scan installation packages check boxes.
When executable files are being searched for, their checksums are calculated, which may slow down the computers.
To reduce resource consumption, you can use the option to scan only new and changed files. The information about
changes is obtained using the iSwift technology and requires almost no calculations.
Alternatively, you can schedule the task to run during nonworking time, or use the Suspend scheduled scanning
when the screensaver is off and the computer is unlocked option.
Note: There are settings in the Kaspersky Endpoint Security policy that control which types of data are sent and
which are not. It is critically important that informing the Administration Server about executable files is disabled by
default. The settings are located in the Reports and Storages section of the policy. As a result, all lists of
executable files will be empty. Even a successful execution of an Inventory task will not change this, unless you
enable sending information About started applications in the Kaspersky Endpoint Security policy.
III-31
Unit III. Endpoint Control
III–32 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Note that Application Startup Control is disabled by default in Kaspersky Endpoint Security starting with version
10 Service Pack 1. That is one of the reasons why sending the information about executable files is disabled. The
first thing the administrator needs to do before configuring rules is to enable the component and select the mode:
white list or black list.
By default, right after you enable Application Startup Control, the Notify mode will be used. Which is good: it is
recommended first to test how everything will work. Instead of real denies, only events will be sent to the
Administration Server: Application startup prohibited in test mode or Application startup allowed in test
mode. You can generate a report for them. It will include only what would have been blocked if the control operated
in the normal mode, either white or black list. The report helps to analyze everything, and make changes prior to
enabling Control for real.
There is also the option to Control DLL and modules. If it is enabled, start of DLL libraries and drivers will also
be controlled. However, it increases KES overhead, and is recommended to be enabled only if it is really necessary.
For example, with rigid Default Deny.
There can be as many rules as you wish; prohibition always has a higher priority. The black and white lists have
different sets of rules. For example, if you first selected the Black list, added a rule, and then switched to White list,
your rule will not be there.
Category—an application category created on the Administration Server beforehand. A policy may contain
only one rule for each category
Users and/or groups that are granted permission—the list of local or domain users and groups who are allowed
to start the programs belonging to the selected category. If more than one entity needs to be specified, separate
them with semicolon (;)
There is a related option Deny for other users. When enabled, it automatically denies permission to all unlisted
users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this option were
always enabled. In version 10 Service Pack 1 this option is configurable and disabled by default. Unlisted users
are granted or denied permission based on the rest of the rules
Users and/or groups that are denied permission—this parameter explicitly defines the list of users and groups
who are prohibited from starting the programs
Each rule (regardless of the selected mode, white or black list) can be either allowing (Allowed) or prohibiting
(Blocked).
3
This option is described in detail later in this chapter.
III-33
Unit III. Endpoint Control
Denial has a higher priority than permission. For example, if a rule is configured to allow program start to all users
and prohibit for the Tom user, this user will not be able to start the program according to this rule.
The list of rules is initially empty for the Black list mode; for the White list, it contains two system rules that cannot
be deleted:
Trusted updaters—if this rule is enabled, the applications installed by trusted updaters will not be blocked
even if there are no allowing rules for them. It is a special KL category4 that includes programs that download
and install module updates, for example, Adobe Updater, Chrome Component Updater, etc. The rule is enabled
by default, meaning, Trusted updaters are allowed.
Golden Image—contains the executable files necessary for the operating system, as well as executable files
supplied with the system—various standard utilities and applications, To prevent KES from accidentally
blocking files important for the operating system.
4
This KL category cannot be selected when configuring program category conditions.
III–34 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on
a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of
different application categories; but some programs may belong to several categories at once. If there is at least one
rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say.
If a program does not belong to any category, in the black list mode, it will be allowed, and in the white list mode,
blocked.
When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up message
notifying that the program was blocked so that the user is not confused about the reason for the program behavior.
If the user needs this program for work, the pop-up notification allows for sending the administrator a request for
program start permission. The user should click the Request access link in the notification window and then click
the Send button.
The text of the pop-up notification, as well as the request to allow a program start, can be modified in the Kaspersky
Endpoint Security policy. You can use variables there, which provide information about a specific event, for
example, the name of the blocked program, the computer where the event was registered, etc.
III-35
Unit III. Endpoint Control
III–36 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
complete information necessary for the administrator to make a decision. It may happen that a user would need a
program urgently. That is why, if the administrator rarely opens the User requests selection, it might be worthwhile
to configure e-mail notification for the Application startup blockage message to administrator event. This will
enable the administrator to process the requests as soon as possible.
It is possible to use the request events to modify application categories. An event contains complete important
information about the blocked file, including its SHA-256 (MD5 for older versions of KES). The administrator can
use the Add file to category link to immediately add the blocked file to an existing or a new category either as
an inclusion condition or as an exclusion.
Events
By default, all the events except for Application startup allowed are transferred to the Administration Server.
If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup
prohibited in test mode or Application startup allowed in test mode events,
III-37
Unit III. Endpoint Control
III–38 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Based on the Application startup prohibited event, Kaspersky Security Center generates a Report on blocked runs,
which shows the distribution of the number of blocked starts on the client computers by applications. Click the
program name in the Summary table to open another report in the browser, which contains information about all
computers where start of this program was blocked.
Starting with KSC version 10 SP2 MR1, you can generate a report on program starts blocked in the test mode. It
will contain only events about blocked starts, regardless of the selected mode: black list or white list.
This mode is also named whitelisting. Meaning, there is a white list: everything is prohibited except for “white”
known good programs, for which allowing rules are configured.
In most cases, this approach is optimal and helps prevent unwanted activity, without causing serious inconvenience
to the users. However, the security policy may prescribe that all programs are prohibited except for those that are
absolutely necessary for work. For example, there can be a policy for using programs on the computers that are used
as point-of-sale (POS) terminals. Only special programs must be allowed to start on them, and all unknown
programs must be prohibited.
The main difficulty when working in the white list mode (when the start of uncategorized programs is prohibited by
default) is operating system malfunction, because the system files that are not explicitly allowed will be blocked
along with other programs. That is why there is an allow rule for operating system files in the white list by default.
III-39
Unit III. Endpoint Control
III–40 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Various configurations of allowing rules are possible; it will be necessary to create one or several categories for
system executable files and configure allowing rules for them using one of the following methods:
Use a «reference» computer with the operating system and allowed programs installed for creating
an automatically filled category
Use a directory with distributions of allowed programs for creating an automatically filled category
For those programs for which allowing rules are configured not to be blocked after upgrades, use the Trusted
updaters standard rule. This rule exists by default in the list and cannot be deleted; but it is disabled by default.
When enabled, the programs downloaded and installed by the applications included in the Trusted updaters
category will not be blocked even if the corresponding allowing rules are not configured.
The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allowing
rule.
For more details about configuring KES for Default Deny, refer to course KL 032.10.
III-41
Unit III. Endpoint Control
III–42 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The main purpose of the Device Control is clear from its name. It enables the administrator to monitor various
devices in the corporate network and, if necessary, prohibit using some of them.
The most popular use case for this component is blocking USB flash drives. The users can bring infected files on
them or, for example, their children’s homework and end up devoting a workday to it. Accidentally or deliberately,
the user can take away files that are of commercial value for the company on a USB drive. Various restrictions help
prevent such problems.
The Device Control component in Kaspersky Endpoint Security allows the administrator to enforce the corporate
security standards, by specifying who, when and which devices can use on the computers. The rules may be applied
to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc.
Almost all peripheral devices can be blocked. They can be blocked by types (removable drives, CD/DVD, Wi-Fi,
portable devices (MTP), etc.), or by buses: for example, you can entirely disable all USB devices.
Some devices can be allowed, but with limitations: you can explicitly specify the prohibition schedule, restrict only
writing operations or make exclusions for some users but not others. You can do that for:
— Hard drives
— Removable drives
— Floppy disks
— Printers
— CD/DVD drives
— Modems
— Tape devices
— Multifunctional devices
— Smart card readers
— Windows CE USB ActiveSync devices
— Wi-Fi
— Cameras and scanners
— Smart card readers
— Portable devices (MTP)
— Bluetooth
Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as
removable drives, if connected as external data carriers.
III-43
Unit III. Endpoint Control
III–44 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking
their connection buses.
Kaspersky Endpoint Security allows blocking connected devices by interface type (bus):
— USB
— FireWire
— Infra Red
— Serial Port
— Parallel Port
— PCMCIA
The administrator can totally block, for example, all USB devices.
Note: Keyboard and mouse cannot be blocked, they are not subject to Device Control rules To protect against
attacks when an infected USB flash drive pretends being a keyboard, install and use a special component, BadUSB
Attack Prevention
Rules for devices have a higher priority. If the USB bus is prohibited, but removable drives are allowed, a USB flash
drive will work correctly.
By default, all devices work in the “Depends on bus” mode, and all buses are allowed.
Additional options
Kaspersky Endpoint Security allows blocking only those types of devices that are included in the list. This list
cannot be edited to add new devices.
You can partially restrict the use of removable drives, CD/DVD, hard drives, and floppy disks by specifying:
What can be done. You can select to prohibit only reading or writing
The list of accounts that are allowed to use the device type. You can select accounts from the domain to
which the computer where the Administration Console is started belongs, or among local users if there is
no domain. The rule will work on any computer where the policy is enforced The Everyone universal
account is always available.
Operation types and access schedule. You can manage Read and Write permissions separately.
The schedule is specified by hours and days of the week. For example, you can allow Read operations for
removable drives each working day from 8-00 to 21-00 to Everyone, and Write operations only to
the Administrators and only during business hours
If several rules fit a user, the most restrictive of them will be applied. If a device is “allowed”, it means “always
allow everyone to perform any operation.”
You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for
the administrators: allow them using USB flash drives during business hours.
The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are
blocked while the user has plugged in a USB flash drive and has copied something there, it will become unavailable
as soon as the policy is enforced and the next operation will be blocked.
III-45
Unit III. Endpoint Control
III–46 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
By default, logging access to USB flash drives is disabled. To enable it, click the Logging button. It is available
only for removable drives. You can select which operations to log, writing and/or deleting, and file formats:
Text files
Video files
Audio files
Graphic files
Executable files
Office files
Database files
Archives
Connecting corporate notebooks to public Wi-Fi networks is not always desired. Also, the users may try to access a
workstation via a Wi-Fi hotspot configured on a mobile phone, while the corporate policy prohibits this.
In the latter case, you can simply block Wi-Fi. However, for notebooks, which the users may take home, it is not
the most optimal solution. It will be more logical to prohibit Wi-Fi in general, but allow trusted networks: for
example, corporate and home.
Trusted networks are specified by name, authentication type, and encryption type.
III-47
Unit III. Endpoint Control
III–48 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile
to make them trusted. Trusted devices are specified in the Kaspersky Endpoint Security policy, in the Device
Control | Trusted devices section.
Devices can be made trusted by their ID, a mask of ID or by model. When you click the Add button above the list of
trusted devices, it expands into a list of three options:
— Devices by ID
— Devices by model
— Devices by ID mask
The first two options allow you to select the device that you want to make trusted and its ID or model will be added
to the list. ‘Select’ means that the Administration Server should have the device it its database. If the Administration
Server is unaware of this particular device you can’t make it trusted.
The Devices by ID mask option allows you to type the device ID or a part of it. This doesn’t rely on
the Administration Server knowledge of the device, only on the administrator’s knowledge of the device ID. Device
ID can be found in the Windows Device Manager in the device properties on the Details tab. Look for the value of
the Device Instance Path property. It looks somewhat like
USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0
When adding a mask, you can replace a part of the ID with ‘*’ or ‘?’ to make it applicable to multiple devices, e.g.,
‘NEC*CDR??’. This helps when a company has a lot of devices with similar IDs that should be trusted. Adding
a device by model can also help in this case, if all devices are from the same vendor and of the same type.
There is also a Comment filed when adding a trusted device, which the administrator can fill in to describe why this
trusted device (or a group) is added.
To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky
Endpoint Security installed. The Device Control component must be installed too. Then you need to wait for some
time till the information about the device makes it to the Administration Server.
To simplify the search for the necessary device, you can choose the device type and also specify the name of
the computer where it is or was connected. Then click the Refresh button to display the filtered results.
Before adding the device, you can also restrict the list of users that will have access to it. You may want to have
trusted devices, but you may not necessarily want everybody to have access to them. Perhaps only administrators
should be able to use them.
III-49
Unit III. Endpoint Control
III–50 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
When the user attempts to connect a blocked device, a pop-up notification is displayed.
If notifications are disabled, the user might think that there is a hardware problem, contact the technical support, or
even worse, try to “fix” it without assistance. The administrator can modify the notification text, for example, add
the contact information of the person responsible for device access.
To open the notification template, click the Templates button in the Device Control section of Kaspersky Endpoint
Security policy. You can use variables in the notification text, for example, the name of the device or the blocked
operation.
If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither disabled
nor hidden.
If the user sends a request, it will be sent to the server as an event having the Warning severity level. Similar to
the other control components, requests are displayed in a special selection named User requests. The administrator
does not have to react to a request; but if they want to, they can, for example, configure the corresponding e-mail
notifications in the KES policy.
III-51
Unit III. Endpoint Control
III–52 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Kaspersky Endpoint Security enables users to request temporary access to blocked devices. The procedure is as
follows:
3. Generates a request key for it in the Kaspersky Endpoint Security local interface
5. The administrator examines the request, and in the case of an affirmative answer, creates and sends the user
a special access code
6. The user activates the received code. After this, the selected device (and only that device) becomes
accessible for the time span specified by the administrator. The user cannot pause temporary access to use
it later; and the administrator cannot remotely revoke temporary access
It goes without saying that many users may believe that their devices are blocked by mistake, and will ask
the administrator for temporary access. To avoid numerous requests, you can disable this capability: in
the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access
check box.
The user opens Kaspersky Endpoint Security interface on the Protection and Control tab, and on the shortcut menu
of Device Control clicks Access to device. A window opens with the list of devices ever connected to the computer,
including those blocked. Find the device for which the access is necessary, select it and click Get access code. So as
not to make a mistake when selecting the device, switch the device representation mode from For the entire
runtime to Currently.
Note: If the administrator prohibits requesting temporary access, the button appears dimmed
The only configurable parameter is the desirable access duration (24 hours by default). The value entered by the user
is only a wish. The administrator can either use the offered value or change it when generating the access code.
A client computer can be conveniently found in the Administration Console by the Search utility. Then
the administrator should open its shortcut menu and select the Grant access to devices and data in offline mode
command. In the window that opens, switch to the Device Control tab and click the Browse button to select
the received .akey file.
The Administration Server checks the file integrity and whether it belongs to the selected computer, and then
displays the request. If necessary, the administrator can change the access duration and activation window. Both
periods cannot be less than an hour or more than 999 hours. The default value for both is 24 hours.
Then the administrator is to save the generated code into an .acode file and send it back to the user.
So, the code is generated for the exact device and the computer where the user generated the key. Any other devices
will still be blocked; also, the device for which the access was granted will be blocked on other computers.
The code is also bound to the username. Another user will not be able to access the same device on the same
computer using this access code. If temporary access is activated by the user who requested it and another user logs
on to the computer during the allowed period, they will not be able to use the device.
The code must be activated before the specified activation window expires, and the access duration countdown starts
at the moment of activation. The device may be connected at any time (or even several times) during this period, or
not connected at all. The access countdown cannot be paused.
When temporary access is activated, a notification is sent to the Administration Server, but it is not included either
in the selection of user requests, or in the report on Device Control events.
III-55
Unit III. Endpoint Control
III–56 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It contains
the time, name of the computer where the attempt was registered, bus or type of the device, its ID, operation and
the account that initiated it.
The event is named Operation with the device prohibited, it is Critical and is displayed in the selection of Critical
events. If necessary, the administrator can make a separate selection for blocked device access attempts.
The Operation with the device allowed event having the Info severity will be sent if a non-prohibited device is
connected. The number of such events shows the use frequency of USB flash drives, local printers, scanners,
removable drives, etc.
All events, including complaints, are stored on the server for 30 days by default.
The Report on Device Control events provides the general view of the device control work. It displays a chart with
the distribution of its responses by user names. By default, the report includes all actions—device connecting,
disconnecting and blocking. To generate a report about device blocking only, leave only the Connection is blocked
check box selected in the Settings section of the report properties.
If necessary, the administrator can configure receiving daily e-mail statistics about who and when tried to connect,
for example, USB flash drives. Deliver reports task serves this purpose, which is described in Unit IV
Maintenance.
III-57
Unit III. Endpoint Control
III–58 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The task of web control is to filter Internet access according to the internal policy of the organization. Usually it is
used to block social networks, music, video, non-corporate web e-mail, etc. during business hours. If a user tries to
open such a site, either a notification that the access is blocked or a warning about an unwelcome site can be
displayed, depending on the settings in the policy.
Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules. The rule
properties include the user accounts, schedule, connection and content-specific conditions, and the action. The rules
are applied in the order specified by the administrator, and a page is processed according to the first applicable rule.
The Default rule that allows everything to everyone takes the last place on the list and acts as a ‘catch all’ rule.
First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs to be
blocked, or use the * wildcard to block sites by address masks—for example, *.fm or *shop*.
Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages to the following
categories:
— Video
— Sound
— Office files
— Executable files
— Archives
— Graphic files
As far as secure connections (HTTPS) are concerned, Kaspersky Endpoint Security has no access to the traffic
contents. Therefore, HTTPs traffic is filtered only be addresses, for example, if social networks are blocked,
https://facebook.com will also be blocked, as this address is included in the signature databases as pertaining to
social networks.
III–60 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The administrator can restrict access to any category or data type, but cannot edit or add the lists of categories and
data types.
Filtering by category and data type can be combined within a rule: for example, you can block office files and
archives received by web mail.
Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic
analysis of page content (for non-secure connections only). URL reputation can also be requested from Kaspersky
Security Network.
III-61
Unit III. Endpoint Control
III–62 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Data types are hard-coded in Kaspersky Endpoint Security and include the following file types:
Let’s mention some specifics of Kaspersky Endpoint Security types and categories:
The type is defined by the file format Therefore, this does not work for secure connections; but it is
possible to use the address filter to block files by extensions. For example, to block .key files, specify
the *.key mask
Data types inside archives are not checked—if executable files are prohibited while archives are not,
archived executable files will be allowed
PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites
that use pdf may display incorrectly
In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In
Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web
Control
Flash videos in SWF format can be blocked only by extension mask—usually it is *.swf
The rules may be applied depending on the account and access time.
III–64 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as a social network,
or online trainings can be blocked because of video files. In this case, it is easier to create an allowing rule instead of
creating a separate group with a special policy. You can configure an allow rule giving access to some categories or
data types located on the specified servers.
To have such a rule applied before the blocking rules, place it higher on the list.
In extreme cases, the organization policy can prohibit the Internet during business hours and allow only
the corporate site. An exclusion can be made only for the IT department. In this case, the administrator creates
the general rule: during business hours, deny everything to everybody. Then adds two allowing rules above it:
the first allowing any content to the accounts of IT department employees, and the second allowing everybody to
access the corporate site.
By default, in addition to the universal rule allowing everything to everybody, there is another rule in web control,
Scripts and Stylesheets, which explicitly allows files with .css, .js, and .vbs extensions. Usually these files contain
style sheets, java scripts and visual basic scripts saved as separate files. This rule is necessary because sometimes
such files are located on separate servers and their URLs differ from the main site address. If a site is allowed while
its scripts and style sheets are blocked, it will be displayed incorrectly. To avoid this, keep the rule allowing .css, .js,
and .vbs higher than the prohibiting rules.
When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For this
purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control.
To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security interface on
that workstation. Then switch to the Settings tab, select Web Control, and click the Diagnostics button. It opens
the window where you can specify the conditions of a presumed request:
— Select categories
— Select data types
— Specify day and time
— Select accounts
— Type site address (the * wildcard is allowed)
and get the web control verdict with the list of rules applicable to these conditions.
For example, the administrator can check whether access to a personal home mail server of an employee is blocked
by the rule that blocks web mail. On the other hand, if users complain that they cannot access an allowed site, you
can find out which rule causes the disorder.
III-65
Unit III. Endpoint Control
III–66 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If web control blocks a part of page contents, the user may overlook it. If the page is completely forbidden,
a replacement page with the Web Control message will be displayed: either a warning that access is undesired, or
a message about blocking.
If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by clicking one of
the links in the warning message: the link to the specific page that was requested, or the link that enables access to
all pages on the web site, or all pages on the web site and its sub sites (e.g. access *.amazon.com/* as opposed to
www.amazon.com/*)
If the site is blocked, there are no links to proceed, access is completely denied.
Notifications are displayed only for non-secure connections. If the HTTPS protocol is used to open a Web site,
the user will see only the browser message about inability to display the page in both cases.
III-67
Unit III. Endpoint Control
III–68 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
There is also a Request access link in all types of messages to disagree with the policy and request a policy change
to be able to access the blocked web site freely. Requests are sent to the Administration Server as events and fall
into the User requests selection.
You can edit both warning and blocking notifications, as well as the request template: in the Kaspersky Endpoint
Security policy, switch to the Web Console section and click the Templates button.
When Web Control blocks access or warns that the access is unwanted, it simultaneously sends the corresponding
event to the Administration Server: Access blocked with Critical severity, or Warning about unwanted content with
Warning severity, respectively.
In both cases, an event contains the access time, site URL, applied rule, computer name, user account and Web
Control verdict. If the rule was created for a category or data type, they are also specified.
Note: Web Control independently processes each object of which the site consists. That is why, for example, when
graphic files are prohibited, blockage of each little image generates a separate event. Therefore, an attempt to access
a forbidden site can result in sending hundreds of events, which does not necessarily signify that the user browses
the Internet day and night. That is why these events are not transferred to the Administration Server by default.
If a user ignores the warning about undesired access and opens the site, the Access to unwanted content successfully
attempted after warning event having the Warning severity is sent to the server.
For regular control and general information, a report can be used. It provides aggregate statistics on the number of
warnings and blockages for each rule. Allowing rules are not included.
III-69
Unit III. Endpoint Control
III–70 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
IV-1
Unit IV. Maintenance
After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the necessary
policies and tasks, and configured them as necessary, you need to monitor the system to make sure protection works,
and react to incidents.
To keep protection working, you have to do various things; something has to be done often, and something rarer.
Most of the actions are obvious, but we will tell about them nevertheless, just in case.
What to Do Daily
There are no You install protection to repel threats. Kaspersky Endpoint Security blocks most of them
unprocessed threats on automatically. But if protection cannot cope with a threat, you should be informed about
the computers this as soon as possible and neutralize it manually. The longer a threat is active, the more
harm it does.
This is obvious enough.
Protection is installed If protection does not work, you do not know whether there is malware on the computer.
and works on the And the longer protection does not work, the more chances that malware infects the
computers computer.
IV–4 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
What to do weekly
Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly.
The computers Almost all protection components use signatures to detect malware. If signatures are old,
have the latest Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures,
signature databases the greater the risk. If signatures are 2-day old, it is bad, but not critical. And if they are 2-
month old, it is almost as dangerous as if protection was not running at all
Protection uses Kaspersky Security Network informs about known malicious files and helps to detect them
Kaspersky Security even if signatures are obsolete. Moreover, Kaspersky Security Network informs about new
Network malicious files earlier than signatures are issued for them. Without Kaspersky Security
Network, protection works not so well. But still works and protects against most of the
threats.
What to do monthly
Make sure that you can You spent quite a lot of time to install protection. If you lose the Administration Server
recover the Server from because of a hardware failure, you will have to spend almost as much time to install and
a backup copy configure protection anew. Backup copying can prevent this. The crucial point about
backup copying is not make a copy, but make sure that you will be able to restore it.
Spend half an hour per month for maintenance to make sure that you do not find yourself
in a critical situation with a misconfigured backup from which you cannot restore data.
Optimize the If the database is not optimized, eventually it grows in size and becomes fragmented.
Administration Server You will have to spend more time generating reports or displaying a computer selection,
database especially in a large network or if the resources are scarce on the Administration Server
(to be more precise, database server, but it is often the same computer).
What to do quarterly
If there are any Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases
updates or patches for are issued approximately once every quarter or two. They correct errors, improve
Kaspersky Lab performance and sometimes add new functions that are important for protection. You do
products not need to put much effort into installing patches, but do not forget to test them
beforehand.
IV-5
Unit IV. Maintenance
What to do yearly
The license has not Commercial licenses are usually valid for 1 year (sometimes, 2 or 3 years, but rarely).
expired and the node Without a license, protection keeps working, but the update task stops downloading
limitation has not been signatures and Kaspersky Endpoint Security stops using KSN. Eventually, protection
exceeded suffers.
Whether there are any New versions or service packs are issued once every year or two. They correct errors,
new versions of improve performance, and also change settings and products’ operation logic. New
Kaspersky Lab technologies, components, interception methods, etc. appear in new versions or service
products packs. If an old version is not updated for too long, it will not be able to counter the latest
threats even with up-to-date signatures and KSN. A few years after release, a version’s
support ends.
1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform
inspection daily, you are interested in threats over the last 24 hours.
2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats,
deal with them immediately
3. Check whether protection works on all computers. If protection is not running or is not installed, run or
install it. Find out why it has happened.
To save time, configure the console to be able to quickly learn what you need about threats and protection.
IV–6 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
— Reports
— Events
— Computer statuses
— Computer properties
— Statistics of installed applications in computer properties
— Repositories
— Task logs
However, these sources are either insufficiently clear as, for example, lists of events, or cannot be reviewed all
together as reports.
To get a general idea of the overall protection status, open the Monitoring page of the Administration Console.
Indicators are colored icons and short descriptions which provide general information: how many computers are
protected, when the updates were last downloaded, how many clients have the Critical status. However, the
Monitoring tab cannot be configured to include or exclude some data. Besides, information is entirely represented
in text messages, which are not as visual as charts.
The best information source is the Statistics tab of the Administration Server. The administrator selects which
charts to show, which chart types to use and how to organize them.
To save time, make your own statistics page and add there panes that inform about:
— Malware
— Network attacks
— Computer statuses
— Computer protection statuses
— And other important data of your choice, for example, signature versions
Pane types are hardcoded, but abundant and can answer most of your questions. For those questions which have no
ready-made panes, you can often use the pane History of set of events matching criteria. You can select an event
type there, and the pane will show how many events of this type were logged in the network over the last 24 hours.
For example, there is no pane informing about phishing attacks. To be able to see phishing attacks, add events’
history pane and select the event Previously opened phishing link detected.
IV-7
Unit IV. Maintenance
By default, Statistics includes 6 pages devoted to various network status aspects: Protection status, Deployment,
Update, Statistics of threats, General information, Updates for applications. Each page represents 3 to 4 information
panes. All this can be customized. The administrator can re-arrange the panes on a page at their wish. Or add more
panes or more statistics pages, or remove some.
Usually, a pane contains a chart with a legend or a table. By default, they represent events from all managed
computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties
window, which opens with the button. A statistics page consists of several panes.
The statistics is configurable at three levels. The administrator can add, delete and move statistics pages, add, delete
and move panes on a page, and can also modify settings and representation of the panes.
Overall, there are more than 50 types of panes grouped into six categories for the administrator to choose from.
To rearrange the pages, click the Customize view button to the right of the page tabs. The administrator can add as
many pages as they wish and name them as they wish. They can also delete the default pages, or re-order them.
The tabs are always lined up in a single row.
To modify page contents, click the button to the right of the page name in its tab. This button is displayed only
for the active page. In the page properties, you can draw up the list of the panes to be displayed and their layout on
the page: one column, two columns (the default choice), 3 columns, etc.
In the pane settings, depending on its type, you can modify the time interval for the displayed data and select
the computers whose data will be shown. There are only two options for the computers: either all computers, or
computers from a specified selection. You cannot specify a group of computers or draw up an arbitrary list of
computers, as in reports.
As far as the pane layout settings are concerned, you can modify the height for the panes to better fit in the console
window. You can also modify chart type, axle orientation, chart appearance (gradient, transparency). Depending on
the pane type, the following chart types can be available: Pie chart, Column chart (the columns can be displayed
either vertically or horizontally), Table, and Graph.
The information panes’ capability to display the history of parameter changes over the specified period can be
useful. For example, you can view how many viruses were detected during each hour of the last day. These data
may help to select the threshold for the Virus outbreak event. Reports lack this capability.
IV–8 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To consult Statistics, you need to open the Administration Console first. Some of the administrators open the
Console only when they need to find out or configure something, and prefer to be informed about issues by e-mail.
This way, they use a single tool, mailbox, to learn about issues of various subsystems instead of opening a dozen of
various consoles.
Kaspersky Security Center can e-mail notifications and reports. Reports that show what is happening in the network
better fit daily inspections. Notifications inform about specific threats that need immediate attention.
1. Select the Reports tab of the Administration Server node and click the button Configure report delivery
2. If a task of this type has already been created, the Administration Console will select it in the Tasks node.
In this case, click the link Configure task in the right pane and select the Report type section
3. If there is no task of this type yet, the Console will start the report delivery task creation wizard
4. Select the types of reports that you want to receive. The task shows all report templates available on the
Reports tab of the Administration Server node. However, those are not all of the report types that
Kaspersky Security Center can create. If some reports are missing, create them beforehand on the the
Reports tab of the Administration Server node.
6. Switch to the Schedule section and select when to receive reports. By default, the task e-mails reports daily
at 8 in the morning.
To select where to send reports, in the task properties, select the section Action to be applied to report and click
the link Email notification settings. Specify the recipient’s address and message subject. Check the sender’s address
and mail server parameters in the Administration Server properties.
Note: The Quick Start wizard automatically creates a deliver reports task for the Protection status report, if
the administrator fills in the e-mail notification parameters. Later, you can edit this task or create more of them.
IV-9
Unit IV. Maintenance
For daily inspections, you will need reports that show threats and protection status:
— Threats:
— Protection
— Protection status
— Anti-virus database usage
— Errors (over the last day)
All pre-configured reports available on the Reports tab of the Administration Server node either do not have any
period, or show events over the last 30 days by default. 30-day reports are not very useful for daily inspections. It is
difficult to understand what has changed since yesterday.
You need to create 1-day reports manually. Delete all the reports you are not going to use. For example, reports
about encryption errors if you do not have an encryption license.
IV–10 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Formally, the Reports page contains report templates, which describe report type and parameters, rather than
reports themselves. The Administration Server generates reports from templates when e-mailing them, or when the
administrator clicks the link Show reports.
2. Name the report comprehensibly, for example Viruses report over the last day
3. Select the report type. There are more than 40 types of reports in Kaspersky Security Center
4. Select the reporting period. For the daily reports, specify a 1-day period
5. Select a scope for the report. A report can cover a group, individual computers (a list), or a computer
selection. Most of the reports should cover the whole network; select report for a group and the Managed
devices group
Template settings also include the list of information fields to constitute the report tables. Some fields contain
insignificant information and can be deleted not to overload the report. For example, the Virtual server field makes
little sense in a report if virtual Administration Servers are not used in the network1.
1
The ‘Virtual Administration Server’ or ‘Virtual server’ terms that may be encountered in the reports should not be confused with Administration Servers
running inside a virtual machine. These two usages of the word “virtual” have almost nothing in common. If your Administration Server runs in a virtual
machine, it is still just a normal Administration Server, not a virtual server. And virtual servers in the reports and other parts of the Console are something else
entirely. Virtual Administration Servers are described in course 302.10.
IV-11
Unit IV. Maintenance
The administrator can use information field settings in a report template to create complex filters for the events to be
included in the report. Allowed values can be specified in the field properties. For example, for the Detected object
field, you can specify the malware name. As a result, you will get a report based on the events related to
the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers
with the specified version of the protection software, even if these computers belong to different groups.
For example, there is no report type to display all phishing attempts. Instead, you can use an Event report:
This is a part of description of events informing about blocked phishing attacks. This way, you will receive a report
that shows the number of such events.
In addition to filtering by field value, you can change sort order: ascending, descending, or unsorted.
Starting with version 10 Service Pack 1, you can do it in the generated report too, by clicking the column titles in the
tables. Click again to reverse the sort order.
Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also
in the Administration Server properties, in the Event notification section. The events are grouped by four severity
levels: Critical event, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event,
it cannot be modified. Each program has its own events with their default settings.
IV–12 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
This storing method is enabled for most critical and error events, as well as for many warning and some
info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for
all events (naturally, except for the events whose storage is disabled).
The Administration Server events’ default lifetime depends on their severity levels. For Information events,
it is 30 days; for Warning, 90; and for Critical and Error, 180.
— In the operating system event log on the Administration Server—similarly to local Kaspersky Endpoint
Security events. If the Administration Server becomes inaccessible, the administrator will be able to find
information in the Windows log.
— In the operating system event log on the client computer—makes sense only for the Network Agent
events. Kaspersky Endpoint Security already has this capability in the settings of local event processing.
When the specified lifetime is over, events are automatically deleted from the Administration Server database (but
not from Windows logs, which have their own settings). The more the lifetime, the more events are stored in
the database on average at each specific moment, and the more time will event processing operations take. On the
other hand, when the administrator decreases event lifetime, the maximum reporting period also decreases.
To be informed about important events, configure notifications. This is configured in the properties of every
particular event type that you want to be notified about. Kaspersky Security Center 10 supports four notification
channels:
— E-mail
— SMS
— Start of an executable file
— SNMP
Notifications help to draw the administrator’s attention to the most important events.
By default, notifications are not sent. To start receiving notifications, open the event properties and select
notification methods.
IV-13
Unit IV. Maintenance
By default, all events are delivered with the same parameters, which are specified in the Administration Server
properties. To send different notifications to different addresses or with different messages, click the Settings link in
the event properties and clear the check box Use Administration Server settings. After that, change the recipients’
addresses, text template and other notification parameters.
At first, e-mail notification delivery parameters are specified in the Quick Start wizard. Later, they can be modified
on the Events tab of the Administration Server node. Expand the list next to the link Configure notifications and
event export and select Configure notifications. These parameters are also available in the Administration Server
properties, in the section Notification delivery settings.
These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is
also used for the sender address, and the subject of the sent notifications is made of the event severity level and its
type, for example, Critical event: Threats have been detected
To view additional e-mail notification settings, click the Settings link. Then you will be able to modify:
— Message subject
— Authorization username and password
— Sender address
When configuring the notification subject and text, you can use macros, which will be replaced by
the corresponding event attributes in the notifications:
— %KL_VERSION%—version number
— %HOST_IP%—IP address
— %HOST_CONN_IP%—connection IP address
The macros can be added using the special buttons located next to the fields where notification text and subject are
edited.
It is up to the administrator about which events to receive notifications. However, prime candidates are events about
active threats and potentially successful attacks:
Active threat detected. The malicious file is not running on the computer, but Kaspersky Endpoint Security
Advanced Disinfection cannot terminate it. The user or the administrator must confirm starting the Advanced
should be started Disinfection procedure
Malicious object detected A malicious object was detected using a request sent to KSN rather than signatures.
(KSN) This means that it is a new threat, and the administrator should carefully monitor what
is happening in the network. Maybe even switch to a policy with stricter protection
settings
Previously opened Information that the link is phishing has appeared already after a user opened it (data
phishing link detected about previous actions is stored in the KSN cache and System Watcher’s logs). The
phishing attack presumably succeeded
Previously opened Information that the link is malicious has appeared already after a user opened it. The
malicious link detected user could have downloaded and started new malware
Process terminated Malware was running on a computer. Although Kaspersky Endpoint Security
terminated it, it could have done harm
Network attack detected If the attacking computer is located within the network, it may mean that it is infected
with unknown malware, or that protection does not work there
Application Privilege If you configured Application Privilege Control to protect documents against
Control rule triggered ransomware, these events inform when unknown programs try to edit or delete the
user’s documents
IV-15
Unit IV. Maintenance
All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in the
Kaspersky Endpoint Security policy, in the Event notification section. The last event is an Info event. The others
are Critical events.
Some events (including important) may occur too frequently to send a notification for each of them. For example,
the Threats have been detected event during a virus outbreak may invoke tens and hundreds of notifications.
To make each notification draw your attention, limit the number of notifications. For this purpose, in the
Administration Server properties, open the Notification delivery settings section and click the link Configure
numeric notification limit.
Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached, notifications
are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew.
The same limit is used for all notification types, but applies individually to each event type. E.g., if notifications for
the Threats have been detected event hit the limit, notifications for other event types will not be affected.
If no new events about threats have appeared on the computers over the last day, you need not do anything. But
what to do if there are some events?
First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted, disinfected
or blocked a threat, you need not do anything. Just reset the virus counter on the computer to be able to see when
new threats appear.
If malware is not treated or removed, act according to a plan. Prepare the plan beforehand.
IV–16 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
— Run the critical areas scan task to understand whether the computer is infected
— If a computer is infected or you suspect that it may be infected with unknown malware:
— Isolate the computer from other computers in the network
— Disable the policy using the password
— Raise the heuristics level and enable Advanced Disinfection technology
— Check integrity of Kaspersky Endpoint Security by a local task
— Perform full scan on the computer
If this does not help, restore the computer from an image. If all computers are installed from images at the company,
and the users’ data are stored in the network rather than on the computers, restoring from an image may be the first
step of your plan to save time.
If you find suspicious files during an investigation, send them to Kaspersky Lab for analysis via the
companyaccount.kaspersky.com portal
You can find out that viruses have been found from events, reports, statistics and computers’ statuses. Next to
statistics, statuses draw your attention first of all.
Threat detection and their processing results define the computer status in the Administration Console: OK,
Warning or Critical. This allows the administrator to easily notice problematic computers when looking through
the groups. The OK status corresponds to a green icon, the Warning icon is yellow, and Critical is red.
The Many viruses detected status tells that viruses were found on the computers. This status is related to the virus
counter parameter. Every time malware is detected on the computer, the counter increases its value by 1.
The counter value is transferred to the Administration Server during the synchronization. The status is activated if
the virus counter value exceeds the specified threshold. By default, the Many viruses detected status is disabled.
To enable the status to show the computers where malware was found, open the properties of the Managed devices
node. Switch to the Device status section and select the check box next to status Many viruses detected. To make
computers receive the Warning status and be displayed yellow, select the respective check box in the listSet status
to Warning if. To make computers receive the Critical status and be displayed red, select the respective check box
in the listSet status to Critical if. To paint computers yellow when there are a few viruses on them, and red when
the number of viruses exceeds, say, 5, configure different thresholds for the status Many viruses detected (via the
status’s shortcut menu).
IV-17
Unit IV. Maintenance
If at least one of the managed computers receives either There are unprocessed objects, or Many viruses detected
status, the global Protection status also changes on the Monitoring tab of the Administration Server node.
The cause of the status change is displayed in the same area.
If there are computers with different statuses in the network, the Protection settings area will show all critical
statuses. If there are computers with the Critical status, this area will describe all causes that are giving this status to
the computers. The causes that are giving the Warning status to other computers at the same time will be hidden. For
example, the critical status Protection is off can override the status There are unprocessed objects, which has the
Warning level, on the Monitoring page.
A message like Many viruses detected on ХХ devices is a link. If you click it, the Console will open the selection of
computers where many viruses have been detected. All statuses behave this way on the Monitoring page.
A selection is a dynamic set of computers selected by an attribute. There are standard selections on the
Administration Server, which show computers with various statuses. For example, There are unprocessed objects
and Many viruses detected
You can take group actions on the computers joined into a selection, for example, start update and search tasks, reset
virus counters, move into a group, etc. So, selections are very useful when dealing with the computers having
a problem status.
IV–18 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The Viruses report shows statistics of processing the malware detected on the managed computers: how many
objects were treated, how many blocked (by Web Anti-Virus), how many deleted and how many still remain
unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics
are available for each type of malware.
The Viruses report can show which malware KES detected using KSN, and which threats were detected using
traditional tools (antimalware databases and heuristics). To be able to see this information, add the By KSN verdict
column to the Details table.
If you find it difficult to sort out the report about all network computers, consult reports of individual computers. For
this purpose:
— Expand the description of the status Many viruses detected and click the link View virus activity level
report
If you do not use the Many viruses detected status, you can open a computer’s report from its properties, in the
Protection section. Use the link View report on viruses
Except for the viruses report, Report on most heavily infected devices and Report on users of infected devices may
come in handy. If some computers have been infected considerably more than others, it might be worthwhile to find
the reason and take appropriate measures.
Network attacks are not included in the Viruses report. To see the big picture of all attacks, consult the Network
attack report. It shows which attack types were detected, and more importantly, the IP addresses of the attacking
computers. Knowing the address, the administrator can investigate the incidents and better solve the problem.
The Network attack report is not created by default. To view it, create a new template on the Reports tab of the
Administration Server node.
In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with threats.
Events show what was happening simultaneously with threat detection, whether there were other threats or errors in
components’ operation. To understand where a threat ended, always check the last event about it. It is normal for
Kaspersky Endpoint Security to first inform that it cannot disinfect a file, and in a second, report that the file was
deleted successfully.
IV-19
Unit IV. Maintenance
You do not have to study reports and events to be able to understand whether any computers are infected.
Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the server about this using the
status There are unprocessed objects. This status is enabled by default, gives computers the Warning status, and is
displayed on the Monitoring page.
This status is assigned to computers where malware programs were detected and were not cured.
The Unprocessed files category can be comprised of widely different objects. It can be a virus in memory, which
actively counters the attempts to delete it. Or it can be an infected object on a network drive where Kaspersky
Endpoint Security has no Write permission to disinfect or delete the file.
When a user accesses a malicious file in a shared folder on a file server, the antivirus installed on the server may
block access and delete the file. Meanwhile, the antivirus installed on the user’s computer detects the threat at the
same time, but cannot delete the file from the folder and informs that there is an unprocessed threat, although in
reality it has been processed on the server. It is a reason for paying attention anyway, since malicious files must not
appear in shared folders, and you need to find out how it got there.
To reset computer status, neutralize the detected objects. If an object cannot be neutralized, as in the described
situation with malware in a shared folder, delete the record about the unprocessed object from the list of
unprocessed objects:
1. In the Administration Console, open the node Advanced, Repositories, Unprocessed files
2. Find the file that has actually been removed from the shared folder, and carry out the Delete command on it
IV–20 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If many viruses or a previously opened malicious link have been detected on a computer, or a malicious process has
been terminated, it may mean that the computer can still be infected. To scan a computer for known threats, run
critical areas scan there.
There are a few ways to achieve this. The one which is always available is as follows:
Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security. Local
means that it is displayed only in the computer properties, but is not shown in groups or in the Tasks node. This
makes it less useful. To start it on several computers, you have to open their properties one by one.
You can also use the group task Quick Virus Scan, which the Quick Start wizard creates. However, it will scan all
computers, and why slow down the computers where there are no threats?
To quickly scan critical areas on those computers where threats have been detected, make a virus scan task for
specific computers. For this purpose, copy the group task Quick Virus Scan to the Tasks node and rename it. To
scan a computer, select on its shortcut menu All tasks, Run a task, and in the window that opens, select the virus
scan task for specific computers.
You can start only tasks for specific computers from the shortcut menu, group tasks are not available there
To run a task on several computers, select them with the mouse and use the same command from the shortcut menu:
All tasks, Run a task.
To start a task on all computers within a selection, open the target selection, click the button Perform action and
select the command Perform task.
IV-21
Unit IV. Maintenance
Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. Application Privilege Control
and System Watcher components are responsible for this. File Anti-Virus does not scan programs in the memory.
If a computer is infected and Kaspersky Endpoint Security cannot stop malware, use the Advanced Disinfection
technology.
This technology is disabled by default, because it blocks start of all programs and restarts the computer, which
would hamper the users. The user can agree to perform the Advanced Disinfection procedure and take the risk of
losing data, or refuse to start the procedure and leave the computer infected. Anyway, it should be the administrator
who makes the decision rather than the user.
If you suspect that a computer is infected, you had better reinstall it from the image. If it is unacceptable or
impossible, try to disinfect the computer:
To use this command, enable password protection in the Kaspersky Endpoint Security policy
— Open Kaspersky Endpoint Security window and switch to the Settings tab
— Select the Anti-Virus protection node and select the check box Enable Advanced Disinfection technology
— On the Protection and Control tab, run the Full Scan task
— If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection procedure,
agree
With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does not permit new
programs to start, scans memory, takes more aggressive methods when terminating processes, tries to
delete malicious files at restart
— Restart the computer, connect it to the Internet and update the signatures
— Scan the whole computer once again
IV–22 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
After all threats have been neutralized, reset the virus counters on the computer.
The virus counter can only increase without interference from outside, and the only method of changing this status is
to manually reset the counter. To do it, on the shortcut menu of the computer, click All tasks, Reset Virus Counter.
This command can also be applied to a few computers: select them with the mouse and click Reset virus counter in
the right pane of the Console window.
If you are sure that there are no threats on any computers, use the command Reset virus counter in the shortcut
menu of the Managed devices node.
IV-23
Unit IV. Maintenance
If protection does not work, it may be caused by various reasons. Prior to contacting the technical support, solve
trivial issues. Make sure that:
The Network Agent is The user could have uninstalled Network Agent and then the Console would show the
installed on the last data which the Agent had sent to the Server. Reinstall the Agent and protect it from
computer the user: set an uninstallation password
Kaspersky Endpoint The user may have uninstalled Kaspersky Endpoint Security. Reinstall the protection
Security is installed on and protect it from the user: set a password
the computer
A policy is applied to A computer may belong to a group without a policy, or a Kaspersky Endpoint Security
the computer version for which there is no policy on the server can be installed on the computer.
Create policies in all groups and for all used versions of Kaspersky Endpoint Security
Policy settings are If the locks are open, the user can modify parameter values and potentially can disable
locked components or even start of Kaspersky Endpoint Security. Close the locks for all
important parameters in the policy
Password protection is If password protection is not enabled, the user can exit Kaspersky Endpoint Security
enabled even without administrative permissions
After you’ve checked for trivial causes, look at the errors. If Kaspersky Endpoint Security will not run because of
failures, collect diagnostic logs and contact the technical support of Kaspersky Lab.
IV–24 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The following computer statuses may mean that protection does not work:
No security application installed It is enabled by default for the Warning and Critical statuses
Real-time protection level is different It is disabled by default. You can set one of the following values:
from the level set by the administrator Stopped, Paused, Running
The security application is not running It is enabled by default for the Critical status
The status Real-time protection level is different from the level set by the administrator, although disabled by
default, is more useful than the status Protection is off. The status Protection is off does not show why it is off:
because of a failure or because the user has disabled it. The status Real-time protection level is different from
the level set by the administrator shows this difference.
We suggest that you enable the condition Real-time protection level is different from the level set by
the administrator for the Critical status and select the Running value for it.
There are standard computer selections for the statuses Protection is off and No security application installed. The
administrator can create custom selections for other statuses.
The status Security application is not running is always accompanied by the status Protection is off, but not the other
way around. If Kaspersky Endpoint Security works, but all protection components are disabled, the computer’s
status will be Protection is off without the status Security application is not running.
Protection is considered to be running in Kaspersky Endpoint Security if at least one of the protection components
works. Even if it is just IM Anti-Virus
To understand that components have not started on the computer because of a failure, consult the Errors report or an
event selection. To check all errors:
To understand which components are running on a computer, open the Tasks section in the computer properties.
Components are listed among other tasks and the list shows which ones are running and which are not.
Protection or some components may be not running if a policy is not applied to the computer. Then the user can
open Kaspersky Endpoint Security settings and disable its components.
By default, the Quick Start wizard creates the Kaspersky Endpoint Security policy in the Managed devices group,
meaning, for all computers. However, the administrator may regroup computers later, create new policies in groups,
and delete the original policy or make it inactive. As a result, there may be a group where the administrator have not
created or have not activated a policy by mistake.
Different versions of Kaspersky Endpoint Security require different policy versions. Usually, a single policy applies
to all installations of Kaspersky Endpoint Security that have the same Service Pack version. Different Service Packs
require different policies. It may turn out that some computers do not have a policy after an upgrade.
To check whether a computer has a policy, start with the computer selection Protection is off:
2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version
3. Close computer properties and go to its group: use the command Go to device on its shortcut menu
5. Set the Inherited policies option to Show, to be able to see policies of the parental groups
6. Make sure that there is a policy for the necessary version of Kaspersky Endpoint Security on the list
8. If the policy exists already, select it and click the Details link in the right pane. Make sure that the policy is
applied to the computer
9. Open the policy and make sure that locks are closed, especially on the parameters that enable the protection
components
IV–26 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The Kaspersky Anti-Virus is not running status is one of the most critical protection statuses. To solve this
problem, carry out the command for the Network Agent to start Kaspersky Endpoint Security on the Applications
tab of the computer properties.
If individual components are not running, you can start them on the Tasks tab.
Another method of starting Kaspersky Endpoint Security—the Start or stop application task. This task is an
advanced task of Kaspersky Security Center that can be created both for groups and for specific computers.
A group task is convenient if the Virus outbreak event is registered—it can start protection on all network
computers, in case the protection is stopped somewhere.
IV-27
Unit IV. Maintenance
A task for specific computers can better serve the purpose of rectifying the Protection is off status. A task for
specific computers can be started from a computer’s shortcut menu or using the button Perform action in a computer
selection.
If protection does not work, it is very bad. However, if it works with old signatures, it is not any better. Pay attention
to computers that have old signatures, update them and find out why the signatures have not been updated.
The computers have an update task This task is created by default. However, when groups and tasks
become numerous, it may turn out that some computers do not have an
update task for the necessary version of Kaspersky Endpoint Security
Task schedule If the administrator created update tasks manually, he or she may
failed to set a schedule for them by mistake
Task source Within the network, the Kaspersky Security Center source must be
specified
The Administration Server has a It is created by default, but may have been deleted by mistake
“Download updates to the repository” task
After that, check for update task errors. If errors result from Kaspersky Endpoint Security failures, collect logs and
contact the technical support.
Specifically consider whether you need Update Agents. They are not of much help in a small network, but
complicate diagnostics. The Administration Server automatically assigns Update Agents by default. You can disable
this.
The Monitoring page provides the most important information about the databases in use. If everything is fine,
the Update area displays the time when the latest updates were downloaded to the server repository. If there is a
problem, the indicator will turn yellow or red and a problem description will appear, which also acts as a link to
remediation (run a task) or troubleshooting (check a computer selection) tools.
The Databases in the repository not updated for a long time link opens the properties of the Download updates to
the repository task. The Databases are out of date: N devices link opens the selection of hosts that have
a Databases are outdated status.
The permanent link Go to Kaspersky Lab software updates and patches folder in the Update area of the Monitoring
page opens the node Advanced / Repositories / Kaspersky Lab software updates and patches. which contains
links to the settings of the default update tasks and the database version report.
More detailed information about the databases in use and computers with problems is available on the statistics
screen and also within the appropriate reports. The Database usage report shows the number of computers where
databases are 1-day old, 3-day old, 7, and more.
These data are also available on the Statistics tab of the Administration Server node. The charts concerning updates
are displayed on the Update page. Unlike reports, statistic charts are updated in real time.
If the databases became obsolete on the computer not because it was off, but because of update task errors,
the administrator would need to view update task events to find out the reason. The events sent to the Administration
Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint
Security usually contains more events.
IV-29
Unit IV. Maintenance
Computers with old databases receive a Warning or Critical status depending on how old their databases are.
The status criteria are configured in the group properties. By default, the Warning status is given to the computers
whose databases are 7 or more days old, and Critical is assigned after 14 days.
You can identify that the computer status changed from OK due to outdated databases by the status description in
the Protection section of computer properties, or in the panel displaying computer characteristics in the lower-right
part of the Administration Console. To view detailed information about the signatures and, specifically, the last
update date, open the properties of the Kaspersky Endpoint Security program in the Applications section of
computer properties.
Updates from the Administration Server repository are distributed to the client computers by group update tasks.
To ensure coverage of all managed computers, an update task must be a group task created within the Managed
computers node. The Quick Start wizard creates this type of task: Install update. If computers are combined into
IV–30 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
groups and the optimal updating procedure is different for various groups, you can create a customized update task
for each group.
If both parent and child groups have tasks of the same type, the computers of the child group will run both tasks.
This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid
that, either delete the task in the parent group or disable its scheduled start or exclude the subgroups that have their
own tasks from the parent group task scope.
Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac
or Kaspersky Security for Windows Servers) are used in your network, they need separate update tasks.
If there are many groups in the console, and different versions of Kaspersky Endpoint Security are installed on the
computers, it is hard to immediately understand whether all computers have update tasks. If signatures are outdated
on a computer, to understand whether it has an update task:
2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version
3. Open the computer’s group (click the command Go to device on the computer’s shortcut menu)
4. Open the Tasks tab and set the Inherited tasks option to Show
5. Look for a task that has the Update type and Kaspersky Endpoint Security version coincides with that
displayed in the computer properties
If there is no such a task, create it in this group or in a parental group. Try to create as few tasks as possible. One
update task per each version of Kaspersky Endpoint Security created in the root group Managed devices is often
sufficient.
Schedule
Each product update task has a specific schedule and settings, including:
The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to
the repository. Unlike a periodical schedule when Kaspersky Endpoint Security defines the start time and starts
the task regardless of whether the Administration Server can be reached or not, the When new updates are
downloaded to the repository schedule means that the task is always started by the Administration Server
command.
The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers that there are
new settings for them. The port is listened to by the Network Agents, and upon receiving the call the Agents connect
to the Administration Server and download whatever new settings are available. Upon connection to the Server,
the Agent receives the command to start the task and transfers it to Kaspersky Endpoint Security, which carries it
out. If the ‘wake up’ call doesn’t reach some computers, they will receive the command during a planned
synchronization performed every 15 minutes (the period is defined in the Network Agent policy).
The schedule When new updates are downloaded to the repository guarantees that the client computers will
receive updates as soon as possible and without calling the server every now and then. Alternatively, a simple
periodical schedule can be used (for example, once an hour).
To prevent serious peak loads on the update source and the network at the moment of task start, randomization of
the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin
the next scheduled update after a random delay ranging from 0 to 5 minutes.
By default, the Administration Server automatically defines the randomization interval depending on the number of
computers the task pertains to. The administrator can also specify it manually.
If signatures are outdated on the computers, check the update task schedule. If the schedule is set to Manually,
weekly or monthly, change it to When new updates are downloaded to the repository or Once every N hours
Source
To specify the list of sources, open the Properties section of the task properties and click the Settings button.
Updates can be retrieved from the following sources:
— Kaspersky Security Center—the recommended source for all managed computers. Moreover, the most
natural source for the When new updates are downloaded to the repository schedule
— Kaspersky Lab update servers—the recommended source for the computers outside the corporate
perimeter or a backup source if the specified Administration Server is not accessible. However,
the administrators often prefer the computers to wait for the Administration Server connection rather than
create extra Internet traffic
— Local or network update folder—another option for backup update sources. An HTTP or FTP address
may be specified instead of a network folder. For example, if there are several Administration Servers in
the network (which is described in course KL 302.10 Kaspersky Endpoint Security and Management:
Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources
Updates are retrieved from the Administration Server by the Network Agents. With the update servers of Kaspersky
Lab or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security without the Agent.
If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security Center
source. If you want to use a folder or FTP server, make sure that updates are accessible at this address, and the
computers can access the files
In the update task properties you can configure copying updates into a separate folder. This mode can be used for
creating an update source in small networks or subnets without their own Administration Server. In larger networks,
update agents are used to create intermediate update sources. The Administration Server assigns Update agents
automatically (for more details, refer to course KL 302.10 Kaspersky Endpoint Security and Management:
Advanced Skills.)
IV–32 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
The task that updates the Administration Server repository is named Download updates to the repository.
The Quick Start wizard automatically creates this task. It can be found in the Administration Console in the Tasks
node.
If databases are outdated on the computers, check whether the Administration Server has an update task. Open the
Tasks node and look for the Download updates to the repository task
You can have only one task of this type. If it is present already, the task creation wizard doesn’t allow creating
another one. However, it is possible to delete the automatically created Download updates to the repository task
and create a new one for troubleshooting.
The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be
downloaded and a few additional options.
Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging
from 15-20 minutes to several hours. The default value is 1 hour.
— Kaspersky Lab update servers—a list of FTP and HTTP servers officially maintained by Kaspersky Lab.
These servers are located in various countries worldwide to help ensure a high reliability of the updating
procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The list of
servers is downloaded together with the other updates
— Master Administration Server—this option is used if there are several Administration Servers and they
are connected in a hierarchy (described in detail in course KL 302.10 Kaspersky Endpoint Security and
Management. Advanced Skills)
— Local or network folder—an update source created by administrators. You may specify not only a
network folder, but also an FTP or HTTP address
The task can have several different sources organized in a list. If the first source turns out to be inaccessible2,
the task will attempt to download updates from the next.
2
The Kaspersky Lab update servers source is considered to be inaccessible if none of known servers are available.
IV-33
Unit IV. Maintenance
You may need to specify the proxy server parameters for the Administration Server update source. All sources
would share the same proxy server. If some sources are accessed without it, enable the Do not use proxy server
option in their properties.
The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server parameters. To
specify a proxy server later:
2. Specify the proxy server address, port and authentication parameters: the user name and password
These settings will be used for downloading updates and for KSN requests.
IV–34 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If an FTP or HTTP server address is selected in a computers’ update task and it is accessible via a proxy server,
specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open Advanced Settings /
Application Settings, and in the Proxy Server Settings area, click the Settings button.
By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security will take
the proxy server settings specified in the Internet options in Windows Control Panel. The administrator can
explicitly specify the address, port and account for authentication.
Update Agents are additional update sources in a network. Any computer where the Network Agent is installed can
act as an Update Agent. The Administration Server automatically selects the computers to which it assigns the
Update Agent role. The administrator can disable automatic allocation and assign Update Agents manually.
IV-35
Unit IV. Maintenance
Automatically selected Update Agents multicast update files and you cannot disable multicasting. Network
administrators often do not like uncontrollable traffic in the network. Also, in a small network of a few hundred
machines, the Administration Server can cope with updates alone, without Update Agents.
When the check box is cleared, the administrator can manually select the computers to be assigned Update Agents.
For more details about Update Agents, please refer to course KL 302.10. Advanced Skills.
Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers have no
access to KSN, they are more likely to get infected.
If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via the status
KSN servers unavailable. This status does not get on the Monitoring page. To quickly find all computers that have
no access to KSN, create a custom computer selection.
By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named Kaspersky
Security Network proxy server. The service accepts connections on TCP port 13111. If computers cannot access
KSN, make sure that:
— The service Proxy server Kaspersky Security Network is running on the Administration Server
— Port 13111 is not closed by a firewall
— The service can access KSN servers in the Internet:
It may turn out that KSN servers are accessible, but the use of KSN is disabled in the policy.
To find out about this and also which computers are experiencing the issue, run the task Checking connection with
KSN:
1. Open the Tasks node and click the button Create a task
2. Select the task type Checking connection with KSN under Kaspersky Endpoint Security 10 SP2
3. Select the Managed devices group to make it run on all computers
On the computers where KSN is turned off in the policy, the task will return the error “Participation in KSN is
disabled”. The task will also show the computers where KSN is used but inaccessible.
They differ by the icon in the console: powered off computers have an icon with network connection crossed out in
red at the bottom (workstations) or on the right (servers). Also, check the columns Agent running and Connecting to
Server. If the Agent is not running, and the last connection was established long ago, do not pay attention to the
computer protection status, it can be inaccurate.
IV-37
Unit IV. Maintenance
If a computer remains powered off for a long time, Administration Server assigns one of the following two statuses
to it:
Not connected for a By default, computers receive this status in 14 days. You can change this in the status
long time settings, in the properties of the Managed devices node
This status means that the Network Agent has not connected to the Server all this time, and
the Server was not able to connect to the computer during the full network poll either
Device connection This status means that the Network Agent has not connected to the Server, but the Server
lost connected to the computer during the full network poll
If the computer has the status Not connected for a long time, find out what is the matter with it. If the computer does
not exist anymore, delete it from the group and then once again from the Unassigned devices node. If its owner is on
vacation, do nothing.
IV–38 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If employees may not connect to the network for a long time (months), increase the period after which the
Administration Server automatically deletes computers from groups (60 days by default). Open the properties of the
Managed devices node, select Devices and change the value of the parameter Delete the device from the group if
it has been inactive for longer than (days). Or disable this parameter at all, if employees may work out of office
for an indefinitely long time.
To enable computers connect to the Administration Server, receive settings and inform about threats when outside
the office, configure access to the Administration Server ports from the Internet. How to do it is described in course
KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills
If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy.
If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network Agent’s
folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent:
When run without parameters, the utility outputs the Network Agent settings, tries to connect to the Administration
Server with these settings, publishes the result, and finally outputs the connection statistics.
During the test connection, the Agent neither checks whether new settings are available on the server nor sends its
data to the server.
To make the Agent synchronize with the Server, carry out the command klnagchck.exe –sendhb
The Administration Console also has commands for checking connection to a computer:
Check device Verifies the computer status Visible in the network against the Administration Server
accessibility database. Does not try to connect to the computer, and therefore adds nothing to what the
computer icon shows
All tasks, Force Sends a signal to UDP port 15000 of the computer. If the Agent answers in a few seconds,
synchronization closes the synchronization window. Otherwise, informs that the Agent does not answer and
queues synchronization
If the Network Agent has incorrect Server connection parameters, modify them using the utility klmover.exe that is
located in the same folder of Network Agent:
If the Server’s port is non-standard, add the parameter –ps and the port number.
To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the settings of the
Network Agent package. If an Agent has incorrect parameters, they may also be incorrect in the package.
IV–40 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If Kaspersky Endpoint Security does not work or works differently from what the administrator has configured, and
simple measures cannot help, contact the tech support.
To receive an answer quicker, collect all logs and attach them to your request:
You can collect logs either on the computer or via the Kaspersky Security Center Console.
IV-41
Unit IV. Maintenance
To collect logs remotely, connect to the computer using the remote diagnostics utility:
The utility can also be started from the Kaspersky Security Center folder in the Start menu. Then you will
need to specify the computer name and the Administration Server address in the window. The console fills
in these boxes automatically
4. To receive information about the computer, click the link Load system information in the upper-left corner
of the window
5. To receive Windows logs, select the log and click the link Download event log… in the upper-left corner of
the window
Download Kaspersky Event Log and any other logs that contain events concerning the issue
The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in the
lower-left corner of the window.
IV–42 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
2. Click the link Enable tracing on the left, do not change the trace level, and click OK
6. Select files one by one and download them using the link Download file on the left
If the problem does not pertain to Kaspersky Endpoint Security or not only to it, collect trace logs of Network
Agent, Administration Server, Updater component in a similar manner.
When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the folder
until you send the logs to the technical support.
IV-43
Unit IV. Maintenance
Sometimes, an issue can be easier reproduced locally on the computer. In this case, collect the logs locally, too.
To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com web site.
Run it and save the log in a folder. The utility also collects information about the system and Windows logs, and you
will not have to add them manually.
1. In the Kaspersky Endpoint Security window, click the second out of the three icons in the lower-left corner
3. Select the check box Enable tracing, select level Normal (500) and click OK
The file name includes the creation date and time, select the latest logs
How to locally enable trace logs for Kaspersky Security Center components is explained in the article
http://support.kaspersky.com/9323
IV–44 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
When you have all logs at hand, contact the technical support:
If you have no account, sign up: specify your email and license for Kaspersky Lab products (the activation
code or key file)
2. Click the button New request and select Make a request for Tech Support
3. Select the protection scope, product, version, operating system, request type and subtype
5. Describe the issue: the steps that result in it, which result you expect, and which get instead
Except for signature updates, which are issued continually, there are program updates, which are released much
rarer:
New versions Are released once every few years, introduce new capabilities, components, settings, etc.
Are installed by Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center
Service Packs Are released approximately yearly, sometimes rarer. Upgrade components and drivers, may add
new settings and capabilities, but the changed are not as significant as in a new version
Are installed by Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center
Maintenance For Kaspersky Endpoint Security, MRs are released once every quarter or two, fix errors, may
Releases slightly change settings, are installed by the update task
For Kaspersky Security Center, a Maintenance Release is almost the same as a Service Pack:
they are released in a year after a new version or Service Pack, and are installed by the
installation wizard of Kaspersky Security Center
Patches Are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are
released quarterly, fix errors, slightly alter operation, are installed automatically on Network
Agents
Private fixes Are released by request, correct specific issues for individual customers. Usually, for customers
with a Maintenance Service Agreement
IV–46 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
You can learn that a minor update (Maintenance Release for Kaspersky Endpoint Security or patch for Kaspersky
Security Center) has been released on the Monitoring page. Monitor messages in the Update area.
Minor updates are installed automatically, but only after the administrator approves them. When updates are
released, the status “New updates for Kaspersky Lab software modules registered” appears. Usually, to install an
update, you need to accept the license agreement. “Kaspersky Lab software updates not approved” status informs
about this
Both statuses lead to the node Advanced, Application management, Software updates. This node shows all
available updates, not only for Kaspersky Lab programs, but also for operating systems and third-party software.
To be able to install updates by other manufacturers, you need a Systems Management license, for example, KESB
Advanced. This is described in course KL 009.10 Systems Management.
1. Click Filter…
2. In the Source field, select AO Kaspersky Lab and wait for a while
IV-47
Unit IV. Maintenance
Kaspersky Endpoint Security can do without application updates. If there are no critical issues that impede work,
you can use Kaspersky Endpoint Security until a new version or Service Pack is released.
Still, module updates can be useful. They can improve computer performance, increase protection efficiency and
add new functionality to the product. Often benefits outweigh the risks. And the risks can be mitigated by testing
the updates and installing only approved ones.
As far as module updates are concerned, the administrator has the following option in the update task of Kaspersky
Endpoint Security:
— Download updates of application modules—enabled by default. Can be disabled in the groups where
computers are extremely sensitive to changes, e.g., groups with important servers
— Install critical and approved updates—installs the updates marked as approved by the administrator
and the updates marked as critical by Kaspersky Lab without the administrator’s approval. Installing
unapproved updates may be risky because unforeseen issues might arise
To approve an update:
1. Select the update in the node Advanced \ Application management \ Software updates
3. If the update has a license agreement, the respective window will open. Accept the agreement
If you approve a wrong update by mistake, open its properties and change the value of the Update approval field to
Undefined or Declined.
Prior to approving an update, install it on test computers and make sure that it is not causing any issues.
Approved updates of Network Agent are installed automatically without tasks. After the administrator approves an
update, Agents will start downloading it during planned synchronizations and install locally.
By default, the Administration Server installs all Network Agent updates rather than only approved ones. To install
only approved updates:
3. Clear the check box Install applicable updates with Undefined approval
To test Network Agent updates, create a group for test computers and enable installing unapproved updates in the
policy of this group
The administrator can always select not to install some update, even if automatic update is configured in the policy.
For this purpose, open the update properties and for the parameter Update approval, select Declined.
To prevent distributing Network Agent updates of older version (up to version 10 SP1 inclusive), disable the
respective parameter in the task Download updates to the repository:
1. In the Tasks node, open the properties of the task Download updates to the repository
2. Switch to the Settings section and in the Other settings area, click the link Configure…
3. Clear the check box Update Network Agent modules (for Network Agent versions earlier than 10
Service Pack 2)
Since only one task of this type exists, module updates of Network Agents up to version 10 SP1 inclusive will or
will not be installed in the whole network. You cannot enable installation of these updates in some groups and
disable in others.
IV-49
Unit IV. Maintenance
The Update area of the Monitoring page also informs about new product versions and Service Packs. Monitor the
messages:
To open this window in another way, click the link View current version of Kaspersky Lab applications.
Alternatively, open the node Advanced, Remote installation, Installation packages in the console; click the
button Additional actions and select View current version of Kaspersky Lab applications.
The window shows the list of available product versions by Kaspersky Lab, which are manageable via Kaspersky
Security Center. You can download them from Kaspersky Lab servers through this window.
— Distributions that can be downloaded to the Administration Server using the button Download and create
installation package
— Distributions that cannot be transformed into a package, but can just be downloaded
The list includes numerous programs, a few versions of each program and several localizations of each version, and
it’s easy to get lost.
IV–50 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
To find what you need, for example, the latest version of Kaspersky Endpoint Security in English, configure a filter:
1. Components:
Controls Distributions and patches of Kaspersky Security Center and Network Agent
components for various platforms
File Servers and Storages Distributions and plug-ins of Antivirus Kaspersky for Windows File Servers,
Kaspersky Anti-Virus for Windows Servers and
Kaspersky Security for Windows Server
Embedded Systems (ATM Kaspersky Embedded Systems Security distributions and plug-ins
and POS)
4. Language
— All languages
— Administration Console language or basic set (English, German, French)
— Administration Console language and another language selected on the list
To receive updates only for the Console language, select the third option and then select the console language once
again on the drop-down list
IV-51
Unit IV. Maintenance
Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to
overcome one of the following license limitations:
— Prolong—the most typical situation, when the company is satisfied with the product and it is necessary to
renew the license to keep using it
— Increase the number of computers—if the company grows and the number of computers is about to exceed
the license limit
— Extend functionality—if the necessity to use additional product functions has appeared in the company, for
example, Encryption or automatic installation of Windows updates
Also, a license may be blacklisted if it is exposed to the Internet. Kaspersky Lab blocks these licenses, and they stop
working. Products receive black lists of licenses together with signature updates.
Before the first license is installed File Anti-Virus and Firewall work, an update task runs once
If a commercial license has expired All components keep working, but update tasks will not start and KSN
servers are inaccessible. Protection level gradually decreases
If a trial license has expired or a All components stop working until the administrator activates the
commercial license has been blacklisted product with a valid commercial license
IV–52 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
If the license is about to expire or has expired on a computer, the administrator should pay attention.
The license expiration date is displayed in the license properties in the node Advanced , Application management,
Kaspersky Lab licenses. To quickly open this node, use the link Manage keys in the Deployment area of the
Monitoring page.
The computer statuses configured in the administration group properties may also attract the administrator’s
attention. Two status conditions relate to licenses:
— License term expired—sets the computer status to Critical. By default, the condition is triggered in 0
days, meaning, right after the license expires. It can be configured to trigger several days after the license
expiration so that the license could update automatically and not waste the administrator’s time
— License term expires soon—sets the computer status to Warning. By default, is displayed 7 days before
the expiration, but this parameter is adjustable
When the license that activates the Administration Server is about to expire, a pop-up message is displayed to
the administrator every time the Administration Console starts. Upcoming expiration is also indicated in the
Deployment area of the Monitoring tab of the Administration Server node.
IV-53
Unit IV. Maintenance
Most of the information about the keys that the administrator would ever need is available on the page Advanced |
Application management | Kaspersky Lab licenses, including node restriction and use percentage.
The Administration Server shows how many of the managed computers are using the license. It does not receive
data from Kaspersky Lab activation servers, which may have different statistics if the license is also used on
computers without the Network Agent
— License restriction has been exceeded—there are two events with this name, critical and warning.
The critical event is generated when the number of installations constitutes 110% of the license limit.
The warning informs of reaching the limit (100%)
The Administration Server does not take any measures if the license limit reaches either 100% or 110%. If keys are
used for activation, the administrator can distribute them with a key installation task to any number of computers.
However, if the Automatically deploy key to managed computers check box is selected in the key properties,
the Administration Server will not only distribute it to computers, but also remove the key from excessive computers
if the license limit is surpassed.
If activation codes are used, Each instance of Kaspersky Endpoint Security which needs to be activated, the
Activation Servers issue a ticket for using the product. If the number of simultaneously issued tickets greatly
exceeds the license limit (1.5 to 2 times), the activation server will stop issuing tickets.
IV–54 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one
license to another without a time gap and without reducing the effective license period of any of the licenses. You
would rather not replace the old license when there still several days left of the licensing period. However, you want
to activate the new license before the old one expires.
To prevent losing the validity period of neither old nor new license, use one of the following approaches:
1. Distribute a new key to the computers using a key installation task beforehand. In the task settings, specify
that it is an additional (backup) key
Additional keys and codes can be added in almost all products by Kaspersky Lab. Once the active key
expires, the product is automatically activated with the additional key or code.
2. Add the new license to the Administration Server and enable in it properties the check box Automatically
deployed key
When the previous key expires on the computers, they will receive the new automatically distributed key
from the Administration Server.
Automatically deployed keys are sent to all computers. If a computer does not have an active license,
the automatically distributed key will be activated on it. If an active license is already available, the automatically
distributed key will be deployed as an additional one. If a computer has both an active and an additional license,
the automatically distributed key will not be installed.
The key or code to be distributed can be added in the Quick Start wizard. To add keys later, in the Advanced \
Application management \ Kaspersky Lab licenses node, click the Add key button. The key adding wizard
prompts the administrator whether to add code or key.
Registered keys and codes can be imported from the storage as key files or text files with the code. These can be
used for local activation, if necessary, or for backup purposes.
IV-55
Unit IV. Maintenance
Only the extended functions of Kaspersky Security Center Administration Server 10 available in KESB Select and
KESB Advanced licenses require activation. The Administration Server functions supported by the KESB Core
license do not need activation, it is sufficient to activate the managed products.
The operations described in this course do not require activating the Administration Server
To replace the active key or add another one to the Administration Server, open the Keys section in the Server
properties. You can specify the active and additional license in this section. You can also replace or delete licenses
as necessary.
You can select a license for the Administration Server from among those added to the Kaspersky Lab licenses
node.
To add a key to the Administration Server, select a key specifically designed for Kaspersky Security Center. Check
what is written in key table at the very end of the Application name field. There is usually a descriptor there:
Security Center or Kaspersky Endpoint Security that indicates the key purpose.
If you are adding a code, you need not check the name, the same code activates all products covered by the license:
Kaspersky Endpoint Security and Kaspersky Security Center.
IV–56 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Sometimes it is necessary to install a specific key on a specific computer or a group of computers. Automatic
distribution would not serve this purpose. Instead, you can create an Add key task.
This task can be created using the typical task creation wizard in a group or in the Tasks node. You can also click
the Distribute key on the client computer button in the Advanced | Application management | Kaspersky Lab
licenses node—in this case, the wizard displays fewer steps.
If two products require different Console plugins to be managed, they would require different Add key tasks as well.
For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint Security 10 Service Pack 1
have independent plugins. Therefore, a task to add key to Kaspersky Endpoint Security 10 SP2 wouldn’t run on
Kaspersky Endpoint Security 10 SP1 and vice versa.
In the task creation wizard or later in the task properties, you can select a license either from the list of registered
keys and codes (in the Advanced | Application management | Kaspersky Lab licenses node) or from a file. There
is an option in the task that allows installing the selected key or code as an additional key. This option is enabled by
default, because the main license is supposed to be installed through the automatic installation feature (an option in
the key or code properties).
IV-57
Unit IV. Maintenance
Creating backup copies is a good practice that can save you a lot of trouble The administrator will be able to restore
the entire management system from a backup copy within about an hour. To ensure a quick recovery, it is important
to store backups in a reliable location.
A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This
includes the event database (which contains more than just the events), administration group structure, tasks and
policies, report templates, installation packages 3, selections of computers and events, the Administration Server
certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to
keep an old copy.
Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become even more
important. The Administration Server configuration now includes the encryption key store that contains master keys
for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case
of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost
irretrievably. Encryption and the risks involved are described in course KL 008.10 Encryption.
However, even if we leave encryption out of consideration, losing Administration Server data can result in many
hours or days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be
difficult and may consume much time and effort. If the server is reinstalled, its certificate changes, and this means
that Network Agents, even if they use the correct address, will not be able to establish a connection to the new
Administration Server. Generally, to recover connection to the computers, all Network Agents will have to be
reinstalled.
A backup copy relieves the administrators from these issues, because a copy includes the server certificate, all
the settings, and the encryption key store.
Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard
upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous
version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create
a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore
3
Including standalone, but excluding operating system image packages (these packages are described in detail in course KL 009.10 Systems Management).
IV–58 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
its configuration from the backup. You can use this method when it is necessary to upgrade not only the software
components of the Administration Server, but also its hardware configuration.
In a similar manner, you can use backups to move the Administration Server to a different computer. First create
a backup copy, and then install the Administration Server on another system. Restore the Administration Server
settings from the backup copy. In this case, it is important to ensure that the same type of SQL server (Microsoft
SQL or MySQL) is used by both new and old instances of the Administration Server.
If you move the Administration Server to another system and want to change the Server’s name, you must make this
change before the migration. Refer to course KL 302.10 Kaspersky Endpoint Security and Management. Advanced
Skills.
The most important thing about backup copying is to regularly make sure that you can restore the system from a
backup copy
Spend half an hour once a month or at least quarter to restore Administration Server data on a test computer. This
way, you will make sure that the backup copies are not corrupted and sharpen your skills. In case of a real failure,
you will be able to restore systems quickly and easily.
To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data.
Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick
Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure.
The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the
Administration Server. The task launches the utility with the specified options, which then creates a backup copy.
To create a backup copy, the klbackup.exe utility stops the Administration Server service (and the Network Agent
service) and copies the Server settings and data. After the backup copy is created, the utility starts the
Administration Server and Network Agent services.
When the Administration Server service is stopped, all instances of the Administration Console receive a message
that the connection with the Administration Server is lost. Then, the utility commands the SQL server to create a
backup copy of the event database.
Only one parameter is required for the backup task: the location of backup copies. This folder will contain
subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default
IV-59
Unit IV. Maintenance
location of backup copies is the SC_Backup folder in the Administration Server data directory
(%ProgramData%\KasperskySC\SC_Backup).
However, it is risky to store backup copies on the same disk with the Administration Server, because in the event of
a hardware failure, both the current system and its backup copy might be corrupted. So, it is strongly recommended
that you store backup copies separately. The administrator can either specify a network location or use an additional
process to move backup copies to a safer place for storage.
It is important to realize that backup copies of the Administration Server data are created under the Administration
Server account, whereas backups of the database are created under the database server account. If you specify a
network path as the target location for backup copies, both the Administration Server and SQL server must have
access to this folder. Also, the specified drive must have enough free space.
Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored
data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup
copies is three.
The Administration Server certificate is stored in an encrypted form for security reasons. This security measure
prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption,
you need to provide a password. By default, the password is empty.
The backup data copying task is scheduled by default to start daily at 2 a.m.; therefore, only three backup copies of
the last three days are stored.
There is no task in Kaspersky Security Center that would restore data from a backup copy. This is done by design,
because an accidental launch of such a task would result in the loss of newly added settings and data.
In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be run from
the Start menu. When started without command line options, this utility works as a wizard, which prompts you to
choose the restore option, enter the path to the backup copy and the password to decrypt the Administration Server
certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if you
specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to
c:\backups\klbackup2011-12-27#02-00-02
The backup copying utility can not only restore the data from backup copies, but it can also create backup copies. To
do so, at the Choose Action step, select Backup of Administration Server data.
IV–60 KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can
be used, for example, when you only need to restore connection between the Network Agents and the Server, but
want to create the structure and settings from scratch. This limited backup is not available in the backup task.
The klbackup.exe utility can be launched from the command line with the following parameters:
With time, the Administration Server database may slow down. In particular, the reports may be generated slowly,
and lists of events or computers may be displayed only after a noticeable pause.
To speed up the console’s work with the events stored in the database, the database is to be optimized. Before
Kaspersky Security Center 10 SP2, it could have been done only using the database server tools. Kaspersky Security
Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database
of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize
the database using the database server tools.
To speed up the Administration Server database, the Database maintenance task performs the following:
The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases
the database size. The database is recommended to be optimized once a week.
If the Administration Server works slowly because its resources are scarce, the Maintenance database task will not
help
There can be only one Maintenance database task. It is created by the Quick Start wizard. By default, the task
starts every Saturday, at 1 a.m.
IV-61
Unit IV. Maintenance
Investigate grave incidents, such as an infection, immediately. Solve less important issues once a week. Do not
allow them to pile up; otherwise, it will soon be difficult to notice something important among them.
If you cannot solve an issue, contact the technical support. To receive a precise answer earlier, collect logs and
attach them to your request.
Install updates and new versions. They correct errors and improve performance and protection.
Back up the Administration Server data. Regularly make sure that you can restore data from a backup.
Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration beforehand.
v1.0